Add key validation utilities and integrate

2025-09-08 07:18:47 +00:00 · 2025-08-01 10:38:40 -04:00
parent 20896812a4
commit cc8fba9f12
14 changed files with 206 additions and 12 deletions
--- a/src/utils/key_validation.py
+++ b/src/utils/key_validation.py
@@ -0,0 +1,69 @@
+"""Key validation helper functions."""
+
+import logging
+from cryptography.hazmat.primitives import serialization
+from pgpy import PGPKey
+import pyotp
+from nostr.coincurve_keys import Keys
+from mnemonic import Mnemonic
+
+logger = logging.getLogger(__name__)
+
+
+def validate_totp_secret(secret: str) -> bool:
+    """Return True if ``secret`` is a valid Base32 TOTP secret."""
+    try:
+        pyotp.TOTP(secret).at(0)
+        return True
+    except Exception as e:  # pragma: no cover - pyotp errors vary
+        logger.debug(f"Invalid TOTP secret: {e}")
+        return False
+
+
+def validate_ssh_key_pair(priv_pem: str, pub_pem: str) -> bool:
+    """Ensure ``priv_pem`` corresponds to ``pub_pem``."""
+    try:
+        priv = serialization.load_pem_private_key(priv_pem.encode(), password=None)
+        derived = (
+            priv.public_key()
+            .public_bytes(
+                serialization.Encoding.PEM,
+                serialization.PublicFormat.SubjectPublicKeyInfo,
+            )
+            .decode()
+        )
+        return derived == pub_pem
+    except Exception as e:  # pragma: no cover - serialization errors vary
+        logger.debug(f"SSH key validation failed: {e}")
+        return False
+
+
+def validate_pgp_private_key(priv_key: str, fingerprint: str) -> bool:
+    """Return True if ``priv_key`` matches ``fingerprint``."""
+    try:
+        key, _ = PGPKey.from_blob(priv_key)
+        return key.fingerprint == fingerprint
+    except Exception as e:  # pragma: no cover - pgpy errors vary
+        logger.debug(f"PGP key validation failed: {e}")
+        return False
+
+
+def validate_nostr_keys(npub: str, nsec: str) -> bool:
+    """Return True if ``nsec`` decodes to ``npub``."""
+    try:
+        priv_hex = Keys.bech32_to_hex(nsec)
+        derived = Keys(priv_k=priv_hex)
+        encoded = Keys.hex_to_bech32(derived.public_key_hex(), "npub")
+        return encoded == npub
+    except Exception as e:  # pragma: no cover - nostr errors vary
+        logger.debug(f"Nostr key validation failed: {e}")
+        return False
+
+
+def validate_seed_phrase(mnemonic: str) -> bool:
+    """Return True if ``mnemonic`` is a valid BIP-39 seed phrase."""
+    try:
+        return Mnemonic("english").check(mnemonic)
+    except Exception as e:  # pragma: no cover - mnemonic errors vary
+        logger.debug(f"Seed phrase validation failed: {e}")
+        return False