awscrt.crypto¶

class awscrt.crypto.RSAEncryptionAlgorithm(value)¶

RSA Encryption Algorithm

PKCS1_5 = 0¶: PKCSv1.5 padding

OAEP_SHA256 = 1¶: OAEP padding with sha256 hash function

OAEP_SHA512 = 2¶: OAEP padding with sha512 hash function

class awscrt.crypto.RSASignatureAlgorithm(value)¶

RSA Encryption Algorithm

PKCS1_5_SHA256 = 0¶: PKCSv1.5 padding with sha256 hash function

PKCS1_5_SHA1 = 1¶: PKCSv1.5 padding with sha1 hash function

PSS_SHA256 = 2¶: PSS padding with sha256 hash function

class awscrt.crypto.RSA(binding)¶

static new_private_key_from_pem_data(pem_data: str | bytes | bytearray | memoryview) → RSA¶: Creates a new instance of private RSA key pair from pem data. Raises ValueError if pem does not have private key object.

static new_public_key_from_pem_data(pem_data: str | bytes | bytearray | memoryview) → RSA¶: Creates a new instance of public RSA key pair from pem data. Raises ValueError if pem does not have public key object.

static new_private_key_from_der_data(der_data: bytes | bytearray | memoryview) → RSA¶: Creates a new instance of private RSA key pair from der data. Expects key in PKCS1 format. Raises ValueError if pem does not have private key object.

static new_public_key_from_der_data(der_data: bytes | bytearray | memoryview) → RSA¶: Creates a new instance of public RSA key pair from der data. Expects key in PKCS1 format. Raises ValueError if pem does not have public key object.

encrypt(encryption_algorithm: RSAEncryptionAlgorithm, plaintext: bytes | bytearray | memoryview) → bytes¶: Encrypts data using a given algorithm.

decrypt(encryption_algorithm: RSAEncryptionAlgorithm, ciphertext: bytes | bytearray | memoryview) → bytes¶: Decrypts data using a given algorithm.

sign(signature_algorithm: RSASignatureAlgorithm, digest: bytes | bytearray | memoryview) → bytes¶: Signs data using a given algorithm. Note: function expects digest of the message, ex sha256

verify(signature_algorithm: RSASignatureAlgorithm, digest: bytes | bytearray | memoryview, signature: bytes | bytearray | memoryview) → bool¶: Verifies signature against digest. Returns True if signature matches and False if not.

class awscrt.crypto.ED25519ExportFormat(value)¶

ED25519 Export format

RAW = 0¶: Raw bytes.

OPENSSH_B64 = 1¶: Base64 encoded OpenSSH format as defined in RFC 8709.

class awscrt.crypto.ED25519(binding)¶

static new_generate() → ED25519¶: Generates a new instance of ED25159 key pair.

export_public_key(export_format: ED25519ExportFormat) → bytes¶: Exports public part of the key in specified format.

export_private_key(export_format: ED25519ExportFormat) → bytes¶: Exports public part of the key in specified format.

class awscrt.crypto.ECType(value)¶

Elliptic Curve Type

P_256 = 0¶: P-256 curve aka secp256r1

P_384 = 1¶: P-384 curve aka secp384r1

class awscrt.crypto.ECExportFormat(value)¶

EC Export format

SEC1 = 0¶: Raw bytes for the private key as defined in Sec1 (“EC Private Key” in pem)

PKCS8 = 1¶: Raw bytes for the private key as defined in PKCS8 (“Private Key” in pem)

SPKI = 2¶: Raw bytes for the public key as defined in x509/SPKI (“EC Public Key” or “Public Key” in pem)

class awscrt.crypto.ECRawSignature(r, s)¶

r: bytes¶: Alias for field number 0

s: bytes¶: Alias for field number 1

class awscrt.crypto.ECPublicCoords(x, y)¶

x: bytes¶: Alias for field number 0

y: bytes¶: Alias for field number 1

class awscrt.crypto.EC(binding)¶

static new_generate(type: ECType) → EC¶: Generates a new instance of EC key pair.

static new_key_from_der_data(der_data: bytes | bytearray | memoryview) → EC¶: Creates a new instance of EC key pair from der data. Will figure out what type of key it is without hint (i.e. pem header). Supports all formats specified in ECExportFormat. Expects raw bytes (i.e. strip b64 you get when reading pem). Raises ValueError if pem does not have private key object.

static decode_der_signature(signature: bytes) → ECRawSignature¶: Decodes ec signature into raw r and s.

static encode_raw_signature(signature: ECRawSignature) → bytes¶: Encodes raw signature into der.

export_key(export_format: ECExportFormat) → bytes¶: Exports the key in specified format.

get_public_coords() → ECPublicCoords¶: Get public coords of the key

sign(digest: bytes | bytearray | memoryview) → bytes¶: Signs data using a given algorithm. Returns DER encoded signature. Note: function expects digest of the message, ex sha256

verify(digest: bytes | bytearray | memoryview, signature: bytes | bytearray | memoryview) → bool¶: Verifies signature against digest. Returns True if signature matches and False if not.