google.auth.crypt package

Cryptography helpers for verifying and signing messages.

The simplest way to verify signatures is using verify_signature():

from google.auth import crypt
# message and signature are the values received from the signer
cert = open('certs.pem').read()
valid = crypt.verify_signature(message, signature, cert)

If you’re going to verify many messages with the same certificate, you can use RSAVerifier:

cert = open('certs.pem').read()
verifier = crypt.RSAVerifier.from_string(cert)
valid = verifier.verify(message, signature)

To sign messages use RSASigner with a private key:

private_key = open('private_key.pem').read()
signer = crypt.RSASigner.from_string(private_key)
signature = signer.sign(message)

The code above also works for ES256Signer and ES256Verifier. Note that these two classes are only available if your cryptography dependency version is at least 1.4.0.
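The calls above in one round trip, as an added example that is not part of the google-auth documentation. It generates throwaway RSA key pairs with the cryptography package (constructed sample keys; make_pem_pair, demo and the key ID "key-2" are hypothetical names), then shows what verify() returns for a tampered message or the wrong key, and that verify_signature() accepts a list of keys, which is how a verifier copes with key rotation.

```python
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from google.auth import crypt


def make_pem_pair():
    """Generate a throwaway RSA key pair as PEM bytes (constructed sample)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    public_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_pem, public_pem


def demo():
    """Sign with the current key, then verify under several conditions."""
    _old_priv, old_pub = make_pem_pair()   # retired key, still trusted
    new_priv, new_pub = make_pem_pair()    # key currently used for signing

    # key_id is a hypothetical label tying the private key to its public key.
    signer = crypt.RSASigner.from_string(new_priv, key_id="key-2")
    message = b"constructed sample payload"
    signature = signer.sign(message)

    verifier = crypt.RSAVerifier.from_string(new_pub)
    wrong_verifier = crypt.RSAVerifier.from_string(old_pub)
    return {
        "key_id": signer.key_id,
        "valid": verifier.verify(message, signature),
        # Any change to the signed bytes invalidates the signature.
        "tampered": verifier.verify(message + b"!", signature),
        # A signature does not verify under an unrelated public key.
        "wrong_key": wrong_verifier.verify(message, signature),
        # verify_signature() succeeds if any key in the list verifies.
        "rotation_set": crypt.verify_signature(message, signature, [old_pub, new_pub]),
        "stale_set": crypt.verify_signature(message, signature, [old_pub]),
    }


if __name__ == "__main__":
    print(demo())
```

Because verify() and verify_signature() report failure by returning False rather than raising, the caller must branch on the result.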

class Signer

Bases: object

Abstract base class for cryptographic signers.

abstract property key_id

The key ID used to identify this private key.

Type

Optional[str]

abstract sign(message)

Signs a message.

Parameters

message (Union[str, bytes]) – The message to be signed.

Returns

The signature of the message.

Return type

bytes

class Verifier

Bases: object

Abstract base class for cryptographic signature verifiers.

abstract verify(message, signature)

Verifies a message against a cryptographic signature.

Parameters
  • message (Union[str, bytes]) – The message to verify.

  • signature (Union[str, bytes]) – The cryptographic signature to check.

Returns

True if message was signed by the private key associated with the public key that this object was constructed with.

Return type

bool

class RSASigner(private_key, key_id=None)

Bases: google.auth.crypt.base.Signer, google.auth.crypt.base.FromServiceAccountMixin

Signs messages with an RSA private key.

Parameters
  • private_key (cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey) – The private key to sign with.

  • key_id (str) – Optional key ID used to identify this private key. This can be useful to associate the private key with its associated public key or certificate.

property key_id

The key ID used to identify this private key.

Type

Optional[str]

sign(message)

Signs a message.

Parameters

message (Union[str, bytes]) – The message to be signed.

Returns

The signature of the message.

Return type

bytes

classmethod from_string(key, key_id=None)

Construct an RSASigner from a private key in PEM format.

Parameters
  • key (Union[bytes, str]) – Private key in PEM format.

  • key_id (str) – An optional key id used to identify the private key.

Returns

The constructed signer.

Return type

google.auth.crypt._cryptography_rsa.RSASigner

Raises
  • ValueError – If key is not bytes or str (unicode).

  • UnicodeDecodeError – If key is bytes but cannot be decoded into a UTF-8 str.

  • ValueError – If cryptography cannot parse the key (“Could not deserialize key data.”).

classmethod from_service_account_file(filename)

Creates a Signer instance from a service account .json file in Google format.

Parameters

filename (str) – The path to the service account .json file.

Returns

The constructed signer.

Return type

google.auth.crypt.Signer

classmethod from_service_account_info(info)

Creates a Signer instance from a dictionary containing service account info in Google format.

Parameters

info (Mapping[str, str]) – The service account info in Google format.

Returns

The constructed signer.

Return type

google.auth.crypt.Signer

Raises

ValueError – If the info is not in the expected format.

class RSAVerifier(public_key)

Bases: google.auth.crypt.base.Verifier

Verifies RSA cryptographic signatures using public keys.

Parameters

public_key (cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey) – The public key used to verify signatures.

verify(message, signature)

Verifies a message against a cryptographic signature.

Parameters
  • message (Union[str, bytes]) – The message to verify.

  • signature (Union[str, bytes]) – The cryptographic signature to check.

Returns

True if message was signed by the private key associated with the public key that this object was constructed with.

Return type

bool

classmethod from_string(public_key)

Construct a Verifier instance from a public key or public certificate string.

Parameters

public_key (Union[str, bytes]) – The public key in PEM format or the x509 public key certificate.

Returns

The constructed verifier.

Return type

Verifier

Raises

ValueError – If the public key can’t be parsed.

class ES256Signer(private_key, key_id=None)

Bases: google.auth.crypt.base.Signer, google.auth.crypt.base.FromServiceAccountMixin

Signs messages with an ECDSA private key.

Parameters
  • private_key (cryptography.hazmat.primitives.asymmetric.ec.ECDSAPrivateKey) – The private key to sign with.

  • key_id (str) – Optional key ID used to identify this private key. This can be useful to associate the private key with its associated public key or certificate.

property key_id

The key ID used to identify this private key.

Type

Optional[str]

sign(message)

Signs a message.

Parameters

message (Union[str, bytes]) – The message to be signed.

Returns

The signature of the message.

Return type

bytes

classmethod from_string(key, key_id=None)

Construct an RSASigner from a private key in PEM format.

Parameters
  • key (Union[bytes, str]) – Private key in PEM format.

  • key_id (str) – An optional key id used to identify the private key.

Returns

The constructed signer.

Return type

google.auth.crypt._cryptography_rsa.RSASigner

Raises
  • ValueError – If key is not bytes or str (unicode).

  • UnicodeDecodeError – If key is bytes but cannot be decoded into a UTF-8 str.

  • ValueError – If cryptography cannot parse the key (“Could not deserialize key data.”).

classmethod from_service_account_file(filename)

Creates a Signer instance from a service account .json file in Google format.

Parameters

filename (str) – The path to the service account .json file.

Returns

The constructed signer.

Return type

google.auth.crypt.Signer

classmethod from_service_account_info(info)

Creates a Signer instance from a dictionary containing service account info in Google format.

Parameters

info (Mapping[str, str]) – The service account info in Google format.

Returns

The constructed signer.

Return type

google.auth.crypt.Signer

Raises

ValueError – If the info is not in the expected format.

class ES256Verifier(public_key)

Bases: google.auth.crypt.base.Verifier

Verifies ECDSA cryptographic signatures using public keys.

Parameters

public_key (cryptography.hazmat.primitives.asymmetric.ec.ECDSAPublicKey) – The public key used to verify signatures.

verify(message, signature)

Verifies a message against a cryptographic signature.

Parameters
  • message (Union[str, bytes]) – The message to verify.

  • signature (Union[str, bytes]) – The cryptographic signature to check.

Returns

True if message was signed by the private key associated with the public key that this object was constructed with.

Return type

bool

classmethod from_string(public_key)

Construct a Verifier instance from a public key or public certificate string.

Parameters

public_key (Union[str, bytes]) – The public key in PEM format or the x509 public key certificate.

Returns

The constructed verifier.

Return type

Verifier

Raises

ValueError – If the public key can’t be parsed.