1.. hazmat:: 2 3Key Serialization 4================= 5 6.. module:: cryptography.hazmat.primitives.serialization 7 8.. testsetup:: 9 10 import base64 11 12 pem_data = b""" 13 -----BEGIN RSA PRIVATE KEY----- 14 MIICXgIBAAKBgQDn09PV9KPE7Q+N5K5UtNLT1DLl8z/pKM2pP5tXqWx2OsEw00lC 15 kDHdHESwzS050s/8rtkERKKyusCzCm9+vC1pQzUlmtibfF4PQAQc1pJL6KHqlidg 16 Hw49atYmnC25CaeXt65pAYXoIacOZ8k5X7FW3Eagex8nG0iMw4ObOtg6CwIDAQAB 17 AoGBAL31l/4YYN1rNrSZLrQgGyUSGsbLxJHEKolFon95R3O1fzoH117gkstQb4TE 18 Cwv3jw/JIfBaYUq8tku/AE9D2Jx51x7kYaCuQIMTavKIgkXKfxTQCQDjSEfkvXMW 19 4WOIj5sYdSCNbzLbaeFsWG32bSsBTy/sSheDIlCEFnqDuqwBAkEA+wYfJEMDf5nS 20 VCQd9VKGM4HVeTWBioaWBFCflFdhc1Vb65dsNDp8iIMZgAHC2LEX5dMUmgqXk7AT 21 lwFlIeW4CwJBAOxsSfuIVMuPKyx1xQ6ebpC7zeVxIOdswcM8ain91MSGDdKZw6pF 22 ioFh3kUbKHw4yqqHbdRmUDAJ1mcgGJQOxgECQQCmQaGylKfmhWymyd0FtIip6J4I 23 z4ViyEznwrZOu6kRiEF/QiUqWmpMx/fFrmTsvC5Fy43jkIxgBsiSxRvEXa+NAkB+ 24 5m0bhwTEslchKSGZhC6inzuYAQ4BSh4C1mXBnk5bIf0/Ymtk9KiwY8CzZS1o5+7Y 25 c5LfI/+8mTss5UxsBDYBAkEA6NqhcsNWndIJZiWUU4u+RjFUQXqH8WCyJmEDCNxs 26 7SGRS1DTUGX4Y70m9dQpguy6Zg+gpHC+o+ERZR06uEQr+w== 27 -----END RSA PRIVATE KEY----- 28 """.strip() 29 public_pem_data = b""" 30 -----BEGIN PUBLIC KEY----- 31 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDn09PV9KPE7Q+N5K5UtNLT1DLl 32 8z/pKM2pP5tXqWx2OsEw00lCkDHdHESwzS050s/8rtkERKKyusCzCm9+vC1pQzUl 33 mtibfF4PQAQc1pJL6KHqlidgHw49atYmnC25CaeXt65pAYXoIacOZ8k5X7FW3Eag 34 ex8nG0iMw4ObOtg6CwIDAQAB 35 -----END PUBLIC KEY----- 36 """.strip() 37 der_data = base64.b64decode( 38 b"MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALskegl+DrI3Msw5Z63x" 39 b"nj1rgoPR0KykwBi+jZgAwHv/B0TJyhy6NuEnaf+x442L7lepOqoWQzlUGXyuaSQU9mT/" 40 b"vHTGZ2xM8QJJaccr4eGho0MU9HePyNCFWjWVrGKpwSEAd6CLlzC0Wiy4kC9IoAUoS/IP" 41 b"jeyLTQNCddatgcARAgMBAAECgYAA/LlKJgeJUStTcpHgGD6mXjHvnAwWJELQKDP5+tA8" 42 b"VAQGwBX1G5qzJDGrPGtHQ7DSqdwF4YFZtgTpZmGq1wsAjz3lv6L4XiVsHiIPtP1B4gMx" 43 b"X9ogxcDzVQ7hyezXPioMAcp7Isus9Csn8HhftcL56BRabn6GvWqbIAy6zJcgEQJBAMlZ" 44 b"nymKW5/jKth+wkCfqEXlPhGNPO1uq87QZUbYxwdjtSM09J9+HMfH+WXR9ARCOL46DJ0I" 45 b"JfyjcdmuDDlh9IkCQQDt76up1Tmc7lkb/89IRBu2MudGJPMEf96VCG11nmcXulyk1OLi" 46 b"TXfO62YpxZbgYrvlrNxEYlSG7WQMztBgA51JAkBU2RhyJ+S+drsaaigvlVgSxCyotszi" 47 b"/Q0XZMgY18bfPUwanvkqsLkuEv3sw1HB7an9t3aTQdjIIpQad/acw8OJAkEAjvmnCK21" 48 b"KgTbjQShtQYgNNLPwImxcjG4OYvP4o6l2k9FHlNCZsQwSymOwWkXKYyK5g+CaKFBs7Zw" 49 b"mXWpJxjk6QJBAInqbm1w3yVfGD9I2mMQi/6oDJQP3pdWU4mU4h4sdDyRgTQLpkD4yypg" 50 b"jOACt4mTzxifSVT9fT+a79SkT8FFmZE=" 51 ) 52 public_der_data = base64.b64decode( 53 b"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7JHoJfg6yNzLMOWet8Z49a4KD0dCs" 54 b"pMAYvo2YAMB7/wdEycocujbhJ2n/seONi+5XqTqqFkM5VBl8rmkkFPZk/7x0xmdsTPEC" 55 b"SWnHK+HhoaNDFPR3j8jQhVo1laxiqcEhAHegi5cwtFosuJAvSKAFKEvyD43si00DQnXW" 56 b"rYHAEQIDAQAB" 57 ) 58 message = b"" 59 60 def sign_with_rsa_key(key, message): 61 return b"" 62 63 def sign_with_dsa_key(key, message): 64 return b"" 65 66 parameters_pem_data = b""" 67 -----BEGIN DH PARAMETERS----- 68 MIGHAoGBALsrWt44U1ojqTy88o0wfjysBE51V6Vtarjm2+5BslQK/RtlndHde3gx 69 +ccNs+InANszcuJFI8AHt4743kGRzy5XSlul4q4dDJENOHoyqYxueFuFVJELEwLQ 70 XrX/McKw+hS6GPVQnw6tZhgGo9apdNdYgeLQeQded8Bum8jqzP3rAgEC 71 -----END DH PARAMETERS----- 72 """.strip() 73 74 parameters_der_data = base64.b64decode( 75 b"MIGHAoGBALsrWt44U1ojqTy88o0wfjysBE51V6Vtarjm2+5BslQK/RtlndHde3gx+ccNs+In" 76 b"ANsz\ncuJFI8AHt4743kGRzy5XSlul4q4dDJENOHoyqYxueFuFVJELEwLQXrX/McKw+hS6GP" 77 b"VQnw6tZhgG\no9apdNdYgeLQeQded8Bum8jqzP3rAgEC" 78 ) 79 80There are several common schemes for serializing asymmetric private and public 81keys to bytes. They generally support encryption of private keys and additional 82key metadata. 83 84Many serialization formats support multiple different types of asymmetric keys 85and will return an instance of the appropriate type. You should check that 86the returned key matches the type your application expects when using these 87methods. 88 89 .. doctest:: 90 91 >>> from cryptography.hazmat.backends import default_backend 92 >>> from cryptography.hazmat.primitives.asymmetric import dsa, rsa 93 >>> from cryptography.hazmat.primitives.serialization import load_pem_private_key 94 >>> key = load_pem_private_key(pem_data, password=None, backend=default_backend()) 95 >>> if isinstance(key, rsa.RSAPrivateKey): 96 ... signature = sign_with_rsa_key(key, message) 97 ... elif isinstance(key, dsa.DSAPrivateKey): 98 ... signature = sign_with_dsa_key(key, message) 99 ... else: 100 ... raise TypeError 101 102Key dumping 103~~~~~~~~~~~ 104 105The ``serialization`` module contains functions for loading keys from 106``bytes``. To dump a ``key`` object to ``bytes``, you must call the appropriate 107method on the key object. Documentation for these methods in found in the 108:mod:`~cryptography.hazmat.primitives.asymmetric.rsa`, 109:mod:`~cryptography.hazmat.primitives.asymmetric.dsa`, and 110:mod:`~cryptography.hazmat.primitives.asymmetric.ec` module documentation. 111 112PEM 113~~~ 114 115PEM is an encapsulation format, meaning keys in it can actually be any of 116several different key types. However these are all self-identifying, so you 117don't need to worry about this detail. PEM keys are recognizable because they 118all begin with ``-----BEGIN {format}-----`` and end with ``-----END 119{format}-----``. 120 121.. note:: 122 123 A PEM block which starts with ``-----BEGIN CERTIFICATE-----`` is not a 124 public or private key, it's an :doc:`X.509 Certificate </x509/index>`. You 125 can load it using :func:`~cryptography.x509.load_pem_x509_certificate` and 126 extract the public key with 127 :meth:`Certificate.public_key <cryptography.x509.Certificate.public_key>`. 128 129.. function:: load_pem_private_key(data, password, backend) 130 131 .. versionadded:: 0.6 132 133 Deserialize a private key from PEM encoded data to one of the supported 134 asymmetric private key types. 135 136 :param data: The PEM encoded key data. 137 :type data: :term:`bytes-like` 138 139 :param password: The password to use to decrypt the data. Should 140 be ``None`` if the private key is not encrypted. 141 :type data: :term:`bytes-like` 142 143 :param backend: An instance of 144 :class:`~cryptography.hazmat.backends.interfaces.PEMSerializationBackend`. 145 146 :returns: One of 147 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, 148 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`, 149 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`, 150 or 151 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey` 152 depending on the contents of ``data``. 153 154 :raises ValueError: If the PEM data could not be decrypted or if its 155 structure could not be decoded successfully. 156 157 :raises TypeError: If a ``password`` was given and the private key was 158 not encrypted. Or if the key was encrypted but no 159 password was supplied. 160 161 :raises cryptography.exceptions.UnsupportedAlgorithm: If the serialized key 162 is of a type that is not supported by the backend or if the key is 163 encrypted with a symmetric cipher that is not supported by the backend. 164 165.. function:: load_pem_public_key(data, backend) 166 167 .. versionadded:: 0.6 168 169 Deserialize a public key from PEM encoded data to one of the supported 170 asymmetric public key types. The PEM encoded data is typically a 171 ``subjectPublicKeyInfo`` payload as specified in :rfc:`5280`. 172 173 .. doctest:: 174 175 >>> from cryptography.hazmat.primitives.serialization import load_pem_public_key 176 >>> key = load_pem_public_key(public_pem_data, backend=default_backend()) 177 >>> isinstance(key, rsa.RSAPublicKey) 178 True 179 180 :param bytes data: The PEM encoded key data. 181 182 :param backend: An instance of 183 :class:`~cryptography.hazmat.backends.interfaces.PEMSerializationBackend`. 184 185 186 :returns: One of 187 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`, 188 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`, 189 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`, 190 or 191 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey` 192 depending on the contents of ``data``. 193 194 :raises ValueError: If the PEM data's structure could not be decoded 195 successfully. 196 197 :raises cryptography.exceptions.UnsupportedAlgorithm: If the serialized key 198 is of a type that is not supported by the backend. 199 200.. function:: load_pem_parameters(data, backend) 201 202 .. versionadded:: 2.0 203 204 Deserialize parameters from PEM encoded data to one of the supported 205 asymmetric parameters types. 206 207 .. doctest:: 208 209 >>> from cryptography.hazmat.primitives.serialization import load_pem_parameters 210 >>> from cryptography.hazmat.primitives.asymmetric import dh 211 >>> parameters = load_pem_parameters(parameters_pem_data, backend=default_backend()) 212 >>> isinstance(parameters, dh.DHParameters) 213 True 214 215 :param bytes data: The PEM encoded parameters data. 216 217 :param backend: An instance of 218 :class:`~cryptography.hazmat.backends.interfaces.PEMSerializationBackend`. 219 220 221 :returns: Currently only 222 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters` 223 supported. 224 225 :raises ValueError: If the PEM data's structure could not be decoded 226 successfully. 227 228 :raises cryptography.exceptions.UnsupportedAlgorithm: If the serialized parameters 229 is of a type that is not supported by the backend. 230 231DER 232~~~ 233 234DER is an ASN.1 encoding type. There are no encapsulation boundaries and the 235data is binary. DER keys may be in a variety of formats, but as long as you 236know whether it is a public or private key the loading functions will handle 237the rest. 238 239.. function:: load_der_private_key(data, password, backend) 240 241 .. versionadded:: 0.8 242 243 Deserialize a private key from DER encoded data to one of the supported 244 asymmetric private key types. 245 246 :param data: The DER encoded key data. 247 :type data: :term:`bytes-like` 248 249 :param password: The password to use to decrypt the data. Should 250 be ``None`` if the private key is not encrypted. 251 :type password: :term:`bytes-like` 252 253 :param backend: An instance of 254 :class:`~cryptography.hazmat.backends.interfaces.DERSerializationBackend`. 255 256 :returns: One of 257 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, 258 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`, 259 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`, 260 or 261 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey` 262 depending on the contents of ``data``. 263 264 :raises ValueError: If the DER data could not be decrypted or if its 265 structure could not be decoded successfully. 266 267 :raises TypeError: If a ``password`` was given and the private key was 268 not encrypted. Or if the key was encrypted but no 269 password was supplied. 270 271 :raises cryptography.exceptions.UnsupportedAlgorithm: If the serialized key is of a type that 272 is not supported by the backend or if the key is encrypted with a 273 symmetric cipher that is not supported by the backend. 274 275 .. doctest:: 276 277 >>> from cryptography.hazmat.backends import default_backend 278 >>> from cryptography.hazmat.primitives.asymmetric import rsa 279 >>> from cryptography.hazmat.primitives.serialization import load_der_private_key 280 >>> key = load_der_private_key(der_data, password=None, backend=default_backend()) 281 >>> isinstance(key, rsa.RSAPrivateKey) 282 True 283 284.. function:: load_der_public_key(data, backend) 285 286 .. versionadded:: 0.8 287 288 Deserialize a public key from DER encoded data to one of the supported 289 asymmetric public key types. The DER encoded data is typically a 290 ``subjectPublicKeyInfo`` payload as specified in :rfc:`5280`. 291 292 :param bytes data: The DER encoded key data. 293 294 :param backend: An instance of 295 :class:`~cryptography.hazmat.backends.interfaces.DERSerializationBackend`. 296 297 :returns: One of 298 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`, 299 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`, 300 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`, 301 or 302 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey` 303 depending on the contents of ``data``. 304 305 :raises ValueError: If the DER data's structure could not be decoded 306 successfully. 307 308 :raises cryptography.exceptions.UnsupportedAlgorithm: If the serialized key is of a type that 309 is not supported by the backend. 310 311 .. doctest:: 312 313 >>> from cryptography.hazmat.backends import default_backend 314 >>> from cryptography.hazmat.primitives.asymmetric import rsa 315 >>> from cryptography.hazmat.primitives.serialization import load_der_public_key 316 >>> key = load_der_public_key(public_der_data, backend=default_backend()) 317 >>> isinstance(key, rsa.RSAPublicKey) 318 True 319 320.. function:: load_der_parameters(data, backend) 321 322 .. versionadded:: 2.0 323 324 Deserialize parameters from DER encoded data to one of the supported 325 asymmetric parameters types. 326 327 :param bytes data: The DER encoded parameters data. 328 329 :param backend: An instance of 330 :class:`~cryptography.hazmat.backends.interfaces.DERSerializationBackend`. 331 332 :returns: Currently only 333 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters` 334 supported. 335 336 :raises ValueError: If the DER data's structure could not be decoded 337 successfully. 338 339 :raises cryptography.exceptions.UnsupportedAlgorithm: If the serialized key is of a type that 340 is not supported by the backend. 341 342 .. doctest:: 343 344 >>> from cryptography.hazmat.backends import default_backend 345 >>> from cryptography.hazmat.primitives.asymmetric import dh 346 >>> from cryptography.hazmat.primitives.serialization import load_der_parameters 347 >>> parameters = load_der_parameters(parameters_der_data, backend=default_backend()) 348 >>> isinstance(parameters, dh.DHParameters) 349 True 350 351 352OpenSSH Public Key 353~~~~~~~~~~~~~~~~~~ 354 355The format used by OpenSSH to store public keys, as specified in :rfc:`4253`. 356 357An example RSA key in OpenSSH format (line breaks added for formatting 358purposes):: 359 360 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDu/XRP1kyK6Cgt36gts9XAk 361 FiiuJLW6RU0j3KKVZSs1I7Z3UmU9/9aVh/rZV43WQG8jaR6kkcP4stOR0DEtll 362 PDA7ZRBnrfiHpSQYQ874AZaAoIjgkv7DBfsE6gcDQLub0PFjWyrYQUJhtOLQEK 363 vY/G0vt2iRL3juawWmCFdTK3W3XvwAdgGk71i6lHt+deOPNEPN2H58E4odrZ2f 364 sxn/adpDqfb2sM0kPwQs0aWvrrKGvUaustkivQE4XWiSFnB0oJB/lKK/CKVKuy 365 ///ImSCGHQRvhwariN2tvZ6CBNSLh3iQgeB0AkyJlng7MXB2qYq/Ci2FUOryCX 366 2MzHvnbv testkey@localhost 367 368DSA keys look almost identical but begin with ``ssh-dss`` rather than 369``ssh-rsa``. ECDSA keys have a slightly different format, they begin with 370``ecdsa-sha2-{curve}``. 371 372.. function:: load_ssh_public_key(data, backend) 373 374 .. versionadded:: 0.7 375 376 Deserialize a public key from OpenSSH (:rfc:`4253`) encoded data to an 377 instance of the public key type for the specified backend. 378 379 .. note:: 380 381 Currently Ed25519 keys are not supported. 382 383 :param bytes data: The OpenSSH encoded key data. 384 385 :param backend: A backend which implements 386 :class:`~cryptography.hazmat.backends.interfaces.RSABackend`, 387 :class:`~cryptography.hazmat.backends.interfaces.DSABackend`, or 388 :class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend` 389 depending on the key's type. 390 391 :returns: One of 392 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`, 393 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`, 394 or 395 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey` 396 depending on the contents of ``data``. 397 398 :raises ValueError: If the OpenSSH data could not be properly decoded or 399 if the key is not in the proper format. 400 401 :raises cryptography.exceptions.UnsupportedAlgorithm: If the serialized 402 key is of a type that is not supported. 403 404PKCS12 405~~~~~~ 406 407.. currentmodule:: cryptography.hazmat.primitives.serialization.pkcs12 408 409PKCS12 is a binary format described in :rfc:`7292`. It can contain 410certificates, keys, and more. PKCS12 files commonly have a ``pfx`` or ``p12`` 411file suffix. 412 413.. note:: 414 415 ``cryptography`` only supports a single private key and associated 416 certificates when parsing PKCS12 files at this time. 417 418.. function:: load_key_and_certificates(data, password, backend) 419 420 .. versionadded:: 2.5 421 422 Deserialize a PKCS12 blob. 423 424 :param data: The binary data. 425 :type data: :term:`bytes-like` 426 427 :param password: The password to use to decrypt the data. ``None`` 428 if the PKCS12 is not encrypted. 429 :type password: :term:`bytes-like` 430 431 :param backend: A backend instance. 432 433 :returns: A tuple of 434 ``(private_key, certificate, additional_certificates)``. 435 ``private_key`` is a private key type or ``None``, ``certificate`` 436 is either the :class:`~cryptography.x509.Certificate` whose public key 437 matches the private key in the PKCS 12 object or ``None``, and 438 ``additional_certificates`` is a list of all other 439 :class:`~cryptography.x509.Certificate` instances in the PKCS12 object. 440 441Serialization Formats 442~~~~~~~~~~~~~~~~~~~~~ 443 444.. currentmodule:: cryptography.hazmat.primitives.serialization 445 446.. class:: PrivateFormat 447 448 .. versionadded:: 0.8 449 450 An enumeration for private key formats. Used with the ``private_bytes`` 451 method available on 452 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization` 453 , 454 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization` 455 , :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKeyWithSerialization` 456 and 457 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithSerialization`. 458 459 .. attribute:: TraditionalOpenSSL 460 461 Frequently known as PKCS#1 format. Still a widely used format, but 462 generally considered legacy. 463 464 A PEM encoded RSA key will look like:: 465 466 -----BEGIN RSA PRIVATE KEY----- 467 ... 468 -----END RSA PRIVATE KEY----- 469 470 .. attribute:: PKCS8 471 472 A more modern format for serializing keys which allows for better 473 encryption. Choose this unless you have explicit legacy compatibility 474 requirements. 475 476 A PEM encoded key will look like:: 477 478 -----BEGIN PRIVATE KEY----- 479 ... 480 -----END PRIVATE KEY----- 481 482 .. attribute:: Raw 483 484 .. versionadded:: 2.5 485 486 A raw format used by :doc:`/hazmat/primitives/asymmetric/x448`. It is a 487 binary format and is invalid for other key types. 488 489.. class:: PublicFormat 490 491 .. versionadded:: 0.8 492 493 An enumeration for public key formats. Used with the ``public_bytes`` 494 method available on 495 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKeyWithSerialization` 496 , 497 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKeyWithSerialization` 498 , :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKeyWithSerialization` 499 , and 500 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKeyWithSerialization`. 501 502 .. attribute:: SubjectPublicKeyInfo 503 504 This is the typical public key format. It consists of an algorithm 505 identifier and the public key as a bit string. Choose this unless 506 you have specific needs. 507 508 A PEM encoded key will look like:: 509 510 -----BEGIN PUBLIC KEY----- 511 ... 512 -----END PUBLIC KEY----- 513 514 .. attribute:: PKCS1 515 516 Just the public key elements (without the algorithm identifier). This 517 format is RSA only, but is used by some older systems. 518 519 A PEM encoded key will look like:: 520 521 -----BEGIN RSA PUBLIC KEY----- 522 ... 523 -----END RSA PUBLIC KEY----- 524 525 .. attribute:: OpenSSH 526 527 .. versionadded:: 1.4 528 529 The public key format used by OpenSSH (e.g. as found in 530 ``~/.ssh/id_rsa.pub`` or ``~/.ssh/authorized_keys``). 531 532 .. attribute:: Raw 533 534 .. versionadded:: 2.5 535 536 A raw format used by :doc:`/hazmat/primitives/asymmetric/x448`. It is a 537 binary format and is invalid for other key types. 538 539 .. attribute:: CompressedPoint 540 541 .. versionadded:: 2.5 542 543 A compressed elliptic curve public key as defined in ANSI X9.62 section 544 4.3.6 (as well as `SEC 1 v2.0`_). 545 546 .. attribute:: UncompressedPoint 547 548 .. versionadded:: 2.5 549 550 An uncompressed elliptic curve public key as defined in ANSI X9.62 551 section 4.3.6 (as well as `SEC 1 v2.0`_). 552 553.. class:: ParameterFormat 554 555 .. versionadded:: 2.0 556 557 An enumeration for parameters formats. Used with the ``parameter_bytes`` 558 method available on 559 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParametersWithSerialization`. 560 561 .. attribute:: PKCS3 562 563 ASN1 DH parameters sequence as defined in `PKCS3`_. 564 565Serialization Encodings 566~~~~~~~~~~~~~~~~~~~~~~~ 567 568.. class:: Encoding 569 570 An enumeration for encoding types. Used with the ``private_bytes`` method 571 available on 572 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization` 573 , 574 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization` 575 , :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKeyWithSerialization`, 576 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithSerialization`, 577 and 578 :class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey` 579 as well as ``public_bytes`` on 580 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`, 581 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`, 582 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`, 583 and 584 :class:`~cryptography.hazmat.primitives.asymmetric.x448.X448PublicKey`. 585 586 .. attribute:: PEM 587 588 .. versionadded:: 0.8 589 590 For PEM format. This is a base64 format with delimiters. 591 592 .. attribute:: DER 593 594 .. versionadded:: 0.9 595 596 For DER format. This is a binary format. 597 598 .. attribute:: OpenSSH 599 600 .. versionadded:: 1.4 601 602 The format used by OpenSSH public keys. This is a text format. 603 604 .. attribute:: Raw 605 606 .. versionadded:: 2.5 607 608 A raw format used by :doc:`/hazmat/primitives/asymmetric/x448`. It is a 609 binary format and is invalid for other key types. 610 611 .. attribute:: X962 612 613 .. versionadded:: 2.5 614 615 The format used by elliptic curve point encodings. This is a binary 616 format. 617 618 619Serialization Encryption Types 620~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 621 622.. class:: KeySerializationEncryption 623 624 Objects with this interface are usable as encryption types with methods 625 like ``private_bytes`` available on 626 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization` 627 , 628 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization` 629 , :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKeyWithSerialization` 630 and 631 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithSerialization`. 632 All other classes in this section represent the available choices for 633 encryption and have this interface. They are used with 634 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization.private_bytes`. 635 636.. class:: BestAvailableEncryption(password) 637 638 Encrypt using the best available encryption for a given key's backend. 639 This is a curated encryption choice and the algorithm may change over 640 time. 641 642 :param bytes password: The password to use for encryption. 643 644.. class:: NoEncryption 645 646 Do not encrypt. 647 648 649.. _`PKCS3`: https://www.teletrust.de/fileadmin/files/oid/oid_pkcs-3v1-4.pdf 650.. _`SEC 1 v2.0`: http://www.secg.org/sec1-v2.pdf 651