def read_escrow_data(brand_identifier, escrowed_data, layer_count=2,
sign_key=None, _recur=0):
"""
escrowed_data = binary data encoded to escrow keys
sign_key = user's public key used to check signatures (optional)
layer_count = number of layers to go through (2 by default)
returns: plaintext escrowed data
"""
# TODO: make this talk to a remote key escrow service hardened/isolated by
# policy
layer_data = escrowed_data
try:
for layer_idx in range(layer_count):
layer_data = read_escrow_layer(
_ESCROW_KEYS_CACHE, layer_data, sign_key)
except KeyError, err:
if not "Key not available for ID" in str(err):
raise
if _recur:
raise
load_escrow_key_cache()
return read_escrow_data(brand_identifier, escrowed_data,
layer_count=layer_count, sign_key=sign_key, _recur=_recur+1)
def read_escrow_data(brand_identifier,
escrowed_data,
layer_count=2,
sign_key=None,
_recur=0):
"""
escrowed_data = binary data encoded to escrow keys
sign_key = user's public key used to check signatures (optional)
layer_count = number of layers to go through (2 by default)
returns: plaintext escrowed data
"""
# TODO: make this talk to a remote key escrow service hardened/isolated by
# policy
layer_data = escrowed_data
try:
for layer_idx in range(layer_count):
layer_data = read_escrow_layer(_ESCROW_KEYS_CACHE, layer_data,
sign_key)
except KeyError, err:
if not "Key not available for ID" in str(err):
raise
if _recur:
raise
load_escrow_key_cache()
return read_escrow_data(brand_identifier,
escrowed_data,
layer_count=layer_count,
sign_key=sign_key,
_recur=_recur + 1)
def test_write_and_read_layers():
"""
test encapsulating data in many escrow layers and reading it back out
"""
userkey = make_keypair()
layers = list()
for _ in range(_TEST_LAYERS):
layers.append(make_keypair())
# this is the data that goes in the innermost layer
data = os.urandom(_TEST_DATA_SIZE)
layer_data = data
# we encapsulate this data in layers of key escrow
for idx, layer in enumerate(layers):
cipher_layer_data = make_escrow_layer(
layer[0], layer[1].publickey(), layer_data, userkey[1])
# at every layer we test that we can read back the data
plain_layer_data = read_escrow_layer(
{ layer[0]: layer[1] }, cipher_layer_data, userkey[1].publickey())
assert plain_layer_data == layer_data, \
"readback fail at layer %d" % (idx + 1)
layer_data = cipher_layer_data
# read back the layers in reverse
for idx, layer in enumerate(layers[::-1]):
plain_layer_data = read_escrow_layer(
{ layer[0]: layer[1] }, layer_data, userkey[1].publickey())
layer_data = plain_layer_data
# we should get our original data back out
assert layer_data == data
return True
def test_write_and_read_layers():
"""
test encapsulating data in many escrow layers and reading it back out
"""
userkey = make_keypair()
layers = list()
for _ in range(_TEST_LAYERS):
layers.append(make_keypair())
# this is the data that goes in the innermost layer
data = os.urandom(_TEST_DATA_SIZE)
layer_data = data
# we encapsulate this data in layers of key escrow
for idx, layer in enumerate(layers):
cipher_layer_data = make_escrow_layer(layer[0], layer[1].publickey(),
layer_data, userkey[1])
# at every layer we test that we can read back the data
plain_layer_data = read_escrow_layer({layer[0]: layer[1]},
cipher_layer_data,
userkey[1].publickey())
assert plain_layer_data == layer_data, \
"readback fail at layer %d" % (idx + 1)
layer_data = cipher_layer_data
# read back the layers in reverse
for idx, layer in enumerate(layers[::-1]):
plain_layer_data = read_escrow_layer({layer[0]: layer[1]}, layer_data,
userkey[1].publickey())
layer_data = plain_layer_data
# we should get our original data back out
assert layer_data == data
return True
