KeyManager¶
-
class
privex.helpers.crypto.KeyManager.
KeyManager
(key: Union[str, bytes, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey], password: Union[str, bytes] = None)[source]¶ Asymmetric key handling class - Generate, save, and load asymmetric keys, with signatures + encryption made easy.
A wrapper around
cryptography.hazmat.primitives.asymmetric
to make generation, saving, loading, AND usage of asymmetric keys easy.Basic Usage
Using
output_keypair()
- you can generate a key pair, and output it at the same time:>>> priv, pub = KeyManager.output_keypair('id_rsa', 'id_rsa.pub') >>> pub b'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbzCL+Dn8B9jS404mETt8fb6+TJek1afFthSBi2qZ0iL8dbv/Go0ig...'
If you don’t want to output the key pair to a file, you can also just generate one and have the private/public keys purely returned as bytes:
>>> priv, pub = KeyManager.generate_keypair(alg='ed25519') >>> priv b'-----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VwB.....T2YxW/Xkz3PkMHrrYBvI0LbUPky -----END PRIVATE KEY-----' >>> pub b'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICJ9OK6v2UGfCgWxzGdPlCQIps+lffLTWwuMLPdqfco6'
Loading a key for signature/encryption operations
You can load a private or public key directly from the string/bytes returned by
generate_keypair()
like so:>>> km = KeyManager(priv)
Alternatively, you can load a key straight from disk using
load_keyfile()
- which will automatically detect the asymmetric algorithm, encoding/output format, and key type (public/private) and return aKeyManager
instance:>>> km = KeyManager.load_keyfile('id_rsa.pub')
Automatic public key generation
If you load a private key, then the constructor will automatically generate the matching public key for you, so that you can use all signature/encryption methods available for your key algorithm.
If you load a public key, then you will only be able to use methods which are available to public keys, such as
verify()
andencrypt()
- you will NOT be able to usesign()
ordecrypt()
Manually accessing the public/private key class instances
If you need to access the raw cryptography PublicKey/PrivateKey instances, you can access them via the two attributes
public_key
andprivate_key
after creating a KeyManager instance:>>> km.public_key <cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f953848c438> >>> km.private_key <cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey object at 0x7f95381c1ef0>
Signing, verification, and en/decryption
Once you have a
KeyManager
instance, you can now use the signing, verification, and en/decryption methods using the loaded key.Most key algorithms support signing and verification, which can be done using
sign()
andverify()
respectively.Sensible values for things like padding/hash algorithms are set by default, so you can simply call
sign()
with just a message, andverify()
with just the signature + message:>>> sig = km.sign('hello world') >>> km.verify(signature=sig, message='hello world') # Raises InvalidSignature if it was invalid True
With RSA keys, you can also
encrypt()
using the public key, anddecrypt()
using the private key:>>> msg = km.encrypt('my secret message') >>> km.decrypt(msg) b'my secret message'
-
__init__
(key: Union[str, bytes, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey], password: Union[str, bytes] = None)[source] Create an instance of
KeyManager
using the public/private key datakey
If you want to load the key from a file instead of passing it’s data / key class instance, then you should use
load_keyfile()
instead to create the class instance.You do NOT need to initialize this class if you’re simply using the class methods / static methods such as
generate_keypair()
orload_key()
- only to use the normal instance methods which require a loaded public/private key, such assign()
- Parameters
key – The public/private key data, as either a string, bytes, or one of the various private key class instances or public key class instances (see
public_key_types
andprivate_key_types
)password (str|bytes) – If your key data is encrypted, pass the password in this argument to decrypt it.
Methods
__init__
(key[, password])Create an instance of
KeyManager
using the public/private key datakey
decrypt
(message[, pad, hashing])Decrypt a message using the loaded
private_key
- returns the decrypted message as bytes.encrypt
(message[, pad, hashing])Encrypt a message using the loaded
public_key
- returns the ciphertext as base64 encoded bytes.export_key
(key, **kwargs)Export/serialize a given public/private key object as bytes.
export_private
(**kwargs)Serialize the cryptography private key instance loaded into
KeyManager
into storable bytes.export_public
(**kwargs)Serialize the cryptography public key instance loaded into
KeyManager
into storable bytes.generate_keypair
([alg])Generate a key pair, returning private + public key as serialized bytes based on
default_formats
and the kwargformat
if it’s present.generate_keypair_raw
([alg])Generate a key pair, returning private + public key instances from the cryptography module.
identify_algorithm
(key)Identifies a cryptography public/private key instance, such as
RSAPrivateKey
and returns the algorithm name that can be used with other KeyManager methods, e.g.load_key
(data[, password])Load a private/public key from a string or bytes
data
containing the key in some format, such as PEM or OpenSSH.load_keyfile
(filename[, password])Returns an instance of
KeyManager
using a public/private key loaded from disk, instead of from string/bytes key data.output_keypair
(priv, pub, *args, **kwargs)Similar to
generate_keypair()
- except this also writes the private key and public key to the file locations and/or byte streams specified in the first two arguments (priv
andpub
)sign
(message[, pad, hashing])Generate a signature for a given message using the loaded
private_key
.verify
(signature, message[, pad, hashing])Verify a signature against a given message using an asymmetric public key.
-
class
Format
(private_format, private_encoding, public_format='ssh', public_encoding='ssh')¶ A class alias, allowing for access to the Format class via a class attribute
-
classmethod
get_format
(fmtype, key) → Union[cryptography.hazmat.primitives.serialization.base.Encoding, cryptography.hazmat.primitives.serialization.base.PublicFormat, cryptography.hazmat.primitives.serialization.base.PrivateFormat]¶
-
classmethod
-
combined_key_types
= typing.Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey]¶ A Union which just combines
private_key_types
andpublic_key_types
into one type.
-
curves
= {'brainpoolP256r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1'>, 'brainpoolP384r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1'>, 'brainpoolP512r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1'>, 'prime192v1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP192R1'>, 'prime256v1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP256R1'>, 'secp192r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP192R1'>, 'secp224r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP224R1'>, 'secp256k1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP256K1'>, 'secp256r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP256R1'>, 'secp384r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP384R1'>, 'secp521r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECP521R1'>, 'sect163k1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT163K1'>, 'sect163r2': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT163R2'>, 'sect233k1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT233K1'>, 'sect233r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT233R1'>, 'sect283k1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT283K1'>, 'sect283r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT283R1'>, 'sect409k1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT409K1'>, 'sect409r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT409R1'>, 'sect571k1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT571K1'>, 'sect571r1': <class 'cryptography.hazmat.primitives.asymmetric.ec.SECT571R1'>}¶ An alias for Cryptography’s map of string curve names (e.g.
secp521r1
) to their respective classes
-
decrypt
(message: Union[str, bytes], pad=None, hashing: cryptography.hazmat.primitives.hashes.HashAlgorithm = <cryptography.hazmat.primitives.hashes.SHA256 object>) → bytes[source]¶ Decrypt a message using the loaded
private_key
- returns the decrypted message as bytes.NOTE: Only works for RSA private keys
- Parameters
message (str|bytes) – The ciphertext to decrypt, as base64 or raw bytes
pad – (RSA only) An instance of a cryptography padding class, e.g.
padding.PSS
hashing (HashAlgorithm) – (ECDSA/RSA) Use this hashing method for padding/signatures
- Return bytes decoded
The decrypted version of
message
as bytes
-
default_formats
= {'ecdsa': {'private_encoding': 'pem', 'private_format': 'pkcs8'}, 'ed25519': {'private_encoding': 'pem', 'private_format': 'pkcs8'}, 'rsa': {'private_encoding': 'pem', 'private_format': 'pkcs8'}}¶ Default
Format
formatting options for serialising each key algorithm
-
default_gen
= {'ecdsa': {'backend': <cryptography.hazmat.backends.openssl.backend.Backend object>, 'curve': <cryptography.hazmat.primitives.asymmetric.ec.SECP384R1 object>}, 'ed25519': {}, 'rsa': {'backend': <cryptography.hazmat.backends.openssl.backend.Backend object>, 'key_size': 2048, 'public_exponent': 65537}}¶ A map of key algorithms to their generator’s default kwargs
-
encrypt
(message: Union[str, bytes], pad=None, hashing: cryptography.hazmat.primitives.hashes.HashAlgorithm = <cryptography.hazmat.primitives.hashes.SHA256 object>) → bytes[source]¶ Encrypt a message using the loaded
public_key
- returns the ciphertext as base64 encoded bytes.NOTE: Only works for RSA public keys
- Parameters
message (str|bytes) – The message to encrypt, e.g.
hello world
pad – (RSA only) An instance of a cryptography padding class, e.g.
padding.PSS
hashing (HashAlgorithm) – (ECDSA/RSA) Use this hashing method for padding/signatures
- Return bytes ciphertext
The encrypted version of
message
- encoded with Base64 for easy storage/transport
-
classmethod
export_key
(key: Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey], **kwargs) → bytes[source]¶ Export/serialize a given public/private key object as bytes.
Uses the default formatting arguments for the detected algorithm from
identify_algorithm()
, but you can also force it to treat it as a certain algorithm by passingalg
Uses default formatting options by looking up the algorithm in
default_formats
Uses the private key serialization arguments for the detected algorithm out of
generators
Example:
>>> priv, pub = KeyManager.generate_keypair_raw('ed25519') >>> key = KeyManager.export_key(pub) >>> print(key.decode()) -----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VwBCIEIOeLS2XOcQz11VUnzh6KIZaNtT10YfzHv779zjm95XSy -----END PRIVATE KEY-----
- Parameters
alg (str) – An algorithm name as a string, e.g.
rsa
ored25519
key (combined_key_types) – An instance of a public/private key type listed in
combined_key_types
format (Format) – Override some or all of the default format/encoding for the keys. Dict Keys: private_format,public_format,private_encoding,public_encoding
format – If passed a
Format
instance, then this instance will be used for serialization instead of merging defaults fromdefault_formats
alg – Use this algorithm name e.g.
'rsa'
instead of detecting usingidentify_algorithm()
- Return bytes key
The serialized key.
-
export_private
(**kwargs) → bytes[source]¶ Serialize the cryptography private key instance loaded into
KeyManager
into storable bytes.This method requires that you’ve instantiated KeyManager with the private key. It will raise a
EncryptionError
exception if theprivate_key
instance attribute is empty.Example:
>>> km = KeyManager.load_keyfile('id_ed25519') >>> print(km.export_private().decode()) -----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VwBCIEIOeLS2XOcQz11VUnzh6KIZaNtT10YfzHv779zjm95XSy -----END PRIVATE KEY-----
- Parameters
format (Format) – Override some or all of the default format/encoding for the keys. Dict Keys: private_format,public_format,private_encoding,public_encoding
format – If passed a
Format
instance, then this instance will be used for serialization instead of merging defaults fromdefault_formats
- Return bytes key
The serialized key.
-
export_public
(**kwargs) → bytes[source]¶ Serialize the cryptography public key instance loaded into
KeyManager
into storable bytes.This method works whether you’ve instantiated KeyManager with the public key directly, or the private key, as the public key is automatically interpolated from the private key by
__init__()
Example:
>>> km = KeyManager.load_keyfile('id_ed25519.pub') >>> km.export_public() b'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6vtKgeNSBERSY1xmr47Ve3uyRALxPR+qOeFeUHrUaf'
- Parameters
format (Format) – Override some or all of the default format/encoding for the keys. Dict Keys: private_format,public_format,private_encoding,public_encoding
format – If passed a
Format
instance, then this instance will be used for serialization instead of merging defaults fromdefault_formats
- Return bytes key
The serialized key.
-
classmethod
generate_keypair
(alg='rsa', **kwargs) → Tuple[bytes, bytes][source]¶ Generate a key pair, returning private + public key as serialized bytes based on
default_formats
and the kwargformat
if it’s present.By default, private keys are generally returned in PKCS8 format with PEM encoding, while public keys are OpenSSH format and OpenSSH encoding.
Example:
>>> priv, pub = KeyManager.generate_keypair(alg='rsa', key_size=2048) >>> priv b'-----BEGIN PRIVATE KEY-----\nMIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjkl ...Pw6eZGFwBEYY\n-----END PRIVATE KEY-----\n' >>> priv, pub = KeyManager.generate_keypair(alg='ecdsa', curve=ec.SECP521R1) >>> pub b'ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1...dJCxguBQnb1hL6aDH4fHCjpy6A=='
To override the formatting/encoding:
>>> priv, pub = KeyManager.generate_keypair( ... alg='ecdsa', format=dict(private_format='openssl', private_encoding='der') ... ) >>> priv b'0\x81\xa4\x02\x01\x01\x040u\x1e\x8cI\xcd\xfa\xc8\x97\x83\xf8\xed\x1f\xe5\xbd...'
- Parameters
alg (str) – The algorithm to generate a key for, e.g.
'rsa'
kwargs – All kwargs are forwarded to the matching generator in
generators
key_size (int) – (for rsa and similar algorithms) Number of bits for the RSA key. Minimum of 512 bits.
format (dict) – Override some or all of the default format/encoding for the keys. Dict Keys: private_format,public_format,private_encoding,public_encoding
- Returns
-
classmethod
generate_keypair_raw
(alg='rsa', **kwargs) → Tuple[Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey], Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey]][source]¶ Generate a key pair, returning private + public key instances from the cryptography module.
Example:
>>> priv, pub = KeyManager.generate_keypair_raw(alg='rsa', key_size=1024) >>> priv.private_bytes(encoding=Encoding.PEM, format=PrivateFormat.PKCS8) b'-----BEGIN PRIVATE KEY-----\nMIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjkl ...Pw6eZGFwBEYY\n-----END PRIVATE KEY-----\n' >>> priv, pub = KeyManager.generate_keypair_raw(alg='ecdsa', curve=ec.SECP521R1) >>> pub.public_bytes(encoding=Encoding.OpenSSH, format=PublicFormat.OpenSSH) b'ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1...dJCxguBQnb1hL6aDH4fHCjpy6A=='
- Parameters
alg (str) – The algorithm to generate a key for, e.g.
'rsa'
kwargs – All kwargs are forwarded to the matching generator in
generators
- Return tuple keys
A tuple containing a private key instance, and public key instance
-
generators
= {'ecdsa': (<function generate_private_key>, {'encryption_algorithm': <cryptography.hazmat.primitives.serialization.base.NoEncryption object>}), 'ed25519': (<bound method Ed25519PrivateKey.generate of <class 'cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey'>>, {'encryption_algorithm': <cryptography.hazmat.primitives.serialization.base.NoEncryption object>}), 'rsa': (<function generate_private_key>, {'encryption_algorithm': <cryptography.hazmat.primitives.serialization.base.NoEncryption object>})}¶ Maps each key algorithm to a tuple containing the algorithm’s generation function, and any extra kwargs needed for generating a private key
-
classmethod
identify_algorithm
(key: Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey]) → str[source]¶ Identifies a cryptography public/private key instance, such as
RSAPrivateKey
and returns the algorithm name that can be used with other KeyManager methods, e.g.'rsa'
or'ed25519'
Example:
>>> priv, pub = KeyManager.generate_keypair_raw(alg='ecdsa', curve=ec.SECP521R1) >>> KeyManager.identify_algorithm(priv) 'ecdsa' >>> priv, pub = KeyManager.generate_keypair_raw() >>> KeyManager.identify_algorithm(priv) 'rsa' >>> KeyManager.identify_algorithm(pub) 'rsa'
- Parameters
key (combined_key_types) – A cryptography public/private key instance
- Return str algorithm
The name of the algorithm used by this key
-
classmethod
load_key
(data: Union[str, bytes], password: bytes = None) → Tuple[Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey], str][source]¶ Load a private/public key from a string or bytes
data
containing the key in some format, such as PEM or OpenSSH. Useload_keyfile()
to load a key from a file + auto-instantiate KeyManager with it.Example:
>>> key = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3v6guHpI/j7AIl3F/EWMSReX8fH8MOSq1bC3ZuEjjC' >>> KeyManager.load_key(key) (<cryptography.hazmat.backends.openssl.ed25519._Ed25519PublicKey object at 0x7fa118289ba8>, 'public')
- Parameters
data (str|bytes) – The public/private key data, as a string or bytes
password (str|bytes) – If your key data is encrypted, pass the password in this argument to decrypt it.
- Raises
InvalidFormat – When the key could not be identified, is not supported, or is corrupted
- Return tuple key_data
A tuple containing an instance of the key, and a string
public
orprivate
Example:(<_Ed25519PublicKey object>, 'public')
-
classmethod
load_keyfile
(filename: Union[str, bytes], password: Union[str, bytes] = None)[source]¶ Returns an instance of
KeyManager
using a public/private key loaded from disk, instead of from string/bytes key data.Example:
>>> km = KeyManager.load_keyfile('id_rsa') >>> d = km.encrypt('hello world') >>> km.decrypt(d) b'hello world'
- Parameters
filename (str|bytes) – The file location where the key is stored
password (str|bytes) – If the key is encrypted, specify the password to decrypt it
- Raises
InvalidFormat – When the key could not be identified, is not supported, or is corrupted
FileNotFoundError – The given
filename
couldn’t be found.
- Return KeyManager cls
An instance of
KeyManager
(or child class) initialised with the key
-
classmethod
output_keypair
(priv: Union[str, _io.BufferedWriter], pub: Union[str, _io.TextIOWrapper], *args, **kwargs) → Tuple[bytes, bytes][source]¶ Similar to
generate_keypair()
- except this also writes the private key and public key to the file locations and/or byte streams specified in the first two arguments (priv
andpub
)Example
Generate a 4096-bit RSA key pair, and output the private key to the file
id_rsa
, and the public key toid_rsa.pub
.The generated keypair is also returned as a tuple pair (bytes) containing the private and public key:
>>> priv, pub = KeyManager.output_keypair('id_rsa', 'id_rsa.pub', alg='rsa', key_size=4096)
- Parameters
priv (str|BufferedWriter) – File location to save private key, or writable byte stream
pub (str|BufferedWriter) – File location to save public key, or writable byte stream
args – All additional args are forwarded to
generate_keypair()
kwargs – All kwargs are forwarded to
generate_keypair()
-
private_key
: Optional[Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey]]¶ When the class is initialised, this instance attribute holds a cryptography private key class instance, or None if we don’t have a private key available.
-
private_key_types
= typing.Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey]¶ The cryptography library doesn’t have a standard parent type for private keys, so we need a Union to hold the various private key types for return types, type/instance comparison etc.
-
public_key
: Optional[Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey]]¶ When the class is initialised, this instance attribute holds a cryptography public key class instance, or None if we don’t have a public key available.
-
public_key_types
= typing.Union[cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey, cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey, cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey]¶ Same as
private_key_types
but for public key types.
-
raw_priv_types
= (<class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization'>, <class 'cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey'>)¶ This extracts the actual class types from the Union[] for isinstance() checks
-
raw_pub_types
= (<class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey'>, <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey'>, <class 'cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey'>)¶ This extracts the actual class types from the Union[] for isinstance() checks
-
sign
(message: Union[str, bytes], pad=None, hashing: cryptography.hazmat.primitives.hashes.HashAlgorithm = <cryptography.hazmat.primitives.hashes.SHA256 object>) → bytes[source]¶ Generate a signature for a given message using the loaded
private_key
. The signature is Base64 encoded to allow for easy storage and transmission of the signature, and can later be verified byverify()
usingpublic_key
>>> km = KeyManager.load_keyfile('id_rsa') >>> sig = km.sign('hello world') # Sign 'hello world' using the id_rsa private key >>> try: ... km.verify(sig, 'hello world') # Verify it using the public key (automatically generated) ... print('Signature is valid') >>> except cryptography.exceptions.InvalidSignature: ... print('Signature IS NOT VALID!')
Alternatively, you can manually run
base64.urlsafe_b64decode()
to decode the signature back into raw bytes, then you can verify it using theverify
method of acryptography
public key instance, such asEd25519PublicKey
orRSAPublicKey
- Parameters
message (str|bytes) – The message to verify, e.g.
hello world
pad – (RSA only) An instance of a cryptography padding class, e.g.
padding.PSS
hashing (HashAlgorithm) – (ECDSA/RSA) Use this hashing method for padding/signatures
- Raises
cryptography.exceptions.InvalidSignature – When the signature does not match the message
- Return bytes sig
A base64 urlsafe encoded signature
-
type_name_map
= {<class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey'>: 'rsa', <class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey'>: 'rsa', <class 'cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization'>: 'rsa', <class 'cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey'>: 'ed25519', <class 'cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey'>: 'ed25519', <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey'>: 'ecdsa', <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey'>: 'ecdsa', <class 'cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization'>: 'ecdsa'}¶ Maps public/private key types to their associated algorithm name for type/instance identification
-
verify
(signature: Union[str, bytes], message: Union[str, bytes], pad=None, hashing: cryptography.hazmat.primitives.hashes.HashAlgorithm = <cryptography.hazmat.primitives.hashes.SHA256 object>) → bool[source]¶ Verify a signature against a given message using an asymmetric public key.
>>> km = KeyManager.load_keyfile('id_rsa') >>> sig = km.sign('hello world') # Sign 'hello world' using the id_rsa private key >>> try: ... km.verify(sig, 'hello world') # Verify it using the public key (automatically generated) ... print('Signature is valid') >>> except cryptography.exceptions.InvalidSignature: ... print('Signature IS NOT VALID!')
- Parameters
signature (str|bytes) – The binary, or base64 urlsafe encoded signature to check
message
againstmessage (str|bytes) – The message to verify, e.g.
hello world
pad – (RSA only) An instance of a cryptography padding class, e.g.
padding.PSS
hashing (HashAlgorithm) – (ECDSA/RSA) Use this hashing method for padding/signatures
- Raises
cryptography.exceptions.InvalidSignature – When the signature does not match the message
- Return bool is_valid
True
if signature is valid, otherwise raises InvalidSignature.
-
Attributes¶
Attributes
A Union which just combines
private_key_types
andpublic_key_types
into one type.An alias for Cryptography’s map of string curve names (e.g.
Default
Format
formatting options for serialising each key algorithmA map of key algorithms to their generator’s default kwargs
Maps each key algorithm to a tuple containing the algorithm’s generation function, and any extra kwargs needed for generating a private key
The cryptography library doesn’t have a standard parent type for private keys, so we need a Union to hold the various private key types for return types, type/instance comparison etc.
Same as
private_key_types
but for public key types.This extracts the actual class types from the Union[] for isinstance() checks
This extracts the actual class types from the Union[] for isinstance() checks
Maps public/private key types to their associated algorithm name for type/instance identification