SecretStore Session

exception secretstore.session.SecretStoreSessionError(*args, **kwargs)[source]

Thrown when an error has occured during the Secret Store session.

class secretstore.session.Session(ss_endpoint_uri: str, logger: logging.Logger = None)[source]

The class holding together the secretstore session calls.

Parameters:
  • ss_endpoint_uri (str) – The endpoint where Secret Store is listening for requests (for sessions).
  • logger (logging.Logger, optional) – The logger object. Defaults to None and instantiates a default logger in this case with log level INFO.
ss_endpoint_uri

The endpoint where Secret Store is listening for requests (for sessions).

Type:str
logger

The logger object.

Type:logging.Logger
Raises:ValueError – if the secret store’s url is not given
generateServerAndDocumentKey(server_key_id, signed_server_key_id, threshold, verbose=True) → str[source]

Generating document key by one of the participating nodes.

While it is possible (and more secure, if you’re not trusting the Secret Store nodes) to run separate server key generation and document key storing sessions, you can generate both keys simultaneously.

Parameters:
  • server_key_id (str) – The server key ID.
  • signed_server_key_id (str) – The server key ID signed by the SS user.
  • threshold (str or int) – Key threshold value. Please consider the guidelines when choosing this value.
  • verbose (bool) – Whether to log errors. Default: True.
Returns:

The hex-encoded document key, encrypted with requester’s public key (ECIES encryption is used) .
Return type:

str
Raises:

SecretStoreSessionError, requests.RequestException
generateServerKey(server_key_id: str, signed_server_key_id: str, threshold: Union[str, int], verbose=True) → str[source]

Generates server keys.

Parameters:
  • server_key_id (str) – The server key ID.
  • signed_server_key_id (str) – The server key ID signed by the SS user.
  • threshold (str or int) –

    Key threshold value. Please consider the guidelines when choosing this value.

  • verbose (bool) – Whether to log errors. Default: True.
Returns:

The hex-encoded public portion of the server key.
Return type:

str
Raises:

SecretStoreSessionError, requests.RequestException
nodesSetChange(node_ids_new_set, signature_old_set, signature_new_set, verbose=True) → str[source]

Node set change session.

Requires all added, removed and stable nodes to be online for the duration of the session. Before starting the session, you’ll need to generate two administrator’s signatures: old set signature and new set signature. To generate these signatures, the Secret Store RPC methods should be used: serversSetHash and signRawHash.

Parameters:
  • node_ids_new_set (list(str)) – Node IDs of the new set.
  • signature_old_set (str) – ECDSA signature of all online node IDs keccak(ordered_list(staying + added + removing)).
  • signature_new_set (str) – ECDSA signature of node IDs that should stay in the Secret Store after the session ends keccak(ordered_list(staying + added)).
  • verbose (bool) – Whether to log errors. Default: True.
Returns:

Empty string (probably).
Return type:

str
Raises:

SecretStoreSessionError, requests.RequestException
retrieveDocumentKey(server_key_id, signed_server_key_id, verbose=True) → str[source]

Fetches the document key from the secret store.

This is the lighter version of the document key shadow retrieval session, which returns final document key (though, encrypted with requester public key) if you have enough trust in the Secret Store nodes. During document key shadow retrieval session, document key is not reconstructed on any node, but it requires Secret Store client either to have an access to Parity RPCs, or to run some EC calculations to decrypt the document key.

Parameters:
  • server_key_id (str) – The server key ID.
  • signed_server_key_id (str) – The server key ID signed by the SS user.
  • verbose (bool) – Whether to log errors. Default: True.
Returns:

The hex-encoded document key, encrypted with requester public key (ECIES encryption is used).
Return type:

str
Raises:

SecretStoreSessionError, requests.RequestException
shadowRetrieveDocumentKey(server_key_id, signed_server_key_id, verbose=True) → web3.datastructures.AttributeDict[source]

This session is a preferable way of retrieving previously generated document key.

Parameters:
  • server_key_id (str) – The server key ID.
  • signed_server_key_id (str) – The server key ID signed by the SS user.
  • verbose (bool) – Whether to log errors. Default: True.
Returns:

The hex-encoded decrypted_secret, common_point and decrypt_shadows fields.
Return type:

web3.datastructures.AttributeDict
Raises:

SecretStoreSessionError, requests.RequestException
signEcdsa(server_key_id, signed_server_key_id, message_hash, verbose=True) → str[source]

ECDSA signing session, for computing ECDSA signature of a given message hash.

Parameters:
  • server_key_id (str) – The server key ID.
  • signed_server_key_id (str) – The server key ID signed by the SS user.
  • message_hash (str) – The 256-bit hash of the message that needs to be signed.
  • verbose (bool) – Whether to log errors. Default: True.
Returns:

The hex-encoded ECDSA signature (serialized as r || s || v ), encrypted with requester public key (ECIES encryption is used).
Return type:

str
Raises:

SecretStoreSessionError, requests.RequestException
signSchnorr(server_key_id, signed_server_key_id, message_hash, verbose=True) → str[source]

Schnorr signing session, for computing Schnorr signature of a given message hash.

Parameters:
  • server_key_id (str) – The server key ID.
  • signed_server_key_id (str) – The server key ID signed by the SS user.
  • message_hash (str) – The 256-bit hash of the message that needs to be signed.
  • verbose (bool) – Whether to log errors. Default: True.
Returns:

The hex-encoded Schnorr signature (serialized as c || s), encrypted with requester public key (ECIES encryption is used).
Return type:

str
Raises:

SecretStoreSessionError, requests.RequestException
storeDocumentKey(server_key_id, signed_server_key_id, common_point, encrypted_point, verbose=True) → str[source]

Binds an externally-generated document key to a server key.

Useable after a server key generation session .

Parameters:
  • server_key_id (str) – The server key ID.
  • signed_server_key_id (str) – The server key ID signed by the SS user.
  • common_point (str) – The hex-encoded common point portion of encrypted document key.
  • encrypted_point (str) – The hex-encoded encrypted point portion of encrypted document key.
  • verbose (bool) – Whether to log errors. Default: True.
Returns:

Empty string if everything was OK (status code 200).
Return type:

str
Raises:

SecretStoreSessionError, requests.RequestException