KeyVaultRSAPublicKey Class

Reference

An RSAPublicKey implementation based on a key managed by Key Vault.

This class should not be instantiated directly. Instead, use the create_rsa_public_key method to create a key based on the client's key. Only synchronous clients and operations are supported at this time.

Inheritance: cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey

KeyVaultRSAPublicKey

Constructor

KeyVaultRSAPublicKey(client: CryptographyClient, key_material: JsonWebKey | None = None)

Parameters

Name	Description
client Required
key_material	Default value: None

Methods

encrypt	Encrypts the given plaintext.
public_bytes	Allows serialization of the key to bytes. This function uses the cryptography library's implementation. Encoding (PEM or DER) and format (SubjectPublicKeyInfo or PKCS1) are chosen to define the exact serialization.
public_numbers	Returns an RSAPublicNumbers representing the key's public numbers.
recover_data_from_signature	Recovers the signed data from the signature. Only supported with cryptography version 3.3 and above. This function uses the cryptography library's implementation. The data typically contains the digest of the original message string. The padding and algorithm parameters must match the ones used when the signature was created for the recovery to succeed. The algorithm parameter can also be set to None to recover all the data present in the signature, without regard to its format or the hash algorithm used for its creation. For PKCS1v15 padding, this method returns the data after removing the padding layer. For standard signatures the data contains the full DigestInfo structure. For non-standard signatures, any data can be returned, including zero-length data. Normally you should use the verify() function to validate the signature. But for some non-standard signature formats you may need to explicitly recover and validate the signed data. The following are some examples: Some old Thawte and Verisign timestamp certificates without DigestInfo. Signed MD5/SHA1 hashes in TLS 1.1 or earlier (RFC 4346, section 4.7). IKE version 1 signatures without DigestInfo (RFC 2409, section 5.1).
verifier	Not implemented. This method was deprecated in cryptography 2.0 and removed in 37.0.0.
verify	Verifies the signature of the data.

encrypt

Encrypts the given plaintext.

encrypt(plaintext: bytes, padding: AsymmetricPadding) -> bytes

Parameters

Name	Description
plaintext Required	bytes Plaintext to encrypt.
padding Required	<xref:cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding> The padding to use. Supported paddings are OAEP and PKCS1v15. For OAEP padding, supported hash algorithms are SHA1 and SHA256. The only supported mask generation function is MGF1. See https://learn.microsoft.com/azure/key-vault/keys/about-keys-details for details.

Returns

Type	Description
bytes	The encrypted ciphertext, as bytes.

public_bytes

Allows serialization of the key to bytes.

This function uses the cryptography library's implementation. Encoding (PEM or DER) and format (SubjectPublicKeyInfo or PKCS1) are chosen to define the exact serialization.

public_bytes(encoding: Encoding, format: PublicFormat) -> bytes

Parameters

Name	Description
encoding Required	<xref:cryptography.hazmat.primitives.serialization.Encoding> A value from the Encoding enum.
format Required	<xref:cryptography.hazmat.primitives.serialization.PublicFormat> A value from the PublicFormat enum.

Returns

Type	Description
bytes	The serialized key.

Exceptions

Type	Description
ValueError	if the client is unable to obtain the key material from Key Vault.

public_numbers

Returns an RSAPublicNumbers representing the key's public numbers.

public_numbers() -> RSAPublicNumbers

Returns

Type	Description
<xref:RSAPublicNumbers>	The public numbers of the key.

Exceptions

Type	Description
ValueError	if the client is unable to obtain the key material from Key Vault.

recover_data_from_signature

Recovers the signed data from the signature. Only supported with cryptography version 3.3 and above.

This function uses the cryptography library's implementation. The data typically contains the digest of the original message string. The padding and algorithm parameters must match the ones used when the signature was created for the recovery to succeed. The algorithm parameter can also be set to None to recover all the data present in the signature, without regard to its format or the hash algorithm used for its creation.

For PKCS1v15 padding, this method returns the data after removing the padding layer. For standard signatures the data contains the full DigestInfo structure. For non-standard signatures, any data can be returned, including zero-length data.

Normally you should use the verify() function to validate the signature. But for some non-standard signature formats you may need to explicitly recover and validate the signed data. The following are some examples:

Some old Thawte and Verisign timestamp certificates without DigestInfo.
Signed MD5/SHA1 hashes in TLS 1.1 or earlier (RFC 4346, section 4.7).
IKE version 1 signatures without DigestInfo (RFC 2409, section 5.1).

recover_data_from_signature(signature: bytes, padding: AsymmetricPadding, algorithm: HashAlgorithm | None) -> bytes

Parameters

Name	Description
signature Required	bytes The signature.
padding Required	<xref:cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding> An instance of AsymmetricPadding. Recovery is only supported with some of the padding types.
algorithm Required	<xref:cryptography.hazmat.primitives.hashes.HashAlgorithm> An instance of HashAlgorithm. Can be None to return all the data present in the signature.

Returns

Type	Description
bytes	The signed data.

Exceptions

Type	Description
NotImplementedError	if the local version of cryptography doesn't support this method.
cryptography.exceptions.InvalidSignature	if the signature is invalid.
cryptography.exceptions.UnsupportedAlgorithm	if the signature data recovery is not supported with the provided padding type.
ValueError	if the client is unable to obtain the key material from Key Vault.

verifier

Not implemented. This method was deprecated in cryptography 2.0 and removed in 37.0.0.

verifier(signature: bytes, padding: AsymmetricPadding, algorithm: HashAlgorithm) -> NoReturn

Parameters

Name	Description
signature Required
padding Required
algorithm Required

verify

Verifies the signature of the data.

verify(signature: bytes, data: bytes, padding: AsymmetricPadding, algorithm: Prehashed | HashAlgorithm) -> None

Parameters

Name	Description
signature Required	bytes The signature to sign, as bytes.
data Required	bytes The message string that was signed., as bytes.
padding Required	<xref:cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding> The padding to use. Supported paddings are PKCS1v15 and PSS. For PSS, the only supported mask generation function is MGF1. See https://learn.microsoft.com/azure/key-vault/keys/about-keys-details for details.
algorithm Required	<xref:cryptography.hazmat.primitives.asymmetric.utils.Prehashed> or <xref:cryptography.hazmat.primitives.hashes.HashAlgorithm> The algorithm to sign with. Only HashAlgorithm`s are supported – specifically,` SHA256, SHA384, and SHA512.

Exceptions

Type	Description
InvalidSignature	If the signature does not validate.

Attributes

key_size

The bit length of the public modulus.

Returns

Type	Description
int	The key's size.

Exceptions

Type	Description
ValueError	if the client is unable to obtain the key material from Key Vault.

Поделиться через

KeyVaultRSAPublicKey Class

Constructor

Parameters

Methods

encrypt

Parameters

Returns

public_bytes

Parameters

Returns

Exceptions

public_numbers

Returns

Exceptions

recover_data_from_signature

Parameters

Returns

Exceptions

verifier

Parameters

verify

Parameters

Exceptions

Attributes

key_size

Returns

Exceptions

Дополнительные ресурсы