1.14. security_keys
¶
This module provides functionality for working with security keys that are used for data integrity checks. Verification is performed using ECDSA keys.
1.14.1. Data¶
1.14.2. Functions¶
-
openssl_decrypt_data
(ciphertext, password, digest='sha256', encoding='utf-8')[source]¶ Decrypt ciphertext in the same way as OpenSSL. For the meaning of digest see the
openssl_derive_key_and_iv()
function documentation.Note
This function can be used to decrypt ciphertext created with the
openssl
command line utility.openssl enc -e -aes-256-cbc -in file -out file.enc -md sha256
Parameters: Returns: The decrypted data.
Return type:
-
openssl_derive_key_and_iv
(password, salt, key_length, iv_length, digest='sha256', encoding='utf-8')[source]¶ Derive an encryption key and initialization vector (IV) in the same way as OpenSSL.
Note
Different versions of OpenSSL use a different default value for the digest function used to derive keys and initialization vectors. A specific one can be used by passing the
-md
option to theopenssl
command which corresponds to the digest parameter of this function.Parameters: - password (str) – The password to use when deriving the key and IV.
- salt (bytes) – A value to use as a salt for the operation.
- key_length (int) – The length in bytes of the key to return.
- iv_length (int) – The length in bytes of the IV to return.
- digest (str) – The name of hashing function to use to generate the key.
- encoding (str) – The name of the encoding to use for the password.
Returns: The key and IV as a tuple.
Return type:
1.14.3. Classes¶
-
class
SecurityKeys
[source]¶ Bases:
object
The security keys that are installed on the system. These are then used to validate the signatures of downloaded files to ensure they have not been corrupted or tampered with.
Note
Keys are first loaded from the security.json file included with the application source code and then from an optional security.local.json file. Keys loaded from the optional file can not over write keys loaded from the system file.
-
verify
(key_id, data, signature)[source]¶ Verify the data with the specified signature as signed by the specified key. This function will raise an exception if the verification fails for any reason, including if the key can not be found.
Parameters:
-
-
class
SigningKey
(*args, **kwargs)[source]¶ Bases:
ecdsa.keys.SigningKey
,object
-
classmethod
from_dict
(value, encoding='base64', **kwargs)[source]¶ Load the signing key from the specified dict object.
Parameters: Returns: The new signing key.
Return type:
-
classmethod
from_file
(file_path, password=None, encoding='utf-8')[source]¶ Load the signing key from the specified file. If password is specified, the file is assumed to have been encrypted using OpenSSL with
aes-256-cbc
as the cipher andsha256
as the message digest. This usesopenssl_decrypt_data()
internally for decrypting the data.Parameters: Returns: A tuple of the key’s ID, and the new
SigningKey
instance.Return type:
-
sign_dict
(data, signature_encoding='base64')[source]¶ Sign a dictionary object. The dictionary will have a ‘signature’ key added is required by the
VerifyingKey.verify_dict()
method. To serialize the dictionary to data suitable for the operation thejson.dumps()
function is used and the resulting data is then UTF-8 encoded.Parameters: Returns: The dictionary object is returned with the ‘signature’ key added.
-
classmethod
-
class
VerifyingKey
(*args, **kwargs)[source]¶ Bases:
ecdsa.keys.VerifyingKey
,object
-
classmethod
from_dict
(value, encoding='base64', **kwargs)[source]¶ Load the verifying key from the specified dict object.
Parameters: Returns: The new verifying key.
Return type:
-
verify_dict
(data, signature_encoding='base64')[source]¶ Verify a signed dictionary object. The dictionary must have a ‘signature’ key as added by the
SigningKey.sign_dict()
method. To serialize the dictionary to data suitable for the operation thejson.dumps()
function is used and the resulting data is then UTF-8 encoded.Parameters:
-
classmethod