"""Key validation helper functions."""
import logging
from cryptography.hazmat.primitives import serialization
from pgpy import PGPKey
import pyotp
from nostr.coincurve_keys import Keys
from mnemonic import Mnemonic
# Module logger; the validators below log exception text only, not the
# key material they were given.
logger: logging.Logger = logging.getLogger(__name__)
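def validate_totp_secret(secret: str) -> bool:
    """Return True if ``secret`` is a usable Base32 TOTP secret.

    Decoding is delegated to pyotp by deriving a single code; any decode
    failure (non-Base32 characters, bad padding) is reported as False.

    An empty string is rejected up front instead of being left to pyotp:
    an empty Base32 string decodes cleanly to an empty key, so the library
    alone would not reject it, and an empty shared secret is never
    acceptable.

    Args:
        secret: Base32-encoded shared secret as found in an authenticator
            enrolment URI.

    Returns:
        True if pyotp can derive a code from ``secret``, else False.
    """
    if not secret:
        return False
    try:
        # One derivation exercises Base32 decoding and HMAC setup; the
        # produced code is discarded.
        pyotp.TOTP(secret).at(0)
        return True
    except Exception as e:  # pragma: no cover - pyotp errors vary
        # Log the error text only, never the secret itself.
        logger.debug("Invalid TOTP secret: %s", e)
        return False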
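def validate_ssh_key_pair(priv_pem: str, pub_pem: str) -> bool:
    """Return True if the PEM private key ``priv_pem`` owns ``pub_pem``.

    Both keys are parsed with ``cryptography`` and compared as DER-encoded
    SubjectPublicKeyInfo, so cosmetic differences in the PEM text (line
    endings, trailing newline, PKCS#1 vs SPKI public-key envelope) cannot
    cause a false negative. The previous string comparison required the
    re-serialised public key and ``pub_pem`` to be byte-identical.

    Args:
        priv_pem: Unencrypted PEM private key (PKCS#8, PKCS#1 or SEC1). No
            password is supplied, so an encrypted key fails to load and
            yields False.
        pub_pem: PEM public key to compare against. NOTE(review): despite
            the function name this is PEM, not OpenSSH ``ssh-ed25519 AAAA…``
            text; an OpenSSH-format public key does not parse and yields
            False.

    Returns:
        True if the public key derived from ``priv_pem`` is the same key as
        ``pub_pem``; False on any parse error or mismatch.
    """
    if not priv_pem or not pub_pem:
        return False
    try:
        private_key = serialization.load_pem_private_key(
            priv_pem.encode(), password=None
        )
        expected_public = serialization.load_pem_public_key(pub_pem.encode())
        # Canonical DER form, so textual PEM differences do not matter.
        der_spki = (
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo,
        )
        derived_der = private_key.public_key().public_bytes(*der_spki)
        expected_der = expected_public.public_bytes(*der_spki)
        return derived_der == expected_der
    except Exception as e:  # pragma: no cover - serialization errors vary
        # Error text only; key material is never logged.
        logger.debug("SSH key validation failed: %s", e)
        return False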
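def validate_pgp_private_key(priv_key: str, fingerprint: str) -> bool:
    """Return True if ``priv_key`` is a private key with ``fingerprint``.

    The fingerprint is compared as the full hex digest with spaces removed
    and case ignored. The comparison is done on normalised strings rather
    than via ``key.fingerprint == fingerprint`` because pgpy's
    ``Fingerprint`` equality also reports a match when the other side is
    only the 16- or 8-digit key ID; short key IDs are cheap to collide, so
    a bare key ID must not be accepted as proof that this is the expected
    key.

    The blob must also carry private key material: a public key with the
    right fingerprint is not the private key the caller asked to validate.

    Args:
        priv_key: ASCII-armored (or binary) OpenPGP key blob.
        fingerprint: Expected full fingerprint; spaces and case are ignored.

    Returns:
        True only if the blob parses, is a private key and its full
        fingerprint equals ``fingerprint``; False otherwise.
    """
    if not priv_key or not fingerprint:
        return False
    expected = fingerprint.replace(" ", "").upper()
    try:
        key, _ = PGPKey.from_blob(priv_key)
        if key.is_public:
            return False
        actual = str(key.fingerprint).replace(" ", "").upper()
        return actual == expected
    except Exception as e:  # pragma: no cover - pgpy errors vary
        # Error text only; the key blob is never logged.
        logger.debug("PGP key validation failed: %s", e)
        return False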
def validate_nostr_keys(npub: str, nsec: str) -> bool:
    """Return True if the secret key ``nsec`` derives the public key ``npub``.

    ``nsec`` is decoded from bech32 to hex, the public key is derived with
    ``Keys`` and re-encoded with the ``npub`` prefix; the result must equal
    ``npub`` exactly. NOTE(review): ``Keys.bech32_to_hex`` is project code
    whose handling of the human-readable prefix is not visible here —
    confirm it rejects a non-``nsec`` prefix if callers can pass arbitrary
    strings.

    Args:
        npub: bech32 public key expected to match.
        nsec: bech32 secret key to check.

    Returns:
        True on an exact match; False on mismatch or any decode error.
    """
    try:
        secret_hex = Keys.bech32_to_hex(nsec)
        public_hex = Keys(priv_k=secret_hex).public_key_hex()
        derived_npub = Keys.hex_to_bech32(public_hex, "npub")
    except Exception as e:  # pragma: no cover - nostr errors vary
        logger.debug(f"Nostr key validation failed: {e}")
        return False
    # String equality cannot raise, so it sits outside the guard.
    return derived_npub == npub
def validate_seed_phrase(mnemonic: str) -> bool:
    """Return True if ``mnemonic`` is a valid English BIP-39 phrase.

    Validation is delegated to ``Mnemonic("english").check``; a phrase from
    another wordlist is therefore reported invalid. The phrase is handed
    over unchanged — this function does no whitespace normalisation, so the
    exact string validated here is the one that should later be used for
    seed derivation.

    Args:
        mnemonic: Space-separated BIP-39 words.

    Returns:
        Whatever the library check reports; False if the check raises.
    """
    try:
        checker = Mnemonic("english")
        result = checker.check(mnemonic)
    except Exception as e:  # pragma: no cover - mnemonic errors vary
        logger.debug(f"Seed phrase validation failed: {e}")
        return False
    return result