Shortcuts on this page
r m x toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
1# Copyright 2016 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
15"""Cryptography helpers for verifying and signing messages.
17The simplest way to verify signatures is using :func:`verify_signature`::
19 cert = open('certs.pem').read()
20 valid = crypt.verify_signature(message, signature, cert)
22If you're going to verify many messages with the same certificate, you can use
23:class:`RSAVerifier`::
25 cert = open('certs.pem').read()
26 verifier = crypt.RSAVerifier.from_string(cert)
27 valid = verifier.verify(message, signature)
29To sign messages use :class:`RSASigner` with a private key::
31 private_key = open('private_key.pem').read()
32 signer = crypt.RSASigner.from_string(private_key)
33 signature = signer.sign(message)
35The code above also works for :class:`ES256Signer` and :class:`ES256Verifier`.
36Note that these two classes are only available if your `cryptography` dependency
37version is at least 1.4.0.
38"""
40from google.auth.crypt import base
41from google.auth.crypt import rsa
43# google.auth.crypt.es depends on the crytpography module which may not be
44# successfully imported depending on the system.
45try:
46 from google.auth.crypt import es
47 from google.auth.crypt import es256
48except ImportError: # pragma: NO COVER
49 es = None # type: ignore
50 es256 = None # type: ignore
52if es is not None and es256 is not None: # pragma: NO COVER
53 __all__ = [
54 "EsSigner",
55 "EsVerifier",
56 "ES256Signer",
57 "ES256Verifier",
58 "RSASigner",
59 "RSAVerifier",
60 "Signer",
61 "Verifier",
62 ]
64 EsSigner = es.EsSigner
65 EsVerifier = es.EsVerifier
66 ES256Signer = es256.ES256Signer
67 ES256Verifier = es256.ES256Verifier
68else: # pragma: NO COVER
69 __all__ = ["RSASigner", "RSAVerifier", "Signer", "Verifier"]
72# Aliases to maintain the v1.0.0 interface, as the crypt module was split
73# into submodules.
74Signer = base.Signer
75Verifier = base.Verifier
76RSASigner = rsa.RSASigner
77RSAVerifier = rsa.RSAVerifier
80def verify_signature(message, signature, certs, verifier_cls=rsa.RSAVerifier):
81 """Verify an RSA or ECDSA cryptographic signature.
83 Checks that the provided ``signature`` was generated from ``bytes`` using
84 the private key associated with the ``cert``.
86 Args:
87 message (Union[str, bytes]): The plaintext message.
88 signature (Union[str, bytes]): The cryptographic signature to check.
89 certs (Union[Sequence, str, bytes]): The certificate or certificates
90 to use to check the signature.
91 verifier_cls (Optional[~google.auth.crypt.base.Signer]): Which verifier
92 class to use for verification. This can be used to select different
93 algorithms, such as RSA or ECDSA. Default value is :class:`RSAVerifier`.
95 Returns:
96 bool: True if the signature is valid, otherwise False.
97 """
98 if isinstance(certs, (str, bytes)):
99 certs = [certs]
101 for cert in certs:
102 verifier = verifier_cls.from_string(cert)
103 if verifier.verify(message, signature):
104 return True
105 return False