o 2Ji' @srdZddlZddlZddlZddlZddlmZddlmZz ddl m Z dZ Wn e y3dZ Ynwzddl mZdd lmZdZWne ySdZddlZYnwd,d ed efd dZd-deded efddZded efddZded efddZd.dedededed ef ddZd/d ed!eed efd"d#Zd$ed efd%d&ZGd'd(d(Zd)d*Ze d+kredSdS)0ul Rook Key Derivation Module Derives all system keys from a BIP39 mnemonic + optional key file + Google Drive folder ID. Derivation chain: mnemonic → BIP39 seed (512-bit) seed + salt(keyfile_hash, folder_id) → HKDF-SHA256 → purpose-specific keys Three independent keys from one root: info="bitwarden-master" → Vaultwarden master password (Base85) info="luks-container" → LUKS2 passphrase (hex) info="backup-aes-key" → AES-256-GCM key for backups (raw bytes) Usage: from keygen import RookKeyDerivation kd = RookKeyDerivation( mnemonic="abandon abandon abandon ... about", folder_id="1a2b3c4d5e6f", keyfile_path="/path/to/photo.jpg", # optional ) print(kd.bitwarden_password) # Base85 string print(kd.luks_passphrase) # hex string backup_key = kd.backup_key # 32 raw bytes N)Path)Optional)MnemonicTF)HKDF)hashesstrengthreturncCstr td}||Std)uGGenerate a BIP39 mnemonic. strength=128 → 12 words, 256 → 24 words.englishzTpython-mnemonic required for mnemonic generation. Install with: pip install mnemonic)HAS_MNEMONIC_LIBrgenerate ImportError)rmr3/home/geodesix/Jetson/tests/../src/crypto/keygen.pygenerate_mnemonic>s  rmnemonic passphrasecCsRtrtd}||stdt||S|d}d|d}td||dS)z>Convert BIP39 mnemonic to 512-bit seed via PBKDF2-HMAC-SHA512.r Invalid BIP39 mnemonicutf-8rsha512i)r rcheck ValueErrorto_seedencodehashlib pbkdf2_hmac)rrrmnemonic_bytessaltrrrmnemonic_to_seedJs   r cCs*tr td|S|}t|dvS)z#Check if a mnemonic is valid BIP39.r ) )r rrstripsplitlen)rwordsrrrvalidate_mnemonicXs  r*pathcCs^t}t|d} |d}|sn||q Wd|S1s&wY|S)z%SHA256 hash of a key file's contents.rbTiN)rsha256openreadupdatedigest)r+hfchunkrrr hash_keyfilees    r5 ikmrinfolengthc Cstrtt|||d}||S|sd}t||tj }|dd}d}d}t d|dD]} t|||t | gtj }||7}q0|d|S)zDerive a key using HKDF-SHA256.) algorithmr9rr8s r6N) HAS_CRYPTOGRAPHYrrSHA256derivehmacnewrr-r1rangebytes) r7rr8r9hkdfprknokmtirrr _hkdf_deriveus$  "  rK folder_id keyfile_hashcCs*|r||d}t|S|dS)zGBuild the combined HKDF salt from folder ID and optional key file hash.r)rrr-r1)rLrMcombinedrrr build_salts rOdatacCsddl}||dS)z(Encode bytes as Base85 (ASCII85) string.rNascii)base64 b85encodedecode)rPrRrrr base85_encodesrUc@s~eZdZdZ ddededeefddZedefd d Zedefd d Z ede fd dZ edefddZ ddZ dS)RookKeyDerivationu3 Derives all Hermes system keys from a BIP39 mnemonic. Attributes: bitwarden_password: str — Base85-encoded Vaultwarden master password luks_passphrase: str — Hex-encoded LUKS2 container passphrase backup_key: bytes — 32-byte AES-256-GCM key for backup encryption NrrL keyfile_pathcCst|std|stdt||_d}|r(t|s$td|t|}t|||_ t |j|j dd|_ t |j|j dd|_ t |j|j dd|_ dS)Nrz"Google Drive folder ID is requiredzKey file not found: sbitwarden-masterr6sluks-containersbackup-aes-key)r*rr _seedrexistsFileNotFoundErrorr5rO_saltrK_bw_key _luks_key _backup_key)selfrrLrWrMrrr__init__s   zRookKeyDerivation.__init__r cCs t|jS)uEVaultwarden master password (Base85-encoded, 32 bytes → ~40 chars).)rUr\r_rrrbitwarden_password z$RookKeyDerivation.bitwarden_passwordcC |jS)u@LUKS2 container passphrase (hex-encoded, 32 bytes → 64 chars).)r]hexrarrrluks_passphrasercz!RookKeyDerivation.luks_passphrasecCs|jS)z5AES-256-GCM key for backup encryption (32 raw bytes).)r^rarrr backup_keyszRookKeyDerivation.backup_keycCrd)z9AES-256-GCM key as hex string (for display/verification).)r^rerarrrbackup_key_hexrcz RookKeyDerivation.backup_key_hexcCsdddl}dD])}t||d}|r)t|tr)|t|t|t|dt|t ||dqdS)z'Overwrite sensitive material in memory.rN)rXr[r\r]r^) ctypesgetattr isinstancerDmemsetidsys getsizeofr(setattr)r_riattrvalrrrwipes (zRookKeyDerivation.wipeN)__name__ __module__ __qualname____doc__strrr`propertyrbrfrDrgrhrsrrrrrVs&   rVcCsddl}|jdd}|jdd}|jddd }|jd td d gd d |jddd }|jdddd|jdddd|jddd |jdddd|jddd }|jddd |}|jdkr|jd krfd nd!}t |}t d"|jd#| } t | d$D]\} } t d%| d&d'| q~t d(dS|jdkrt |j|j|jd)} t d*t d+|jt d,|jpd-|jrt d.t d/| jt d0| jt d1| jnt d2| dS|jdkrt|j} t d3| rd4nd5dS|dS)6zCLI for testing key derivation.rNzRook Key Derivation) descriptioncommand)destr zGenerate a new BIP39 mnemonic)helpz--wordsr!r%)typechoicesdefaultr@zDerive keys from mnemonicz --mnemonicTzBIP39 mnemonic (quoted))requiredr~z --folder-idzGoogle Drive folder IDz --keyfilezOptional key file pathz --show-keys store_truezPrint derived keys (DANGER))actionr~validatezCheck if a mnemonic is validrzBIP39 mnemonic to validaterz Generated z-word mnemonic: r=z 2z. z+ WRITE THESE DOWN. Do not store digitally. )rrLrWz Key derivation successful.z Folder ID: z Key file: noneu% *** SENSITIVE — DO NOT SHARE ***z Bitwarden pw: z LUKS phrase: z Backup key: z= Keys derived but not displayed. Use --show-keys to reveal.z Mnemonic is VALIDINVALID)argparseArgumentParseradd_subparsers add_parser add_argumentint parse_argsr|r)rprintr' enumeraterVrrLkeyfile show_keysrbrfrhrsr* print_help)rparsersubgenr@rrargsrrr)rJwkdvalidrrrmainsR         r__main__)r)r)r6rt)!rxrossecretsrnpathlibrtypingrrrr r 'cryptography.hazmat.primitives.kdf.hkdfrcryptography.hazmat.primitivesrr>rArryrrDr boolr*r5rKrOrUrVrrurrrrsB            J;