# Getting Started
This is a basic overview of the oneID Python SDK.

In [1]:
import os

oneid_dir = os.path.join(os.path.expanduser('~'), '.oneid')
os.makedirs(oneid_dir, exist_ok=True)
private_key_filename = os.path.join(oneid_dir, 'example_key.pem')
public_key_filename = os.path.join(oneid_dir, 'example_key-pub.pem')

### Here we create a key using openssl

In [2]:
%%script env private_key_filename="$private_key_filename" public_key_filename="$public_key_filename" bash
openssl ecparam -name prime256v1 -genkey -conv_form uncompressed -noout -out "$private_key_filename"
openssl pkcs8 -topk8 -nocrypt -in "$private_key_filename" 
echo ""
openssl ec -in "$private_key_filename" -pubout -out "$public_key_filename" 2> /dev/null
cat "$public_key_filename"

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBj261TvQfkpT1rek
jDkati3r5TsIEHrbsR5C4ATDasWhRANCAAQp7CVFaO6kh6/0eWKek/CHi+Ys8oH5
IJyC7q0QzU/jCxyhkPl6R/p3+mAYtCEDnJHs9J2rswgs3adAUOJ1L+l/
-----END PRIVATE KEY-----

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKewlRWjupIev9HlinpPwh4vmLPKB
+SCcgu6tEM1P4wscoZD5ekf6d/pgGLQhA5yR7PSdq7MILN2nQFDidS/pfw==
-----END PUBLIC KEY-----


### Now we read that key and print it out

In [3]:
import oneid
import json
import uuid

import logging
logging.basicConfig(format='%(name)s: [%(levelname)s] %(message)s', level=logging.DEBUG)

private_key = oneid.keychain.Keypair.from_secret_pem(path=private_key_filename)
private_key.identity = str(uuid.uuid4())
print(private_key.secret_as_pem.decode('utf-8'))
print(private_key.public_key_pem.decode('utf-8'))
print(json.dumps(private_key.jwk, indent=2, sort_keys=True))

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgBj261TvQfkpT1rek
jDkati3r5TsIEHrbsR5C4ATDasWhRANCAAQp7CVFaO6kh6/0eWKek/CHi+Ys8oH5
IJyC7q0QzU/jCxyhkPl6R/p3+mAYtCEDnJHs9J2rswgs3adAUOJ1L+l/
-----END PRIVATE KEY-----

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKewlRWjupIev9HlinpPwh4vmLPKB
+SCcgu6tEM1P4wscoZD5ekf6d/pgGLQhA5yR7PSdq7MILN2nQFDidS/pfw==
-----END PUBLIC KEY-----

{
  "crv": "P-256",
  "d": "Bj261TvQfkpT1rekjDkati3r5TsIEHrbsR5C4ATDasU",
  "kid": "1ce57ae2-780f-4b5b-85d5-a186a2f279fc",
  "kty": "EC",
  "x": "KewlRWjupIev9HlinpPwh4vmLPKB-SCcgu6tEM1P4ws",
  "y": "HKGQ-XpH-nf6YBi0IQOckez0nauzCCzdp0BQ4nUv6X8"
}


### Next we will create a signed message with the private key, and verify it with the public key

In [4]:
app_claims = { "name": "Alice", "data": "I am a secure message" }
msg = oneid.jwts.make_jws({"app": app_claims}, private_key)
print(json.dumps(json.loads(msg), indent=2))

{
  "payload": "eyJhcHAiOiB7ImRhdGEiOiAiSSBhbSBhIHNlY3VyZSBtZXNzYWdlIiwgIm5hbWUiOiAiQWxpY2UifSwgImp0aSI6ICIwMDIyMDE3LTAyLTEzVDE1OjIyOjUzWnB0ZFo0MCIsICJuYmYiOiAxNDg2OTk1NzczLCAiZXhwIjogMTQ4Njk5OTM3M30",
  "signatures": [
    {
      "signature": "DImtijSUi2FzFQYVX3_VdshURL5VZTVgDR8_Sadgv0UWjcPduLOSVEs0Ly98_-AKU5fUpqX6El3C9z9gqLwPnw",
      "protected": "eyJhbGciOiAiRVMyNTYiLCAidHlwIjogIkpPU0UrSlNPTiIsICJzaWR4IjogMCwgImtpZCI6ICIxY2U1N2FlMi03ODBmLTRiNWItODVkNS1hMTg2YTJmMjc5ZmMifQ"
    }
  ]
}


  ec_key


In [5]:
recovered_claims = oneid.jwts.verify_jws(msg)
print(json.dumps(recovered_claims, indent=2))

{
  "app": {
    "data": "I am a secure message",
    "name": "Alice"
  },
  "jti": "0022017-02-13T15:22:53ZptdZ40",
  "nbf": 1486995773,
  "exp": 1486999373
}


* * *
_*Note that if you re-run the code above, it will produce an error. This is because the nonce ("jti") was already seen, and oneID will not verify the same message twice, to prevent replay attacks.*_
* * *

### Let's send that same data, encrypted to a peer

In [6]:
peer_key = oneid.service.create_secret_key()  # only the public key is required to encrypt, we're taking a shortcut
peer_key.identity = str(uuid.uuid4())

enc_msg = oneid.jwes.make_jwe({"app": app_claims}, private_key, peer_key, jsonify=False)
print(json.dumps(enc_msg, indent=2))

{
  "ciphertext": "65A36IEAgjcylxGotFFWpidMhM1H8SSd5RmlTWe-E0ND5ijkhVsx9an1JDAb7wBvvxZNlawiJ55Gqt_Vo13BTdDLQVJxcMvB8JoBCaURHA2lntA5WN-JoD-3rlQPc2ewZgPnw8fGefehmnpytwGeew40ZIqf9dLi_BBLlEFVCZvAA7qcRYGQ0RM",
  "unprotected": {
    "jti": "0022017-02-13T15:22:53ZddeOvL",
    "nbf": 1486995773,
    "alg": "ECDH-ES+A256KW",
    "apu": "MWNlNTdhZTItNzgwZi00YjViLTg1ZDUtYTE4NmEyZjI3OWZjMDAyMjAxNy0wMi0xM1QxNToyMjo1M1pkZGVPdkw",
    "enc": "A256GCM",
    "epk": {
      "crv": "P-256",
      "y": "Utf1Vxtkzl7kDj4Fc3sMgpLES4thOMhI5RvXM5o4Iy0",
      "x": "9J-qVvHUuyc3vkk4H6CEJglzXt93FdsDhQDdQrONYtI",
      "kty": "EC"
    },
    "exp": 1486999373
  },
  "iv": "jFlrq2lFVNea_NWPr3LIUQ",
  "recipients": [
    {
      "encrypted_key": "LtNbVN7OW1xDFhYa_mYHXrPotMSMtUwa5H8Hqp2nMxVuJ8h4gqgk1Q",
      "header": {
        "apv": "ZGY4ZDFhZGYtYzg1MS00NThiLTlmZDctMzZhNDUyYzAwMTFhMDAyMjAxNy0wMi0xM1QxNToyMjo1M1pkZGVPdkw",
        "kid": "df8d1adf-c851-458b-9fd7-36a452c0011a"
      }
    }
  ],
  "tag": "jx0JDkK

### Now the peer can decrypt it

In [7]:
dec_msg = oneid.jwes.decrypt_jwe(enc_msg, peer_key)  # private key required to decrypt
print(json.dumps(dec_msg, indent=2))

{
  "app": {
    "data": "I am a secure message",
    "name": "Alice"
  },
  "jti": "0022017-02-13T15:22:53ZddeOvL",
  "nbf": 1486995773,
  "exp": 1486999373
}


### But no one else can, not even the sender

In [8]:
hacked_msg = oneid.jwes.decrypt_jwe(enc_msg, private_key)
print(json.dumps(hacked_msg), indent=2)



InvalidRecipient: 

### "Ah," you say. "That wasn't a cryptographic check, only an ID check!"
Right you are. So let's try hacking the message:

In [9]:
enc_msg['recipients'][0]['header']['kid'] = private_key.identity

hacked_msg = oneid.jwes.decrypt_jwe(enc_msg, private_key)
print(json.dumps(hacked_msg), indent=2)



DecryptionFailed: 

### Try for yourself
* * *
Feel free to play with the code above, and see if you can get further, using only the public part of `peer_key`!
* * *