salt.modules.asymmetric

New in version 3008.0.

Low-level asymmetric cryptographic operations.

depends: cryptography

Note

All parameters that take a public key or private key can be specified either as a PEM/hex/base64 string or a path to a local file encoded in all supported formats for the type.

A signature can be specified as a base64 string or a path to a file with the raw signature or its base64 encoding.

Public keys and signatures can additionally be specified as a URL that can be retrieved using cp.cache_file.

salt.modules.asymmetric.sign(privkey, passphrase=None, text=None, filename=None, digest=None, raw=None, path=None)

Sign a file or text using an (RSA|ECDSA|Ed25519|Ed448) private key. You can employ x509.create_private_key to generate one. Returns the signature encoded in base64 by default.

CLI Example:

salt '*' asymmetric.sign /root/my_privkey.pem text='I like you'
salt '*' asymmetric.sign /root/my_privkey.pem filename=/data/to/be/signed

privkey

The private key to sign with.

passphrase

If the private key is encrypted, the passphrase to decrypt it. Optional.

text

Pass the text to sign. Either this or filename is required.

filename

Pass the path of a file to sign. Either this or text is required.

digest

The name of the hashing algorithm to use when creating signatures. Defaults to sha256. Only relevant for ECDSA or RSA.

raw

Return the raw bytes instead of encoding them to base64. Defaults to false.

path

Instead of returning the data, write it to a path on the local filesystem. Optional.

salt.modules.asymmetric.verify(text=None, filename=None, pubkey=None, signature=None, digest=None, signed_by_any=None, signed_by_all=None, **kwargs)

Verify signatures on a specific input against (RSA|ECDSA|Ed25519|Ed448) public keys.

Note

This function is intended to be compatible with the interface of gpg.verify() regarding keyword arguments and return value format.

CLI Example:

salt '*' asymmetric.verify pubkey=/root/my_pubkey.pem text='I like you' signature=/root/ilikeyou.sig
salt '*' asymmetric.verify pubkey=/root/my_pubkey.pem filename=/root/confidential signature=/root/confidential.sig

text

The text to verify. Either this or filename is required.

filename

The path of a file to verify. Either this or text is required.

pubkey

The single public key to verify the signature against. Specify either this or make use of signed_by_any/signed_by_all for compound checks.

signature

If pubkey is specified, the single signature to verify. If signed_by_any and/or signed_by_all is specified, this can be a list of multiple signatures to check against the provided keys. Required.

digest

The name of the hashing algorithm to use when verifying signatures. Defaults to sha256. Only relevant for ECDSA or RSA.

signed_by_any

A list of pubkeys from which any valid signature will mark verification as passed. If none of the listed pubkeys provided a signature, verification fails. Works with signed_by_all, but mutually exclusive with pubkey.

signed_by_all

A list of pubkeys, all of which must provide a signature for verification to pass. If a single one of the listed pubkeys did not provide a signature, verification fails. Works with signed_by_any, but mutually exclusive with pubkey.
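The following is an added example that is not part of Salt; it shows, in plain Python on top of the cryptography package this module depends on, the behaviour documented for both sign and verify above: the digest only affects RSA/ECDSA (Ed25519/Ed448 fix their own hash), signatures are base64 unless raw is requested, and the compound signed_by_any/signed_by_all rules are evaluated over a list of candidate signatures. Everything not stated on the page is an assumption: keys are passed as cryptography key objects rather than PEM strings, paths or URLs, RSA is assumed to use PKCS#1 v1.5 padding, the result dict mimics gpg.verify's {"res", "message"} shape, and the verify_fn hook, _hash, sign_bytes, verify_one, verify_policy and demo_roundtrip are names chosen here.

```python
# Added example, not Salt's own code: helpers following the semantics documented
# for asymmetric.sign and asymmetric.verify. Assumptions: keys are cryptography
# key objects, RSA uses PKCS#1 v1.5 padding, return value mimics gpg.verify.
import base64

try:
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec, ed448, ed25519, padding, rsa
    HAVE_CRYPTOGRAPHY = True
except ImportError:  # verify_policy below needs no crypto library at all
    HAVE_CRYPTOGRAPHY = False


def _hash(digest):
    """Map a Salt-style digest name such as "sha256" to a cryptography hash object."""
    return getattr(hashes, digest.upper())()


def load_private_key(pem, passphrase=None):
    """Mirror sign()'s privkey/passphrase handling for a PEM-encoded private key."""
    password = passphrase.encode() if passphrase else None
    return serialization.load_pem_private_key(pem, password=password)


def sign_bytes(privkey, data, digest="sha256", raw=False):
    """Sign data like asymmetric.sign: the digest only matters for RSA/ECDSA,
    and the signature is returned base64-encoded unless raw=True."""
    if isinstance(privkey, (ed25519.Ed25519PrivateKey, ed448.Ed448PrivateKey)):
        sig = privkey.sign(data)
    elif isinstance(privkey, rsa.RSAPrivateKey):
        sig = privkey.sign(data, padding.PKCS1v15(), _hash(digest))  # padding assumed
    elif isinstance(privkey, ec.EllipticCurvePrivateKey):
        sig = privkey.sign(data, ec.ECDSA(_hash(digest)))
    else:
        raise TypeError(f"unsupported private key type: {type(privkey).__name__}")
    return sig if raw else base64.b64encode(sig).decode()


def verify_one(pubkey, data, signature, digest="sha256"):
    """Check one signature (raw bytes or base64 str) against one public key.
    A bad signature yields False rather than an exception."""
    sig = signature if isinstance(signature, bytes) else base64.b64decode(signature)
    try:
        if isinstance(pubkey, (ed25519.Ed25519PublicKey, ed448.Ed448PublicKey)):
            pubkey.verify(sig, data)
        elif isinstance(pubkey, rsa.RSAPublicKey):
            pubkey.verify(sig, data, padding.PKCS1v15(), _hash(digest))
        elif isinstance(pubkey, ec.EllipticCurvePublicKey):
            pubkey.verify(sig, data, ec.ECDSA(_hash(digest)))
        else:
            raise TypeError(f"unsupported public key type: {type(pubkey).__name__}")
    except InvalidSignature:
        return False
    return True


def verify_policy(data, signatures, signed_by_any=(), signed_by_all=(),
                  digest="sha256", verify_fn=verify_one):
    """Evaluate the compound rules documented for asymmetric.verify: every key in
    signed_by_all must have a valid signature among `signatures`, and if
    signed_by_any is given at least one of those keys must have one too.
    verify_fn(key, data, sig, digest) -> bool is injectable (hypothetical hook)
    so the policy can be exercised without real keys."""
    sigs = list(signatures)
    if not signed_by_any and not signed_by_all:
        return {"res": False, "message": "no public keys given to verify against"}

    def signed(key):
        return any(verify_fn(key, data, s, digest) for s in sigs)

    missing = [i for i, key in enumerate(signed_by_all) if not signed(key)]
    if missing:
        return {"res": False, "message": f"signed_by_all: keys at index {missing} did not sign"}
    if signed_by_any and not any(signed(key) for key in signed_by_any):
        return {"res": False, "message": "signed_by_any: none of the listed keys signed"}
    return {"res": True, "message": "all required signatures verified"}


def demo_roundtrip(data=b"I like you"):
    """Constructed demo: fresh Ed25519 and RSA keys both sign `data`; returns the
    policy result for the genuine data and for a tampered copy."""
    ed_key = ed25519.Ed25519PrivateKey.generate()
    rsa_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sigs = [sign_bytes(ed_key, data), sign_bytes(rsa_key, data, digest="sha512")]
    pubs = [ed_key.public_key(), rsa_key.public_key()]
    genuine = verify_policy(data, sigs, signed_by_all=pubs, digest="sha512")
    tampered = verify_policy(data + b"!", sigs, signed_by_any=pubs, digest="sha512")
    return genuine, tampered


if __name__ == "__main__" and HAVE_CRYPTOGRAPHY:
    for result in demo_roundtrip():
        print(result)
```

Note that the digest passed to verify must match the one used at signing time for RSA/ECDSA keys, which is why demo_roundtrip verifies with sha512; the Ed25519 signature in the same list is unaffected by that parameter, exactly as the digest documentation above states.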