[new] Add utils to de/serialize public part of KeyChains

ptaoussanis · ptaoussanis · commit 4383ed5d6931 · 2025-11-06T07:32:09.000+01:00
diff --git a/src/taoensso/tempel.clj b/src/taoensso/tempel.clj
@@ -446,7 +446,7 @@
               ?key-id   (bytes/read-dynamic-?str in)]
           (enc/assoc-when
             {:kind :encrypted-keychain, :version 1,
-             :keychain (keys/keychain-restore nil ba-kc-pub)}
+             :keychain (keys/keychain-thaw nil ba-kc-pub)}
             :ba-aad          ?ba-aad
             :key-id          ?key-id
             :has-hmac?       has-hmac?
@@ -464,6 +464,22 @@
       :aad (bytes/?utf8-ba->?str ba-aad)
       :cnt (bytes/?utf8-ba->?str ba-content))))
 
+(defn keychain-freeze-public
+  "Takes a `KeyChain` and serializes any public keys it contains
+  to a storable byte[]. Returns the byte[].
+
+  Thaw (deserialize) output with: `keychain-thaw-public`."
+  ^bytes [keychain]
+  (get (keys/keychain-freeze keychain) :ba-kc-pub))
+
+(defn keychain-thaw-public
+  "Complement of `keychain-freeze-public`.
+  Takes a serialized byte[] of public keys and returns
+  a `KeyChain` that contains those public keys."
+  [ba-kc-pub] (keys/keychain-thaw nil ba-kc-pub))
+
+(comment (let [kc (keychain)] (enc/submap? @kc @(keychain-thaw-public (keychain-freeze-public kc)))))
+
 ;;;; Cipher API
 
 (defn- return-val [context return-kind ?ba-cnt ?ba-aad]
diff --git a/src/taoensso/tempel/keys.clj b/src/taoensso/tempel/keys.clj
@@ -265,7 +265,7 @@
     (delay (mkc-freeze  m-keychain))
     ?meta))
 
-(defn keychain-restore
+(defn keychain-thaw
   "Thaws `KeyChain` from frozen byte[]s."
   ([ba-kc-prv ba-kc-pub] (-keychain nil (mkc-thaw ba-kc-prv ba-kc-pub)))
   ([ba-kc_             ] (-keychain nil (mkc-thaw ba-kc_))))
@@ -1162,7 +1162,7 @@
             (let [?ba-kc-prv (bytes/read-dynamic-?ba in)
                   ?ba-ucnt   (bytes/read-dynamic-?ba in) ; User content
                   _          (df/read-resv!          in)
-                  keychain   (keychain-restore ?ba-kc-prv ?ba-kc-pub)]
+                  keychain   (keychain-thaw ?ba-kc-prv ?ba-kc-pub)]
 
               (case return
                 :keychain   keychain
diff --git a/test/taoensso/tempel_tests.clj b/test/taoensso/tempel_tests.clj
@@ -16,6 +16,13 @@
   (remove-ns      'taoensso.tempel-tests)
   (test/run-tests 'taoensso.tempel-tests))
 
+;;;; Utils
+
+(defn keychain->pub-keys [kc] (into #{} (comp (map :key-pub)                        (filter some?)) (vals (enc/force-ref kc))))
+(defn keychain->prv-keys [kc] (into #{} (comp (map #(or (:key-sym %) (:key-prv %))) (filter some?)) (vals (enc/force-ref kc))))
+
+(comment (keychain->pub-keys (keys/keychain)))
+
 ;;;; Implementation
 
 (deftest _headers
@@ -368,7 +375,18 @@
       (is (= (kci kc1) {:n-sym 1, :n-prv 2, :n-pub 2, :secret? true}))
       (is (= (kci kc3) {:n-sym 1, :n-prv 1, :n-pub 2, :secret? true}))])
 
-   (testing "Serialization and encryption"
+   (testing "Serialization of public keys in KeyChains"
+     (let [kc1 (keys/keychain {:empty? true})
+           kc2 (keys/keychain {:symmetric-keys      [#_1 :random]
+                               :asymmetric-keypairs [#_2 :rsa-1024 #_3 :dh-1024 #_4 :ec-secp256r1]})]
+       (every? boolean
+         (flatten
+           (for [kc [kc1 kc2]]
+             (let [kc-thawed (tempel/keychain-thaw-public (tempel/keychain-freeze-public kc))]
+               [(is (empty? (keychain->prv-keys kc-thawed))                         "No private keys in public KeyChain")
+                (is (=      (keychain->pub-keys kc-thawed) (keychain->pub-keys kc)) "All public keys in public KeyChain")]))))))
+
+   (testing "Serialization of encrypted KeyChains"
      (let [kc (->
                 (keys/keychain {:symmetric-keys      [#_1 :random]
                                 :asymmetric-keypairs [#_2 :rsa-1024 #_3 :dh-1024 #_4 :ec-secp256r1]})
@@ -405,10 +423,9 @@
                 (is (= (set (keys (get @kc-dec "c"))) #{:key-prv :key-algo :priority}))
 
                 (is (= (keys/keychain-decrypt ba-enc !key-opts) nil)             "Bad key")
-                (is (= (kci (:keychain (pd ba-enc))) {:n-pub 4, :secret? false}) "Public keychain in public data")
+                (is (= (kci (:keychain (pd ba-enc))) {:n-pub 4, :secret? false}) "Public KeyChain is in public data")
 
-                (is (every? nil? (mapv #(or (:key-sym %) (:key-prv %)) (vals @(:keychain (pd ba-enc)))))
-                  "No private data in public keychain")]))))))])
+                (is (empty? (keychain->prv-keys (:keychain (pd ba-enc)))) "No private keys in public KeyChain")]))))))])
 
 ;;;; Core API
 
