src/pqc_enclave_sdk/backends/base.py
| 1 | """EnclaveBackend base - platform integration point.""" |
| 2 | |
| 3 | from __future__ import annotations |
| 4 | |
| 5 | from abc import ABC, abstractmethod |
| 6 | |
| 7 | from pqc_enclave_sdk.artifact import EncryptedArtifact |
| 8 | |
| 9 | |
class EnclaveBackend(ABC):
    """Contract that every platform-specific enclave integration implements.

    A concrete backend covers three duties:

    * expose the identity of the device it runs on (``device_id`` and the
      other descriptive attributes below),
    * keep derived session keys inside the enclave and return them by ID,
    * persist and restore ``EncryptedArtifact`` objects through the device's
      secure storage.

    Security requirement: an implementation MUST NEVER write the symmetric
    key in plaintext to the untrusted host filesystem. The key lives only
    inside the enclave.

    NOTE(review): this class only declares abstract methods, so it cannot
    enforce that requirement itself; every backend has to be reviewed
    against it individually.
    """

    # Descriptive metadata. Each field defaults to the empty string here;
    # presumably every backend overrides them - confirm against the
    # concrete implementations.
    name: str = ""
    platform: str = ""
    device_id: str = ""
    device_model: str = ""
    enclave_vendor: str = ""

    @abstractmethod
    def store_session_key(self, key_id: str, key: bytes, expires_at: str) -> None:
        """Place a derived session key under enclave protection.

        Args:
            key_id: Identifier under which the key is stored; presumably the
                same value later given to ``load_session_key`` - confirm.
            key: Raw key bytes. Per the class contract they must not reach
                the untrusted host filesystem in plaintext; implementations
                should also keep them out of logs and exception messages.
            expires_at: Expiry of the key, passed as a string. Its format is
                not defined in this file (presumably a timestamp - confirm),
                and nothing here shows which layer enforces the expiry.
        """

    @abstractmethod
    def load_session_key(self, key_id: str) -> bytes | None:
        """Look up a session key in the enclave by its identifier.

        Args:
            key_id: Identifier of the key to fetch.

        Returns:
            The key bytes, or ``None``. The signature permits ``None``;
            presumably that signals an unknown or expired key - confirm.

        NOTE(review): the result is raw key material handed to the caller as
        ``bytes``, so it exists in caller memory after this call. Callers
        should hold it as briefly as possible and never log it; confirm that
        this matches the intended enclave threat model.
        """

    @abstractmethod
    def save_artifacts(self, artifacts: dict[str, EncryptedArtifact]) -> None:
        """Write encrypted artifacts to device storage.

        Args:
            artifacts: Mapping from a string key to the ``EncryptedArtifact``
                to persist. The meaning of the key is not visible in this
                file (presumably an artifact ID or name - confirm).
        """

    @abstractmethod
    def load_artifacts(self) -> dict[str, EncryptedArtifact]:
        """Read encrypted artifacts back from device storage.

        Returns:
            Mapping from a string key to the stored ``EncryptedArtifact``.

        NOTE(review): whether stored artifacts are integrity-checked on load
        is not visible here; confirm that they are authenticated before
        their contents are trusted.
        """
| 43 | |