continue fixing NanoTDF support

b-long · b-long · commit 32ac14785b54 · 2025-11-07T06:36:04.000-05:00
diff --git a/src/otdf_python/header.py b/src/otdf_python/header.py
@@ -107,6 +107,16 @@ def set_policy_info(self, policy_info: PolicyInfo):
     def get_policy_info(self) -> PolicyInfo | None:
         return self.policy_info
 
+    def set_policy_binding(self, policy_binding: bytes):
+        if len(policy_binding) != 8:
+            raise ValueError(
+                f"Policy binding must be exactly 8 bytes (GMAC), got {len(policy_binding)}"
+            )
+        self.policy_binding = policy_binding
+
+    def get_policy_binding(self) -> bytes | None:
+        return self.policy_binding
+
     def set_ephemeral_key(self, ephemeral_key: bytes):
         if self.ecc_mode is not None:
             expected_size = ECCMode.get_ec_compressed_pubkey_size(
@@ -148,8 +158,12 @@ def write_into_buffer(self, buffer: bytearray) -> int:
         offset += n
         # Policy binding (GMAC - 8 bytes)
         if self.policy_binding:
-            buffer[offset : offset + len(self.policy_binding)] = self.policy_binding
-            offset += len(self.policy_binding)
+            if len(self.policy_binding) != 8:
+                raise ValueError(
+                    f"Policy binding must be exactly 8 bytes (GMAC), got {len(self.policy_binding)}"
+                )
+            buffer[offset : offset + 8] = self.policy_binding
+            offset += 8
         else:
             # Write zeros if no binding provided
             buffer[offset : offset + 8] = b"\x00" * 8
diff --git a/src/otdf_python/nanotdf.py b/src/otdf_python/nanotdf.py
@@ -9,7 +9,7 @@
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 
-from otdf_python.asym_crypto import AsymDecryption, AsymEncryption
+from otdf_python.asym_crypto import AsymDecryption
 from otdf_python.collection_store import CollectionStore, NoOpCollectionStore
 from otdf_python.config import KASInfo, NanoTDFConfig
 from otdf_python.constants import MAGIC_NUMBER_AND_VERSION
@@ -435,25 +435,13 @@ def create_nano_tdf(
         (
             derived_key,
             ephemeral_public_key_compressed,
-            kas_public_key,
+            kas_public_key,  # noqa: RUF059
         ) = self._derive_key_with_ecdh(config)
 
-        # Determine if we're using RSA wrapping or ECDH
-        use_rsa_wrapping = False
-
-        if kas_public_key and not ephemeral_public_key_compressed:
-            # We have a KAS key but no ephemeral key - this means RSA mode
-            use_rsa_wrapping = True
-
-        # If ECDH or RSA worked, use the derived key; otherwise use/generate symmetric key
+        # Use ECDH-derived key if available; otherwise use/generate symmetric key
         # Fallback to symmetric key (for testing or when KAS is not available)
         key = derived_key or self._prepare_encryption_key(config)
 
-        # If using RSA wrapping, wrap the symmetric key
-        if use_rsa_wrapping and kas_public_key:
-            asym_enc = AsymEncryption(kas_public_key)
-            asym_enc.encrypt(key)
-
         # Create header with ephemeral public key (if ECDH was used)
         header_bytes = self._create_header(
             policy_body, policy_type, config, ephemeral_public_key_compressed
