def read_escrow_data(brand_identifier, escrowed_data, layer_count=2, sign_key=None, _recur=0): """ escrowed_data = binary data encoded to escrow keys sign_key = user's public key used to check signatures (optional) layer_count = number of layers to go through (2 by default) returns: plaintext escrowed data """ # TODO: make this talk to a remote key escrow service hardened/isolated by # policy layer_data = escrowed_data try: for layer_idx in range(layer_count): layer_data = read_escrow_layer( _ESCROW_KEYS_CACHE, layer_data, sign_key) except KeyError, err: if not "Key not available for ID" in str(err): raise if _recur: raise load_escrow_key_cache() return read_escrow_data(brand_identifier, escrowed_data, layer_count=layer_count, sign_key=sign_key, _recur=_recur+1)
def read_escrow_data(brand_identifier, escrowed_data, layer_count=2, sign_key=None, _recur=0): """ escrowed_data = binary data encoded to escrow keys sign_key = user's public key used to check signatures (optional) layer_count = number of layers to go through (2 by default) returns: plaintext escrowed data """ # TODO: make this talk to a remote key escrow service hardened/isolated by # policy layer_data = escrowed_data try: for layer_idx in range(layer_count): layer_data = read_escrow_layer(_ESCROW_KEYS_CACHE, layer_data, sign_key) except KeyError, err: if not "Key not available for ID" in str(err): raise if _recur: raise load_escrow_key_cache() return read_escrow_data(brand_identifier, escrowed_data, layer_count=layer_count, sign_key=sign_key, _recur=_recur + 1)
def test_write_and_read_layers(): """ test encapsulating data in many escrow layers and reading it back out """ userkey = make_keypair() layers = list() for _ in range(_TEST_LAYERS): layers.append(make_keypair()) # this is the data that goes in the innermost layer data = os.urandom(_TEST_DATA_SIZE) layer_data = data # we encapsulate this data in layers of key escrow for idx, layer in enumerate(layers): cipher_layer_data = make_escrow_layer( layer[0], layer[1].publickey(), layer_data, userkey[1]) # at every layer we test that we can read back the data plain_layer_data = read_escrow_layer( { layer[0]: layer[1] }, cipher_layer_data, userkey[1].publickey()) assert plain_layer_data == layer_data, \ "readback fail at layer %d" % (idx + 1) layer_data = cipher_layer_data # read back the layers in reverse for idx, layer in enumerate(layers[::-1]): plain_layer_data = read_escrow_layer( { layer[0]: layer[1] }, layer_data, userkey[1].publickey()) layer_data = plain_layer_data # we should get our original data back out assert layer_data == data return True
def test_write_and_read_layers(): """ test encapsulating data in many escrow layers and reading it back out """ userkey = make_keypair() layers = list() for _ in range(_TEST_LAYERS): layers.append(make_keypair()) # this is the data that goes in the innermost layer data = os.urandom(_TEST_DATA_SIZE) layer_data = data # we encapsulate this data in layers of key escrow for idx, layer in enumerate(layers): cipher_layer_data = make_escrow_layer(layer[0], layer[1].publickey(), layer_data, userkey[1]) # at every layer we test that we can read back the data plain_layer_data = read_escrow_layer({layer[0]: layer[1]}, cipher_layer_data, userkey[1].publickey()) assert plain_layer_data == layer_data, \ "readback fail at layer %d" % (idx + 1) layer_data = cipher_layer_data # read back the layers in reverse for idx, layer in enumerate(layers[::-1]): plain_layer_data = read_escrow_layer({layer[0]: layer[1]}, layer_data, userkey[1].publickey()) layer_data = plain_layer_data # we should get our original data back out assert layer_data == data return True