google.auth.crypt package¶

Cryptography helpers for verifying and signing messages.

The simplest way to verify signatures is usingverify_signature():

cert=open('certs.pem').read()valid=crypt.verify_signature(message,signature,cert)

If you’re going to verify many messages with the same certificate, you can useRSAVerifier:

cert=open('certs.pem').read()verifier=crypt.RSAVerifier.from_string(cert)valid=verifier.verify(message,signature)

To sign messages useRSASigner with a private key:

private_key=open('private_key.pem').read()signer=crypt.RSASigner.from_string(private_key)signature=signer.sign(message)

The code above also works forES256Signer andES256Verifier.Note that these two classes are only available if yourcryptography dependencyversion is at least 1.4.0.

classRSASigner(private_key,key_id=None)[source]¶

Bases:Signer,FromServiceAccountMixin

Signs messages with an RSA private key.

Parameters:

private_key (rsa.key.PrivateKey) – The private key to sign with.
key_id (str) – Optional key ID used to identify this private key. Thiscan be useful to associate the private key with its associatedpublic key or certificate.

propertykey_id¶

The key ID used to identify this private key.

Type:: Optionalstr

sign(message)[source]¶

Signs a message.

Parameters:: message (Unionstr,bytes) – The message to be signed.
Returns:: The signature of the message.
Return type:: bytes

classmethodfrom_string(key,key_id=None)[source]¶

Construct an Signer instance from a private key in PEM format.

Parameters:

key (str) – Private key in PEM format.
key_id (str) – An optional key id used to identify the private key.

Returns:

The constructed signer.

Return type:

google.auth.crypt.Signer

Raises:

ValueError – If the key cannot be parsed as PKCS#1 or PKCS#8 in PEM format.

classmethodfrom_service_account_file(filename)¶

Creates a Signer instance from a service account .json filein Google format.

Parameters:: filename (str) – The path to the service account .json file.
Returns:: The constructed signer.
Return type:: google.auth.crypt.Signer

classmethodfrom_service_account_info(info)¶

Creates a Signer instance instance from a dictionary containingservice account info in Google format.

Parameters:: info (Mappingstr,str) – The service account info in Googleformat.
Returns:: The constructed signer.
Return type:: google.auth.crypt.Signer
Raises:: ValueError – If the info is not in the expected format.

classRSAVerifier(public_key)[source]¶

Bases:Verifier

Verifies RSA cryptographic signatures using public keys.

Parameters:: public_key (rsa.key.PublicKey) – The public key used to verifysignatures.

verify(message,signature)[source]¶

Verifies a message against a cryptographic signature.

Parameters:

message (Unionstr,bytes) – The message to verify.
signature (Unionstr,bytes) – The cryptography signature to check.

Returns:

True if message was signed by the private key associatedwith the public key that this object was constructed with.

Return type:

bool

classmethodfrom_string(public_key)[source]¶

Construct an Verifier instance from a public key or publiccertificate string.

Parameters:: public_key (Unionstr,bytes) – The public key in PEM format or thex509 public key certificate.
Returns:: The constructed verifier.
Return type:: google.auth.crypt._python_rsa.RSAVerifier
Raises:: ValueError – If the public_key can’t be parsed.