Encrypts environment variables using a one-time X25519 key exchange and AES-GCM. This function does the following: 1. Converts the given environment variables to JSON bytes. 2. Removes a leading "0x" from the provided public key (if present) and converts it to bytes. 3. Genera
(envs, hex_public_key: str)
| 258 | |
| 259 | |
| 260 | def encrypt_env(envs, hex_public_key: str) -> str: |
| 261 | """Encrypts environment variables using a one-time X25519 key exchange and AES-GCM. |
| 262 | |
| 263 | This function does the following: |
| 264 | 1. Converts the given environment variables to JSON bytes. |
| 265 | 2. Removes a leading "0x" from the provided public key (if present) and converts it to bytes. |
| 266 | 3. Generates an ephemeral X25519 key pair. |
| 267 | 4. Computes a shared secret using this ephemeral private key and the remote public key. |
| 268 | 5. Uses the shared key directly as the 32-byte key for AES-GCM. |
| 269 | 6. Encrypts the JSON string with AES-GCM using a randomly generated IV. |
| 270 | 7. Concatenates the ephemeral public key, IV, and ciphertext and returns it as a hex string. |
| 271 | |
| 272 | Args: |
| 273 | envs: The environment variables to encrypt. This can be any JSON-serializable data structure. |
| 274 | hex_public_key: The remote encryption public key in hexadecimal format. |
| 275 | |
| 276 | Returns: |
| 277 | A hexadecimal string that is the concatenation of: |
| 278 | (ephemeral public key || IV || ciphertext). |
| 279 | |
| 280 | """ |
| 281 | if not CRYPTO_AVAILABLE: |
| 282 | raise ImportError( |
| 283 | "Cryptography libraries not available. Please install them with:\n" |
| 284 | "pip install cryptography eth-keys eth-utils" |
| 285 | ) |
| 286 | |
| 287 | # Serialize the environment variables to JSON and encode to bytes. |
| 288 | envs_json = json.dumps({"env": envs}).encode("utf-8") |
| 289 | |
| 290 | # Remove the "0x" prefix if present. |
| 291 | if hex_public_key.startswith("0x"): |
| 292 | hex_public_key = hex_public_key[2:] |
| 293 | |
| 294 | # Convert the hexadecimal public key to bytes. |
| 295 | remote_pubkey_bytes = bytes.fromhex(hex_public_key) |
| 296 | |
| 297 | # Generate an ephemeral X25519 key pair. |
| 298 | ephemeral_private_key = x25519.X25519PrivateKey.generate() |
| 299 | ephemeral_public_key = ephemeral_private_key.public_key() |
| 300 | |
| 301 | # Compute the shared secret using X25519. |
| 302 | peer_public_key = x25519.X25519PublicKey.from_public_bytes(remote_pubkey_bytes) |
| 303 | shared = ephemeral_private_key.exchange(peer_public_key) |
| 304 | |
| 305 | # Use the shared secret as a key for AES-GCM encryption (AES-256 needs 32 bytes). |
| 306 | aesgcm = AESGCM(shared) |
| 307 | iv = os.urandom(12) # 12-byte nonce (IV) for AES-GCM. |
| 308 | ciphertext = aesgcm.encrypt(iv, envs_json, None) |
| 309 | |
| 310 | # Serialize the ephemeral public key to raw bytes. |
| 311 | ephemeral_public_bytes = ephemeral_public_key.public_bytes( |
| 312 | encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw |
| 313 | ) |
| 314 | |
| 315 | # Combine ephemeral public key, IV, and ciphertext. |
| 316 | result = ephemeral_public_bytes + iv + ciphertext |
| 317 |
no test coverage detected