Sig class¶
- class cryptosyspki.Sig¶
Create and verify digital signatures.
- class Alg¶
Signature algorithm to use.
- DEFAULT = ''¶
Use default signature algorithm (
rsa-sha1
/sha1WithRSAEncryption
)
- ECDSA_SHA1 = 'ecdsaWithSHA1'¶
Use ecdsaWithSHA1 (ecdsa-sha1) signature algorithm
- ECDSA_SHA224 = 'ecdsaWithSHA224'¶
Use ecdsaWithSHA224 (ecdsa-sha224) signature algorithm
- ECDSA_SHA256 = 'ecdsaWithSHA256'¶
Use ecdsaWithSHA256 (ecdsa-sha256) signature algorithm
- ECDSA_SHA384 = 'ecdsaWithSHA384'¶
Use ecdsaWithSHA384 (ecdsa-sha384) signature algorithm
- ECDSA_SHA512 = 'ecdsaWithSHA512'¶
Use ecdsaWithSHA512 (ecdsa-sha512) signature algorithm
- ED25519 = 'Ed25519'¶
Use Ed25519, the Edwards-curve Digital Signature Algorithm (EdDSA) as per [RFC8032]
- ED448 = 'Ed448'¶
Use Ed448, the Edwards-curve Digital Signature Algorithm (EdDSA) as per [RFC8032]
- RSA_MD5 = 'md5WithRSAEncryption'¶
Use md5WithRSAEncryption (rsa-md5) signature algorithm [ legacy applications only]
- RSA_PSS_SHA1 = 'RSA-PSS-SHA1'¶
Use RSA-PSS signature algorithm with SHA-1
- RSA_PSS_SHA224 = 'RSA-PSS-SHA224'¶
Use RSA-PSS signature algorithm with SHA-224
- RSA_PSS_SHA256 = 'RSA-PSS-SHA256'¶
Use RSA-PSS signature algorithm with SHA-256
- RSA_PSS_SHA384 = 'RSA-PSS-SHA384'¶
Use RSA-PSS signature algorithm with SHA-384
- RSA_PSS_SHA512 = 'RSA-PSS-SHA512'¶
Use RSA-PSS signature algorithm with SHA-512
- RSA_SHA1 = 'sha1WithRSAEncryption'¶
Use sha1WithRSAEncryption (rsa-sha1) signature algorithm [default]
- RSA_SHA224 = 'sha224WithRSAEncryption'¶
Use sha224WithRSAEncryption (rsa-sha224) signature algorithm
- RSA_SHA256 = 'sha256WithRSAEncryption'¶
Use sha256WithRSAEncryption (rsa-sha256) signature algorithm [minimum recommended]
- RSA_SHA384 = 'sha384WithRSAEncryption'¶
Use sha384WithRSAEncryption (rsa-sha384) signature algorithm
- RSA_SHA512 = 'sha512WithRSAEncryption'¶
Use sha512WithRSAEncryption (rsa-sha512) signature algorithm
- class Encoding¶
Encodings for signature output.
- BASE64 = 0¶
Base64 encoding (default)
- BASE64URL = 262144¶
URL-safe base64 encoding as in section 5 of [RFC4648]
- DEFAULT = 0¶
Default encoding (base64)
- HEX = 196608¶
Hexadecimal encoding
- class Opts¶
Options for ECDSA and RSA-PSS signatures.
- ASN1DER = 16384¶
Form ECDSA signature value as a DER-encoded ASN.1 structure [default=
r||s
].- Type:
ECDSA only
- DEFAULT = 0¶
Use default options for signature.
- DETERMINISTIC = 8192¶
Use the deterministic digital signature generation procedure of [RFC6979] for ECDSA signature [default=random k]
- Type:
ECDSA only
- MGF1SHA1 = 8388608¶
Force the MGF hash function to be SHA-1 [default = same as signature hash algorithm].
- Type:
RSA-PSS only
- PSS_SALTLEN_20 = 3145728¶
Set the salt length to be exactly 20 bytes regardless of the hash algorithm.
- Type:
RSA-PSS only
- PSS_SALTLEN_HLEN = 0¶
Set the salt length to hLen, the length of the output of the hash function [default].
- Type:
RSA-PSS only
- PSS_SALTLEN_MAX = 2097152¶
Set the salt length to the maximum possible (like OpenSSL).
- Type:
RSA-PSS only
- PSS_SALTLEN_ZERO = 4194304¶
Set the salt length to be zero.
- Type:
RSA-PSS only
- class VerifyOpts¶
Specialist options for verifying a signature.
- DEFAULT = 0¶
Use default options.
- MGF1SHA1 = 8388608¶
Force the MGF hash function to be SHA-1 [default = same as signature hash algorithm].
- Type:
RSA-PSS only
- static data_is_verified(sig, data, certorkey, alg, verifyopts=0)¶
Verify a signature value over data in a byte array.
- Parameters:
sig (str) -- Containing the encoded signature value
data (bytes) -- Containing the input data to be verified
certorkey (str) -- Specifying the X.509 certificate or public key file name (or a string containing the certificate or key in PEM format or base64 representation, or an internal key string).
alg (Sig.Alg) -- Signature algorithm to be used
verifyopts (Sig.VerifyOpts) -- Advanced options for RSA-PSS only.
- Returns:
True if the signature is valid, False if invalid.
- Return type:
bool
- Raises:
PKIError -- If parameters or formats are bad, or if file is missing.
- Remarks:
A signature value is considered valid if it can be decrypted by the public key in
certorkey
and the digest value of the data matches the original digest of the data in the signature. Public keys in X.509 certificates are currently not supported for ECDSA signatures; only public key files or their string representations. Any supported encodings of the signature value are detected automatically.
- static digest_is_verified(sig, digest, certorkey, alg, verifyopts=0)¶
Verify a signature value over a message digest value of data .
- Parameters:
sig (str) -- Containing the encoded signature value
digest (bytes) -- Byte array containing the message digest value of the data to be verified
certorkey (str) -- Specifying the X.509 certificate or public key file name (or a string containing the certificate or key in PEM format or base64 representation, or an internal key string).
alg (Sig.Alg) -- Signature algorithm to be used
verifyopts (Sig.VerifyOpts) -- Advanced options for RSA-PSS only.
- Returns:
True if the signature is valid, False if invalid.
- Return type:
bool
- Raises:
PKIError -- If parameters or formats are bad, or if file is missing.
- static file_is_verified(sig, datafile, certorkey, alg, verifyopts=0)¶
Verify a signature value over data in a file.
- Parameters:
sig (str) -- Containing the encoded signature value
datafile (str) -- Name of file containing data to be verified.
certorkey (str) -- Specifying the X.509 certificate or public key file name (or a string containing the certificate or key in PEM format or base64 representation, or an internal key string).
alg (Sig.Alg) -- Signature algorithm to be used
verifyopts (Sig.VerifyOpts) -- Advanced options for RSA-PSS only.
- Returns:
True if the signature is valid, False if invalid.
- Return type:
bool
- Raises:
PKIError -- If parameters or formats are bad, or if file is missing.
- static sign_data(data, keyfile, password, alg, opts=0, encoding=0)¶
Compute a signature value over data in a byte array.
- Parameters:
data (bytes) -- input data to be signed
keyfile (str) -- Name of private key file (or a string containing the key in PEM format, or an internal private key)
password (str) -- Password for the private key, if encrypted
alg (Sig.Alg) -- Signature algorithm to be used.
opts (Sig.Opts) -- Options for ECDSA signatures.
encoding (Sig.Encoding) -- Optional encodings for output.
- Returns:
The encoded signature value. By default, a continuous string of base64 characters suitable for the
<SignatureValue>
of an XML-DSIG document.- Return type:
str
- static sign_digest(digest, keyfile, password, alg, opts=0, encoding=0)¶
Compute a signature value over a message digest value.
- Parameters:
digest (bytes) -- digest value in a byte array
keyfile (str) -- Name of private key file (or a string containing the key in PEM format, or an internal private key)
password (str) -- Password for the private key, if encrypted
alg (Sig.Alg) -- Signature algorithm to be used.
opts (Sig.Opts) -- Options for ECDSA signatures.
encoding (Sig.Encoding) -- Optional encodings for output.
- Returns:
The encoded signature value.
- Return type:
str
- static sign_file(datafile, keyfile, password, alg, opts=0, encoding=0)¶
Compute a signature value over binary data in a file.
- Parameters:
datafile (str) -- Name of input file containing data to be signed.
keyfile (str) -- Name of private key file (or a string containing the key in PEM format, or an internal private key)
password (str) -- Password for the private key, if encrypted
alg (Sig.Alg) -- Signature algorithm to be used.
opts (Sig.Opts) -- Options for ECDSA signatures.
encoding (Sig.Encoding) -- Optional encodings for output.
- Returns:
The encoded signature value.
- Return type:
str