google.auth.crypt package

Cryptography helpers for verifying and signing messages.

The simplest way to verify signatures is using verify_signature():

cert = open('certs.pem').read()
valid = crypt.verify_signature(message, signature, cert)

If you’re going to verify many messages with the same certificate, you can use RSAVerifier:

cert = open('certs.pem').read()
verifier = crypt.RSAVerifier.from_string(cert)
valid = verifier.verify(message, signature)

To sign messages use RSASigner with a private key:

private_key = open('private_key.pem').read()
signer = crypt.RSASigner.from_string(private_key)
signature = signer.sign(message)

The code above also works for ES256Signer and ES256Verifier. Note that these two classes are only available if your cryptography dependency version is at least 1.4.0.

class Signer[source]

Bases: object

Abstract base class for cryptographic signers.

key_id

The key ID used to identify this private key.

Type:Optional [ str ]
sign(message)[source]

Signs a message.

Parameters:message (Union [ str, bytes ]) – The message to be signed.
Returns:The signature of the message.
Return type:bytes
class Verifier[source]

Bases: object

Abstract base class for crytographic signature verifiers.

verify(message, signature)[source]

Verifies a message against a cryptographic signature.

Parameters:
  • message (Union [ str, bytes ]) – The message to verify.
  • signature (Union [ str, bytes ]) – The cryptography signature to check.
Returns:

True if message was signed by the private key associated with the public key that this object was constructed with.

Return type:

bool

class RSASigner(private_key, key_id=None)[source]

Bases: google.auth.crypt.base.Signer, google.auth.crypt.base.FromServiceAccountMixin

Signs messages with an RSA private key.

Parameters:
  • ( (private_key) – cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey): The private key to sign with.
  • key_id (str) – Optional key ID used to identify this private key. This can be useful to associate the private key with its associated public key or certificate.
key_id

The key ID used to identify this private key.

Type:Optional [ str ]
sign(message)[source]

Signs a message.

Parameters:message (Union [ str, bytes ]) – The message to be signed.
Returns:The signature of the message.
Return type:bytes
classmethod from_string(key, key_id=None)[source]

Construct a RSASigner from a private key in PEM format.

Parameters:
  • key (Union [ bytes, str ]) – Private key in PEM format.
  • key_id (str) – An optional key id used to identify the private key.
Returns:

The constructed signer.

Return type:

google.auth.crypt._cryptography_rsa.RSASigner

Raises:
  • ValueError – If key is not bytes or str (unicode).
  • UnicodeDecodeError – If key is bytes but cannot be decoded into a UTF-8 str.
  • ValueError – If cryptography “Could not deserialize key data.”
classmethod from_service_account_file(filename)

Creates a Signer instance from a service account .json file in Google format.

Parameters:filename (str) – The path to the service account .json file.
Returns:The constructed signer.
Return type:google.auth.crypt.Signer
classmethod from_service_account_info(info)

Creates a Signer instance instance from a dictionary containing service account info in Google format.

Parameters:info (Mapping [ str, str ]) – The service account info in Google format.
Returns:The constructed signer.
Return type:google.auth.crypt.Signer
Raises:ValueError – If the info is not in the expected format.
class RSAVerifier(public_key)[source]

Bases: google.auth.crypt.base.Verifier

Verifies RSA cryptographic signatures using public keys.

Parameters:( (public_key) – cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey): The public key used to verify signatures.
verify(message, signature)[source]

Verifies a message against a cryptographic signature.

Parameters:
  • message (Union [ str, bytes ]) – The message to verify.
  • signature (Union [ str, bytes ]) – The cryptography signature to check.
Returns:

True if message was signed by the private key associated with the public key that this object was constructed with.

Return type:

bool

classmethod from_string(public_key)[source]

Construct an Verifier instance from a public key or public certificate string.

Parameters:public_key (Union [ str, bytes ]) – The public key in PEM format or the x509 public key certificate.
Returns:The constructed verifier.
Return type:Verifier
Raises:ValueError – If the public key can’t be parsed.
class ES256Signer(private_key, key_id=None)[source]

Bases: google.auth.crypt.base.Signer, google.auth.crypt.base.FromServiceAccountMixin

Signs messages with an ECDSA private key.

Parameters:
  • ( (private_key) – cryptography.hazmat.primitives.asymmetric.ec.ECDSAPrivateKey): The private key to sign with.
  • key_id (str) – Optional key ID used to identify this private key. This can be useful to associate the private key with its associated public key or certificate.
key_id

The key ID used to identify this private key.

Type:Optional [ str ]
sign(message)[source]

Signs a message.

Parameters:message (Union [ str, bytes ]) – The message to be signed.
Returns:The signature of the message.
Return type:bytes
classmethod from_string(key, key_id=None)[source]

Construct a RSASigner from a private key in PEM format.

Parameters:
  • key (Union [ bytes, str ]) – Private key in PEM format.
  • key_id (str) – An optional key id used to identify the private key.
Returns:

The constructed signer.

Return type:

google.auth.crypt._cryptography_rsa.RSASigner

Raises:
  • ValueError – If key is not bytes or str (unicode).
  • UnicodeDecodeError – If key is bytes but cannot be decoded into a UTF-8 str.
  • ValueError – If cryptography “Could not deserialize key data.”
classmethod from_service_account_file(filename)

Creates a Signer instance from a service account .json file in Google format.

Parameters:filename (str) – The path to the service account .json file.
Returns:The constructed signer.
Return type:google.auth.crypt.Signer
classmethod from_service_account_info(info)

Creates a Signer instance instance from a dictionary containing service account info in Google format.

Parameters:info (Mapping [ str, str ]) – The service account info in Google format.
Returns:The constructed signer.
Return type:google.auth.crypt.Signer
Raises:ValueError – If the info is not in the expected format.
class ES256Verifier(public_key)[source]

Bases: google.auth.crypt.base.Verifier

Verifies ECDSA cryptographic signatures using public keys.

Parameters:( (public_key) – cryptography.hazmat.primitives.asymmetric.ec.ECDSAPublicKey): The public key used to verify signatures.
verify(message, signature)[source]

Verifies a message against a cryptographic signature.

Parameters:
  • message (Union [ str, bytes ]) – The message to verify.
  • signature (Union [ str, bytes ]) – The cryptography signature to check.
Returns:

True if message was signed by the private key associated with the public key that this object was constructed with.

Return type:

bool

classmethod from_string(public_key)[source]

Construct an Verifier instance from a public key or public certificate string.

Parameters:public_key (Union [ str, bytes ]) – The public key in PEM format or the x509 public key certificate.
Returns:The constructed verifier.
Return type:Verifier
Raises:ValueError – If the public key can’t be parsed.