salt.modules.asymmetric

New in version 3008.0.

Low-level asymmetric cryptographic operations.

depends:

cryptography

Note

All parameters that take a public key or private key can be specified either as a PEM/hex/base64 string or a path to a local file encoded in all supported formats for the type.

A signature can be specified as a base64 string or a path to a file with the raw signature or its base64 encoding.

Public keys and signatures can additionally be specified as a URL that can be retrieved using cp.cache_file.

salt.modules.asymmetric.sign(privkey, passphrase=None, text=None, filename=None, digest=None, raw=None, path=None)

Sign a file or text using an (RSA|ECDSA|Ed25519|Ed448) private key. You can employ x509.create_private_key to generate one. Returns the signature encoded in base64 by default.

CLI Example:

salt '*' asymmetric.sign /root/my_privkey.pem text='I like you'
salt '*' asymmetric.sign /root/my_privkey.pem filename=/data/to/be/signed

privkey

The private key to sign with.

passphrase

If the private key is encrypted, the passphrase to decrypt it. Optional.

text

Pass the text to sign. Either this or filename is required.

filename

Pass the path of a file to sign. Either this or text is required.

digest

The name of the hashing algorithm to use when creating signatures. Defaults to sha256. Only relevant for ECDSA or RSA.

raw

Return the raw bytes instead of encoding them to base64. Defaults to false.

path

Instead of returning the data, write it to a path on the local filesystem. Optional.

salt.modules.asymmetric.verify(text=None, filename=None, pubkey=None, signature=None, digest=None, signed_by_any=None, signed_by_all=None, **kwargs)

Verify signatures on a specific input against (RSA|ECDSA|Ed25519|Ed448) public keys.

Note

This function is supposed to be compatible with the same interface as gpg.verify <salt.modules.gpg.verify>`() regarding keyword arguments and return value format.

CLI Example:

salt '*' asymmetric.verify pubkey=/root/my_pubkey.pem text='I like you' signature=/root/ilikeyou.sig
salt '*' asymmetric.verify pubkey=/root/my_pubkey.pem path=/root/confidential signature=/root/confidential.sig

text

The text to verify. Either this or filename is required.

filename

The path of a file to verify. Either this or text is required.

pubkey

The single public key to verify signature against. Specify either this or make use of signed_by_any/signed_by_all for compound checks.

signature

If pubkey is specified, the single signature to verify. If signed_by_any and/or signed_by_all is specified, this can be a list of multiple signatures to check against the provided keys. Required.

digest

The name of the hashing algorithm to use when verifying signatures. Defaults to sha256. Only relevant for ECDSA or RSA.

signed_by_any

A list of pubkeys from which any valid signature will mark verification as passed. If none of the listed pubkeys provided a signature, verification fails. Works with signed_by_all, but mutually exclusive with pubkey.

signed_by_all

A list of pubkeys, all of which must provide a signature for verification to pass. If a single one of the listed pubkeys did not provide a signature, verification fails. Works with signed_by_any, but mutually exclusive with pubkey.