Add a Cobblestone recipe implementing c2sp.org/chunked-encryption#15144
Add a Cobblestone recipe implementing c2sp.org/chunked-encryption#15144alex wants to merge 10 commits into
Conversation
These are the test vectors from the chunked reference implementation (https://github.com/FiloSottile/chunked), for use by the chunked encryption recipe being added in #15144. Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8 Co-authored-by: Claude <noreply@anthropic.com>
d94f3cf to
896f9cc
Compare
This adds cryptography.chunked_encryption, a top-level recipe (like Fernet) for streaming authenticated encryption of large messages, implementing the C2SP chunked-encryption specification (https://c2sp.org/chunked-encryption) instantiated with SHA-256 and AES-128-GCM. The core is implemented in Rust: for each message a fresh key, base nonce, and key commitment are derived with HKDF-Expand-SHA-256 from the input key, a random 24-byte salt, and a caller-provided context; the message is encrypted in 16 KiB chunks with AES-128-GCM, with the chunk counter XOR'd into the base nonce. Full chunks are encrypted/decrypted directly from the caller's input, so only sub-chunk remainders are buffered internally, and update_into variants allow callers to supply output buffers. The internals are parameterized over the AEAD so that additional AEADs could be supported later, but the public API is AES-128-GCM only. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
- Use the existing AesGcm AEAD implementation for chunk encryption/decryption instead of using OpenSSL's EVP interface directly (AESGCM.decrypt_into is now pub(crate) for this). - Use the existing HkdfExpand implementation for key derivation. - Fold the error state into the finalized state: a context that hit an error raises AlreadyFinalized on further use. - Replace the let-else in Decrypter::update_impl with a match that yields the cipher and buffer fields. - Replace the in-test reference implementation with the test vectors from the chunked reference implementation (https://github.com/FiloSottile/chunked), vendored into cryptography_vectors. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
- Extract the chunk counter/nonce logic into a ChunkNonces struct with Rust unit tests covering the 2**38-chunk limit, which can't be reached from Python tests. - Track the Decrypter state as Option<DecrypterState> and process both active states in a single exhaustive match, removing the unreachable!() arms; finalize() now consumes the state on all paths. - Drop the Encrypter's error poisoning: the only errors it guarded against are the capacity check (which fails before any state is modified) and internal OpenSSL errors. - Test that a Decrypter is unusable after update_into() raises InvalidTag. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
…ariant Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
C2SP/C2SP#296 names the chunked-encryption spec's two instantiations: Cobblestone-128 (SHA-512 and AES-128-GCM, recommended) and Cobblestone-256 (SHA-512 and AES-256-GCM, compliance-oriented). Replace the Encrypter/Decrypter classes with Cobblestone128Encryptor, Cobblestone128Decryptor, Cobblestone256Encryptor, and Cobblestone256Decryptor, sharing the core implementation, and switch the HKDF-Expand hash from SHA-256 to SHA-512 per the updated spec. The vendored reference test vectors predate this spec change (they were generated with HKDF-SHA-256), so the vector tests are removed until the reference implementation regenerates them. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
The four Cobblestone classes are now plain compositions over internal ChunkedEncryptor/ChunkedDecryptor types. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
6e59943 to
7d06bbe
Compare
| A message is encrypted in 16 KiB chunks, each of which is individually | ||
| authenticated, so decryption can also be performed as a stream: | ||
| decrypted data is returned incrementally, and only authenticated | ||
| plaintext is ever returned. Reordering, truncating, or extending the | ||
| ciphertext is detected. The scheme is also key committing: a ciphertext | ||
| can only be decrypted with the key it was encrypted with. |
There was a problem hiding this comment.
None of this information is useful, delete this paragraph.
| :meth:`generate_key`, :func:`os.urandom`, or a key derivation | ||
| function — never a password). A single key may be used to |
There was a problem hiding this comment.
you don't need to mention os.urandom, e.g. the output of generate key -- never a password is enough
| for a given call is included in the :class:`ValueError` | ||
| raised if the buffer is too small. |
There was a problem hiding this comment.
Delete everything after hte semicolon
| ciphertext. This must always be called, even if ``update`` | ||
| returned all but the last few bytes of ciphertext, and the |
There was a problem hiding this comment.
delete everything between the first and second commas, it makes no sense
| @staticmethod | ||
| def generate_key() -> bytes: ... |
There was a problem hiding this comment.
Decryptors shouldn't have a generate key method, only the encryptor side
| } | ||
|
|
||
| #[cfg(test)] | ||
| mod tests { |
There was a problem hiding this comment.
in general we should only have rust tests for things that are unreachable from python in normal operations, but needed for coverage. do these meet that?
There was a problem hiding this comment.
Partially: the counter-limit test does meet the bar (hitting the 2³⁸-chunk limit requires a 4 PiB message, and it's what covers the check_capacity/message_too_large_error error lines), but the nonce XOR test didn't — that path is fully exercised by the Python round-trip tests. Dropped the XOR test and kept only the limit test, with a comment explaining why it exists.
Generated by Claude Code
…e Rust tests - Simplify the docs per review: drop the intro properties paragraph, the os.urandom mention, and the redundant clauses in the update_into and finalize descriptions. - Remove generate_key from the Decryptor classes; key generation is an encryption-side operation. - Drop the nonce XOR unit test: that path is fully covered by the Python round-trip tests. The remaining Rust test covers only the chunk counter limit, which is unreachable from Python. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
| assert isinstance(key, bytes) | ||
| assert len(key) == key_len | ||
| assert len(decryptor_cls.generate_key()) == key_len | ||
| assert not hasattr(decryptor_cls, "generate_key") |
There was a problem hiding this comment.
this is a very stupid assert, delete it.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
| messages produced by :class:`Cobblestone256Encryptor` with a | ||
| 32-byte key. | ||
|
|
||
| Implementation |
There was a problem hiding this comment.
This whole section doesn’t feel useful since we already state that it’s an implementation of c2sp chunked encryption at the top
Per review: the module, docs page, stubs, and Rust module are renamed from chunked_encryption to cobblestone (the classes were already named for the Cobblestone instantiations), and the docs' Implementation section is dropped since the page already states it implements the C2SP chunked-encryption specification. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
|
At this point I think the only other thing we want is the wycheproof tests to land so we can use them. |
|
The consuming test is written and validated: I extracted the vectors from C2SP/wycheproof#265 as it stands and ran them against this branch — all 70 pass (35 per variant: valid decryptions checked against Generated by Claude Code |
Resolves #2358
This adds
cryptography.cobblestone, a top-level recipe (à la Fernet) for streaming authenticated encryption of large messages, implementing the C2SP chunked-encryption specification's two named instantiations (per C2SP/C2SP#296): Cobblestone-128 (SHA-512 + AES-128-GCM, recommended) and Cobblestone-256 (SHA-512 + AES-256-GCM, for environments that mandate 256-bit keys).Design notes:
AesGcmAEAD andHkdfExpandimplementations. The four classes are simple compositions over internalChunkedEncryptor/ChunkedDecryptortypes parameterized by the AEAD (IANA name, key/tag lengths). For each message a fresh AEAD key, base nonce, and 32-byte key commitment are derived with HKDF-Expand-SHA-512 from the input key, a random 24-byte salt, and a caller-provided context; the message is encrypted in 16 KiB chunks, with the chunk counter XOR'd into the base nonce. The ciphertext issalt || commitment || chunks.update_into()variants let callers supply their own output buffers.finalize().cryptography.exceptions.InvalidTag; any further use of a finalized or failed context raisesAlreadyFinalized.Tests cover round-trip, streaming-granularity, tampering, reordering, truncation, extension, and API misuse cases for both variants, plus a Rust unit test for the chunk counter limit (unreachable from Python). Note: the vendored FiloSottile/chunked test vectors (#15145) predate C2SP/C2SP#296 — they were generated with HKDF-SHA-256 — so the vector tests are removed until the reference implementation regenerates them for Cobblestone; they should be re-added (and the vendored file refreshed) once that happens.
🤖 Generated with Claude Code
https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8