Sig class

class cryptosyspki.Sig

Create and verify digital signatures.

class Alg

Signature algorithm to use.

DEFAULT = ''

Use default signature algorithm (rsa-sha1/sha1WithRSAEncryption)

ECDSA_SHA1 = 'ecdsaWithSHA1'

Use ecdsaWithSHA1 (ecdsa-sha1) signature algorithm

ECDSA_SHA224 = 'ecdsaWithSHA224'

Use ecdsaWithSHA224 (ecdsa-sha224) signature algorithm

ECDSA_SHA256 = 'ecdsaWithSHA256'

Use ecdsaWithSHA256 (ecdsa-sha256) signature algorithm

ECDSA_SHA384 = 'ecdsaWithSHA384'

Use ecdsaWithSHA384 (ecdsa-sha384) signature algorithm

ECDSA_SHA512 = 'ecdsaWithSHA512'

Use ecdsaWithSHA512 (ecdsa-sha512) signature algorithm

ED25519 = 'Ed25519'

Use Ed25519, the Edwards-curve Digital Signature Algorithm (EdDSA) as per [RFC8032]

ED448 = 'Ed448'

Use Ed448, the Edwards-curve Digital Signature Algorithm (EdDSA) as per [RFC8032]

RSA_MD5 = 'md5WithRSAEncryption'

Use md5WithRSAEncryption (rsa-md5) signature algorithm [ legacy applications only]

RSA_PSS_SHA1 = 'RSA-PSS-SHA1'

Use RSA-PSS signature algorithm with SHA-1

RSA_PSS_SHA224 = 'RSA-PSS-SHA224'

Use RSA-PSS signature algorithm with SHA-224

RSA_PSS_SHA256 = 'RSA-PSS-SHA256'

Use RSA-PSS signature algorithm with SHA-256

RSA_PSS_SHA384 = 'RSA-PSS-SHA384'

Use RSA-PSS signature algorithm with SHA-384

RSA_PSS_SHA512 = 'RSA-PSS-SHA512'

Use RSA-PSS signature algorithm with SHA-512

RSA_SHA1 = 'sha1WithRSAEncryption'

Use sha1WithRSAEncryption (rsa-sha1) signature algorithm [default]

RSA_SHA224 = 'sha224WithRSAEncryption'

Use sha224WithRSAEncryption (rsa-sha224) signature algorithm

RSA_SHA256 = 'sha256WithRSAEncryption'

Use sha256WithRSAEncryption (rsa-sha256) signature algorithm [minimum recommended]

RSA_SHA384 = 'sha384WithRSAEncryption'

Use sha384WithRSAEncryption (rsa-sha384) signature algorithm

RSA_SHA512 = 'sha512WithRSAEncryption'

Use sha512WithRSAEncryption (rsa-sha512) signature algorithm

class Encoding

Encodings for signature output.

BASE64 = 0

Base64 encoding (default)

BASE64URL = 262144

URL-safe base64 encoding as in section 5 of [RFC4648]

DEFAULT = 0

Default encoding (base64)

HEX = 196608

Hexadecimal encoding

class Opts

Options for ECDSA and RSA-PSS signatures.

ASN1DER = 16384

Form ECDSA signature value as a DER-encoded ASN.1 structure [default= r||s].

Type:

ECDSA only

DEFAULT = 0

Use default options for signature.

DETERMINISTIC = 8192

Use the deterministic digital signature generation procedure of [RFC6979] for ECDSA signature [default=random k]

Type:

ECDSA only

MGF1SHA1 = 8388608

Force the MGF hash function to be SHA-1 [default = same as signature hash algorithm].

Type:

RSA-PSS only

PSS_SALTLEN_20 = 3145728

Set the salt length to be exactly 20 bytes regardless of the hash algorithm.

Type:

RSA-PSS only

PSS_SALTLEN_HLEN = 0

Set the salt length to hLen, the length of the output of the hash function [default].

Type:

RSA-PSS only

PSS_SALTLEN_MAX = 2097152

Set the salt length to the maximum possible (like OpenSSL).

Type:

RSA-PSS only

PSS_SALTLEN_ZERO = 4194304

Set the salt length to be zero.

Type:

RSA-PSS only

class VerifyOpts

Specialist options for verifying a signature.

DEFAULT = 0

Use default options.

MGF1SHA1 = 8388608

Force the MGF hash function to be SHA-1 [default = same as signature hash algorithm].

Type:

RSA-PSS only

static data_is_verified(sig, data, certorkey, alg, verifyopts=0)

Verify a signature value over data in a byte array.

Parameters:

  • sig (str) -- Containing the encoded signature value

  • data (bytes) -- Containing the input data to be verified

  • certorkey (str) -- Specifying the X.509 certificate or public key file name (or a string containing the certificate or key in PEM format or base64 representation, or an internal key string).

  • alg (Sig.Alg) -- Signature algorithm to be used

  • verifyopts (Sig.VerifyOpts) -- Advanced options for RSA-PSS only.

Returns:

True if the signature is valid, False if invalid.

Return type:

bool

Raises:

PKIError -- If parameters or formats are bad, or if file is missing.

Remarks:

A signature value is considered valid if it can be decrypted by the public key in certorkey and the digest value of the data matches the original digest of the data in the signature. Public keys in X.509 certificates are currently not supported for ECDSA signatures; only public key files or their string representations. Any supported encodings of the signature value are detected automatically.

static digest_is_verified(sig, digest, certorkey, alg, verifyopts=0)

Verify a signature value over a message digest value of data .

Parameters:

  • sig (str) -- Containing the encoded signature value

  • digest (bytes) -- Byte array containing the message digest value of the data to be verified

  • certorkey (str) -- Specifying the X.509 certificate or public key file name (or a string containing the certificate or key in PEM format or base64 representation, or an internal key string).

  • alg (Sig.Alg) -- Signature algorithm to be used

  • verifyopts (Sig.VerifyOpts) -- Advanced options for RSA-PSS only.

Returns:

True if the signature is valid, False if invalid.

Return type:

bool

Raises:

PKIError -- If parameters or formats are bad, or if file is missing.

static file_is_verified(sig, datafile, certorkey, alg, verifyopts=0)

Verify a signature value over data in a file.

Parameters:

  • sig (str) -- Containing the encoded signature value

  • datafile (str) -- Name of file containing data to be verified.

  • certorkey (str) -- Specifying the X.509 certificate or public key file name (or a string containing the certificate or key in PEM format or base64 representation, or an internal key string).

  • alg (Sig.Alg) -- Signature algorithm to be used

  • verifyopts (Sig.VerifyOpts) -- Advanced options for RSA-PSS only.

Returns:

True if the signature is valid, False if invalid.

Return type:

bool

Raises:

PKIError -- If parameters or formats are bad, or if file is missing.

static sign_data(data, keyfile, password, alg, opts=0, encoding=0)

Compute a signature value over data in a byte array.

Parameters:

  • data (bytes) -- input data to be signed

  • keyfile (str) -- Name of private key file (or a string containing the key in PEM format, or an internal private key)

  • password (str) -- Password for the private key, if encrypted

  • alg (Sig.Alg) -- Signature algorithm to be used.

  • opts (Sig.Opts) -- Options for ECDSA signatures.

  • encoding (Sig.Encoding) -- Optional encodings for output.

Returns:

The encoded signature value. By default, a continuous string of base64 characters suitable for the <SignatureValue> of an XML-DSIG document.

Return type:

str

static sign_digest(digest, keyfile, password, alg, opts=0, encoding=0)

Compute a signature value over a message digest value.

Parameters:

  • digest (bytes) -- digest value in a byte array

  • keyfile (str) -- Name of private key file (or a string containing the key in PEM format, or an internal private key)

  • password (str) -- Password for the private key, if encrypted

  • alg (Sig.Alg) -- Signature algorithm to be used.

  • opts (Sig.Opts) -- Options for ECDSA signatures.

  • encoding (Sig.Encoding) -- Optional encodings for output.

Returns:

The encoded signature value.

Return type:

str

static sign_file(datafile, keyfile, password, alg, opts=0, encoding=0)

Compute a signature value over binary data in a file.

Parameters:

  • datafile (str) -- Name of input file containing data to be signed.

  • keyfile (str) -- Name of private key file (or a string containing the key in PEM format, or an internal private key)

  • password (str) -- Password for the private key, if encrypted

  • alg (Sig.Alg) -- Signature algorithm to be used.

  • opts (Sig.Opts) -- Options for ECDSA signatures.

  • encoding (Sig.Encoding) -- Optional encodings for output.

Returns:

The encoded signature value.

Return type:

str