• 
      

    Add base support for keys, including AES and EC keys.

    Review Request #15168 — Created July 14, 2026 and updated — Latest diff uploaded

    Information

    cryptozoology
    master

    Reviewers

    This introduces a foundation for encryption/signing keys, with specific
    implementations for AES symmetric keys and EC public/private keys.

    All keys derive from BaseKey, which can be deserialized from bytes or
    serialized to bytes, can optionally perform encryption/decryption and
    key wrapping/unwrapping, and has a SHA256 fingerprint and optional key
    ID.

    There are subclasses for bytes-based keys and for public/private keys.

    AES keys are a bytes-based key. They can be generated for a supported
    key size, can be derived from another key, or derived from a key
    exchange. They support CFB8, GCM, and GCM-SIV modes.

    EC public/private key pairs support ECDH key exchange.

    Keys can be invalidated, which will clear out state on the key. While
    optional, keys should be used as a context manager, which will
    automatically invalidate the key once the context manager exits. This is
    a precaution to keep key material in memory for as little time as
    possible.

    All bytes storage for key material is done using bytearrays. These can
    be cleared out, affecting all holders of the state. This can help
    prevent keys from accidentally staying around in memory long-term (as
    best as can be prevented in Python).

    Encryption returns a a representation of the encrypted state, providing
    a full resulting ciphertext and the component parts. Key wrapping does
    similar. This will be used to help with secrets storage and defining
    envelopes (in a future change).

    All crypto operations take an algorithm, which are standardized. Keys
    can indicate their support for different algorithms (which will be used
    for secrets management later), validate against them when performing
    the operation, and select the appropriate parameters for the operation.

    An upcoming change will build upon this to provide higher-level
    operations for secrets storage and key type registries, managing
    envelope creation and parsing.

    Unit tests pass.

    Commits

    Files