The nova.signature_utils Module

Support signature verification.

class SignatureKeyType(name, public_key_type, create_verifier)

Bases: object

classmethod lookup(name)

Look up the signature key type.

Parameters:name – the name of the signature key type
Returns:the SignatureKeyType object
Raises:SignatureVerificationError if signature key type is invalid
classmethod register(name, public_key_type, create_verifier)

Register a signature key type.

Parameters:
  • name – the name of the signature key type
  • public_key_type – e.g. RSAPublicKey, DSAPublicKey, etc.
  • create_verifier – a function to create a verifier for this type
create_verifier_for_dsa(signature, hash_method, public_key)

Create the verifier to use when the key type is DSA

Parameters:
  • signature – the decoded signature to use
  • hash_method – the hash method to use, as a cryptography object
  • public_key – the public key to use, as a cryptography object
Returns:

the verifier to use to verify the signature for DSA
create_verifier_for_ecc(signature, hash_method, public_key)

Create the verifier to use when the key type is ECC_*.

Parameters:
  • signature – the decoded signature to use
  • hash_method – the hash method to use, as a cryptography object
  • public_key – the public key to use, as a cryptography object
Returns:

the verifier to use to verify the signature for ECC_*.
create_verifier_for_pss(signature, hash_method, public_key)

Create the verifier to use when the key type is RSA-PSS.

Parameters:
  • signature – the decoded signature to use
  • hash_method – the hash method to use, as a cryptography object
  • public_key – the public key to use, as a cryptography object
Raises:

SignatureVerificationError if the RSA-PSS specific properties are invalid
Returns:

the verifier to use to verify the signature for RSA-PSS
get_certificate(context, signature_certificate_uuid)

Create the certificate object from the retrieved certificate data.

Parameters:
  • context – the user context for authentication
  • signature_certificate_uuid – the uuid to use to retrieve the certificate
Returns:

the certificate cryptography object
Raises:

SignatureVerificationError if the retrieval fails or the format is invalid
get_hash_method(hash_method_name)

Verify the hash method name and create the hash method.

Parameters:hash_method_name – the name of the hash method to retrieve
Returns:the hash method, a cryptography object
Raises:SignatureVerificationError if the hash method name is invalid
get_public_key(context, signature_certificate_uuid, signature_key_type)

Create the public key object from a retrieved certificate.

Parameters:
  • context – the user context for authentication
  • signature_certificate_uuid – the uuid to use to retrieve the certificate
  • signature_key_type – a SignatureKeyType object
Returns:

the public key cryptography object
Raises:

SignatureVerificationError if public key format is invalid
get_signature(signature_data)

Decode the signature data and returns the signature.

Parameters:siganture_data – the base64-encoded signature data
Returns:the decoded signature
Raises:SignatureVerificationError if the signature data is malformatted
get_verifier(context, img_signature_certificate_uuid, img_signature_hash_method, img_signature, img_signature_key_type)

Instantiate signature properties and use them to create a verifier.

Parameters:
  • context – the user context for authentication
  • img_signature_certificate_uuid – uuid of signing certificate stored in key manager
  • img_signature_hash_method – string denoting hash method used to compute signature
  • img_signature – string of base64 encoding of signature
  • img_signature_key_type – string denoting type of keypair used to compute signature
Returns:

instance of cryptography.hazmat.primitives.asymmetric.AsymmetricVerificationContext
Raises:

SignatureVerificationError if we fail to build the verifier
verify_certificate(certificate)

Verify that the certificate has not expired.

Parameters:certificate – the cryptography certificate object
Raises:SignatureVerificationError if the certificate valid time range does not include now

Previous topic

The nova.servicegroup.drivers.mc Module

Next topic

The nova.test Module

Project Source

This Page

Navigation

© Copyright 2010-present, OpenStack Foundation. Last updated on 'Mon Feb 27 15:52:29 2017, commit 2e05c82'. Created using Sphinx 1.2.3.