# QualityLink encrypted header

Demo of <https://specs.quality-link.eu/data_exchange.html#access-control-header> in practice

## Part 1: Setup - Install Required Libraries

In [29]:
%pip install cryptography

570.82s - pydevd: Sending message related to process being replaced timed-out after 5 seconds


Defaulting to user installation because normal site-packages is not writeable
Collecting cryptography
  Using cached cryptography-46.0.3-cp311-abi3-macosx_10_9_universal2.whl.metadata (5.7 kB)
Using cached cryptography-46.0.3-cp311-abi3-macosx_10_9_universal2.whl (7.2 MB)
Installing collected packages: cryptography
Successfully installed cryptography-46.0.3
Note: you may need to restart the kernel to use updated packages.


In [30]:
try:
    import os
    from datetime import datetime, timedelta
    from cryptography import x509
    from cryptography.x509.oid import NameOID, ExtensionOID
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import rsa, padding
    from cryptography.hazmat.backends import default_backend
    import hashlib
    import base64
    import json

    print("‚úÖ Libraries imported successfully!")

except ImportError as e:
    print(f"Required module missing: {e.name}. Please install it before running the script.")
    exit(1)

‚úÖ Libraries imported successfully!


## Part 2: QL-Pipeline Generates 

This simulates QL-Pipeline creating their private/public key pair.

The private key will NEVER be shared with providers.

In [31]:
# Generate private key (4096-bit RSA)

print("\nGenerating QL-Pipeline's private key (4096-bit RSA)...")
ql_private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=4096,
    backend=default_backend()
)

print(f"‚úÖ Private key generated successfully: {ql_private_key}")


Generating QL-Pipeline's private key (4096-bit RSA)...
‚úÖ Private key generated successfully: <cryptography.hazmat.bindings._rust.openssl.rsa.RSAPrivateKey object at 0x7fe5e556c970>


In [32]:
# Extract public key from private key, convert both to PEM

ql_public_key = ql_private_key.public_key()

private_pem = ql_private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption()
)
public_pem = ql_public_key.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo
)

print(f"\nüîê Private key:\n{private_pem.decode()}\n\n")
print(f"üîë Public key:\n{public_pem.decode()}\n\n")


üîê Private key:
-----BEGIN PRIVATE KEY-----
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDHOHjH9Ae7MRcV
tltY9368HJ+PSSeMFhUMVAHNze7d/0mOADgqTjBU7RrA4WBmnI/6rgBDy8wAHbqf
QfLH//c9cf37W9q7cuPvPrckC+yiBRGunTNB5tvkygoGutHgd3wruPJbgCw3A43S
CbGzyvlsHGqqOTe1LFOgTfMat7K2ob3M/7nP8myEKj9SqDZK7c6xfyXmeWjB40pb
xjfL1R2RHlo/u/RwcDRI0U4RJUHjq2wFlycVeIKdfFeYgcf5bCDKprZwNAcxRDb0
NsKfpNVYQk1MpXq29yt6hJOq1h7YgDXcUyxtCOj+eZ48LC0Ftp4VjO6/M2SkuVEx
xqU3dmy7GUKjs0Lu4vV0Q66Aya6UKhlyRnBe2IQbZmcIIywQ/BUmHWXQGYXocXZP
dXwwqrR1/LpmwR/mA+jr1uPDlEtj20vdXcFPyJnkO0IMDbi78Q+XVAWiPSEO2nDi
PYRgHovb+0UappFA2ac1hDGsaaZL/gpssdI5N0V5Td/LNJjuRtR2uMqSe8DHKhyP
foJDApAK0k3wv5y5+0l90o8fpdxxrttemtP60Lb76M1DgVk9uNbMkjSzMl26jZIC
3AT3qXmGeSxtT4IYTmwDNk4N+OarKrJxs4ghgAVVojRb3YwYD50ByiwfaLerbiWw
kySLOltp4Et+q1DdknkfNUMHlkChpwIDAQABAoICAA38FFpw8nP9A7JV/T6XDRH2
bmr4Byspx6t4YDIKwThbOdYahNbPa0wi4sxkZch+OAswWLtpnHXroFSapAjPGpN5
I4uYDJg4/fAm9mM05RUQhwe7aEQ5iPkcB60mQyJfMNu+3WB39GKeQL/cR1moJ28j
5YbygksZA/vOTQD0oTp5yyGPWANVcLGsZ4qNXVZQMEC

## Part 3: provider A encrypts token with public key

Provider A receives the public key via email/portal. They use it to encrypt a token.

Equivalent with openssl-pkeyutl(1):

```
echo SUPER-SECRET-TOKEN-4711 | openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pubin -inkey aggregator_pub.pem | base64
```

In [33]:
# Simulate Provider A receiving the certificate

print(f"\nüìß Provider A receives aggreator_pub.pem")

pubkey = serialization.load_pem_public_key(public_pem)

secret = "SUPER-SECRET-TOKEN-4711"

ciphertext = base64.b64encode(pubkey.encrypt(
    secret.encode('utf-8'),
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA1()),
        algorithm=hashes.SHA1(),
        label=None
    )
)).decode()

print(f"\nSecret: {secret}\nEncrypted: {ciphertext}")

manifest = {
    "meta": {
        "schac": "example.ac.at",
        "eterid": "AT4711",
        "deqarid": "DEQARINST0815"
    },
    "sources": [
        {
            "type": "ooapi",
            "path": "https://data.example.org/ooapi/v5/",
            "version": "5",
            "auth": {
                "type": "httpheader",
                "field": "X-API-Key",
                "value": ciphertext
            },
            "id": "eua-courses-virt",
            "name": "Courses offered on the Alliance's virtual campus"
        }
    ]
}

print(f"\nProvider includes this in manifest file, example:\n\n{json.dumps(manifest, indent=2)}")


üìß Provider A receives aggreator_pub.pem

Secret: SUPER-SECRET-TOKEN-4711
Encrypted: USrS/f/2eOQdZL8SSxhv8rkvJKlPxyXe33jFLotqBMgX9/jzR6TL5abhvhfYhxQJYDDKlEcYQZOwABn/+/0OTviG3vLXSRN5Ge/Ta2VOIVhXX9IJ+OXRA3iPUIVyLDpN1z9pOUrB+ljdfCgjx4r/c6823DzuWA/HP14q08p87ysNxbH1zZkvc2a+1TY3R/oHb9ALnBVqGXzw0l/svoGnf+Q6VTEq3Ni+sB3mP6tgkcDw+pwVnTe1doUlm9w3acs1OFa0NrVkz2O6I5chdQr91K7PEKhnxb7dNzUwBzB+m2Uhj4WMP2BYAosleF1TM0+844y/DfHimOUs03MH808ptw6GMi2ctiZJ9jnPCpHbiMhipKkWA6/aphNAdEC2ZIkh4WG6wgWNTO+0Zy4deNLyPiWwgMu5jBXwYSb8ETedv29OC5pvLBp7eWRLsbVA1cBLvcPf0iPEMUo9RP8/J1OB531hQNzGlvue87Gby2fGZkKILsTgxkk4RNGOS198vBIm+fbWwjjWYQyu2v++cylzEfQlUI2Y5O6c35Z9qnuk/kBjT+FIe4vbOasWo0DBuX9+1TxAbJamMk9qqWf9O7i3vugy7YVwTDiIUqjlpzV1pzvKoU1jKJwFbx0JdsbjWw/43z2CAQx/S1UsQOFSY6QO2oaiGZ4pKpRHXsjelK1CeUA=

Provider includes this in manifest file, example:

{
  "meta": {
    "schac": "example.ac.at",
    "eterid": "AT4711",
    "deqarid": "DEQARINST0815"
  },
  "sources": [
    {
      "type": "ooapi",
      "path": "https://data

## Part 4: QL-Pipeline decrypts provider secret

QL-Pipeline wants to fetch courses from Provider A. Pipeline takes the encrypted value from the manifest and sends it back.

Equivalent with openssl-pkeyutl(1):

```
echo $ENCRYPTED_VALUE | base64 -d | openssl pkeyutl -decrypt -inkey aggregator_priv.pem -pkeyopt rsa_padding_mode:oaep
```

In [34]:
encrypted = manifest['sources'][0]['auth']['value']

print(f"üîë Encrypted data from manifest: {encrypted}")

decrypted = ql_private_key.decrypt(
    base64.b64decode(encrypted),
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA1()),
        algorithm=hashes.SHA1(),
        label=None
    )
).decode()

print(f"üí¨ Cleartext: {decrypted}")


üîë Encrypted data from manifest: USrS/f/2eOQdZL8SSxhv8rkvJKlPxyXe33jFLotqBMgX9/jzR6TL5abhvhfYhxQJYDDKlEcYQZOwABn/+/0OTviG3vLXSRN5Ge/Ta2VOIVhXX9IJ+OXRA3iPUIVyLDpN1z9pOUrB+ljdfCgjx4r/c6823DzuWA/HP14q08p87ysNxbH1zZkvc2a+1TY3R/oHb9ALnBVqGXzw0l/svoGnf+Q6VTEq3Ni+sB3mP6tgkcDw+pwVnTe1doUlm9w3acs1OFa0NrVkz2O6I5chdQr91K7PEKhnxb7dNzUwBzB+m2Uhj4WMP2BYAosleF1TM0+844y/DfHimOUs03MH808ptw6GMi2ctiZJ9jnPCpHbiMhipKkWA6/aphNAdEC2ZIkh4WG6wgWNTO+0Zy4deNLyPiWwgMu5jBXwYSb8ETedv29OC5pvLBp7eWRLsbVA1cBLvcPf0iPEMUo9RP8/J1OB531hQNzGlvue87Gby2fGZkKILsTgxkk4RNGOS198vBIm+fbWwjjWYQyu2v++cylzEfQlUI2Y5O6c35Z9qnuk/kBjT+FIe4vbOasWo0DBuX9+1TxAbJamMk9qqWf9O7i3vugy7YVwTDiIUqjlpzV1pzvKoU1jKJwFbx0JdsbjWw/43z2CAQx/S1UsQOFSY6QO2oaiGZ4pKpRHXsjelK1CeUA=
üí¨ Cleartext: SUPER-SECRET-TOKEN-4711


## Part 5: QL-Pipeline makes request for data

With the decrypted secret, the QL-Pipeline makes a request with the expected HTTP header included. (The whole request is encrypted via HTTPS as usual.)

In [35]:
print("\nüì° HTTP request by QL-Pipeline ‚Üí Provider A:")
print("   GET /api/courses HTTP/1.1")
print("   Host: provider-a.edu")
print(f"   {manifest['sources'][0]['auth']['field']}: {decrypted}")


üì° HTTP request by QL-Pipeline ‚Üí Provider A:
   GET /api/courses HTTP/1.1
   Host: provider-a.edu
   X-API-Key: SUPER-SECRET-TOKEN-4711
