Replace sequester_crypto

parsec/api/data/certif.py

@@ -4,7 +4,7 @@
 from parsec._parsec import DateTime
 from typing import Any, Dict, Literal
 
-from parsec.sequester_crypto import SequesterVerifyKeyDer, SequesterEncryptionKeyDer
+from parsec._parsec import SequesterVerifyKeyDer, SequesterPublicKeyDer
 from parsec.serde import fields, post_load
 from parsec.api.protocol import (
  SequesterServiceID,
@@ -48,7 +48,7 @@ class SCHEMA_CLS(BaseSchema):
  timestamp = fields.DateTime(required=True)
  service_id = SequesterServiceIDField(required=True)
  service_label = fields.String(required=True)
- encryption_key_der = fields.SequesterEncryptionKeyDerField(required=True)
+ encryption_key_der = fields.SequesterPublicKeyDerField(required=True)
 
  @post_load
  def make_obj(self, data: Dict[str, Any]) -> "SequesterServiceCertificate": # type: ignore[misc]
@@ -58,4 +58,4 @@ def make_obj(self, data: Dict[str, Any]) -> "SequesterServiceCertificate": # ty
  timestamp: DateTime
  service_id: SequesterServiceID
  service_label: str
- encryption_key_der: SequesterEncryptionKeyDer
+ encryption_key_der: SequesterPublicKeyDer

parsec/backend/cli/sequester.py

@@ -3,25 +3,24 @@
 
 import attr
 import click
-import oscrypto
 import textwrap
-from oscrypto.asymmetric import PrivateKey
 from async_generator import asynccontextmanager
 from base64 import b64encode, b64decode
 from pathlib import Path
 from typing import AsyncGenerator, Dict, List, Tuple
 
-from parsec._parsec import DateTime
+from parsec._parsec import (
+ DateTime,
+ SequesterPrivateKeyDer,
+ SequesterPublicKeyDer,
+ SequesterSigningKeyDer,
+ SequesterVerifyKeyDer,
+)
 from parsec.backend.postgresql.organization import PGOrganizationComponent
 from parsec.event_bus import EventBus
 from parsec.utils import open_service_nursery, trio_run
 from parsec.cli_utils import operation, cli_exception_handler, debug_config_options
-from parsec.sequester_crypto import (
- sequester_authority_sign,
- SequesterEncryptionKeyDer,
- SequesterVerifyKeyDer,
- CryptoError,
-)
+from parsec.crypto import CryptoError
 from parsec.sequester_export_reader import extract_workspace, RealmExportProgress
 from parsec.api.data import SequesterServiceCertificate, DataError
 from parsec.api.protocol import OrganizationID, UserID, RealmID, SequesterServiceID, HumanHandle
@@ -49,11 +48,9 @@
 
 def dump_sequester_service_certificate_pem(
  certificate_data: SequesterServiceCertificate,
- authority_signing_key: PrivateKey,
+ authority_signing_key: SequesterSigningKeyDer,
 ) -> str:
- certificate = sequester_authority_sign(
- signing_key=authority_signing_key, data=certificate_data.dump()
- )
+ certificate = authority_signing_key.sign(certificate_data.dump())
  return "\n".join(
  (
  SEQUESTER_SERVICE_CERTIFICATE_PEM_HEADER,
@@ -216,8 +213,10 @@ def generate_service_certificate(
 ) -> None:
  with cli_exception_handler(debug):
  # Load key files
- service_key = SequesterEncryptionKeyDer(service_public_key.read_bytes())
- authority_key = oscrypto.asymmetric.load_private_key(authority_private_key.read_bytes())
+ service_key = SequesterPublicKeyDer.load_pem(service_public_key.read_text())
+ authority_key = SequesterPrivateKeyDer.load_pem(
+ authority_private_key.read_text()
+ ).signing_key
 
  # Generate data schema
  service_id = SequesterServiceID.new()
@@ -426,8 +425,8 @@ def create_service(
  "Webhook sequester service requires webhook_url argument"
  )
  # Load key files
- service_key = SequesterEncryptionKeyDer(service_public_key.read_bytes())
- authority_key = oscrypto.asymmetric.load_private_key(authority_private_key.read_bytes())
+ service_key = SequesterPublicKeyDer.load_pem(service_public_key.read_text())
+ authority_key = SequesterPrivateKeyDer.load_pem(authority_private_key.read_text())
  # Generate data schema
  service_id = SequesterServiceID.new()
  now = DateTime.now()
@@ -437,7 +436,7 @@ def create_service(
  service_label=service_label,
  encryption_key_der=service_key,
  )
- certificate = sequester_authority_sign(signing_key=authority_key, data=certif_data.dump())
+ certificate = authority_key.signing_key.sign(certif_data.dump())
 
  sequester_service: BaseSequesterService
  if cooked_service_type == SequesterServiceType.STORAGE:
@@ -786,7 +785,7 @@ def extract_realm_export(
  # Finally a command that is not async !
  # This is because here we do only a single thing at a time and sqlite3 provide
  # a synchronous api anyway
- decryption_key = oscrypto.asymmetric.load_private_key(service_decryption_key.read_bytes())
+ decryption_key = SequesterPrivateKeyDer.load_pem(service_decryption_key.read_text())
 
  ret = 0
  for fs_path, event_type, event_msg in extract_workspace(

parsec/backend/organization.py

@@ -17,11 +17,11 @@
  OrganizationConfigRep,
  OrganizationConfigRepOk,
  OrganizationConfigRepNotFound,
+ SequesterVerifyKeyDer,
  UsersPerProfileDetailItem,
+ VerifyKey,
 )
 from parsec.utils import timestamps_in_the_ballpark
-from parsec.crypto import VerifyKey
-from parsec.sequester_crypto import SequesterVerifyKeyDer
 from parsec.api.data import (
  UserCertificate,
  DeviceCertificate,

parsec/backend/postgresql/organization.py

@@ -6,10 +6,8 @@
 from functools import lru_cache
 from triopg import UniqueViolationError
 
-from parsec._parsec import DateTime
+from parsec._parsec import DateTime, SequesterVerifyKeyDer, VerifyKey
 from parsec.api.protocol import OrganizationID, UserProfile
-from parsec.crypto import VerifyKey
-from parsec.sequester_crypto import SequesterVerifyKeyDer
 from parsec.backend.events import BackendEvent
 from parsec.backend.user import UserError, User, Device
 from parsec.backend.utils import UnsetType, Unset

parsec/backend/postgresql/sequester.py

@@ -5,7 +5,7 @@
 from collections import defaultdict
 from typing import Any, List, Tuple
 
-from parsec.sequester_crypto import SequesterVerifyKeyDer
+from parsec._parsec import DateTime, SequesterVerifyKeyDer
 from parsec.api.data import DataError, SequesterServiceCertificate
 from parsec.api.protocol import OrganizationID, RealmID, SequesterServiceID, VlobID
 from parsec.backend.organization import SequesterAuthority
@@ -28,7 +28,6 @@
  SequesterWrongServiceTypeError,
 )
 from parsec.crypto import CryptoError
-from parsec._parsec import DateTime
 
 
 # Sequester authority never gets modified past organization bootstrap, hence no need

parsec/core/cli/bootstrap_organization.py

@@ -6,7 +6,7 @@
 import platform
 from typing import Any, Protocol
 
-from parsec.sequester_crypto import SequesterVerifyKeyDer
+from parsec._parsec import LocalDevice, SequesterVerifyKeyDer
 from parsec.utils import trio_run
 from parsec.cli_utils import spinner, cli_exception_handler, async_prompt, async_confirm
 from parsec.api.protocol import HumanHandle, DeviceLabel
@@ -16,8 +16,6 @@
 from parsec.core.invite import bootstrap_organization as do_bootstrap_organization
 from parsec.core.cli.utils import cli_command_base_options, core_config_options, save_device_options
 
-from parsec._parsec import LocalDevice
-
 
 SEQUESTER_BRIEF = """A sequestered organization is able to ask it users to encrypt
 their data with third party asymmetric keys (called "sequester service").
@@ -63,7 +61,7 @@ async def _bootstrap_organization(
  )
  if not answer:
  raise SystemExit("Bootstrap aborted")
- sequester_vrf_key = SequesterVerifyKeyDer(sequester_verify_key.read_bytes())
+ sequester_vrf_key = SequesterVerifyKeyDer.load_pem(sequester_verify_key.read_text())
 
  human_label: str = human_label or await async_prompt("User fullname")
  human_email: str = human_email or await async_prompt("User email")

parsec/core/invite/organization.py

@@ -1,8 +1,11 @@
 # Parsec Cloud (https://parsec.cloud) Copyright (c) AGPL-3.0 2016-present Scille SAS
 from __future__ import annotations
 
-from parsec.crypto import SigningKey, VerifyKey
-from parsec.sequester_crypto import SequesterVerifyKeyDer
+from parsec._parsec import (
+ SigningKey,
+ VerifyKey,
+ SequesterVerifyKeyDer,
+)
 from parsec.api.data import (
  UserCertificate,
  DeviceCertificate,