# QualityLink encrypted header

Demo of <https://specs.quality-link.eu/data_exchange.html#access-control-header> in practice

## Part 1: Setup - Install Required Libraries

In [24]:
!pip3 install cryptography



In [25]:
try:
    import os
    from datetime import datetime, timedelta
    from cryptography import x509
    from cryptography.x509.oid import NameOID, ExtensionOID
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import rsa, padding
    from cryptography.hazmat.backends import default_backend
    import hashlib
    import base64
    import json

    print("‚úÖ Libraries imported successfully!")

except ImportError as e:
    print(f"Required module missing: {e.name}. Please install it before running the script.")
    exit(1)

‚úÖ Libraries imported successfully!


## Part 2: QL-Pipeline Generates 

This simulates QL-Pipeline creating their private/public key pair.

The private key will NEVER be shared with providers.

In [26]:
# Generate private key (4096-bit RSA)

print("\nGenerating QL-Pipeline's private key (4096-bit RSA)...")
ql_private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=4096,
    backend=default_backend()
)

print(f"‚úÖ Private key generated successfully: {ql_private_key}")


Generating QL-Pipeline's private key (4096-bit RSA)...
‚úÖ Private key generated successfully: <cryptography.hazmat.bindings._rust.openssl.rsa.RSAPrivateKey object at 0x773278c177b0>


In [27]:
# Extract public key from private key, convert both to PEM

ql_public_key = ql_private_key.public_key()

private_pem = ql_private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption()
)
public_pem = ql_public_key.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo
)

print(f"\nüîê Private key:\n{private_pem.decode()}\n\n")
print(f"üîë Public key:\n{public_pem.decode()}\n\n")


üîê Private key:
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCoZ/BNQ8ezyhRd
mMw9d7n7uvpu4/QPTALLNtBoryZ/Lai/rezmmNfu9g1MRu28PybIQ9iy6BeCfojL
TF0NdOuXVFS3R4mkF6F+j2g2+sm9qwUES9FsdKBbUvZrYNiCD6U1vEbsfSBGXrLP
nYgMFFrYFEGpXuf6e0+L+snCKQAP6C6ylBL9lxOwcHot07H2jaQM1vEQnsBSjy1X
3yblUYFLSakPhizw78AqafAEMpy+5VVAuiqZZLlNJBGWf0L9qKCBR0t1W4GvnXA3
YRcaXV11Gv7B6q2i7pFGxeGi/GVggqXgffI9+qZ3rGv5DbQ1uZKlP6zA0AywlWjI
3GNV9VGBxm0xxviTUc0xxpkB9vN+3AIMi+BiDAYazBcXYTBimcsvo8LE7xR9HZVD
J5X4ViygNfA0a6hPi47Frh4qqu0eq14oQbe+8n1nAz6HQ7Q0Td5G9fWU8RD0gWey
ZetrmEmOstkkZyMShv1qTlIVcT91txevlguhNvC2kMYaS9Ao0G4v8QZsBBqctJaT
7mDLPdL+ssVTvf2j7D869uZt0t47cY91eBxYrfVaUHu00cEVsRIVjO8zhKpJMVd5
e0vJc4SYNmfGsC4TMMPsFGYKAv+stO35Ap1lzpw9ng6NUEzjDV13ZvdVfUgloJe6
Rkq7c/EliVRXdI+nKpKp+QTqf1MfPwIDAQABAoICAAMsYOTIRrBdq752Nj8K8Mu+
Ri9Co9TfEmqgqqEIJTosnV0KaM8fXocu1P6KIhCXbSmalT5FzXMp/8seQFCibwAO
9SSZ4uK0h4Mhg6pGAE5rX/fhs2udYW+DjmuBPWbAPGOR/2aVT3g3jPElJoJO36lb
tFvvoUfEizHNH4BFZ9jzHCd+Fgow8jcXGGOhPE9s5YR

## Part 3: provider A encrypts token with public key

Provider A receives the public key via email/portal. They use it to encrypt a token.

In [28]:
# Simulate Provider A receiving the certificate

print(f"\nüìß Provider A receives aggreator_pub.pem")

pubkey = serialization.load_pem_public_key(public_pem)

secret = "SUPER-SECRET-TOKEN-4711"

ciphertext = base64.b64encode(pubkey.encrypt(
    secret.encode('utf-8'),
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)).decode()

print(f"\nSecret: {secret}\nEncrypted: {ciphertext}")

manifest = {
    "meta": {
        "schac": "example.ac.at",
        "eterid": "AT4711",
        "deqarid": "DEQARINST0815"
    },
    "sources": [
        {
            "type": "ooapi",
            "path": "https://data.example.org/ooapi/v5/",
            "version": "5",
            "auth": {
                "type": "httpheader",
                "field": "X-API-Key",
                "value": ciphertext
            },
            "id": "eua-courses-virt",
            "name": "Courses offered on the Alliance's virtual campus"
        }
    ]
}

print(f"\nProvider includes this in manifest file, example:\n\n{json.dumps(manifest, indent=2)}")


üìß Provider A receives aggreator_pub.pem

Secret: SUPER-SECRET-TOKEN-4711
Encrypted: nKZcmqtcX+3Caz9EmsVq8DKasXe3A1M4QVT/0UqiL9sBTxMuipPMdtNY7EmgpDYP8Ck4kh3ZqRU9De55+yU/b0Rh65Kr6ssJBJTcbi0x8QVsC8qFO4Bz13+gGmR1ZKqbL088pWnu5/ds4PKxEgljzMJIUQIsdh0pH9uXh/YeSWsWLM6vhN+Ax4IzqBInKndmDCb9r3PDwH1yABIQzK9tXAoyySZ9BCQhCm955dz/C2UnygZkbo5sPK1XzOyxACKSj5qfwxPh4dVm9BIHg3c+WVYKJb7a11ErFIUW6zvpj5jbh/G5MqD3BOnh62yObrb46m4zwsN6LyYojcECswLZb28ik5vx/0TJYBdYnKRenq0CztD+fe68z9byErdZnSuBnkoK/vqn6TT/VzzLs1QHUVsyQxgTkie0q/9BgPUBXpAsywAGR+v0L+lxYFPdIGBicrzee3g901GSxUo99vkQ0vUccarZDFJ5IROwSXAgxgtAjGoUsxZQfazG2EsTbZqN0Hej/0aH7N4xSiEBbKP4hCV+q1soCc+meWJz02+4jhDBiLqdC+W+zG0nwya/UptuB6emJtgv1tI28D4VlhFSu3pEvbwjAkpi/AWIxIupNxxKu9IHJdM3/Y4FzTuHROMPNsdONKTVSG86jo+5crlYQfuMG5VEnNWlPEzTedW1yQQ=

Provider includes this in manifest file, example:

{
  "meta": {
    "schac": "example.ac.at",
    "eterid": "AT4711",
    "deqarid": "DEQARINST0815"
  },
  "sources": [
    {
      "type": "ooapi",
      "path": "https://data

## Part 4: QL-Pipeline decrypts provider secret

QL-Pipeline wants to fetch courses from Provider A. Pipeline takes the encrypted value from the manifest and sends it back.

In [31]:
print(f"üîë Encrypted data from manifest: {manifest['sources'][0]['auth']['value']}")

decrypted = ql_private_key.decrypt(
    base64.b64decode(manifest['sources'][0]['auth']['value']),
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
).decode()

print(f"üí¨ Cleartext: {decrypted}")


üîë Encrypted data from manifest: nKZcmqtcX+3Caz9EmsVq8DKasXe3A1M4QVT/0UqiL9sBTxMuipPMdtNY7EmgpDYP8Ck4kh3ZqRU9De55+yU/b0Rh65Kr6ssJBJTcbi0x8QVsC8qFO4Bz13+gGmR1ZKqbL088pWnu5/ds4PKxEgljzMJIUQIsdh0pH9uXh/YeSWsWLM6vhN+Ax4IzqBInKndmDCb9r3PDwH1yABIQzK9tXAoyySZ9BCQhCm955dz/C2UnygZkbo5sPK1XzOyxACKSj5qfwxPh4dVm9BIHg3c+WVYKJb7a11ErFIUW6zvpj5jbh/G5MqD3BOnh62yObrb46m4zwsN6LyYojcECswLZb28ik5vx/0TJYBdYnKRenq0CztD+fe68z9byErdZnSuBnkoK/vqn6TT/VzzLs1QHUVsyQxgTkie0q/9BgPUBXpAsywAGR+v0L+lxYFPdIGBicrzee3g901GSxUo99vkQ0vUccarZDFJ5IROwSXAgxgtAjGoUsxZQfazG2EsTbZqN0Hej/0aH7N4xSiEBbKP4hCV+q1soCc+meWJz02+4jhDBiLqdC+W+zG0nwya/UptuB6emJtgv1tI28D4VlhFSu3pEvbwjAkpi/AWIxIupNxxKu9IHJdM3/Y4FzTuHROMPNsdONKTVSG86jo+5crlYQfuMG5VEnNWlPEzTedW1yQQ=
üí¨ Cleartext: SUPER-SECRET-TOKEN-4711


## Part 5: QL-Pipeline makes request for data

With the decrypted secret, the QL-Pipeline makes a request with the expected HTTP header included. (The whole request is encrypted via HTTPS as usual.)

In [30]:
print("\nüì° HTTP request by QL-Pipeline ‚Üí Provider A:")
print("   GET /api/courses HTTP/1.1")
print("   Host: provider-a.edu")
print(f"   {manifest['sources'][0]['auth']['field']}: {decrypted}")


üì° HTTP request by QL-Pipeline ‚Üí Provider A:
   GET /api/courses HTTP/1.1
   Host: provider-a.edu
   X-API-Key: SUPER-SECRET-TOKEN-4711
