google.auth.crypt package

Cryptography helpers for verifying and signing messages.

The simplest way to verify signatures is using verify_signature():

cert = open('certs.pem').read()
valid = crypt.verify_signature(message, signature, cert)

If you’re going to verify many messages with the same certificate, you can use RSAVerifier:

cert = open('certs.pem').read()
verifier = crypt.RSAVerifier.from_string(cert)
valid = verifier.verify(message, signature)

To sign messages use RSASigner with a private key:

private_key = open('private_key.pem').read()
signer = crypt.RSASigner.from_string(private_key)
signature = signer.sign(message)

The code above also works for ES256Signer and ES256Verifier. Note that these two classes are only available if your cryptography dependency version is at least 1.4.0.
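A worked example of the flow above, added here and not part of google-auth: it generates a constructed throwaway RSA key pair with the cryptography package (so the private_key.pem and certs.pem files are not needed) and exercises RSASigner, RSAVerifier and verify_signature(), including the tampered-message, wrong-key and key-rotation cases a relying party has to get right. As the text notes, the same calls apply to ES256Signer and ES256Verifier.

```python
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from google.auth import crypt


def generate_pem_keypair():
    """Constructed throwaway 2048-bit RSA key pair in PEM form, so the example
    runs offline without the private_key.pem / certs.pem files used above."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = private_key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_pem, public_pem


def sign_and_verify_demo():
    """Return the verification outcome for each case a relying party must get right."""
    _old_priv, old_pub = generate_pem_keypair()  # key that has been rotated out
    new_priv, new_pub = generate_pem_keypair()   # currently active signing key
    message = b"constructed payload: token issued for subject 1234"

    # Sign with the active key; key_id lets a relying party pick the matching public key.
    signer = crypt.RSASigner.from_string(new_priv, key_id="key-2")
    signature = signer.sign(message)

    # One RSAVerifier parses the PEM once and can then check many messages.
    verifier = crypt.RSAVerifier.from_string(new_pub)
    return {
        "key_id": signer.key_id,
        "valid": verifier.verify(message, signature),
        # A single changed byte in the message must fail verification.
        "tampered": verifier.verify(message[:-1] + b"5", signature),
        # A signature from the rotated-out key is not accepted by the active key.
        "wrong_key": crypt.RSAVerifier.from_string(old_pub).verify(message, signature),
        # verify_signature() accepts a list and succeeds if any key verifies,
        # which is how a rotation overlap window is handled.
        "rotation_set": crypt.verify_signature(message, signature, [old_pub, new_pub]),
        # A truncated signature is reported as False rather than raising.
        "truncated": verifier.verify(message, signature[:-1]),
    }
```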

class EsSigner(private_key: EllipticCurvePrivateKey, key_id: str | None = None)

Bases: Signer, FromServiceAccountMixin

Signs messages with an ECDSA private key.

Parameters:
  • private_key (cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey) – The private key to sign with.

  • key_id (str) – Optional key ID used to identify this private key. This can be useful to associate the private key with its associated public key or certificate.

property algorithm: str

Name of the algorithm used to sign messages.

Returns:

The algorithm name.

Return type:

str

property key_id: str | None

The key ID used to identify this private key.

Type:

Optional[str]

sign(message: bytes) → bytes

Signs a message.

Parameters:

message (Union[str, bytes]) – The message to be signed.

Returns:

The signature of the message.

Return type:

bytes

classmethod from_string(key: bytes | str, key_id: str | None = None) → EsSigner

Construct an RSASigner from a private key in PEM format.

Parameters:
  • key (Union[bytes, str]) – Private key in PEM format.

  • key_id (str) – An optional key id used to identify the private key.

Returns:

The constructed signer.

Return type:

google.auth.crypt._cryptography_rsa.RSASigner

Raises:
  • ValueError – If key is not bytes or str (unicode).

  • UnicodeDecodeError – If key is bytes but cannot be decoded into a UTF-8 str.

  • ValueError – If cryptography fails with “Could not deserialize key data.”

classmethod from_service_account_file(filename)

Creates a Signer instance from a service account .json file in Google format.

Parameters:

filename (str) – The path to the service account .json file.

Returns:

The constructed signer.

Return type:

google.auth.crypt.Signer

classmethod from_service_account_info(info)

Creates a Signer instance from a dictionary containing service account info in Google format.

Parameters:

info (Mapping[str, str]) – The service account info in Google format.

Returns:

The constructed signer.

Return type:

google.auth.crypt.Signer

Raises:

ValueError – If the info is not in the expected format.

class EsVerifier(public_key: EllipticCurvePublicKey)

Bases: Verifier

Verifies ECDSA cryptographic signatures using public keys.

Parameters:

public_key (cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey) – The public key used to verify signatures.

verify(message: bytes, signature: bytes) → bool

Verifies a message against a cryptographic signature.

Parameters:
Returns:

True if message was signed by the private key associated with the public key that this object was constructed with.

Return type:

bool

classmethod from_string(public_key: str | bytes) → EsVerifier

Construct a Verifier instance from a public key or public certificate string.

Parameters:

public_key (Union[str, bytes]) – The public key in PEM format or the x509 public key certificate.

Returns:

The constructed verifier.

Return type:

google.auth.crypt.Verifier

Raises:

ValueError – If the public key can’t be parsed.

class ES256Signer(private_key: EllipticCurvePrivateKey, key_id: str | None = None)

Bases: EsSigner

Signs messages with an ECDSA private key.

Parameters:
  • private_key (cryptography.hazmat.primitives.asymmetric.ec.ECDSAPrivateKey) – The private key to sign with.

  • key_id (str) – Optional key ID used to identify this private key. This can be useful to associate the private key with its associated public key or certificate.

property algorithm: str

Name of the algorithm used to sign messages.

Returns:

The algorithm name.

Return type:

str

classmethod from_service_account_file(filename)

Creates a Signer instance from a service account .json file in Google format.

Parameters:

filename (str) – The path to the service account .json file.

Returns:

The constructed signer.

Return type:

google.auth.crypt.Signer

classmethod from_service_account_info(info)

Creates a Signer instance from a dictionary containing service account info in Google format.

Parameters:

info (Mapping[str, str]) – The service account info in Google format.

Returns:

The constructed signer.

Return type:

google.auth.crypt.Signer

Raises:

ValueError – If the info is not in the expected format.

classmethod from_string(key: bytes | str, key_id: str | None = None) → EsSigner

Construct an RSASigner from a private key in PEM format.

Parameters:
  • key (Union[bytes, str]) – Private key in PEM format.

  • key_id (str) – An optional key id used to identify the private key.

Returns:

The constructed signer.

Return type:

google.auth.crypt._cryptography_rsa.RSASigner

Raises:
  • ValueError – If key is not bytes or str (unicode).

  • UnicodeDecodeError – If key is bytes but cannot be decoded into a UTF-8 str.

  • ValueError – If cryptography fails with “Could not deserialize key data.”

property key_id: str | None

The key ID used to identify this private key.

Type:

Optional[str]

sign(message: bytes) → bytes

Signs a message.

Parameters:

message (Union[str, bytes]) – The message to be signed.

Returns:

The signature of the message.

Return type:

bytes

class ES256Verifier(public_key: EllipticCurvePublicKey)

Bases: EsVerifier

Verifies ECDSA cryptographic signatures using public keys.

Parameters:

public_key (cryptography.hazmat.primitives.asymmetric.ec.ECDSAPublicKey) – The public key used to verify signatures.

classmethod from_string(public_key: str | bytes) → EsVerifier

Construct a Verifier instance from a public key or public certificate string.

Parameters:

public_key (Union[str, bytes]) – The public key in PEM format or the x509 public key certificate.

Returns:

The constructed verifier.

Return type:

google.auth.crypt.Verifier

Raises:

ValueError – If the public key can’t be parsed.

verify(message: bytes, signature: bytes) → bool

Verifies a message against a cryptographic signature.

Parameters:
Returns:

True if message was signed by the private key associated with the public key that this object was constructed with.

Return type:

bool

class RSASigner(private_key, key_id=None)

Bases: Signer, FromServiceAccountMixin

Signs messages with an RSA private key.

Parameters:
  • private_key (Union[rsa.key.PrivateKey, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey]) – The private key to sign with.

  • key_id (str) – Optional key ID used to identify this private key. This can be useful to associate the private key with its associated public key or certificate.

Raises:
  • ImportError – If called with an rsa.key.PrivateKey when the rsa library is not installed.

  • ValueError – If an unrecognized public key is provided.

property key_id

The key ID used to identify this private key.

Type:

Optional[str]

sign(message)

Signs a message.

Parameters:

message (Union[str, bytes]) – The message to be signed.

Returns:

The signature of the message.

Return type:

bytes

classmethod from_string(key, key_id=None)

Construct a Signer instance from a private key in PEM format.

Parameters:
  • key (str) – Private key in PEM format.

  • key_id (str) – An optional key id used to identify the private key.

Returns:

The constructed signer.

Return type:

google.auth.crypt.Signer

Raises:

ValueError – If the key cannot be parsed as PKCS#1 or PKCS#8 in PEM format.

classmethod from_service_account_file(filename)

Creates a Signer instance from a service account .json file in Google format.

Parameters:

filename (str) – The path to the service account .json file.

Returns:

The constructed signer.

Return type:

google.auth.crypt.Signer

classmethod from_service_account_info(info)

Creates a Signer instance from a dictionary containing service account info in Google format.

Parameters:

info (Mapping[str, str]) – The service account info in Google format.

Returns:

The constructed signer.

Return type:

google.auth.crypt.Signer

Raises:

ValueError – If the info is not in the expected format.

class RSAVerifier(public_key)

Bases: Verifier

Verifies RSA cryptographic signatures using public keys.

Parameters:

public_key (Union[rsa.key.PublicKey, cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey]) – The public key used to verify signatures.

Raises:
  • ImportError – If called with an rsa.key.PublicKey when the rsa library is not installed.

  • ValueError – If an unrecognized public key is provided.

verify(message, signature)

Verifies a message against a cryptographic signature.

Parameters:
Returns:

True if message was signed by the private key associated with the public key that this object was constructed with.

Return type:

bool

classmethod from_string(public_key)

Construct a Verifier instance from a public key or public certificate string.

Parameters:

public_key (Union[str, bytes]) – The public key in PEM format or the x509 public key certificate.

Returns:

The constructed verifier.

Return type:

google.auth.crypt.Verifier

Raises:

ValueError – If the public_key can’t be parsed.

class Signer

Bases: object

Abstract base class for cryptographic signers.

abstract property key_id

The key ID used to identify this private key.

Type:

Optional[str]

abstract sign(message)

Signs a message.

Parameters:

message (Union[str, bytes]) – The message to be signed.

Returns:

The signature of the message.

Return type:

bytes

class Verifier

Bases: object

Abstract base class for cryptographic signature verifiers.

abstract verify(message, signature)

Verifies a message against a cryptographic signature.

Parameters:
Returns:

True if message was signed by the private key associated with the public key that this object was constructed with.

Return type:

bool
