baseplate.lib.crypto

Utilities for common cryptographic operations.

import datetime

from baseplate.lib.crypto import SignatureError, make_signature, validate_signature

message = "Hello, world!"

# `secrets` is the application's SecretsStore. Fetch the versioned key
# immediately before use so that key rotation is picked up automatically.
secret = secrets.get_versioned("some_signing_key")
signature = make_signature(
    secret, message, max_age=datetime.timedelta(days=1))

try:
    validate_signature(secret, message, signature)
except SignatureError:
    print("Oh no, it was invalid!")
else:
    print("Message was valid!")

Running this prints:

Message was valid!

Message Signing

baseplate.lib.crypto.make_signature(secret, message, max_age)

Return a signature for the given message.

To ensure that key rotation works automatically, always fetch the secret token from the secret store immediately before use and do not cache or save the token anywhere. The current version of the secret is used to sign the message.

Parameters:
  • secret (VersionedSecret) – The secret signing key from the secret store.
  • message (str) – The message to sign.
  • max_age (timedelta) – The amount of time in the future the signature will be valid for.
Return type:

bytes

Returns:

An encoded signature.

baseplate.lib.crypto.validate_signature(secret, message, signature)

Validate and assert a message’s signature is correct.

If the signature is valid, the function returns normally with a SignatureInfo carrying some details about the signature. Otherwise, one of the SignatureError subclasses listed below is raised.

To ensure that key rotation works automatically, always fetch the secret token from the secret store immediately before use and do not cache or save the token anywhere. All active versions of the secret are checked when validating the signature, so a message signed before a rotation still validates afterwards.

Parameters:
  • secret (VersionedSecret) – The secret signing key from the secret store.
  • message (str) – The message payload to validate.
  • signature (bytes) – The signature supplied with the message.
Raises:
  • UnreadableSignatureError – The signature is corrupt.
  • IncorrectSignatureError – The digest is incorrect.
  • ExpiredSignatureError – The signature expired.

Return type:

SignatureInfo

class baseplate.lib.crypto.SignatureInfo

Information about a valid signature.

Variables:
  • version – The version of the packed signature format.
  • expiration – The time, in seconds since the UNIX epoch, at which the signature will expire.

Exceptions

exception baseplate.lib.crypto.SignatureError

Base class for all message signing related errors.

exception baseplate.lib.crypto.UnreadableSignatureError

Raised when the signature is corrupt or wrongly formatted.

exception baseplate.lib.crypto.IncorrectSignatureError

Raised when the signature is readable but does not match the message.

exception baseplate.lib.crypto.ExpiredSignatureError(expiration)

Raised when the signature is valid but has expired.

The expiration attribute is the time (as seconds since the UNIX epoch) at which the signature expired.
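The following is an added, self-contained illustration of the behaviour documented above for make_signature, validate_signature, SignatureInfo and the exception hierarchy: a signature that carries its own expiration, is produced with the current key version, is accepted against every active key version (so it survives a rotation), and fails with a distinct error when it is corrupt, tampered with, or expired. It is not baseplate's own code and does not reproduce baseplate's wire format; the VersionedSecret stand-in, the header layout (one-byte format version plus a four-byte expiration), HMAC-SHA256 as the digest, the `now` parameter used for deterministic testing, and all key material are assumptions made for this example.

```python
import base64
import datetime
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import NamedTuple


class SignatureError(Exception):
    """Base class for all message signing related errors."""

class UnreadableSignatureError(SignatureError):
    """The signature is corrupt or wrongly formatted."""

class IncorrectSignatureError(SignatureError):
    """The signature is readable but does not match the message."""

class ExpiredSignatureError(SignatureError):
    """The signature is valid but has expired."""
    def __init__(self, expiration):
        super().__init__(f"signature expired at {expiration}")
        self.expiration = expiration  # seconds since the UNIX epoch


class SignatureInfo(NamedTuple):
    version: int     # version of the packed signature format
    expiration: int  # seconds since the UNIX epoch


@dataclass(frozen=True)
class VersionedSecret:
    """Hypothetical stand-in for a versioned secret: `current` signs, all three are accepted."""
    previous: bytes
    current: bytes
    next: bytes

    def active_versions(self):
        return (self.current, self.previous, self.next)


_FORMAT_VERSION = 1
_HEADER = struct.Struct("<BI")  # assumed layout: format version, expiration


def _digest(key, header, message):
    return hmac.new(key, header + message.encode("utf8"), hashlib.sha256).digest()


def make_signature(secret, message, max_age, now=None):
    """Sign `message` with the current key version; the signature expires after `max_age`."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    expiration = int((now + max_age).timestamp())
    header = _HEADER.pack(_FORMAT_VERSION, expiration)
    return base64.urlsafe_b64encode(header + _digest(secret.current, header, message))


def validate_signature(secret, message, signature, now=None):
    """Check `signature` against every active key version, then against the clock."""
    try:
        raw = base64.urlsafe_b64decode(signature)
        header, digest = raw[:_HEADER.size], raw[_HEADER.size:]
        version, expiration = _HEADER.unpack(header)
    except (ValueError, struct.error) as exc:
        raise UnreadableSignatureError("signature is corrupt") from exc
    if version != _FORMAT_VERSION or len(digest) != hashlib.sha256().digest_size:
        raise UnreadableSignatureError("unknown signature format")
    # Constant-time comparison against each active version so a message signed
    # just before a rotation is still accepted by validators that already rotated.
    if not any(hmac.compare_digest(_digest(k, header, message), digest)
               for k in secret.active_versions()):
        raise IncorrectSignatureError("digest does not match message")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if expiration < int(now.timestamp()):
        raise ExpiredSignatureError(expiration)
    return SignatureInfo(version, expiration)


def _outcome(fn):
    try:
        fn()
    except SignatureError as exc:
        return type(exc).__name__
    return "valid"


def demo():
    """Sign once, then validate across a key rotation, a retired key, tampering, expiry and garbage."""
    message = "Hello, world!"
    t0 = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)  # constructed clock
    before = VersionedSecret(previous=b"key-v0", current=b"key-v1", next=b"key-v2")
    sig = make_signature(before, message, datetime.timedelta(days=1), now=t0)
    after = VersionedSecret(previous=b"key-v1", current=b"key-v2", next=b"key-v3")    # rotated once
    retired = VersionedSecret(previous=b"key-v2", current=b"key-v3", next=b"key-v4")  # key-v1 gone
    return {
        "fresh": validate_signature(before, message, sig, now=t0).expiration - int(t0.timestamp()),
        "after_rotation": validate_signature(after, message, sig, now=t0).version,
        "retired": _outcome(lambda: validate_signature(retired, message, sig, now=t0)),
        "tampered": _outcome(lambda: validate_signature(before, message + "!", sig, now=t0)),
        "expired": _outcome(lambda: validate_signature(before, message, sig, now=t0 + datetime.timedelta(days=2))),
        "garbage": _outcome(lambda: validate_signature(before, message, b"bm90LWEtc2lnbmF0dXJl", now=t0)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The digest is checked before the expiration so that a tampered signature is reported as incorrect rather than merely expired, and the expiration is part of the signed header so it cannot be extended without the key. The `retired` case shows why validators must re-fetch the secret rather than caching it: once a version drops out of the active set, signatures made with it stop validating.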