import os
from base64 import urlsafe_b64encode, urlsafe_b64decode

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

# Step 1: Generate Master Key Pair
def generate_master_key_pair():
    """Create a fresh RSA master key pair.

    The key is 2048 bits with public exponent 65537.

    Returns:
        A ``(private_key, public_key)`` tuple.
    """
    private_half = rsa.generate_private_key(
        backend=default_backend(),
        key_size=2048,
        public_exponent=65537,
    )
    return private_half, private_half.public_key()

# Step 2: Generate User Key Pair
def generate_user_key_pair():
    """Create a fresh RSA key pair for a user.

    The key is 2048 bits with public exponent 65537.

    Returns:
        A ``(private_key, public_key)`` tuple.
    """
    private_half = rsa.generate_private_key(
        backend=default_backend(),
        key_size=2048,
        public_exponent=65537,
    )
    return private_half, private_half.public_key()

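# Step 3: Wrap the User's Private Key so only the Master Private Key can recover it
_WRAP_NONCE_LEN = 12  # AES-GCM nonce size in bytes
_WRAP_TAG_LEN = 16    # AES-GCM authentication tag size in bytes


def _wrap_padding():
    """Return the RSA-OAEP (SHA-256 / MGF1-SHA-256) padding used for key wrapping."""
    return padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )


def encrypt_user_private_key(user_private_key, master_private_key):
    """Wrap the user's private key for the holder of the master private key.

    This replaces a call to ``master_private_key.private_encrypt(...)``, which
    could not work for three reasons:

    * ``cryptography`` RSA private keys have no ``private_encrypt`` method.
    * "Encrypting" with a private key gives no confidentiality, because anyone
      holding the public key can reverse it.
    * A PEM-encoded private key is far larger than one RSA block can carry.

    The key is now wrapped with hybrid encryption. A random AES-256-GCM key
    encrypts the PEM bytes, and that AES key is encrypted with RSA-OAEP under
    the master *public* key.

    Args:
        user_private_key: RSA private key to protect.
        master_private_key: Master RSA key. Only its public half is used, so
            an RSA public key is accepted as well.

    Returns:
        bytes: ``RSA-OAEP(aes_key) || nonce (12 bytes) || AES-GCM ciphertext+tag``.
    """
    # Wrapping is a public-key operation; the private half is never needed here.
    if isinstance(master_private_key, rsa.RSAPrivateKey):
        wrapping_key = master_private_key.public_key()
    else:
        wrapping_key = master_private_key

    # Serialize the user private key (unencrypted PEM; it is sealed just below)
    user_private_key_bytes = user_private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption()
    )

    # Fresh data key and nonce per call; AES-GCM provides confidentiality and integrity.
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(_WRAP_NONCE_LEN)
    sealed = AESGCM(data_key).encrypt(nonce, user_private_key_bytes, None)

    wrapped_data_key = wrapping_key.encrypt(data_key, _wrap_padding())
    return wrapped_data_key + nonce + sealed


# Step 4: Unwrap the User's Private Key using the Master Private Key
def decrypt_user_private_key(encrypted_private_key, master_public_key):
    """Recover the user's private key from a blob made by ``encrypt_user_private_key``.

    Args:
        encrypted_private_key: The wrapped blob
            (``RSA-OAEP(aes_key) || nonce || AES-GCM ciphertext+tag``).
        master_public_key: Must be the master RSA *private* key. The parameter
            keeps its historical name for call compatibility, but a public key
            cannot decrypt anything. Rename it in a follow-up.

    Returns:
        The user's RSA private key object.

    Raises:
        TypeError: If the supplied key is not an RSA private key.
        ValueError: If the blob is too short, or RSA-OAEP decryption fails.
        cryptography.exceptions.InvalidTag: If the AES-GCM ciphertext was
            modified or the wrong master key was used.
    """
    if not isinstance(master_public_key, rsa.RSAPrivateKey):
        raise TypeError(
            "unwrapping requires the master RSA private key; "
            "a public key cannot decrypt"
        )
    master_private_key = master_public_key

    # The RSA ciphertext is exactly one modulus long.
    wrapped_len = (master_private_key.key_size + 7) // 8
    if len(encrypted_private_key) < wrapped_len + _WRAP_NONCE_LEN + _WRAP_TAG_LEN:
        raise ValueError("encrypted_private_key is too short to be a wrapped key")

    wrapped_data_key = encrypted_private_key[:wrapped_len]
    nonce = encrypted_private_key[wrapped_len:wrapped_len + _WRAP_NONCE_LEN]
    sealed = encrypted_private_key[wrapped_len + _WRAP_NONCE_LEN:]

    data_key = master_private_key.decrypt(wrapped_data_key, _wrap_padding())
    # AES-GCM checks the tag before releasing any plaintext.
    decrypted_private_key_bytes = AESGCM(data_key).decrypt(nonce, sealed, None)

    # Load the decrypted private key
    user_private_key = serialization.load_pem_private_key(
        decrypted_private_key_bytes,
        password=None,
        backend=default_backend()
    )
    return user_private_key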

# Step 5: Sign a Message using the Decrypted User's Private Key
def sign_message(user_private_key, message):
    """Sign *message* with RSASSA-PSS.

    Uses SHA-256 for both the message digest and MGF1, with the maximum
    salt length the key allows.

    Args:
        user_private_key: RSA private key used to sign.
        message: Bytes to sign.

    Returns:
        The signature bytes.
    """
    pss_padding = padding.PSS(
        salt_length=padding.PSS.MAX_LENGTH,
        mgf=padding.MGF1(hashes.SHA256()),
    )
    return user_private_key.sign(message, pss_padding, hashes.SHA256())

# Step 6: Verify the Signature using the User's Public Key
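def verify_signature(user_public_key, message, signature):
    """Check an RSASSA-PSS (SHA-256) signature over *message*.

    Args:
        user_public_key: RSA public key of the claimed signer.
        message: Bytes that were signed.
        signature: Signature bytes to check.

    Returns:
        True if the signature is valid for *message*, False if it is not.

    Only ``InvalidSignature`` is turned into False. Any other exception, such
    as a wrong argument type, propagates instead of being reported as a bad
    signature, so caller bugs are not hidden behind a "No".
    """
    pss_padding = padding.PSS(
        mgf=padding.MGF1(hashes.SHA256()),
        salt_length=padding.PSS.MAX_LENGTH
    )
    try:
        user_public_key.verify(signature, message, pss_padding, hashes.SHA256())
    except InvalidSignature:
        return False
    return True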

# Demo
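if __name__ == "__main__":
    # Generate Master Key Pair
    master_private_key, master_public_key = generate_master_key_pair()

    # Generate User Key Pair
    user_private_key, user_public_key = generate_user_key_pair()

    # Wrap the User's Private Key for the master key holder
    encrypted_private_key = encrypt_user_private_key(user_private_key, master_private_key)

    # Unwrapping is a private-key operation: only the holder of the master
    # private key can recover the user's key. A public key cannot decrypt.
    decrypted_user_private_key = decrypt_user_private_key(encrypted_private_key, master_private_key)

    # Message to be signed
    message = b"Hello, this is a secure message!"

    # Sign the Message using the recovered User's Private Key
    signature = sign_message(decrypted_user_private_key, message)
    print(f"Signature: {signature.hex()}")

    # Verify the Signature using the User's Public Key
    is_valid = verify_signature(user_public_key, message, signature)
    print(f"Is the signature valid? {'Yes' if is_valid else 'No'}")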
