google.auth.crypt package
Cryptography helpers for verifying and signing messages.
The simplest way to verify signatures is using verify_signature():

    from google.auth import crypt

    cert = open('certs.pem').read()
    valid = crypt.verify_signature(message, signature, cert)

If you’re going to verify many messages with the same certificate, you can use RSAVerifier:

    cert = open('certs.pem').read()
    verifier = crypt.RSAVerifier.from_string(cert)
    valid = verifier.verify(message, signature)

To sign messages use RSASigner with a private key:

    private_key = open('private_key.pem').read()
    signer = crypt.RSASigner.from_string(private_key)
    signature = signer.sign(message)

The code above also works for ES256Signer and ES256Verifier. Note that these two classes are only available if your cryptography dependency version is at least 1.4.0.
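
The signing and verification calls above, combined into one round trip for both RSA and ES256, as an added example that is not part of the google-auth documentation. It assumes recent google-auth and cryptography releases are installed; the keys are generated in memory, and the helper names, MESSAGE and the key_id value are hypothetical.

```python
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from google.auth import crypt

MESSAGE = b"constructed sample message"  # constructed test input


def to_pem_pair(private_key):
    """Serialize a cryptography private key to (private PEM, public PEM)."""
    private_pem = private_key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_pem, public_pem


def check_roundtrip(signer_cls, verifier_cls, make_key):
    """Sign MESSAGE, then verify the genuine, tampered and wrong-key cases."""
    private_pem, public_pem = to_pem_pair(make_key())
    _, other_public_pem = to_pem_pair(make_key())  # unrelated key pair

    signer = signer_cls.from_string(private_pem, key_id="example-key")  # arbitrary label
    signature = signer.sign(MESSAGE)

    verifier = verifier_cls.from_string(public_pem)
    wrong_verifier = verifier_cls.from_string(other_public_pem)
    return {
        "genuine": verifier.verify(MESSAGE, signature),
        "tampered": verifier.verify(MESSAGE + b"!", signature),
        "wrong_key": wrong_verifier.verify(MESSAGE, signature),
    }


def new_rsa_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def new_p256_key():
    return ec.generate_private_key(ec.SECP256R1())


if __name__ == "__main__":
    print("RSA:  ", check_roundtrip(crypt.RSASigner, crypt.RSAVerifier, new_rsa_key))
    print("ES256:", check_roundtrip(crypt.ES256Signer, crypt.ES256Verifier, new_p256_key))
```

verify() reports a tampered message or a mismatched key by returning False rather than raising, so callers must check the return value.
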

class Verifier
Bases: object
Abstract base class for cryptographic signature verifiers.

class RSASigner(private_key, key_id=None)
Bases: google.auth.crypt.base.Signer, google.auth.crypt.base.FromServiceAccountMixin
Signs messages with an RSA private key.
Parameters:
- private_key (cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey) – The private key to sign with.
- key_id (str) – Optional key ID used to identify this private key. This can be useful to associate the private key with its associated public key or certificate.

sign(message)
Signs a message.
Parameters: message (Union[str, bytes]) – The message to be signed.
Returns: The signature of the message.
Return type: bytes

classmethod from_string(key, key_id=None)
Construct an RSASigner from a private key in PEM format.
Parameters:
Returns: The constructed signer.
Return type: google.auth.crypt._cryptography_rsa.RSASigner
Raises:
- ValueError – If key is not bytes or str (unicode).
- UnicodeDecodeError – If key is bytes but cannot be decoded into a UTF-8 str.
- ValueError – If cryptography “Could not deserialize key data.”

classmethod from_service_account_file(filename)
Creates a Signer instance from a service account .json file in Google format.
Parameters: filename (str) – The path to the service account .json file.
Returns: The constructed signer.
Return type: google.auth.crypt.Signer

classmethod from_service_account_info(info)
Creates a Signer instance from a dictionary containing service account info in Google format.
Parameters: info (Mapping[str, str]) – The service account info in Google format.
Returns: The constructed signer.
Return type: google.auth.crypt.Signer
Raises: ValueError – If the info is not in the expected format.

class RSAVerifier(public_key)
Bases: google.auth.crypt.base.Verifier
Verifies RSA cryptographic signatures using public keys.
Parameters: public_key (cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey) – The public key used to verify signatures.

verify(message, signature)
Verifies a message against a cryptographic signature.
Parameters:
Returns: True if message was signed by the private key associated with the public key that this object was constructed with.
Return type:

classmethod from_string(public_key)
Construct a Verifier instance from a public key or public certificate string.
Parameters: public_key (Union[str, bytes]) – The public key in PEM format or the x509 public key certificate.
Returns: The constructed verifier.
Return type: Verifier
Raises: ValueError – If the public key can’t be parsed.

class ES256Signer(private_key, key_id=None)
Bases: google.auth.crypt.base.Signer, google.auth.crypt.base.FromServiceAccountMixin
Signs messages with an ECDSA private key.
Parameters:
- private_key (cryptography.hazmat.primitives.asymmetric.ec.ECDSAPrivateKey) – The private key to sign with.
- key_id (str) – Optional key ID used to identify this private key. This can be useful to associate the private key with its associated public key or certificate.

sign(message)
Signs a message.
Parameters: message (Union[str, bytes]) – The message to be signed.
Returns: The signature of the message.
Return type: bytes

classmethod from_string(key, key_id=None)
Construct an RSASigner from a private key in PEM format.
Parameters:
Returns: The constructed signer.
Return type: google.auth.crypt._cryptography_rsa.RSASigner
Raises:
- ValueError – If key is not bytes or str (unicode).
- UnicodeDecodeError – If key is bytes but cannot be decoded into a UTF-8 str.
- ValueError – If cryptography “Could not deserialize key data.”

classmethod from_service_account_file(filename)
Creates a Signer instance from a service account .json file in Google format.
Parameters: filename (str) – The path to the service account .json file.
Returns: The constructed signer.
Return type: google.auth.crypt.Signer

classmethod from_service_account_info(info)
Creates a Signer instance from a dictionary containing service account info in Google format.
Parameters: info (Mapping[str, str]) – The service account info in Google format.
Returns: The constructed signer.
Return type: google.auth.crypt.Signer
Raises: ValueError – If the info is not in the expected format.

class ES256Verifier(public_key)
Bases: google.auth.crypt.base.Verifier
Verifies ECDSA cryptographic signatures using public keys.
Parameters: public_key (cryptography.hazmat.primitives.asymmetric.ec.ECDSAPublicKey) – The public key used to verify signatures.

verify(message, signature)
Verifies a message against a cryptographic signature.
Parameters:
Returns: True if message was signed by the private key associated with the public key that this object was constructed with.
Return type:

classmethod from_string(public_key)
Construct a Verifier instance from a public key or public certificate string.
Parameters: public_key (Union[str, bytes]) – The public key in PEM format or the x509 public key certificate.
Returns: The constructed verifier.
Return type: Verifier
Raises: ValueError – If the public key can’t be parsed.