SecretStore Session

exception secretstore.session.SecretStoreSessionError(*args, **kwargs)
    Thrown when an error has occurred during the Secret Store session.

class secretstore.session.Session(ss_endpoint_uri: str, logger: logging.Logger = None)
    The class holding together the Secret Store session calls.

    Parameters:
        - ss_endpoint_uri (str) – The endpoint where Secret Store is listening for requests (for sessions).
        - logger (logging.Logger, optional) – The logger object. Defaults to None, in which case a default logger with log level INFO is instantiated.

    logger
        The logger object.
        Type: logging.Logger

    Raises: ValueError – if the Secret Store's URL is not given.
    generateServerAndDocumentKey(server_key_id, signed_server_key_id, threshold, verbose=True) → str
        Generates the document key on one of the participating nodes.
        While it is possible (and more secure, if you do not trust the Secret Store nodes) to run separate server key generation and document key storing sessions, you can generate both keys simultaneously.
        Parameters:
        Returns: The hex-encoded document key, encrypted with the requester's public key (ECIES encryption is used).
        Return type: str
        Raises:
    generateServerKey(server_key_id: str, signed_server_key_id: str, threshold: Union[str, int], verbose=True) → str
        Generates the server key.
        Parameters:
        Returns: The hex-encoded public portion of the server key.
        Return type: str
        Raises:
    nodesSetChange(node_ids_new_set, signature_old_set, signature_new_set, verbose=True) → str
        Node set change session.
        Requires all added, removed and stable nodes to be online for the duration of the session. Before starting the session, you need to generate two administrator signatures: the old set signature and the new set signature. To generate these signatures, use the Secret Store RPC methods serversSetHash and signRawHash.
        Parameters:
            - node_ids_new_set (list(str)) – Node IDs of the new set.
            - signature_old_set (str) – ECDSA signature of all online node IDs: keccak(ordered_list(staying + added + removing)).
            - signature_new_set (str) – ECDSA signature of the node IDs that should stay in the Secret Store after the session ends: keccak(ordered_list(staying + added)).
            - verbose (bool) – Whether to log errors. Default: True.
        Returns: Empty string (probably).
        Return type: str
        Raises:
    retrieveDocumentKey(server_key_id, signed_server_key_id, verbose=True) → str
        Fetches the document key from the Secret Store.
        This is the lighter version of the document key shadow retrieval session: it returns the final document key (though encrypted with the requester's public key) if you have enough trust in the Secret Store nodes. During a document key shadow retrieval session, the document key is not reconstructed on any node, but this requires the Secret Store client either to have access to the Parity RPCs or to run some EC calculations itself to decrypt the document key.
        Parameters:
        Returns: The hex-encoded document key, encrypted with the requester's public key (ECIES encryption is used).
        Return type: str
        Raises:
    shadowRetrieveDocumentKey(server_key_id, signed_server_key_id, verbose=True) → web3.datastructures.AttributeDict
        This session is the preferable way of retrieving a previously generated document key.
        Parameters:
        Returns: The hex-encoded decrypted_secret, common_point and decrypt_shadows fields.
        Return type: web3.datastructures.AttributeDict
        Raises:
    signEcdsa(server_key_id, signed_server_key_id, message_hash, verbose=True) → str
        ECDSA signing session, for computing the ECDSA signature of a given message hash.
        Parameters:
        Returns: The hex-encoded ECDSA signature (serialized as r || s || v), encrypted with the requester's public key (ECIES encryption is used).
        Return type: str
        Raises:
    signSchnorr(server_key_id, signed_server_key_id, message_hash, verbose=True) → str
        Schnorr signing session, for computing the Schnorr signature of a given message hash.
        Parameters:
        Returns: The hex-encoded Schnorr signature (serialized as c || s), encrypted with the requester's public key (ECIES encryption is used).
        Return type: str
        Raises:
    storeDocumentKey(server_key_id, signed_server_key_id, common_point, encrypted_point, verbose=True) → str
        Binds an externally-generated document key to a server key.
        Usable after a server key generation session.
        Parameters:
            - server_key_id (str) – The server key ID.
            - signed_server_key_id (str) – The server key ID signed by the SS user.
            - common_point (str) – The hex-encoded common point portion of the encrypted document key.
            - encrypted_point (str) – The hex-encoded encrypted point portion of the encrypted document key.
            - verbose (bool) – Whether to log errors. Default: True.
        Returns: Empty string if everything was OK (status code 200).
        Return type: str
        Raises: