web-push-libs
diff --git a/‎.github/workflows/python.yml‎
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/python.yml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎python/.coveragerc‎
Lines changed: 0 additions & 2 deletions b/‎python/.coveragerc‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎python/http_ece/__init__.py‎
Lines changed: 3 additions & 3 deletions b/‎python/http_ece/__init__.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎python/http_ece/tests/test_ece.py‎
Lines changed: 25 additions & 42 deletions b/‎python/http_ece/tests/test_ece.py‎
Lines changed: 25 additions & 42 deletions
diff --git a/‎python/pyproject.toml‎
Lines changed: 70 additions & 0 deletions b/‎python/pyproject.toml‎
Lines changed: 70 additions & 0 deletions
diff --git a/‎python/pytest.ini‎
Lines changed: 0 additions & 4 deletions b/‎python/pytest.ini‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎python/requirements.txt‎
Lines changed: 0 additions & 1 deletion b/‎python/requirements.txt‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎python/setup.cfg‎
Lines changed: 0 additions & 2 deletions b/‎python/setup.cfg‎
Lines changed: 0 additions & 2 deletions
@@ -40,11 +40,13 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install black tox tox-gh
-          cd python && pip install -r requirements.txt
+          cd python && pip install .[dev]
       - name: Run tests
         run: cd python && tox
         env:
           TOX_GH_MAJOR_MINOR: ${{ matrix.python-version }}
+      - uses: astral-sh/ruff-action@v3
+        with:
+          src: "./python"
       - name: Check formatting
         run: cd python && black --check .
@@ -5,10 +5,10 @@
 from cryptography.exceptions import InvalidTag
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.kdf.hkdf import HKDF
+from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
-from cryptography.hazmat.primitives.asymmetric import ec
 
 MAX_RECORD_SIZE = pow(2, 31) - 1
 MIN_RECORD_SIZE = 3
@@ -304,7 +304,7 @@ def unpad(data, last):
                 result += unpad_legacy(data)
             counter += 1
     except InvalidTag as ex:
-        raise ECEException("Decryption error: {}".format(repr(ex)))
+        raise ECEException(f"Decryption error: {ex!r}")
     return result
 
 
 
@@ -3,17 +3,17 @@
 import os
 import struct
 import unittest
+from pathlib import Path
+
+import pytest
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
 
-from pytest import raises
-
 import http_ece as ece
 from http_ece import ECEException
 
-
-TEST_VECTORS = os.path.join(os.sep, "..", "encrypt_data.json")[1:]
+TEST_VECTORS = Path(__file__).parent.parent / "encrypt_data.json"
 
 
 def logmsg(arg):
@@ -59,7 +59,7 @@ def setUp(self):
         self.m_salt = os.urandom(16)
 
     def test_derive_key_invalid_mode(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="unknown 'mode' specified: invalid"):
             ece.derive_key(
                 "invalid",
                 version="aes128gcm",
@@ -70,10 +70,9 @@ def test_derive_key_invalid_mode(self):
                 auth_secret=None,
                 keyid="valid",
             )
-        assert ex.value.message == "unknown 'mode' specified: invalid"
 
     def test_derive_key_invalid_salt(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="'salt' must be a 16 octet value"):
             ece.derive_key(
                 "encrypt",
                 version="aes128gcm",
@@ -84,10 +83,9 @@ def test_derive_key_invalid_salt(self):
                 auth_secret=None,
                 keyid="valid",
             )
-        assert ex.value.message == "'salt' must be a 16 octet value"
 
     def test_derive_key_invalid_version(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="Invalid version"):
             ece.derive_key(
                 "encrypt",
                 version="invalid",
@@ -98,10 +96,9 @@ def test_derive_key_invalid_version(self):
                 auth_secret=None,
                 keyid="valid",
             )
-        assert ex.value.message == "Invalid version"
 
     def test_derive_key_no_private_key(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="DH requires a private_key"):
             ece.derive_key(
                 "encrypt",
                 version="aes128gcm",
@@ -112,10 +109,9 @@ def test_derive_key_no_private_key(self):
                 auth_secret=None,
                 keyid="valid",
             )
-        assert ex.value.message == "DH requires a private_key"
 
     def test_derive_key_no_secret(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="unable to determine the secret"):
             ece.derive_key(
                 "encrypt",
                 version="aes128gcm",
@@ -126,12 +122,10 @@ def test_derive_key_no_secret(self):
                 auth_secret=None,
                 keyid="valid",
             )
-        assert ex.value.message == "unable to determine the secret"
 
     def test_iv_bad_counter(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="Counter too big"):
             ece.iv(os.urandom(8), pow(2, 64) + 1)
-        assert ex.value.message == "Counter too big"
 
 
 class TestEceChecking(unittest.TestCase):
@@ -144,76 +138,69 @@ def setUp(self):
         self.m_header += struct.pack("!L", 32) + b"\0"
 
     def test_encrypt_small_rs(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="Record size too small"):
             ece.encrypt(
                 self.m_input,
                 version="aes128gcm",
                 key=self.m_key,
                 rs=1,
             )
-        assert ex.value.message == "Record size too small"
 
     def test_decrypt_small_rs(self):
         header = os.urandom(16) + struct.pack("!L", 2) + b"\0"
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="Record size too small"):
             ece.decrypt(
                 header + self.m_input,
                 version="aes128gcm",
                 key=self.m_key,
                 rs=1,
             )
-        assert ex.value.message == "Record size too small"
 
     def test_encrypt_bad_version(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="Invalid version"):
             ece.encrypt(
                 self.m_input,
                 version="bogus",
                 key=self.m_key,
             )
-        assert ex.value.message == "Invalid version"
 
     def test_decrypt_bad_version(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="Invalid version"):
             ece.decrypt(
                 self.m_input,
                 version="bogus",
                 key=self.m_key,
             )
-        assert ex.value.message == "Invalid version"
 
     def test_decrypt_bad_header(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="Could not parse the content header"):
             ece.decrypt(
                 os.urandom(4),
                 version="aes128gcm",
                 key=self.m_key,
             )
-        assert ex.value.message == "Could not parse the content header"
 
     def test_encrypt_long_keyid(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="keyid is too long"):
             ece.encrypt(
                 self.m_input,
                 version="aes128gcm",
                 key=self.m_key,
                 keyid=b64e(os.urandom(192)),  # 256 bytes
             )
-        assert ex.value.message == "keyid is too long"
 
     def test_overlong_padding(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="all zero record plaintext"):
             ece.decrypt(
                 self.m_header + b"\xbb\xc7\xb9ev\x0b\xf0f+\x93\xf4"
                 b"\xe5\xd6\x94\xb7e\xf0\xcd\x15\x9b(\x01\xa5",
                 version="aes128gcm",
                 key=b"d\xc7\x0ed\xa7%U\x14Q\xf2\x08\xdf\xba\xa0\xb9r",
                 keyid=b64e(os.urandom(192)),  # 256 bytes
             )
-        assert ex.value.message == "all zero record plaintext"
 
     def test_bad_early_delimiter(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="record delimiter != 1"):
             ece.decrypt(
                 self.m_header + b"\xb9\xc7\xb9ev\x0b\xf0\x9eB\xb1\x08C8u"
                 b"\xa3\x06\xc9x\x06\n\xfc|}\xe9R\x85\x91"
@@ -224,29 +211,26 @@ def test_bad_early_delimiter(self):
                 key=b"d\xc7\x0ed\xa7%U\x14Q\xf2\x08\xdf\xba\xa0\xb9r",
                 keyid=b64e(os.urandom(192)),  # 256 bytes
             )
-        assert ex.value.message == "record delimiter != 1"
 
     def test_bad_final_delimiter(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="last record delimiter != 2"):
             ece.decrypt(
                 self.m_header + b"\xba\xc7\xb9ev\x0b\xf0\x9eB\xb1\x08Ji"
                 b"\xe4P\x1b\x8dI\xdb\xc6y#MG\xc2W\x16",
                 version="aes128gcm",
                 key=b"d\xc7\x0ed\xa7%U\x14Q\xf2\x08\xdf\xba\xa0\xb9r",
                 keyid=b64e(os.urandom(192)),  # 256 bytes
             )
-        assert ex.value.message == "last record delimiter != 2"
 
     def test_damage(self):
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match=r"Decryption error: InvalidTag()"):
             ece.decrypt(
                 self.m_header + b"\xbb\xc6\xb1\x1dF:~\x0f\x07+\xbe\xaaD"
                 b"\xe0\xd6.K\xe5\xf9]%\xe3\x86q\xe0}",
                 version="aes128gcm",
                 key=b"d\xc7\x0ed\xa7%U\x14Q\xf2\x08\xdf\xba\xa0\xb9r",
                 keyid=b64e(os.urandom(192)),  # 256 bytes
             )
-        assert ex.value.message == "Decryption error: InvalidTag()"
 
 
 class TestEceIntegration(unittest.TestCase):
@@ -350,9 +334,8 @@ def detect_truncation(self, version):
             chunk = encrypted[0 : 21 + rs]
         else:
             chunk = encrypted[0 : rs + 16]
-        with raises(ECEException) as ex:
+        with pytest.raises(ECEException, match="Message truncated"):
             ece.decrypt(chunk, salt=salt, key=key, rs=rs, version=version)
-        assert ex.value.message == "Message truncated"
 
     def use_dh(self, version):
         def pubbytes(k):
@@ -427,9 +410,9 @@ class TestNode(unittest.TestCase):
     """Testing using data from the node.js version."""
 
     def setUp(self):
-        if not os.path.exists(TEST_VECTORS):
-            self.skipTest("No %s file found" % TEST_VECTORS)
-        f = open(TEST_VECTORS, "r")
+        if not Path(TEST_VECTORS).exists():
+            self.skipTest(f"No {TEST_VECTORS} file found")
+        f = Path(TEST_VECTORS).open()
         self.legacy_data = json.loads(f.read())
         f.close()
 
@@ -446,7 +429,7 @@ def _run(self, mode):
             outp = "input"
 
         for data in self.legacy_data:
-            logmsg("%s: %s" % (mode, data["test"]))
+            logmsg("{}: {}".format(mode, data["test"]))
             p = data["params"][mode]
 
             if "pad" in p and mode == "encrypt":
 
@@ -0,0 +1,70 @@
+[build-system]
+requires = ["setuptools >= 77.0.3"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "http_ece"
+version = "1.2.1"
+license = "MIT"
+authors = [
+    { name = "Martin Thomson", email = "martin.thomson@gmail.com" }
+]
+keywords = ["crypto http"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
+]
+description = "Encrypted Content Encoding for HTTP"
+readme = { file = "README.rst", content-type = "text/x-rst" }
+requires-python = ">=3.10"
+dependencies = [
+    "cryptography>=45.0.1"
+]
+
+[project.optional-dependencies]
+dev = [
+    "black==25.12.0",
+    "pytest",
+    "pytest-cov",
+    "ruff==0.14.10",
+    "tox",
+    "tox-gh",
+]
+
+[project.urls]
+Repository = "https://github.com/web-push-libs/encrypted-content-encoding"
+
+[tool.distutils.bdist_wheel]
+universal = 1
+
+[tool.coverage.report]
+show_missing = true
+
+[tool.pytest.ini_options]
+addopts = "--verbose --cov=http_ece"
+log_format = "%(asctime)s,%(msecs)03d %(name)s: %(levelname)s: %(message)s"
+log_file_date_format = "%H:%M:%S"
+
+[tool.ruff]
+lint.select = [
+    "A",
+    "F",
+    "FURB",
+    "I",
+    "PERF",
+    "PT",
+    "PTH",
+    "RUF",
+    "S",
+    "UP",
+]
+[tool.ruff.lint.extend-per-file-ignores]
+"**/tests/**" = [
+    "A001",
+    "A002",
+    "S101",
+]