baseplate.lib.crypto

Utilities for common cryptographic operations.
    import datetime

    from baseplate.lib.crypto import SignatureError, make_signature, validate_signature

    # `secrets` is the application's baseplate.lib.secrets.SecretsStore,
    # obtained from the application configuration elsewhere (not shown).
    message = "Hello, world!"

    # Fetch the versioned secret right before use so key rotation is picked up.
    secret = secrets.get_versioned("some_signing_key")
    signature = make_signature(
        secret, message, max_age=datetime.timedelta(days=1))

    try:
        validate_signature(secret, message, signature)
    except SignatureError:
        print("Oh no, it was invalid!")
    else:
        print("Message was valid!")

Running this prints:

    Message was valid!
Message Signing

baseplate.lib.crypto.make_signature(secret, message, max_age)

    Return a signature for the given message.

    To ensure that key rotation works automatically, always fetch the secret token from the secret store immediately before use and do not cache or save the token anywhere. The current version of the secret will be used to sign the token.

    Parameters:
        secret (VersionedSecret) – The secret signing key from the secret store.
        message (str) – The message to sign.
        max_age (timedelta) – The amount of time in the future the signature will be valid for.

    Returns: An encoded signature.
baseplate.lib.crypto.validate_signature(secret, message, signature)

    Validate and assert a message's signature is correct.

    If the signature is valid, the function will return normally with a SignatureInfo with some details about the signature. Otherwise, an exception will be raised.

    To ensure that key rotation works automatically, always fetch the secret token from the secret store immediately before use and do not cache or save the token anywhere. All active versions of the secret will be checked when validating the signature.

    Parameters:
        secret (VersionedSecret) – The secret signing key from the secret store.
        message (str) – The message payload to validate.
        signature (bytes) – The signature supplied with the message.

    Raises:
        UnreadableSignatureError – The signature is corrupt.
        IncorrectSignatureError – The digest is incorrect.
        ExpiredSignatureError – The signature expired.

    Return type: SignatureInfo
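The following is an added illustration of the contract documented above, not baseplate's own code: a minimal re-implementation of versioned HMAC message signing (HMAC-SHA256 over a packed version/expiration header plus the message, URL-safe base64 encoded) with a stand-in `VersionedSecret` and an injectable `now` clock so the run is deterministic. The header layout, the `VersionedSecret` shape, the `now` parameter and the `demo` function are assumptions made for this example. What it demonstrates is the documented behaviour: a signature made with the current version still validates after a rotation because every active version is checked, while a tampered message, a corrupt signature, an expired signature and an unrelated key each raise the matching SignatureError subclass.

```python
# Added illustration of versioned HMAC message signing; not baseplate's own
# code. It follows the documented contract (sign with the *current* secret
# version, check *all* active versions on validation, raise a SignatureError
# subclass for corrupt, tampered or expired signatures). The header layout,
# the VersionedSecret stand-in and the `now` clock parameter are assumptions.
import base64
import binascii
import datetime
import hashlib
import hmac
import struct
import time
from typing import NamedTuple, Optional


class SignatureError(Exception):
    """Base class for all message signing related errors."""

class UnreadableSignatureError(SignatureError):
    """The signature is corrupt or wrongly formatted."""

class IncorrectSignatureError(SignatureError):
    """The digest matches none of the active secret versions."""

class ExpiredSignatureError(SignatureError):
    """The signature's expiration time has passed."""

class SignatureInfo(NamedTuple):
    version: int     # version of the packed signature format
    expiration: int  # seconds since the UNIX epoch

class VersionedSecret(NamedTuple):
    """Stand-in for the secret store's versioned secret (assumed shape)."""
    previous: Optional[bytes]
    current: bytes
    next: Optional[bytes]

    @property
    def all_versions(self) -> list:
        return [v for v in (self.current, self.previous, self.next) if v]

# Assumed header: format version (u8), reserved (u8), expiration (u32, little-endian).
_HEADER = struct.Struct("<BBI")
_FORMAT_VERSION = 1

def _digest(secret_value: bytes, header: bytes, message: str) -> bytes:
    # The header is MAC'd together with the message, so the expiry cannot be
    # edited without invalidating the digest.
    payload = header + message.encode("utf8")
    return hmac.new(secret_value, payload, hashlib.sha256).digest()

def make_signature(secret: VersionedSecret, message: str,
                   max_age: datetime.timedelta, now: Optional[float] = None) -> bytes:
    # Sign with the *current* version only; `now` overrides the clock for tests.
    now = time.time() if now is None else now
    header = _HEADER.pack(_FORMAT_VERSION, 0, int(now + max_age.total_seconds()))
    return base64.urlsafe_b64encode(header + _digest(secret.current, header, message))

def validate_signature(secret: VersionedSecret, message: str,
                       signature: bytes, now: Optional[float] = None) -> SignatureInfo:
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(signature)
        header, digest = raw[:_HEADER.size], raw[_HEADER.size:]
        version, _, expiration = _HEADER.unpack(header)
    except (binascii.Error, struct.error) as exc:
        raise UnreadableSignatureError from exc
    if version != _FORMAT_VERSION or len(digest) != hashlib.sha256().digest_size:
        raise UnreadableSignatureError
    if now > expiration:
        raise ExpiredSignatureError
    # Try every active version so a message signed just before a rotation
    # still validates afterwards; compare_digest avoids timing leaks.
    for candidate in secret.all_versions:
        if hmac.compare_digest(digest, _digest(candidate, header, message)):
            return SignatureInfo(version, expiration)
    raise IncorrectSignatureError

def demo() -> dict:
    """Sign before a key rotation, then validate under several conditions."""
    t0 = 1_700_000_000.0  # constructed fixed clock so results are deterministic
    key_v1, key_v2 = b"constructed-key-v1", b"constructed-key-v2"
    message = "Hello, world!"
    before = VersionedSecret(previous=None, current=key_v1, next=key_v2)
    after = VersionedSecret(previous=key_v1, current=key_v2, next=None)
    sig = make_signature(before, message, datetime.timedelta(days=1), now=t0)

    def outcome(secret, msg, s, now):
        try:
            return validate_signature(secret, msg, s, now=now)
        except SignatureError as exc:
            return type(exc).__name__

    return {
        "fresh": outcome(before, message, sig, t0),
        "after_rotation": outcome(after, message, sig, t0 + 3600),
        "tampered": outcome(after, message + "!", sig, t0),
        "corrupt": outcome(after, message, b"not-a-signature", t0),
        "expired": outcome(after, message, sig, t0 + 2 * 86400),
        "wrong_key": outcome(VersionedSecret(None, b"constructed-other", None), message, sig, t0),
    }
```

Calling `demo()` returns a SignatureInfo for the "fresh" and "after_rotation" cases and the exception class name for the others. The ordering inside `validate_signature` matters: the signature is parsed first (so malformed input is reported as unreadable), then the expiry is checked, and only then is the HMAC computed against each active version, so an expired signature is never accepted just because an old key still matches.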
class baseplate.lib.crypto.SignatureInfo

    Information about a valid signature.

    Variables:
        version – The version of the packed signature format.
        expiration – The time, in seconds since the UNIX epoch, at which the signature will expire.
Exceptions

exception baseplate.lib.crypto.SignatureError

    Base class for all message signing related errors.

exception baseplate.lib.crypto.UnreadableSignatureError

    Raised when the signature is corrupt or wrongly formatted.