gemstone_utils.key_mgmt.registry

KDF registry and derive_kek dispatch.

gemstone_utils.key_mgmt.registry.SUPPORTED_KDF_NAMES: frozenset[str] = frozenset({'pbkdf2-hmac-sha256'})

Registered KDF ids (read-only; updated when built-in modules load).

gemstone_utils.key_mgmt.registry.derive_kek(passphrase, params)

Derive a KEK using the KDF named in params["kdf"].

Parameters:
  • passphrase (str) – Vault passphrase.

  • params (dict) – Persisted KDF parameters (must include "kdf").

Returns:

Derived KEK bytes.

Raises:

ValueError – If params omit "kdf" or name an unsupported KDF.

Return type:

bytes

gemstone_utils.key_mgmt.registry.is_supported_kdf(name)

Return whether name is a registered KDF id.

Parameters:

name (str) – KDF registry id.

Returns:

True if registered.

Return type:

bool

gemstone_utils.key_mgmt.registry.register_kdf(name)

Decorator to register a first-party KDF implementation.

Only ids in _ALLOWED_KDF_NAMES may register. Third-party runtime registration is not supported.

Parameters:

name (str) – Registry id stored in persisted params as "kdf".

Returns:

Decorator that registers the wrapped function.

gemstone_utils.key_mgmt.registry.require_supported_kdf(name)

Return the registered KDF callable for name.

Parameters:

name (str) – KDF registry id.

Returns:

Callable (passphrase, params) -> kek_bytes.

Raises:

ValueError – If name is not registered.

Return type:

Callable[[str, Dict[str, Any]], bytes]
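
An added sketch of the allow-listed registry and derive_kek dispatch described on this page, written as stand-alone code that is not gemstone_utils' own implementation. The PBKDF2 parameter keys ("salt", "iterations", "length"), the minimum values and the sample parameters are assumptions; the point shown is that persisted parameters are untrusted input, so unknown KDF ids and weakened parameters are rejected before any key is derived.

```python
import hashlib
from typing import Any, Callable, Dict

KdfFn = Callable[[str, Dict[str, Any]], bytes]
_ALLOWED_KDF_NAMES = frozenset({"pbkdf2-hmac-sha256"})  # fixed first-party allow-list
_REGISTRY: Dict[str, KdfFn] = {}

def register_kdf(name: str) -> Callable[[KdfFn], KdfFn]:
    """Decorator: register a KDF, refusing ids outside the allow-list."""
    if name not in _ALLOWED_KDF_NAMES:
        raise ValueError(f"KDF id not allowed: {name!r}")
    def decorator(fn: KdfFn) -> KdfFn:
        _REGISTRY[name] = fn
        return fn
    return decorator

def require_supported_kdf(name: Any) -> KdfFn:
    """Return the registered callable; non-string or unknown ids are rejected."""
    fn = _REGISTRY.get(name) if isinstance(name, str) else None
    if fn is None:
        raise ValueError(f"unsupported KDF: {name!r}")
    return fn

def derive_kek(passphrase: str, params: Dict[str, Any]) -> bytes:
    """Dispatch on the persisted "kdf" id, which is untrusted stored data."""
    if "kdf" not in params:
        raise ValueError('params must include "kdf"')
    return require_supported_kdf(params["kdf"])(passphrase, params)

# Assumed keys "salt" (hex), "iterations", "length" and assumed minimum values.
@register_kdf("pbkdf2-hmac-sha256")
def pbkdf2_hmac_sha256(passphrase: str, params: Dict[str, Any]) -> bytes:
    salt = bytes.fromhex(params["salt"])
    iterations = int(params["iterations"])
    if iterations < 100_000 or len(salt) < 16:
        raise ValueError("KDF parameters below the accepted minimum")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=int(params.get("length", 32)))

# Constructed sample of persisted parameters (not real vault data).
SAMPLE_PARAMS = {"kdf": "pbkdf2-hmac-sha256", "iterations": 200_000,
                 "salt": "00112233445566778899aabbccddeeff", "length": 32}
```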