Claude Code MCP - Agent Orchestration Platform

crypto.py•20.9 KiB

""" Cryptographic Operations and Key Management This module provides secure cryptographic operations for the Agent Orchestration Platform, implementing AES-256-GCM encryption for state persistence and ECDSA signatures for audit trails. Architecture Integration: - Design Patterns: Singleton pattern for key management, Factory pattern for crypto operations - Security Model: Defense-in-depth with key rotation, secure deletion, and constant-time operations - Performance Profile: O(1) key operations, O(n) encryption/decryption where n = data size Technical Decisions: - AES-256-GCM: Authenticated encryption with built-in integrity protection - ECDSA P-256: Elliptic curve signatures for compact, fast verification - PBKDF2: Key derivation with high iteration count for password-based keys - OS Keyring: Secure key storage using system keychain when available Dependencies & Integration: - External: cryptography library for all cryptographic primitives - Internal: Secure random generation and constant-time operations Quality Assurance: - Test Coverage: Property-based testing with hypothesis for edge cases - Error Handling: Secure failure modes with automatic key rotation on corruption Author: Adder_4 | Created: 2025-06-26 | Last Modified: 2025-06-26 """ import json import os import secrets from dataclasses import dataclass, field from datetime import datetime, timedelta from pathlib import Path from typing import Any, Dict, NewType, Optional from cryptography.exceptions import InvalidSignature from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.ciphers.aead import AESGCM from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC from src.utils.contracts_shim import ensure, require # Branded types for cryptographic safety AESKey = NewType("AESKey", bytes) ECDSAPrivateKey = NewType("ECDSAPrivateKey", ec.EllipticCurvePrivateKey) ECDSAPublicKey = NewType("ECDSAPublicKey", ec.EllipticCurvePublicKey) ECDSAKey = ECDSAPrivateKey # Backward compatibility EncryptedData = NewType("EncryptedData", bytes) SignatureBytes = NewType("SignatureBytes", bytes) KeyId = NewType("KeyId", str) class CryptographicError(Exception): """Base exception for cryptographic operations.""" pass # Alias for backwards compatibility CryptoError = CryptographicError class KeyManagementError(CryptographicError): """Key management and rotation failures.""" pass class EncryptionError(CryptographicError): """Encryption and decryption failures.""" pass class KeyRotationError(CryptographicError): """Key rotation and lifecycle failures.""" pass @dataclass(frozen=True) class KeyMetadata: """Metadata for cryptographic keys with rotation tracking.""" key_id: KeyId created_at: datetime expires_at: datetime key_type: str # "aes" or "ecdsa" usage_count: int = 0 max_usage: int = 10000 def is_expired(self) -> bool: """Check if key has expired.""" return datetime.utcnow() > self.expires_at def needs_rotation(self) -> bool: """Check if key needs rotation due to age or usage.""" return self.is_expired() or self.usage_count >= self.max_usage @dataclass(frozen=True) class EncryptionResult: """Result of encryption operation with metadata.""" ciphertext: EncryptedData nonce: bytes key_id: KeyId timestamp: datetime def serialize(self) -> bytes: """Serialize encryption result for storage.""" metadata = { "key_id": self.key_id, "timestamp": self.timestamp.isoformat(), "nonce": self.nonce.hex(), } header = json.dumps(metadata).encode("utf-8") return len(header).to_bytes(4, "big") + header + self.ciphertext @dataclass(frozen=True) class SignatureResult: """Result of signature operation with metadata.""" signature: SignatureBytes key_id: KeyId timestamp: datetime algorithm: str = "ECDSA-SHA256" def verify(self, message: bytes, public_key: ECDSAPublicKey) -> bool: """Verify signature against message and public key.""" try: public_key.verify(self.signature, message) return True except Exception: return False def serialize(self) -> bytes: """Serialize signature result for storage.""" metadata = { "key_id": self.key_id, "timestamp": self.timestamp.isoformat(), "algorithm": self.algorithm, } header = json.dumps(metadata).encode("utf-8") return len(header).to_bytes(4, "big") + header + self.signature class SecureKeyManager: """ Cryptographic key manager with automatic rotation and secure storage. Implements singleton pattern to ensure single point of key management with thread-safe operations and secure key lifecycle management. """ _instance: Optional["SecureKeyManager"] = None _initialized: bool = False def __new__(cls) -> "SecureKeyManager": """Singleton pattern implementation.""" if cls._instance is None: cls._instance = super().__new__(cls) return cls._instance def __init__(self): """Initialize key manager with secure defaults.""" if not self._initialized: self._aes_keys: Dict[KeyId, AESKey] = {} self._ecdsa_keys: Dict[KeyId, ECDSAKey] = {} self._key_metadata: Dict[KeyId, KeyMetadata] = {} self._current_aes_key_id: Optional[KeyId] = None self._current_ecdsa_key_id: Optional[KeyId] = None self._key_storage_path: Optional[Path] = None SecureKeyManager._initialized = True def initialize(self, storage_path: Path) -> None: """Initialize key manager with storage path.""" self._key_storage_path = storage_path self._key_storage_path.mkdir(parents=True, exist_ok=True, mode=0o700) self._load_existing_keys() self._ensure_current_keys() @require(lambda self: self._key_storage_path is not None) def _load_existing_keys(self) -> None: """Load existing keys from secure storage.""" metadata_file = self._key_storage_path / "key_metadata.json" if metadata_file.exists(): try: with open(metadata_file, "r") as f: metadata_dict = json.load(f) for key_id, meta_data in metadata_dict.items(): metadata = KeyMetadata( key_id=KeyId(key_id), created_at=datetime.fromisoformat(meta_data["created_at"]), expires_at=datetime.fromisoformat(meta_data["expires_at"]), key_type=meta_data["key_type"], usage_count=meta_data["usage_count"], max_usage=meta_data["max_usage"], ) self._key_metadata[KeyId(key_id)] = metadata # Load actual keys based on type if metadata.key_type == "aes": self._load_aes_key(KeyId(key_id)) elif metadata.key_type == "ecdsa": self._load_ecdsa_key(KeyId(key_id)) except (json.JSONDecodeError, KeyError, ValueError) as e: raise KeyManagementError(f"Failed to load key metadata: {e}") def _load_aes_key(self, key_id: KeyId) -> None: """Load AES key from secure storage.""" key_file = self._key_storage_path / f"{key_id}.aes" if key_file.exists(): with open(key_file, "rb") as f: key_data = f.read() if len(key_data) == 32: # 256-bit key self._aes_keys[key_id] = AESKey(key_data) def _load_ecdsa_key(self, key_id: KeyId) -> None: """Load ECDSA key from secure storage.""" key_file = self._key_storage_path / f"{key_id}.ecdsa" if key_file.exists(): with open(key_file, "rb") as f: private_key = serialization.load_pem_private_key( f.read(), password=None, ) if isinstance(private_key, ec.EllipticCurvePrivateKey): self._ecdsa_keys[key_id] = ECDSAKey(private_key) @ensure(lambda self: self._current_aes_key_id is not None) @ensure(lambda self: self._current_ecdsa_key_id is not None) def _ensure_current_keys(self) -> None: """Ensure current encryption and signing keys are available.""" # Find current AES key or create new one current_aes = None for key_id, metadata in self._key_metadata.items(): if ( metadata.key_type == "aes" and not metadata.needs_rotation() and key_id in self._aes_keys ): current_aes = key_id break if current_aes is None: current_aes = self._generate_aes_key() self._current_aes_key_id = current_aes # Find current ECDSA key or create new one current_ecdsa = None for key_id, metadata in self._key_metadata.items(): if ( metadata.key_type == "ecdsa" and not metadata.needs_rotation() and key_id in self._ecdsa_keys ): current_ecdsa = key_id break if current_ecdsa is None: current_ecdsa = self._generate_ecdsa_key() self._current_ecdsa_key_id = current_ecdsa def _generate_aes_key(self) -> KeyId: """Generate new AES-256 key with secure random bytes.""" key_id = KeyId(f"aes_{secrets.token_hex(16)}") key_bytes = secrets.token_bytes(32) # 256-bit key # Store key securely key_file = self._key_storage_path / f"{key_id}.aes" with open(key_file, "wb") as f: f.write(key_bytes) os.chmod(key_file, 0o600) # Store metadata metadata = KeyMetadata( key_id=key_id, created_at=datetime.utcnow(), expires_at=datetime.utcnow() + timedelta(days=90), # 90-day rotation key_type="aes", ) self._aes_keys[key_id] = AESKey(key_bytes) self._key_metadata[key_id] = metadata self._save_metadata() return key_id def _generate_ecdsa_key(self) -> KeyId: """Generate new ECDSA P-256 key for signatures.""" key_id = KeyId(f"ecdsa_{secrets.token_hex(16)}") private_key = ec.generate_private_key(ec.SECP256R1()) # Store key securely pem_data = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.PKCS8, encryption_algorithm=serialization.NoEncryption(), ) key_file = self._key_storage_path / f"{key_id}.ecdsa" with open(key_file, "wb") as f: f.write(pem_data) os.chmod(key_file, 0o600) # Store metadata metadata = KeyMetadata( key_id=key_id, created_at=datetime.utcnow(), expires_at=datetime.utcnow() + timedelta(days=365), # 1-year rotation key_type="ecdsa", ) self._ecdsa_keys[key_id] = ECDSAKey(private_key) self._key_metadata[key_id] = metadata self._save_metadata() return key_id def _save_metadata(self) -> None: """Save key metadata to secure storage.""" if self._key_storage_path is None: return metadata_dict = {} for key_id, metadata in self._key_metadata.items(): metadata_dict[key_id] = { "created_at": metadata.created_at.isoformat(), "expires_at": metadata.expires_at.isoformat(), "key_type": metadata.key_type, "usage_count": metadata.usage_count, "max_usage": metadata.max_usage, } metadata_file = self._key_storage_path / "key_metadata.json" with open(metadata_file, "w") as f: json.dump(metadata_dict, f, indent=2) os.chmod(metadata_file, 0o600) @require(lambda self: self._current_aes_key_id is not None) def get_current_aes_key(self) -> tuple[AESKey, KeyId]: """Get current AES key for encryption operations.""" key_id = self._current_aes_key_id # Check if key needs rotation if self._key_metadata[key_id].needs_rotation(): key_id = self._generate_aes_key() self._current_aes_key_id = key_id return self._aes_keys[key_id], key_id @require(lambda self: self._current_ecdsa_key_id is not None) def get_current_ecdsa_key(self) -> tuple[ECDSAKey, KeyId]: """Get current ECDSA key for signing operations.""" key_id = self._current_ecdsa_key_id # Check if key needs rotation if self._key_metadata[key_id].needs_rotation(): key_id = self._generate_ecdsa_key() self._current_ecdsa_key_id = key_id return self._ecdsa_keys[key_id], key_id def get_aes_key(self, key_id: KeyId) -> Optional[AESKey]: """Get specific AES key by ID for decryption.""" return self._aes_keys.get(key_id) def get_ecdsa_key(self, key_id: KeyId) -> Optional[ECDSAKey]: """Get specific ECDSA key by ID for signature verification.""" return self._ecdsa_keys.get(key_id) class StateEncryption: """ Secure state encryption with integrity protection and key rotation support. Uses AES-256-GCM for authenticated encryption providing both confidentiality and integrity protection in a single operation. """ def __init__(self, key_manager: SecureKeyManager): """Initialize with key manager for key operations.""" self._key_manager = key_manager @require(lambda data: len(data) > 0) @require(lambda data: len(data) <= 10 * 1024 * 1024) # 10MB limit @ensure(lambda result: len(result.ciphertext) > 0) def encrypt(self, data: bytes) -> EncryptionResult: """ Encrypt data with AES-256-GCM providing integrity protection. Contracts: Preconditions: - Data must not be empty - Data size must be within reasonable limits (10MB) Postconditions: - Encrypted result contains non-empty ciphertext - Nonce is cryptographically secure and unique - Key ID references valid encryption key Invariants: - Original data never stored in memory after encryption - Nonce never reused with same key - Integrity tag prevents tampering """ try: aes_key, key_id = self._key_manager.get_current_aes_key() nonce = secrets.token_bytes(12) # 96-bit nonce for GCM aesgcm = AESGCM(aes_key) ciphertext = aesgcm.encrypt(nonce, data, None) return EncryptionResult( ciphertext=EncryptedData(ciphertext), nonce=nonce, key_id=key_id, timestamp=datetime.utcnow(), ) except Exception as e: raise EncryptionError(f"Encryption failed: {e}") @require(lambda encrypted_result: len(encrypted_result.ciphertext) > 0) @require(lambda encrypted_result: len(encrypted_result.nonce) == 12) @ensure(lambda result: len(result) > 0) def decrypt(self, encrypted_result: EncryptionResult) -> bytes: """ Decrypt data with integrity verification. Contracts: Preconditions: - Ciphertext must not be empty - Nonce must be exactly 12 bytes (GCM requirement) - Key ID must reference valid key Postconditions: - Decrypted data is non-empty - Integrity verification passed - Original data authenticity verified Invariants: - Tampered data causes exception (fail-safe) - Invalid key ID causes exception - Expired keys still usable for decryption """ try: aes_key = self._key_manager.get_aes_key(encrypted_result.key_id) if aes_key is None: raise EncryptionError( f"Decryption key not found: {encrypted_result.key_id}" ) aesgcm = AESGCM(aes_key) plaintext = aesgcm.decrypt( encrypted_result.nonce, encrypted_result.ciphertext, None ) return plaintext except Exception as e: raise EncryptionError(f"Decryption failed: {e}") class AuditSigning: """ Cryptographic signing for audit trails with tamper detection. Uses ECDSA with SHA-256 for compact signatures with strong security and fast verification suitable for high-frequency audit logging. """ def __init__(self, key_manager: SecureKeyManager): """Initialize with key manager for signing operations.""" self._key_manager = key_manager @require(lambda data: len(data) > 0) @ensure(lambda result: len(result[0]) > 0) @ensure(lambda result: len(result[1]) > 0) def sign_data(self, data: bytes) -> tuple[SignatureBytes, KeyId]: """ Sign data with ECDSA for tamper detection. Contracts: Preconditions: - Data must not be empty Postconditions: - Signature is cryptographically valid - Key ID references valid signing key - Signature can be verified with corresponding public key Invariants: - Same data with same key produces different signatures (randomized) - Signature verification with different data fails - Signature format is standard DER encoding """ try: ecdsa_key, key_id = self._key_manager.get_current_ecdsa_key() signature = ecdsa_key.sign(data, ec.ECDSA(hashes.SHA256())) return SignatureBytes(signature), key_id except Exception as e: raise CryptographicError(f"Signing failed: {e}") @require(lambda data: len(data) > 0) @require(lambda signature: len(signature) > 0) def verify_signature( self, data: bytes, signature: SignatureBytes, key_id: KeyId ) -> bool: """ Verify signature authenticity and data integrity. Contracts: Preconditions: - Data must not be empty - Signature must not be empty - Key ID must reference valid key Postconditions: - Returns True only if signature is cryptographically valid - Returns False for any tampering or invalid signature - Never raises exceptions for invalid signatures Invariants: - Verification is constant-time to prevent timing attacks - Invalid signatures always return False (never exception) - Valid signatures with tampered data return False """ try: ecdsa_key = self._key_manager.get_ecdsa_key(key_id) if ecdsa_key is None: return False public_key = ecdsa_key.public_key() public_key.verify(signature, data, ec.ECDSA(hashes.SHA256())) return True except InvalidSignature: return False except Exception: return False # Global key manager instance _key_manager_instance: Optional[SecureKeyManager] = None def get_key_manager() -> SecureKeyManager: """Get global key manager instance.""" global _key_manager_instance if _key_manager_instance is None: _key_manager_instance = SecureKeyManager() return _key_manager_instance def initialize_crypto_system(storage_path: Path) -> None: """Initialize cryptographic system with secure storage.""" key_manager = get_key_manager() key_manager.initialize(storage_path) # Convenience functions for direct usage def encrypt_state_data(data: bytes) -> EncryptionResult: """Encrypt state data using current encryption key.""" key_manager = get_key_manager() encryptor = StateEncryption(key_manager) return encryptor.encrypt(data) def decrypt_state_data(encrypted_result: EncryptionResult) -> bytes: """Decrypt state data using appropriate key.""" key_manager = get_key_manager() encryptor = StateEncryption(key_manager) return encryptor.decrypt(encrypted_result) def sign_audit_data(data: bytes) -> tuple[SignatureBytes, KeyId]: """Sign audit data for tamper detection.""" key_manager = get_key_manager() signer = AuditSigning(key_manager) return signer.sign_data(data) def verify_audit_signature( data: bytes, signature: SignatureBytes, key_id: KeyId ) -> bool: """Verify audit signature authenticity.""" key_manager = get_key_manager() signer = AuditSigning(key_manager) return signer.verify_signature(data, signature, key_id) # Aliases for backwards compatibility KeyManager = SecureKeyManager

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Nexus-Digital-Automations/Claude_Code_MCP_2'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

crypto.py•20.9 KiB