Add base support for keys, including AES and EC keys.
Review Request #15168 — Created July 14, 2026 and updated — Latest diff uploaded
This introduces a foundation for encryption/signing keys, with specific
implementations for AES symmetric keys and EC public/private keys.All keys derive from
BaseKey, which can be deserialized from bytes or
serialized to bytes, can optionally perform encryption/decryption and
key wrapping/unwrapping, and has a SHA256 fingerprint and optional key
ID.There are subclasses for bytes-based keys and for public/private keys.
AES keys are a bytes-based key. They can be generated for a supported
key size, can be derived from another key, or derived from a key
exchange. They support CFB8, GCM, and GCM-SIV modes.EC public/private key pairs support ECDH key exchange.
Keys can be invalidated, which will clear out state on the key. While
optional, keys should be used as a context manager, which will
automatically invalidate the key once the context manager exits. This is
a precaution to keep key material in memory for as little time as
possible.All bytes storage for key material is done using
bytearrays. These can
be cleared out, affecting all holders of the state. This can help
prevent keys from accidentally staying around in memory long-term (as
best as can be prevented in Python).Encryption returns a a representation of the encrypted state, providing
a full resulting ciphertext and the component parts. Key wrapping does
similar. This will be used to help with secrets storage and defining
envelopes (in a future change).All crypto operations take an algorithm, which are standardized. Keys
can indicate their support for different algorithms (which will be used
for secrets management later), validate against them when performing
the operation, and select the appropriate parameters for the operation.An upcoming change will build upon this to provide higher-level
operations for secrets storage and key type registries, managing
envelope creation and parsing.
Unit tests pass.