Bases
Bases: base classes for signers.
blake2signer.bases.Base
Base class containing the minimum for a signer.
DEFAULT_DIGEST_SIZE: int
Default digest size to use when no digest size is indicated.
MIN_DIGEST_SIZE: int
Minimum digest size allowed (during instantiation).
MIN_SECRET_SIZE: int
Minimum secret size allowed (during instantiation).
Hashers
Hasher selection choices.
__init__(self, secret, *, personalisation=b'', digest_size=None, hasher=<HasherChoice.blake2b: 'blake2b'>, deterministic=False, separator=b'.')
special
Sign and verify signed data using BLAKE2 in keyed hashing mode.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
secret | Union[str, bytes] | Secret value which will be derived using BLAKE2 to produce the signing key. The minimum secret size is enforced to 16 bytes and there is no maximum since the key will be derived to the maximum supported size. | required |
personalisation | Union[str, bytes] | Personalisation string to force the hash function to produce different digests for the same input. It is derived using BLAKE2 to ensure it fits the hasher limits, so it has no practical size limit. It defaults to the class name. | b'' |
digest_size | Optional[int] | Size of output signature (digest) in bytes (defaults to 16 bytes). The minimum size is enforced to 16 bytes. | None |
hasher | Union[blake2signer.bases.HasherChoice, str] | Hash function to use: blake2b (default) or blake2s. | <HasherChoice.blake2b: 'blake2b'> |
deterministic | bool | Define if signatures are deterministic or non-deterministic (default). Non-deterministic sigs are preferred, and achieved through the use of a random salt. For deterministic sigs, no salt is used: this means that for the same payload, the same sig is obtained (the advantage is that the sig is shorter). | False |
separator | Union[str, bytes] | Character to separate the signature and the payload. It must not belong to the encoder alphabet and be ASCII (defaults to "."). | b'.' |

Exceptions:

Type | Description |
---|---|
ConversionError | A bytes parameter is not bytes and can't be converted to bytes. |
InvalidOptionError | A parameter is out of bounds. |

Source code in blake2signer/bases.py
```python
def __init__(
    self,
    secret: typing.Union[str, bytes],
    *,
    personalisation: typing.Union[str, bytes] = b'',
    digest_size: typing.Optional[int] = None,
    hasher: typing.Union[HasherChoice, str] = HasherChoice.blake2b,
    deterministic: bool = False,
    separator: typing.Union[str, bytes] = b'.',
) -> None:
    """Sign and verify signed data using BLAKE2 in keyed hashing mode.

    Args:
        secret: Secret value which will be derived using BLAKE2 to
            produce the signing key. The minimum secret size is enforced to
            16 bytes and there is no maximum since the key will be derived to
            the maximum supported size.
        personalisation (optional): Personalisation string to force the hash
            function to produce different digests for the same input. It is
            derived using BLAKE2 to ensure it fits the hasher limits, so it
            has no practical size limit. It defaults to the class name.
        digest_size (optional): Size of output signature (digest) in bytes
            (defaults to 16 bytes). The minimum size is enforced to 16 bytes.
        hasher (optional): Hash function to use: blake2b (default) or blake2s.
        deterministic (optional): Define if signatures are deterministic or
            non-deterministic (default). Non-deterministic sigs are preferred,
            and achieved through the use of a random salt. For deterministic
            sigs, no salt is used: this means that for the same payload, the
            same sig is obtained (the advantage is that the sig is shorter).
        separator (optional): Character to separate the signature and the
            payload. It must not belong to the encoder alphabet and be ASCII
            (defaults to ".").

    Raises:
        ConversionError: A bytes parameter is not bytes and can't be converted
            to bytes.
        InvalidOptionError: A parameter is out of bounds.
    """
    self._hasher: typing.Union[
        typing.Type[hashlib.blake2b],
        typing.Type[hashlib.blake2s],
    ]
    self._hasher = self._validate_hasher(hasher)

    digest_size = self._validate_digest_size(digest_size)
    separator = self._validate_separator(separator)
    person = self._validate_person(personalisation)
    secret = self._validate_secret(secret)

    if deterministic:
        person += b'Deterministic'
    person += self.__class__.__name__.encode()

    self._deterministic: bool = deterministic
    self._digest_size: int = digest_size
    self._separator: bytes = separator
    self._person: bytes = self._derive_person(person)
    self._key: bytes = self._derive_key(secret, person=self._person)  # bye secret :)
```
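
The context separation that `Base.__init__` sets up (personalisation, plus `Deterministic` when requested, plus the class name), modelled with `hashlib` alone. This is an added example, not blake2signer's own code: `derive_context`, `sign` and `verify` are hypothetical helpers, the derivation steps are an assumption because the bodies of `_derive_person` and `_derive_key` are not shown on this page, and the class names passed in are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

B2 = hashlib.blake2b
MIN_SECRET_SIZE = 16  # minimum secret size stated on this page
DIGEST_SIZE = 16      # default digest size stated on this page


def derive_context(secret: bytes, personalisation: bytes, class_name: str,
                   deterministic: bool = False) -> Tuple[bytes, bytes]:
    """Return (key, person) for one signer context (assumed derivation)."""
    if len(secret) < MIN_SECRET_SIZE:
        raise ValueError('secret must be at least 16 bytes')
    person = personalisation
    if deterministic:
        person += b'Deterministic'  # same suffix order as Base.__init__
    person += class_name.encode()
    # Hash the personalisation down to the size BLAKE2b accepts (16 bytes).
    person = B2(person, digest_size=B2.PERSON_SIZE).digest()
    # Derive a maximum-size key from the secret, bound to that context.
    key = B2(secret, person=person, digest_size=B2.MAX_KEY_SIZE).digest()
    return key, person


def sign(payload: bytes, key: bytes, person: bytes,
         deterministic: bool = False) -> bytes:
    """Return salt + tag; the salt is empty for deterministic signatures."""
    salt = b'' if deterministic else secrets.token_bytes(B2.SALT_SIZE)
    tag = B2(payload, key=key, person=person, salt=salt,
             digest_size=DIGEST_SIZE).digest()
    return salt + tag


def verify(payload: bytes, signature: bytes, key: bytes, person: bytes,
           deterministic: bool = False) -> bool:
    """Recompute the tag and compare it in constant time."""
    salt_size = 0 if deterministic else B2.SALT_SIZE
    salt, tag = signature[:salt_size], signature[salt_size:]
    expected = B2(payload, key=key, person=person, salt=salt,
                  digest_size=DIGEST_SIZE).digest()
    return hmac.compare_digest(tag, expected)
```

With one shared secret, a tag produced for one class name or mode does not verify under another, which is the property the appended suffixes provide.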
blake2signer.bases.Blake2SignerBase
Base class for a signer based on BLAKE2 in keyed hashing mode.
__init__(self, secret, *, personalisation=b'', digest_size=None, hasher=<HasherChoice.blake2b: 'blake2b'>, deterministic=False, separator=b'.', encoder=<class 'blake2signer.encoders.B64URLEncoder'>)
special
Sign and verify signed data using BLAKE2 in keyed hashing mode.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
secret | Union[str, bytes] | Secret value which will be derived using BLAKE2 to produce the signing key. The minimum secret size is enforced to 16 bytes and there is no maximum since the key will be derived to the maximum supported size. | required |
personalisation | Union[str, bytes] | Personalisation string to force the hash function to produce different digests for the same input. It is derived using BLAKE2 to ensure it fits the hasher limits, so it has no practical size limit. It defaults to the class name. | b'' |
digest_size | Optional[int] | Size of output signature (digest) in bytes (defaults to 16 bytes). The minimum size is enforced to 16 bytes. | None |
hasher | Union[blake2signer.bases.HasherChoice, str] | Hash function to use: blake2b (default) or blake2s. | <HasherChoice.blake2b: 'blake2b'> |
deterministic | bool | Define if signatures are deterministic or non-deterministic (default). Non-deterministic sigs are preferred, and achieved through the use of a random salt. For deterministic sigs, no salt is used: this means that for the same payload, the same sig is obtained (the advantage is that the sig is shorter). | False |
separator | Union[str, bytes] | Character to separate the signature and the payload. It must not belong to the encoder alphabet and be ASCII (defaults to "."). | b'.' |
encoder | Type[blake2signer.interfaces.EncoderInterface] | Encoder class to use for the signature, nothing else is encoded (defaults to a Base64 URL safe encoder). | <class 'blake2signer.encoders.B64URLEncoder'> |

Exceptions:

Type | Description |
---|---|
ConversionError | A bytes parameter is not bytes and can't be converted to bytes. |
InvalidOptionError | A parameter is out of bounds. |

Source code in blake2signer/bases.py
```python
def __init__(
    self,
    secret: typing.Union[str, bytes],
    *,
    personalisation: typing.Union[str, bytes] = b'',
    digest_size: typing.Optional[int] = None,
    hasher: typing.Union[HasherChoice, str] = HasherChoice.blake2b,
    deterministic: bool = False,
    separator: typing.Union[str, bytes] = b'.',
    encoder: typing.Type[EncoderInterface] = B64URLEncoder,
) -> None:
    """Sign and verify signed data using BLAKE2 in keyed hashing mode.

    Args:
        secret: Secret value which will be derived using BLAKE2 to
            produce the signing key. The minimum secret size is enforced to
            16 bytes and there is no maximum since the key will be derived to
            the maximum supported size.
        personalisation (optional): Personalisation string to force the hash
            function to produce different digests for the same input. It is
            derived using BLAKE2 to ensure it fits the hasher limits, so it
            has no practical size limit. It defaults to the class name.
        digest_size (optional): Size of output signature (digest) in bytes
            (defaults to 16 bytes). The minimum size is enforced to 16 bytes.
        hasher (optional): Hash function to use: blake2b (default) or blake2s.
        deterministic (optional): Define if signatures are deterministic or
            non-deterministic (default). Non-deterministic sigs are preferred,
            and achieved through the use of a random salt. For deterministic
            sigs, no salt is used: this means that for the same payload, the
            same sig is obtained (the advantage is that the sig is shorter).
        separator (optional): Character to separate the signature and the
            payload. It must not belong to the encoder alphabet and be ASCII
            (defaults to ".").
        encoder (optional): Encoder class to use for the signature, nothing
            else is encoded (defaults to a Base64 URL safe encoder).

    Raises:
        ConversionError: A bytes parameter is not bytes and can't be converted
            to bytes.
        InvalidOptionError: A parameter is out of bounds.
    """
    super().__init__(
        secret,
        personalisation=personalisation,
        digest_size=digest_size,
        hasher=hasher,
        separator=separator,
        deterministic=deterministic,
        encoder=encoder,
    )
```
blake2signer.bases.Blake2TimestampSignerBase
Base class for a timestamp signer based on BLAKE2 in keyed hashing mode.
blake2signer.bases.Blake2DualSignerBase
Base class for a dual signer: with and without timestamp.
__init__(self, secret, *, max_age=None, personalisation=b'', digest_size=None, hasher=<HasherChoice.blake2b: 'blake2b'>, deterministic=False, separator=b'.', encoder=<class 'blake2signer.encoders.B64URLEncoder'>)
special
Sign and verify signed and optionally timestamped data using BLAKE2.
It uses BLAKE2 in keyed hashing mode.
Setting `max_age` will produce a timestamped signed stream.
Parameters:

Name | Type | Description | Default |
---|---|---|---|
secret | Union[str, bytes] | Secret value which will be derived using BLAKE2 to produce the signing key. The minimum secret size is enforced to 16 bytes and there is no maximum since the key will be derived to the maximum supported size. | required |
max_age | Union[NoneType, int, float, datetime.timedelta] | Use a timestamp signer instead of a regular one to ensure that the signature is not older than this time in seconds. | None |
personalisation | Union[str, bytes] | Personalisation string to force the hash function to produce different digests for the same input. It is derived using BLAKE2 to ensure it fits the hasher limits, so it has no practical size limit. It defaults to the class name. | b'' |
digest_size | Optional[int] | Size of output signature (digest) in bytes (defaults to 16 bytes). The minimum size is enforced to 16 bytes. | None |
hasher | Union[blake2signer.bases.HasherChoice, str] | Hash function to use: blake2b (default) or blake2s. | <HasherChoice.blake2b: 'blake2b'> |
deterministic | bool | Define if signatures are deterministic or non-deterministic (default). Non-deterministic sigs are preferred, and achieved through the use of a random salt. For deterministic sigs, no salt is used: this means that for the same payload, the same sig is obtained (the advantage is that the sig is shorter). | False |
separator | Union[str, bytes] | Character to separate the signature and the payload. It must not belong to the encoder alphabet and be ASCII (defaults to "."). | b'.' |
encoder | Type[blake2signer.interfaces.EncoderInterface] | Encoder class to use (defaults to a Base64 URL safe encoder). | <class 'blake2signer.encoders.B64URLEncoder'> |

Exceptions:

Type | Description |
---|---|
ConversionError | A bytes parameter is not bytes and can't be converted to bytes. |
InvalidOptionError | A parameter is out of bounds. |

Source code in blake2signer/bases.py
```python
def __init__(
    self,
    secret: typing.Union[str, bytes],
    *,
    max_age: typing.Union[None, int, float, timedelta] = None,
    personalisation: typing.Union[str, bytes] = b'',
    digest_size: typing.Optional[int] = None,
    hasher: typing.Union[HasherChoice, str] = HasherChoice.blake2b,
    deterministic: bool = False,
    separator: typing.Union[str, bytes] = b'.',
    encoder: typing.Type[EncoderInterface] = B64URLEncoder,
) -> None:
    """Sign and verify signed and optionally timestamped data using BLAKE2.

    It uses BLAKE2 in keyed hashing mode.

    Setting `max_age` will produce a timestamped signed stream.

    Args:
        secret: Secret value which will be derived using BLAKE2 to
            produce the signing key. The minimum secret size is enforced to
            16 bytes and there is no maximum since the key will be derived to
            the maximum supported size.
        max_age (optional): Use a timestamp signer instead of a regular one
            to ensure that the signature is not older than this time in seconds.
        personalisation (optional): Personalisation string to force the hash
            function to produce different digests for the same input. It is
            derived using BLAKE2 to ensure it fits the hasher limits, so it
            has no practical size limit. It defaults to the class name.
        digest_size (optional): Size of output signature (digest) in bytes
            (defaults to 16 bytes). The minimum size is enforced to 16 bytes.
        hasher (optional): Hash function to use: blake2b (default) or blake2s.
        deterministic (optional): Define if signatures are deterministic or
            non-deterministic (default). Non-deterministic sigs are preferred,
            and achieved through the use of a random salt. For deterministic
            sigs, no salt is used: this means that for the same payload, the
            same sig is obtained (the advantage is that the sig is shorter).
        separator (optional): Character to separate the signature and the
            payload. It must not belong to the encoder alphabet and be ASCII
            (defaults to ".").
        encoder (optional): Encoder class to use (defaults to a Base64 URL
            safe encoder).

    Raises:
        ConversionError: A bytes parameter is not bytes and can't be converted
            to bytes.
        InvalidOptionError: A parameter is out of bounds.
    """
    if max_age is not None:
        personalisation = self._force_bytes(personalisation) + b'Timestamp'

    self._max_age: typing.Union[None, int, float, timedelta] = max_age

    super().__init__(
        secret,
        personalisation=personalisation,
        digest_size=digest_size,
        hasher=hasher,
        deterministic=deterministic,
        separator=separator,
        encoder=encoder,
    )
```
blake2signer.bases.Blake2SerializerSignerBase
Base class for a serializer signer that implements `dumps` and `loads`.
Signatures
blake2signer.bases.Blake2Signature
dataclass
Signature container.
blake2signer.bases.Blake2SignatureDump
dataclass
Signature container.