GoogleKMS Class

Properties   Methods   Events   Config Settings   Errors  

The GoogleKMS class provides an easy-to-use interface for the Google Cloud Key Management Service.

Syntax

class cloudkeys.GoogleKMS

Remarks

The GoogleKMS class makes it easy to work with the Google Cloud Key Management Service (KMS) in a secure manner using TLS. Google KMS allows you to create and manage key rings that contain symmetric and asymmetric keys. Each key has one or more versions which can be used for cryptographic operations.

To begin, register for a Google Cloud account. Set the google_project_id property to your full Google Cloud project Id, and set the location property to the Google Cloud location you'd like to make requests against (by default, the us multi-regional location is used). Note that each location's resources are completely separate from the others'.

This class requires authentication via OAuth 2.0. First, perform OAuth authentication using the o_auth property to set the appropriate fields for the chosen o_auth_client_profile and o_auth_grant_type.

The class has the following defaults:

Application Profile

This profile encompasses the most basic grant types that OAuth supports. When this profile is set, all the requests and response handling is done by the class. Depending on the grant type, this may involve launching a browser so a user can login to authenticate with a authorization server. It may also involve starting an embedded web server to receive a response from a redirect.

To start the authentication and authorization process, the authorize method should be called. If the authorization and authentication was successful, then the o_auth_access_token property will be populated. Additionally, if a refresh token was provided the o_auth_refresh_token property will be populated as well. These values of the fields are for informational purposes. The class will also cache these tokens along with when the o_auth_access_token will be expired. When a method that makes requests to the service provider is called or the authorize method is called the class will automatically check to see if the access token is expired. If it is, it will then automatically try to get a new o_auth_access_token. If the authorize method was not used and user interaction would be required, the class will throw an error which can be caught. When user interaction is needed depends on what grant type is set in the o_auth_grant_type property. To force the component to only check the access token when the authorize method is called, the OAuthAutomaticRefresh configuration setting can be set to false.

A brief description of the supported values for the o_auth_grant_type property are below. For more information, see the service documentation.

Authorization Code

When using the Authorization Code grant type, the class will use an authorization code to get an access token. For this o_auth_grant_type the class expects a o_auth_client_id, o_auth_client_secret, o_auth_server_auth_url, and o_auth_server_token_url to be set. When the authorize method is called, the component will start the embedded web server and launch the browser so the user can authorize the application. Once the user authorizes, the service provider will redirect them to the embedded web server and the class will parse the authorization code, setting the o_auth_authorization_code property, from the redirect. Immediately, the class will make a request to the token server to exchange the authorization code for an access token. The token server will return an access token and possibly a refresh token. If the o_auth_refresh_token property is set, or a refresh token is cached, then the class will not launch the browser and use the refresh token in its request to the token server instead of an authorization code.

Example: GoogleKMS googlekms = new GoogleKMS(); googlekms.OAuth.ClientProfile = CloudOAuthClientProfiles.cocpApplication; googlekms.OAuth.GrantType = OAuthSettingsGrantTypes.cogtAuthorizationCode; googlekms.OAuth.ClientId = CLIENT_ID; googlekms.OAuth.ClientSecret = CLIENT_SECRET; googlekms.Authorize();

Implicit

Note: This grant type is considered insecure and should only be used when necessary.

When using the Implicit grant type, the class will request the authorization server to get an access token. For this o_auth_grant_type the class expects a o_auth_client_id, o_auth_client_secret, and o_auth_server_auth_url to be set. When the authorize method is called, the component will start the embedded web server and launch the browser so the user can authorize the application. Once the user authorizes, the service provider will redirect them to the embedded web server and the class will parse the access token from the redirect.

A disadvantage of the grant type is that can not use a refresh token to silently get a new access token. Most service providers offer a way to silently get a new access token. See the service documentation for specifics. This means the class will not be able to automatically get a fresh token once it expires.

Web Profile

External OAuth Support

Bearer ACCESS_TOKEN_VALUE

Assign this value to the authorization property before attempting any operations. Setting the authorization property will cause the class to ignore the values set in the o_auth property.

For Example: Oauth oauth = new Oauth(); oauth.ClientId = "CLIENT_ID"; oauth.ClientSecret = "CLIENT_SECRET"; oauth.AuthorizationScope = "https://www.googleapis.com/auth/cloud-platform"; oauth.ServerAuthURL = "https://accounts.google.com/o/oauth2/auth"; oauth.ServerTokenURL = "https://accounts.google.com/o/oauth2/token"; oauth.GrantType = OauthGrantTypes.ogtAuthorizationCode; googlekms.Authorization = oauth.GetAuthorization(); Consult the documentation for the service for more information about supported scope values and more details on OAuth authentication.

Using the Class

First, select which key ring the class should interact with using the key_ring property. If the selected key ring does not yet exist, use the create_key_ring method to create it. Note that key rings cannot be deleted later, and therefore key ring names can never be reused within a given location (unless you create a new Google Cloud project).

Once a key ring has been selected (and created, if necessary), keys can be created in it using the create_key method. A key consists of one or more key versions (which themselves can be thought of as distinct resources), each of which has its own cryptographic material. Symmetric keys have a primary version which is used when encrypting data. Asymmetric keys do not have a primary version; a specific version must always be targeted.

When a key is created, a single key version is automatically created for it as well (and for symmetric keys, this becomes the primary version). Additional key versions can be created using the create_version method. Each key version receives a sequentially-assigned version Id, and the first version's Id is always 1. As will become apparent, most operations are performed with key versions, not keys. googlekms.KeyRing = "MyKeyRing"; googlekms.CreateKeyRing(); // When a key is created, you specify its name, purpose, algorithm, and protection level. // Refer to the CreateKey method's documentation for more information. googlekms.CreateKey("MyKey", 1, "GOOGLE_SYMMETRIC_ENCRYPTION", false); // When a new version is created, the algorithm and protection level are reused. googlekms.CreateVersion("MyKey");

Like key rings, keys and key versions cannot be deleted. However, a key version can be disabled, or its cryptographic material can be destroyed, making it permanently unusable. To enable or disable a key version, use the set_version_enabled method; to destroy a key version's cryptographic material, use the destroy_version method. Note that the latter doesn't destroy the cryptographic material immediately; instead, it schedules it for destruction 24 hours from the time of the call. The cancel_destruction method can be called within this waiting period to cancel the destruction. // Disable a key version to make it unusable until it is re-enabled. googlekms.SetVersionEnabled("MyKey", "7", false); // Destroy a key version's cryptographic material to make it permanently unusable. googlekms.DestroyVersion("MyKey", "7"); // The destruction takes place after a 24 hour waiting period; it can be canceled during that period. // If destruction is canceled, the key version is always placed into a disabled state. googlekms.CancelDestruction("MyKey", "7");

To list key rings, keys, or key versions, use the list_key_rings, list_keys, or list_versions method. If there are multiple pages of results when listing a resource, the appropriate marker property will be populated, and all pages of results can be accumulated by continuing to call the relevant listing method until the marker property is empty. do { googlekms.ListKeyRings(); } while (!string.IsNullOrEmpty(googlekms.KeyRingMarker)); foreach (GoogleKeyRing keyring in googlekms.KeyRings) { Console.WriteLine(keyring.Name); } googlekms.KeyRing = "MyKeyRing"; do { googlekms.ListKeys(); } while (!string.IsNullOrEmpty(googlekms.KeyMarker)); foreach (GoogleKey key in googlekms.Keys) { Console.WriteLine(key.Name); } do { googlekms.ListKeyVersions("MyKey"); } while (!string.IsNullOrEmpty(googlekms.VersionMarker)); foreach (GoogleKeyVersion version in googlekms.Versions) { Console.WriteLine(version.Name + " " + version.VersionId); }

Depending on a key's purpose, it can be used to perform different cryptographic operations. Keys whose purpose is encryption/decryption can be used in encrypt and decrypt operations. Keys whose purpose is sign/verify can be used in sign and verify operations. To perform a cryptographic operation, use input_data or input_file to supply the input data that should be processed. All operations will output the result data to output_data or output_file (except verify; refer to its documentation for more information).

Note that Google does not support server-side asymmetric encryption or asymmetric verification. The class performs these operations locally as a convenience to account for this. // Create an asymmetric key whose purpose is encryption/decryption. googlekms.CreateKey("MyAsymmEncKey", 3, "RSA_DECRYPT_OAEP_3072_SHA256", false); // Encrypt the string "Test123" and write the encrypted data to an output file. googlekms.InputData = "Test123"; googlekms.OutputFile = "C:/temp/enc.dat"; googlekms.Encrypt("MyAsymmEncKey", "1"); // ...Later, decrypt the data again. googlekms.InputFile = "C:/temp/enc.dat"; googlekms.OutputFile = ""; // So that the data will be output to the OutputData property. googlekms.Decrypt("MyAsymmEncKey", "1");

The class also supports a variety of other functionality, including:

• Retrieval of a single resource's information with get_key_ring_info, get_key_info, or get_version_info.
• Getting an asymmetric key's public key using get_public_key.
• Label support using add_label and the labels properties.
• Updating key information with update_key and set_primary_version.
• And more!

Property List

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

Method List

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

Event List

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

Config Settings

The following is a list of config settings for the class with short descriptions. Click on the links for further details.

additional_data Property

Additional data to send when performing symmetric encryption or decryption.

Syntax

def get_additional_data() -> bytes: ...
def set_additional_data(value: bytes) -> None: ...

additional_data = property(get_additional_data, set_additional_data)

Default Value

""

Remarks

This property can be set before calling encrypt or decrypt with a symmetric key to have the server include the specified data, known as additional authenticated data, when performing the cryptographic operation. If such data is provided during encryption, it must also be provided in order to successfully decrypt the data. Refer to the Google Cloud KMS documentation for more information.

Up to 65536 bytes of data may be provided. Note that this property is ignored when asymmetric encryption or decryption is performed.

authorization Property

OAuth 2.0 Authorization Token.

Syntax

def get_authorization() -> str: ...
def set_authorization(value: str) -> None: ...

authorization = property(get_authorization, set_authorization)

Default Value

""

Remarks

This class supports authentication via OAuth 2.0. First, perform OAuth authentication using the OAuth class or a separate process. Once complete you should have an authorization string which looks like:

Bearer ACCESS_TOKEN

firewall_auto_detect Property

Whether to automatically detect and use firewall system settings, if available.

Syntax

def get_firewall_auto_detect() -> bool: ...
def set_firewall_auto_detect(value: bool) -> None: ...

firewall_auto_detect = property(get_firewall_auto_detect, set_firewall_auto_detect)

Default Value

FALSE

Remarks

Whether to automatically detect and use firewall system settings, if available.

firewall_type Property

The type of firewall to connect through.

Syntax

def get_firewall_type() -> int: ...
def set_firewall_type(value: int) -> None: ...

firewall_type = property(get_firewall_type, set_firewall_type)

Default Value

0

Remarks

The type of firewall to connect through. The applicable values are as follows:

firewall_host Property

The name or IP address of the firewall (optional).

Syntax

def get_firewall_host() -> str: ...
def set_firewall_host(value: str) -> None: ...

firewall_host = property(get_firewall_host, set_firewall_host)

Default Value

""

Remarks

The name or IP address of the firewall (optional). If a firewall_host is given, the requested connections will be authenticated through the specified firewall when connecting.

If this property is set to a Domain Name, a DNS request is initiated. Upon successful termination of the request, this property is set to the corresponding address. If the search is not successful, the class fails with an error.

firewall_password Property

A password if authentication is to be used when connecting through the firewall.

Syntax

def get_firewall_password() -> str: ...
def set_firewall_password(value: str) -> None: ...

firewall_password = property(get_firewall_password, set_firewall_password)

Default Value

""

Remarks

A password if authentication is to be used when connecting through the firewall. If firewall_host is specified, the firewall_user and firewall_password properties are used to connect and authenticate to the given firewall. If the authentication fails, the class fails with an error.

firewall_port Property

The Transmission Control Protocol (TCP) port for the firewall Host .

Syntax

def get_firewall_port() -> int: ...
def set_firewall_port(value: int) -> None: ...

firewall_port = property(get_firewall_port, set_firewall_port)

Default Value

0

Remarks

The Transmission Control Protocol (TCP) port for the firewall firewall_host. See the description of the firewall_host property for details.

Note: This property is set automatically when firewall_type is set to a valid value. See the description of the firewall_type property for details.

firewall_user Property

A username if authentication is to be used when connecting through a firewall.

Syntax

def get_firewall_user() -> str: ...
def set_firewall_user(value: str) -> None: ...

firewall_user = property(get_firewall_user, set_firewall_user)

Default Value

""

Remarks

A username if authentication is to be used when connecting through a firewall. If firewall_host is specified, this property and the firewall_password property are used to connect and authenticate to the given Firewall. If the authentication fails, the class fails with an error.

google_project_id Property

The Id of the Google Cloud project to make requests against.

Syntax

def get_google_project_id() -> str: ...
def set_google_project_id(value: str) -> None: ...

google_project_id = property(get_google_project_id, set_google_project_id)

Default Value

""

Remarks

This property specifies the Id of the Google Cloud project that the class should make requests against; it must be set before attempting any operations.

Note that the full Google Cloud project Id must be specified, not just the project number.

idle Property

The current status of the class.

Syntax

def get_idle() -> bool: ...

idle = property(get_idle, None)

Default Value

TRUE

Remarks

This property will be False if the component is currently busy (communicating or waiting for an answer), and True at all other times.

This property is read-only.

input_data Property

The data to process.

Syntax

def get_input_data() -> bytes: ...
def set_input_data(value: bytes) -> None: ...

input_data = property(get_input_data, set_input_data)

Default Value

""

Remarks

This property specifies the data that should be processed in a cryptographic operation.

Input Sources & Output Destinations

The class automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. The input_file property
2. The input_data property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. The output_file property
2. The output_data property

input_file Property

The file whose data should be processed.

Syntax

def get_input_file() -> str: ...
def set_input_file(value: str) -> None: ...

input_file = property(get_input_file, set_input_file)

Default Value

""

Remarks

This property specifies the file whose data should be processed in a cryptographic operation. It accepts both absolute and relative file paths.

Input Sources & Output Destinations

The class automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. The input_file property
2. The input_data property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. The output_file property
2. The output_data property

key_marker Property

A marker indicating what page of keys to return next.

Syntax

def get_key_marker() -> str: ...
def set_key_marker(value: str) -> None: ...

key_marker = property(get_key_marker, set_key_marker)

Default Value

""

Remarks

This property will be populated when list_keys is called if the results are paged and there are more pages. To list all keys, continue to call list_keys until this property returns empty string.

Refer to list_keys for more information.

key_ring Property

Selects a key ring for the class to interact with.

Syntax

def get_key_ring() -> str: ...
def set_key_ring(value: str) -> None: ...

key_ring = property(get_key_ring, set_key_ring)

Default Value

""

Remarks

This property specifies the key ring, by name, that the class should interact with.

key_ring_marker Property

A marker indicating what page of key rings to return next.

Syntax

def get_key_ring_marker() -> str: ...
def set_key_ring_marker(value: str) -> None: ...

key_ring_marker = property(get_key_ring_marker, set_key_ring_marker)

Default Value

""

Remarks

This property will be populated when list_key_rings is called if the results are paged and there are more pages. To list all key rings, continue to call list_key_rings until this property returns empty string.

Refer to list_key_rings for more information.

key_ring_count Property

The number of records in the KeyRing arrays.

Syntax

def get_key_ring_count() -> int: ...

key_ring_count = property(get_key_ring_count, None)

Default Value

0

Remarks

This property controls the size of the following arrays:

• key_ring_creation_date
• key_ring_name

The array indices start at 0 and end at key_ring_count - 1.

This property is read-only.

key_ring_creation_date Property

The key ring's creation date.

Syntax

def get_key_ring_creation_date(key_ring_index: int) -> str: ...

Default Value

""

Remarks

The key ring's creation date.

This property reflects the key ring's creation date, formatted as an RFC 3339 UTC timestamp.

The key_ring_index parameter specifies the index of the item in the array. The size of the array is controlled by the key_ring_count property.

This property is read-only.

key_ring_name Property

The name of the key ring.

Syntax

def get_key_ring_name(key_ring_index: int) -> str: ...

Default Value

""

Remarks

The name of the key ring.

This property reflects the name of the key ring.

The key_ring_index parameter specifies the index of the item in the array. The size of the array is controlled by the key_ring_count property.

This property is read-only.

key_count Property

The number of records in the Key arrays.

Syntax

def get_key_count() -> int: ...

key_count = property(get_key_count, None)

Default Value

0

Remarks

This property controls the size of the following arrays:

• key_creation_date
• key_name
• key_next_rotate_date
• key_primary_version
• key_purpose
• key_ring_creation_date
• key_ring_name
• key_rotation_period
• key_template_algorithm
• key_template_protection_level

The array indices start at 0 and end at key_count - 1.

This property is read-only.

key_creation_date Property

The key's creation date.

Syntax

def get_key_creation_date(key_index: int) -> str: ...

Default Value

""

Remarks

The key's creation date.

This property reflects the key's creation date, formatted as an RFC 3339 UTC timestamp.

The key_index parameter specifies the index of the item in the array. The size of the array is controlled by the key_count property.

This property is read-only.

key_name Property

The name of the key.

Syntax

def get_key_name(key_index: int) -> str: ...

Default Value

""

Remarks

The name of the key.

This property reflects the name of the key.

The key_index parameter specifies the index of the item in the array. The size of the array is controlled by the key_count property.

This property is read-only.

key_next_rotate_date Property

The key's next rotation date.

Syntax

def get_key_next_rotate_date(key_index: int) -> str: ...

Default Value

""

Remarks

The key's next rotation date.

This property reflects the key's next rotation date, formatted as an RFC 3339 UTC timestamp, or empty string if automatic rotation is not enabled.

Note that automatic rotation is only supported for symmetric keys.

The key_index parameter specifies the index of the item in the array. The size of the array is controlled by the key_count property.

This property is read-only.

key_primary_version Property

The Id of the key's primary version.

Syntax

def get_key_primary_version(key_index: int) -> str: ...

Default Value

""

Remarks

The Id of the key's primary version.

For symmetric keys, this property reflects the Id of the key's primary version. For asymmetric keys, this property is always empty, since asymmetric keys cannot have a primary version.

The key_index parameter specifies the index of the item in the array. The size of the array is controlled by the key_count property.

This property is read-only.

key_purpose Property

The key's purpose.

Syntax

def get_key_purpose(key_index: int) -> int: ...

Default Value

0

Remarks

The key's purpose.

This property reflects the key's purpose. Possible values are:

• gkpUnspecified (0)
• gkpEncryptDecrypt (1) (indicates the key is symmetric)
• gkpAsymmetricSign (2)
• gkpAsymmetricDecrypt (3)

The key_index parameter specifies the index of the item in the array. The size of the array is controlled by the key_count property.

This property is read-only.

key_rotation_period Property

The key's rotation period.

Syntax

def get_key_rotation_period(key_index: int) -> str: ...

Default Value

""

Remarks

The key's rotation period.

This property reflects the key's rotation period, formatted as a number of seconds with up to nine fractional digits with a trailing s (e.g., 3.5984s); or empty string if automatic rotation is not enabled.

Note that automatic rotation is only supported for symmetric keys.

The key_index parameter specifies the index of the item in the array. The size of the array is controlled by the key_count property.

This property is read-only.

key_template_algorithm Property

The algorithm to use when new versions of the key are created.

Syntax

def get_key_template_algorithm(key_index: int) -> str: ...

Default Value

""

Remarks

The algorithm to use when new versions of the key are created.

This property reflects the algorithm to use when new versions of the key are created by create_version.

The key_index parameter specifies the index of the item in the array. The size of the array is controlled by the key_count property.

This property is read-only.

key_template_protection_level Property

The protection level to use when new versions of the key are created.

Syntax

def get_key_template_protection_level(key_index: int) -> str: ...

Default Value

""

Remarks

The protection level to use when new versions of the key are created.

This property reflects the protection level to use when new versions of the key are created by create_version. Possible values are:

• SOFTWARE
• HSM
• EXTERNAL

The key_index parameter specifies the index of the item in the array. The size of the array is controlled by the key_count property.

This property is read-only.

label_count Property

The number of records in the Label arrays.

Syntax

def get_label_count() -> int: ...
def set_label_count(value: int) -> None: ...

label_count = property(get_label_count, set_label_count)

Default Value

0

Remarks

This property controls the size of the following arrays:

• label_name
• label_value

The array indices start at 0 and end at label_count - 1.

label_name Property

The name of the label.

Syntax

def get_label_name(label_index: int) -> str: ...
def set_label_name(label_index: int, value: str) -> None: ...

Default Value

""

Remarks

The name of the label.

This property specifies the name of the label.

The label_index parameter specifies the index of the item in the array. The size of the array is controlled by the label_count property.

label_value Property

The value of the label.

Syntax

def get_label_value(label_index: int) -> str: ...
def set_label_value(label_index: int, value: str) -> None: ...

Default Value

""

Remarks

The value of the label.

This property specifies the value of the label.

The label_index parameter specifies the index of the item in the array. The size of the array is controlled by the label_count property.

local_host Property

The name of the local host or user-assigned IP interface through which connections are initiated or accepted.

Syntax

def get_local_host() -> str: ...
def set_local_host(value: str) -> None: ...

local_host = property(get_local_host, set_local_host)

Default Value

""

Remarks

This property contains the name of the local host as obtained by the gethostname() system call, or if the user has assigned an IP address, the value of that address.

In multihomed hosts (machines with more than one IP interface) setting LocalHost to the IP address of an interface will make the class initiate connections (or accept in the case of server classs) only through that interface. It is recommended to provide an IP address rather than a hostname when setting this property to ensure the desired interface is used.

If the class is connected, the local_host property shows the IP address of the interface through which the connection is made in internet dotted format (aaa.bbb.ccc.ddd). In most cases, this is the address of the local host, except for multihomed hosts (machines with more than one IP interface).

Note: local_host is not persistent. You must always set it in code, and never in the property window.

location Property

The Google Cloud location to make requests against.

Syntax

def get_location() -> str: ...
def set_location(value: str) -> None: ...

location = property(get_location, set_location)

Default Value

"us"

Remarks

This property specifies the Google Cloud location that the class should make requests against.

Regional Locations:

A regional location's data centers exist in a specific geographical place.

Dual-Regional Locations:

A dual-regional location's data centers exist in two specific geographical places (plus a third region included for data replication and durability).

Multi-Regional Locations:

A multi-regional location's data centers are spread across a geographical area; it is not possible to predict or control exactly which data centers are selected or where they are located.

The class will always convert this property's value to lowercase. If this property is cleared, the class will reset it to the default value.

o_auth_access_token Property

The access token returned by the authorization server.

Syntax

def get_o_auth_access_token() -> str: ...
def set_o_auth_access_token(value: str) -> None: ...

o_auth_access_token = property(get_o_auth_access_token, set_o_auth_access_token)

Default Value

""

Remarks

The access token returned by the authorization server. This is set when the class makes a request to the token server.

o_auth_authorization_code Property

The authorization code that is exchanged for an access token.

Syntax

def get_o_auth_authorization_code() -> str: ...
def set_o_auth_authorization_code(value: str) -> None: ...

o_auth_authorization_code = property(get_o_auth_authorization_code, set_o_auth_authorization_code)

Default Value

""

Remarks

The authorization code that is exchanged for an access token. This is required to be set when the o_auth_client_profile property is set to the Web profile. Otherwise, this field is for information purposes only.

o_auth_authorization_scope Property

The scope request or response parameter used during authorization.

Syntax

def get_o_auth_authorization_scope() -> str: ...
def set_o_auth_authorization_scope(value: str) -> None: ...

o_auth_authorization_scope = property(get_o_auth_authorization_scope, set_o_auth_authorization_scope)

Default Value

""

Remarks

The scope request or response parameter used during authorization.

o_auth_client_id Property

The id of the client assigned when registering the application.

Syntax

def get_o_auth_client_id() -> str: ...
def set_o_auth_client_id(value: str) -> None: ...

o_auth_client_id = property(get_o_auth_client_id, set_o_auth_client_id)

Default Value

""

Remarks

The id of the client assigned when registering the application.

o_auth_client_profile Property

The type of client that is requesting authorization.

Syntax

def get_o_auth_client_profile() -> int: ...
def set_o_auth_client_profile(value: int) -> None: ...

o_auth_client_profile = property(get_o_auth_client_profile, set_o_auth_client_profile)

Default Value

0

Remarks

The type of client that is requesting authorization. See the introduction section for more information. Possible values are:

o_auth_client_secret Property

The secret value for the client assigned when registering the application.

Syntax

def get_o_auth_client_secret() -> str: ...
def set_o_auth_client_secret(value: str) -> None: ...

o_auth_client_secret = property(get_o_auth_client_secret, set_o_auth_client_secret)

Default Value

""

Remarks

The secret value for the client assigned when registering the application.

o_auth_grant_type Property

The OAuth grant type used to acquire an OAuth access token.

Syntax

def get_o_auth_grant_type() -> int: ...
def set_o_auth_grant_type(value: int) -> None: ...

o_auth_grant_type = property(get_o_auth_grant_type, set_o_auth_grant_type)

Default Value

0

Remarks

The OAuth grant type used to acquire an OAuth access token. See the introduction section for more information. Possible values are:

o_auth_refresh_token Property

Specifies the refresh token received from or sent to the authorization server.

Syntax

def get_o_auth_refresh_token() -> str: ...
def set_o_auth_refresh_token(value: str) -> None: ...

o_auth_refresh_token = property(get_o_auth_refresh_token, set_o_auth_refresh_token)

Default Value

""

Remarks

Specifies the refresh token received from or sent to the authorization server. This property is set automatically if a refresh token is retrieved from the token server. If the OAuthAutomaticRefresh configuration setting is set to true, and the o_auth_grant_type property is set to a grant that can use refresh tokens.

o_auth_request_refresh_token Property

Specifies whether the class will request a refresh token during authorization.

Syntax

def get_o_auth_request_refresh_token() -> bool: ...
def set_o_auth_request_refresh_token(value: bool) -> None: ...

o_auth_request_refresh_token = property(get_o_auth_request_refresh_token, set_o_auth_request_refresh_token)

Default Value

TRUE

Remarks

Specifies whether the class will request a refresh token during authorization. By default, this value is True.

When True, the class will automatically add the necessary scopes or parameters to obtain a refresh token. When False, this property will have no effect. If the necessary scopes or parameters are specified manually, a refresh token can still be obtained.

Note: This property is only applicable when the o_auth_grant_type property is set to cogtAuthorizationCode.

o_auth_return_url Property

The URL where the user (browser) returns after authenticating.

Syntax

def get_o_auth_return_url() -> str: ...
def set_o_auth_return_url(value: str) -> None: ...

o_auth_return_url = property(get_o_auth_return_url, set_o_auth_return_url)

Default Value

""

Remarks

The URL where the user (browser) returns after authenticating. This property is mapped to the redirect_uri parameter when making a request to the authorization server. Typically, this is automatically set by the class when using the embedded web server. If the OAuthWebServerPort or OAuthWebServerHost configuration settings is set, then this property should be set to match. If using the Web client profile, this should be set to the place where the authorization code will be parsed out of the response after the user finishes authorizing.

o_auth_server_auth_url Property

The URL of the authorization server.

Syntax

def get_o_auth_server_auth_url() -> str: ...
def set_o_auth_server_auth_url(value: str) -> None: ...

o_auth_server_auth_url = property(get_o_auth_server_auth_url, set_o_auth_server_auth_url)

Default Value

""

Remarks

The URL of the authorization server.

o_auth_server_token_url Property

The URL of the token server used to obtain the access token.

Syntax

def get_o_auth_server_token_url() -> str: ...
def set_o_auth_server_token_url(value: str) -> None: ...

o_auth_server_token_url = property(get_o_auth_server_token_url, set_o_auth_server_token_url)

Default Value

""

Remarks

The URL of the token server used to obtain the access token.

o_auth_web_auth_url Property

The URL to which the user should be re-directed for authorization.

Syntax

def get_o_auth_web_auth_url() -> str: ...

o_auth_web_auth_url = property(get_o_auth_web_auth_url, None)

Default Value

""

Remarks

The URL to which the user should be re-directed for authorization. This field is used to get the URL that the user should be redirected to when using the Web client profile. See introduction section for more information.

This property is read-only.

other_headers Property

Other headers as determined by the user (optional).

Syntax

def get_other_headers() -> str: ...
def set_other_headers(value: str) -> None: ...

other_headers = property(get_other_headers, set_other_headers)

Default Value

""

Remarks

This property can be set to a string of headers to be appended to the HTTP request headers created from other properties like content_type and from_.

The headers must follow the format Header: Value as described in the HTTP specifications. Header lines should be separated by CRLF ("\r\n") .

Use this property with caution. If this property contains invalid headers, HTTP requests may fail.

This property is useful for extending the functionality of the class beyond what is provided.

output_data Property

The output data.

Syntax

def get_output_data() -> bytes: ...
def set_output_data(value: bytes) -> None: ...

output_data = property(get_output_data, set_output_data)

Default Value

""

Remarks

This property is populated with the data that was output from a successful cryptographic operation.

Note: For the verify operation, this property functions as a secondary input property instead (along with input_data); refer to the verify method for more information.

Input Sources & Output Destinations

The class automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. The input_file property
2. The input_data property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. The output_file property
2. The output_data property

output_file Property

The file to which output data should be written.

Syntax

def get_output_file() -> str: ...
def set_output_file(value: str) -> None: ...

output_file = property(get_output_file, set_output_file)

Default Value

""

Remarks

This property specifies the file to which data output from a successful cryptographic operation should be written.

Note: For the verify operation, the specified file functions as a secondary input file instead (along with input_file); refer to the verify method for more information.

Input Sources & Output Destinations

The class automatically determines the source and destination of the input and output based on which properties are set.

The order in which the input properties are checked is as follows:

1. The input_file property
2. The input_data property

The first valid input source found is used. The order in which the output properties are considered is as follows:

1. The output_file property
2. The output_data property

overwrite Property

Whether the output file should be overwritten if necessary.

Syntax

def get_overwrite() -> bool: ...
def set_overwrite(value: bool) -> None: ...

overwrite = property(get_overwrite, set_overwrite)

Default Value

FALSE

Remarks

This property controls whether the specified output_file should be overwritten if it already exists.

parsed_header_count Property

The number of records in the ParsedHeader arrays.

Syntax

def get_parsed_header_count() -> int: ...

parsed_header_count = property(get_parsed_header_count, None)

Default Value

0

Remarks

This property controls the size of the following arrays:

• parsed_header_field
• parsed_header_value

The array indices start at 0 and end at parsed_header_count - 1.

This property is read-only.

parsed_header_field Property

This property contains the name of the HTTP header (this is the same case as it is delivered).

Syntax

def get_parsed_header_field(parsed_header_index: int) -> str: ...

Default Value

""

Remarks

This property contains the name of the HTTP Header (this is the same case as it is delivered).

The parsed_header_index parameter specifies the index of the item in the array. The size of the array is controlled by the parsed_header_count property.

This property is read-only.

parsed_header_value Property

This property contains the header contents.

Syntax

def get_parsed_header_value(parsed_header_index: int) -> str: ...

Default Value

""

Remarks

This property contains the Header contents.

The parsed_header_index parameter specifies the index of the item in the array. The size of the array is controlled by the parsed_header_count property.

This property is read-only.

proxy_auth_scheme Property

The type of authorization to perform when connecting to the proxy.

Syntax

def get_proxy_auth_scheme() -> int: ...
def set_proxy_auth_scheme(value: int) -> None: ...

proxy_auth_scheme = property(get_proxy_auth_scheme, set_proxy_auth_scheme)

Default Value

0

Remarks

The type of authorization to perform when connecting to the proxy. This is used only when the proxy_user and proxy_password properties are set.

proxy_auth_scheme should be set to authNone (3) when no authentication is expected.

By default, proxy_auth_scheme is authBasic (0), and if the proxy_user and proxy_password properties are set, the class will attempt basic authentication.

If proxy_auth_scheme is set to authDigest (1), digest authentication will be attempted instead.

If proxy_auth_scheme is set to authProprietary (2), then the authorization token will not be generated by the class. Look at the configuration file for the class being used to find more information about manually setting this token.

If proxy_auth_scheme is set to authNtlm (4), NTLM authentication will be used.

For security reasons, setting this property will clear the values of proxy_user and proxy_password.

proxy_auto_detect Property

Whether to automatically detect and use proxy system settings, if available.

Syntax

def get_proxy_auto_detect() -> bool: ...
def set_proxy_auto_detect(value: bool) -> None: ...

proxy_auto_detect = property(get_proxy_auto_detect, set_proxy_auto_detect)

Default Value

FALSE

Remarks

Whether to automatically detect and use proxy system settings, if available. The default value is False.

proxy_password Property

A password if authentication is to be used for the proxy.

Syntax

def get_proxy_password() -> str: ...
def set_proxy_password(value: str) -> None: ...

proxy_password = property(get_proxy_password, set_proxy_password)

Default Value

""

Remarks

A password if authentication is to be used for the proxy.

If proxy_auth_scheme is set to Basic Authentication, the proxy_user and proxy_password properties are Base64 encoded and the proxy authentication token will be generated in the form Basic [encoded-user-password].

If proxy_auth_scheme is set to Digest Authentication, the proxy_user and proxy_password properties are used to respond to the Digest Authentication challenge from the server.

If proxy_auth_scheme is set to NTLM Authentication, the proxy_user and proxy_password properties are used to authenticate through NTLM negotiation.

proxy_port Property

The Transmission Control Protocol (TCP) port for the proxy Server (default 80).

Syntax

def get_proxy_port() -> int: ...
def set_proxy_port(value: int) -> None: ...

proxy_port = property(get_proxy_port, set_proxy_port)

Default Value

80

Remarks

The Transmission Control Protocol (TCP) port for the proxy proxy_server (default 80). See the description of the proxy_server property for details.

proxy_server Property

If a proxy Server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.

Syntax

def get_proxy_server() -> str: ...
def set_proxy_server(value: str) -> None: ...

proxy_server = property(get_proxy_server, set_proxy_server)

Default Value

""

Remarks

If a proxy proxy_server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.

If the proxy_server property is set to a domain name, a DNS request is initiated. Upon successful termination of the request, the proxy_server property is set to the corresponding address. If the search is not successful, an error is returned.

proxy_ssl Property

When to use a Secure Sockets Layer (SSL) for the connection to the proxy.

Syntax

def get_proxy_ssl() -> int: ...
def set_proxy_ssl(value: int) -> None: ...

proxy_ssl = property(get_proxy_ssl, set_proxy_ssl)

Default Value

0

Remarks

When to use a Secure Sockets Layer (SSL) for the connection to the proxy. The applicable values are as follows:

proxy_user Property

A username if authentication is to be used for the proxy.

Syntax

def get_proxy_user() -> str: ...
def set_proxy_user(value: str) -> None: ...

proxy_user = property(get_proxy_user, set_proxy_user)

Default Value

""

Remarks

A username if authentication is to be used for the proxy.

If proxy_auth_scheme is set to Basic Authentication, the proxy_user and proxy_password properties are Base64 encoded and the proxy authentication token will be generated in the form Basic [encoded-user-password].

If proxy_auth_scheme is set to Digest Authentication, the proxy_user and proxy_password properties are used to respond to the Digest Authentication challenge from the server.

If proxy_auth_scheme is set to NTLM Authentication, the proxy_user and proxy_password properties are used to authenticate through NTLM negotiation.

public_key Property

The public key of an asymmetric key pair.

Syntax

def get_public_key() -> str: ...

public_key = property(get_public_key, None)

Default Value

""

Remarks

This property reflects the public key of an asymmetric key pair stored on the server, in PEM format; it is populated anytime the get_public_key method is called successfully.

This property is read-only.

public_key_algorithm Property

The algorithm of an asymmetric key pair.

Syntax

def get_public_key_algorithm() -> str: ...

public_key_algorithm = property(get_public_key_algorithm, None)

Default Value

""

Remarks

This property reflects the algorithm of an asymmetric key pair stored on the server; it is populated anytime the get_public_key method is called successfully. Possible values are:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

This property is read-only.

query_param_count Property

The number of records in the QueryParam arrays.

Syntax

def get_query_param_count() -> int: ...
def set_query_param_count(value: int) -> None: ...

query_param_count = property(get_query_param_count, set_query_param_count)

Default Value

0

Remarks

This property controls the size of the following arrays:

• query_param_name
• query_param_value

The array indices start at 0 and end at query_param_count - 1.

query_param_name Property

The name of the query parameter.

Syntax

def get_query_param_name(query_param_index: int) -> str: ...
def set_query_param_name(query_param_index: int, value: str) -> None: ...

Default Value

""

Remarks

The name of the query parameter.

This property specifies the name of the query parameter.

The query_param_index parameter specifies the index of the item in the array. The size of the array is controlled by the query_param_count property.

query_param_value Property

The value of the query parameter.

Syntax

def get_query_param_value(query_param_index: int) -> str: ...
def set_query_param_value(query_param_index: int, value: str) -> None: ...

Default Value

""

Remarks

The value of the query parameter.

This property specifies the value of the query parameter. The class will automatically URL-encode this value when sending the request.

The query_param_index parameter specifies the index of the item in the array. The size of the array is controlled by the query_param_count property.

ssl_accept_server_cert_effective_date Property

The date on which this certificate becomes valid.

Syntax

def get_ssl_accept_server_cert_effective_date() -> str: ...

ssl_accept_server_cert_effective_date = property(get_ssl_accept_server_cert_effective_date, None)

Default Value

""

Remarks

The date on which this certificate becomes valid. Before this date, it is not valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2000 15:00:00.

This property is read-only.

ssl_accept_server_cert_expiration_date Property

The date on which the certificate expires.

Syntax

def get_ssl_accept_server_cert_expiration_date() -> str: ...

ssl_accept_server_cert_expiration_date = property(get_ssl_accept_server_cert_expiration_date, None)

Default Value

""

Remarks

The date on which the certificate expires. After this date, the certificate will no longer be valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2001 15:00:00.

This property is read-only.

ssl_accept_server_cert_extended_key_usage Property

A comma-delimited list of extended key usage identifiers.

Syntax

def get_ssl_accept_server_cert_extended_key_usage() -> str: ...

ssl_accept_server_cert_extended_key_usage = property(get_ssl_accept_server_cert_extended_key_usage, None)

Default Value

""

Remarks

A comma-delimited list of extended key usage identifiers. These are the same as ASN.1 object identifiers (OIDs).

This property is read-only.

ssl_accept_server_cert_fingerprint Property

The hex-encoded, 16-byte MD5 fingerprint of the certificate.

Syntax

def get_ssl_accept_server_cert_fingerprint() -> str: ...

ssl_accept_server_cert_fingerprint = property(get_ssl_accept_server_cert_fingerprint, None)

Default Value

""

Remarks

The hex-encoded, 16-byte MD5 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: bc:2a:72:af:fe:58:17:43:7a:5f:ba:5a:7c:90:f7:02

This property is read-only.

ssl_accept_server_cert_fingerprint_sha1 Property

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.

Syntax

def get_ssl_accept_server_cert_fingerprint_sha1() -> str: ...

ssl_accept_server_cert_fingerprint_sha1 = property(get_ssl_accept_server_cert_fingerprint_sha1, None)

Default Value

""

Remarks

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 30:7b:fa:38:65:83:ff:da:b4:4e:07:3f:17:b8:a4:ed:80:be:ff:84

This property is read-only.

ssl_accept_server_cert_fingerprint_sha256 Property

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.

Syntax

def get_ssl_accept_server_cert_fingerprint_sha256() -> str: ...

ssl_accept_server_cert_fingerprint_sha256 = property(get_ssl_accept_server_cert_fingerprint_sha256, None)

Default Value

""

Remarks

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 6a:80:5c:33:a9:43:ea:b0:96:12:8a:64:96:30:ef:4a:8a:96:86:ce:f4:c7:be:10:24:8e:2b:60:9e:f3:59:53

This property is read-only.

ssl_accept_server_cert_issuer Property

The issuer of the certificate.

Syntax

def get_ssl_accept_server_cert_issuer() -> str: ...

ssl_accept_server_cert_issuer = property(get_ssl_accept_server_cert_issuer, None)

Default Value

""

Remarks

The issuer of the certificate. This property contains a string representation of the name of the issuing authority for the certificate.

This property is read-only.

ssl_accept_server_cert_private_key Property

The private key of the certificate (if available).

Syntax

def get_ssl_accept_server_cert_private_key() -> str: ...

ssl_accept_server_cert_private_key = property(get_ssl_accept_server_cert_private_key, None)

Default Value

""

Remarks

The private key of the certificate (if available). The key is provided as PEM/Base64-encoded data.

Note: The ssl_accept_server_cert_private_key may be available but not exportable. In this case, ssl_accept_server_cert_private_key returns an empty string.

This property is read-only.

ssl_accept_server_cert_private_key_available Property

Whether a PrivateKey is available for the selected certificate.

Syntax

def get_ssl_accept_server_cert_private_key_available() -> bool: ...

ssl_accept_server_cert_private_key_available = property(get_ssl_accept_server_cert_private_key_available, None)

Default Value

FALSE

Remarks

Whether a ssl_accept_server_cert_private_key is available for the selected certificate. If ssl_accept_server_cert_private_key_available is True, the certificate may be used for authentication purposes (e.g., server authentication).

This property is read-only.

ssl_accept_server_cert_private_key_container Property

The name of the PrivateKey container for the certificate (if available).

Syntax

def get_ssl_accept_server_cert_private_key_container() -> str: ...

ssl_accept_server_cert_private_key_container = property(get_ssl_accept_server_cert_private_key_container, None)

Default Value

""

Remarks

The name of the ssl_accept_server_cert_private_key container for the certificate (if available). This functionality is available only on Windows platforms.

This property is read-only.

ssl_accept_server_cert_public_key Property

The public key of the certificate.

Syntax

def get_ssl_accept_server_cert_public_key() -> str: ...

ssl_accept_server_cert_public_key = property(get_ssl_accept_server_cert_public_key, None)

Default Value

""

Remarks

The public key of the certificate. The key is provided as PEM/Base64-encoded data.

This property is read-only.

ssl_accept_server_cert_public_key_algorithm Property

The textual description of the certificate's public key algorithm.

Syntax

def get_ssl_accept_server_cert_public_key_algorithm() -> str: ...

ssl_accept_server_cert_public_key_algorithm = property(get_ssl_accept_server_cert_public_key_algorithm, None)

Default Value

""

Remarks

The textual description of the certificate's public key algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_DH") or an object identifier (OID) string representing the algorithm.

This property is read-only.

ssl_accept_server_cert_public_key_length Property

The length of the certificate's public key (in bits).

Syntax

def get_ssl_accept_server_cert_public_key_length() -> int: ...

ssl_accept_server_cert_public_key_length = property(get_ssl_accept_server_cert_public_key_length, None)

Default Value

0

Remarks

The length of the certificate's public key (in bits). Common values are 512, 1024, and 2048.

This property is read-only.

ssl_accept_server_cert_serial_number Property

The serial number of the certificate encoded as a string.

Syntax

def get_ssl_accept_server_cert_serial_number() -> str: ...

ssl_accept_server_cert_serial_number = property(get_ssl_accept_server_cert_serial_number, None)

Default Value

""

Remarks

The serial number of the certificate encoded as a string. The number is encoded as a series of hexadecimal digits, with each pair representing a byte of the serial number.

This property is read-only.

ssl_accept_server_cert_signature_algorithm Property

The text description of the certificate's signature algorithm.

Syntax

def get_ssl_accept_server_cert_signature_algorithm() -> str: ...

ssl_accept_server_cert_signature_algorithm = property(get_ssl_accept_server_cert_signature_algorithm, None)

Default Value

""

Remarks

The text description of the certificate's signature algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_MD5RSA") or an object identifier (OID) string representing the algorithm.

This property is read-only.

ssl_accept_server_cert_store Property

The name of the certificate store for the client certificate.

Syntax

def get_ssl_accept_server_cert_store() -> bytes: ...
def set_ssl_accept_server_cert_store(value: bytes) -> None: ...

ssl_accept_server_cert_store = property(get_ssl_accept_server_cert_store, set_ssl_accept_server_cert_store)

Default Value

"MY"

Remarks

The name of the certificate store for the client certificate.

The ssl_accept_server_cert_store_type property denotes the type of the certificate store specified by ssl_accept_server_cert_store. If the store is password-protected, specify the password in ssl_accept_server_cert_store_password.

ssl_accept_server_cert_store is used in conjunction with the ssl_accept_server_cert_subject property to specify client certificates. If ssl_accept_server_cert_store has a value, and ssl_accept_server_cert_subject or ssl_accept_server_cert_encoded is set, a search for a certificate is initiated. Please see the ssl_accept_server_cert_subject property for details.

Designations of certificate stores are platform dependent.

The following designations are the most common User and Machine certificate stores in Windows:

When the certificate store type is cstPFXFile, this property must be set to the name of the file. When the type is cstPFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).

ssl_accept_server_cert_store_password Property

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Syntax

def get_ssl_accept_server_cert_store_password() -> str: ...
def set_ssl_accept_server_cert_store_password(value: str) -> None: ...

ssl_accept_server_cert_store_password = property(get_ssl_accept_server_cert_store_password, set_ssl_accept_server_cert_store_password)

Default Value

""

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

ssl_accept_server_cert_store_type Property

The type of certificate store for this certificate.

Syntax

def get_ssl_accept_server_cert_store_type() -> int: ...
def set_ssl_accept_server_cert_store_type(value: int) -> None: ...

ssl_accept_server_cert_store_type = property(get_ssl_accept_server_cert_store_type, set_ssl_accept_server_cert_store_type)

Default Value

0

Remarks

The type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used, the class will automatically determine the type. This property can take one of the following values:

ssl_accept_server_cert_subject_alt_names Property

Comma-separated lists of alternative subject names for the certificate.

Syntax

def get_ssl_accept_server_cert_subject_alt_names() -> str: ...

ssl_accept_server_cert_subject_alt_names = property(get_ssl_accept_server_cert_subject_alt_names, None)

Default Value

""

Remarks

Comma-separated lists of alternative subject names for the certificate.

This property is read-only.

ssl_accept_server_cert_thumbprint_md5 Property

The MD5 hash of the certificate.

Syntax

def get_ssl_accept_server_cert_thumbprint_md5() -> str: ...

ssl_accept_server_cert_thumbprint_md5 = property(get_ssl_accept_server_cert_thumbprint_md5, None)

Default Value

""

Remarks

The MD5 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

ssl_accept_server_cert_thumbprint_sha1 Property

The SHA-1 hash of the certificate.

Syntax

def get_ssl_accept_server_cert_thumbprint_sha1() -> str: ...

ssl_accept_server_cert_thumbprint_sha1 = property(get_ssl_accept_server_cert_thumbprint_sha1, None)

Default Value

""

Remarks

The SHA-1 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

ssl_accept_server_cert_thumbprint_sha256 Property

The SHA-256 hash of the certificate.

Syntax

def get_ssl_accept_server_cert_thumbprint_sha256() -> str: ...

ssl_accept_server_cert_thumbprint_sha256 = property(get_ssl_accept_server_cert_thumbprint_sha256, None)

Default Value

""

Remarks

The SHA-256 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

ssl_accept_server_cert_usage Property

The text description of UsageFlags .

Syntax

def get_ssl_accept_server_cert_usage() -> str: ...

ssl_accept_server_cert_usage = property(get_ssl_accept_server_cert_usage, None)

Default Value

""

Remarks

The text description of ssl_accept_server_cert_usage_flags.

This value will be one or more of the following strings and will be separated by commas:

• Digital Signature
• Non-Repudiation
• Key Encipherment
• Data Encipherment
• Key Agreement
• Certificate Signing
• CRL Signing
• Encipher Only

If the provider is OpenSSL, the value is a comma-separated list of X.509 certificate extension names.

This property is read-only.

ssl_accept_server_cert_usage_flags Property

The flags that show intended use for the certificate.

Syntax

def get_ssl_accept_server_cert_usage_flags() -> int: ...

ssl_accept_server_cert_usage_flags = property(get_ssl_accept_server_cert_usage_flags, None)

Default Value

0

Remarks

The flags that show intended use for the certificate. The value of ssl_accept_server_cert_usage_flags is a combination of the following flags:

Please see the ssl_accept_server_cert_usage property for a text representation of ssl_accept_server_cert_usage_flags.

This functionality currently is not available when the provider is OpenSSL.

This property is read-only.

ssl_accept_server_cert_version Property

The certificate's version number.

Syntax

def get_ssl_accept_server_cert_version() -> str: ...

ssl_accept_server_cert_version = property(get_ssl_accept_server_cert_version, None)

Default Value

""

Remarks

The certificate's version number. The possible values are the strings "V1", "V2", and "V3".

This property is read-only.

ssl_accept_server_cert_subject Property

The subject of the certificate used for client authentication.

Syntax

def get_ssl_accept_server_cert_subject() -> str: ...
def set_ssl_accept_server_cert_subject(value: str) -> None: ...

ssl_accept_server_cert_subject = property(get_ssl_accept_server_cert_subject, set_ssl_accept_server_cert_subject)

Default Value

""

Remarks

The subject of the certificate used for client authentication.

This property must be set after all other certificate properties are set. When this property is set, a search is performed in the current certificate store to locate a certificate with a matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma-separated list of distinguished name fields and values. For instance, "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are as follows:

If a field value contains a comma, it must be quoted.

ssl_accept_server_cert_encoded Property

The certificate (PEM/Base64 encoded).

Syntax

def get_ssl_accept_server_cert_encoded() -> bytes: ...
def set_ssl_accept_server_cert_encoded(value: bytes) -> None: ...

ssl_accept_server_cert_encoded = property(get_ssl_accept_server_cert_encoded, set_ssl_accept_server_cert_encoded)

Default Value

""

Remarks

The certificate (PEM/Base64 encoded). This property is used to assign a specific certificate. The ssl_accept_server_cert_store and ssl_accept_server_cert_subject properties also may be used to specify a certificate.

When ssl_accept_server_cert_encoded is set, a search is initiated in the current ssl_accept_server_cert_store for the private key of the certificate. If the key is found, ssl_accept_server_cert_subject is updated to reflect the full subject of the selected certificate; otherwise, ssl_accept_server_cert_subject is set to an empty string.

ssl_cert_effective_date Property

The date on which this certificate becomes valid.

Syntax

def get_ssl_cert_effective_date() -> str: ...

ssl_cert_effective_date = property(get_ssl_cert_effective_date, None)

Default Value

""

Remarks

The date on which this certificate becomes valid. Before this date, it is not valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2000 15:00:00.

This property is read-only.

ssl_cert_expiration_date Property

The date on which the certificate expires.

Syntax

def get_ssl_cert_expiration_date() -> str: ...

ssl_cert_expiration_date = property(get_ssl_cert_expiration_date, None)

Default Value

""

Remarks

The date on which the certificate expires. After this date, the certificate will no longer be valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2001 15:00:00.

This property is read-only.

ssl_cert_extended_key_usage Property

A comma-delimited list of extended key usage identifiers.

Syntax

def get_ssl_cert_extended_key_usage() -> str: ...

ssl_cert_extended_key_usage = property(get_ssl_cert_extended_key_usage, None)

Default Value

""

Remarks

A comma-delimited list of extended key usage identifiers. These are the same as ASN.1 object identifiers (OIDs).

This property is read-only.

ssl_cert_fingerprint Property

The hex-encoded, 16-byte MD5 fingerprint of the certificate.

Syntax

def get_ssl_cert_fingerprint() -> str: ...

ssl_cert_fingerprint = property(get_ssl_cert_fingerprint, None)

Default Value

""

Remarks

The hex-encoded, 16-byte MD5 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: bc:2a:72:af:fe:58:17:43:7a:5f:ba:5a:7c:90:f7:02

This property is read-only.

ssl_cert_fingerprint_sha1 Property

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.

Syntax

def get_ssl_cert_fingerprint_sha1() -> str: ...

ssl_cert_fingerprint_sha1 = property(get_ssl_cert_fingerprint_sha1, None)

Default Value

""

Remarks

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 30:7b:fa:38:65:83:ff:da:b4:4e:07:3f:17:b8:a4:ed:80:be:ff:84

This property is read-only.

ssl_cert_fingerprint_sha256 Property

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.

Syntax

def get_ssl_cert_fingerprint_sha256() -> str: ...

ssl_cert_fingerprint_sha256 = property(get_ssl_cert_fingerprint_sha256, None)

Default Value

""

Remarks

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 6a:80:5c:33:a9:43:ea:b0:96:12:8a:64:96:30:ef:4a:8a:96:86:ce:f4:c7:be:10:24:8e:2b:60:9e:f3:59:53

This property is read-only.

ssl_cert_issuer Property

The issuer of the certificate.

Syntax

def get_ssl_cert_issuer() -> str: ...

ssl_cert_issuer = property(get_ssl_cert_issuer, None)

Default Value

""

Remarks

The issuer of the certificate. This property contains a string representation of the name of the issuing authority for the certificate.

This property is read-only.

ssl_cert_private_key Property

The private key of the certificate (if available).

Syntax

def get_ssl_cert_private_key() -> str: ...

ssl_cert_private_key = property(get_ssl_cert_private_key, None)

Default Value

""

Remarks

The private key of the certificate (if available). The key is provided as PEM/Base64-encoded data.

Note: The ssl_cert_private_key may be available but not exportable. In this case, ssl_cert_private_key returns an empty string.

This property is read-only.

ssl_cert_private_key_available Property

Whether a PrivateKey is available for the selected certificate.

Syntax

def get_ssl_cert_private_key_available() -> bool: ...

ssl_cert_private_key_available = property(get_ssl_cert_private_key_available, None)

Default Value

FALSE

Remarks

Whether a ssl_cert_private_key is available for the selected certificate. If ssl_cert_private_key_available is True, the certificate may be used for authentication purposes (e.g., server authentication).

This property is read-only.

ssl_cert_private_key_container Property

The name of the PrivateKey container for the certificate (if available).

Syntax

def get_ssl_cert_private_key_container() -> str: ...

ssl_cert_private_key_container = property(get_ssl_cert_private_key_container, None)

Default Value

""

Remarks

The name of the ssl_cert_private_key container for the certificate (if available). This functionality is available only on Windows platforms.

This property is read-only.

ssl_cert_public_key Property

The public key of the certificate.

Syntax

def get_ssl_cert_public_key() -> str: ...

ssl_cert_public_key = property(get_ssl_cert_public_key, None)

Default Value

""

Remarks

The public key of the certificate. The key is provided as PEM/Base64-encoded data.

This property is read-only.

ssl_cert_public_key_algorithm Property

The textual description of the certificate's public key algorithm.

Syntax

def get_ssl_cert_public_key_algorithm() -> str: ...

ssl_cert_public_key_algorithm = property(get_ssl_cert_public_key_algorithm, None)

Default Value

""

Remarks

The textual description of the certificate's public key algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_DH") or an object identifier (OID) string representing the algorithm.

This property is read-only.

ssl_cert_public_key_length Property

The length of the certificate's public key (in bits).

Syntax

def get_ssl_cert_public_key_length() -> int: ...

ssl_cert_public_key_length = property(get_ssl_cert_public_key_length, None)

Default Value

0

Remarks

The length of the certificate's public key (in bits). Common values are 512, 1024, and 2048.

This property is read-only.

ssl_cert_serial_number Property

The serial number of the certificate encoded as a string.

Syntax

def get_ssl_cert_serial_number() -> str: ...

ssl_cert_serial_number = property(get_ssl_cert_serial_number, None)

Default Value

""

Remarks

The serial number of the certificate encoded as a string. The number is encoded as a series of hexadecimal digits, with each pair representing a byte of the serial number.

This property is read-only.

ssl_cert_signature_algorithm Property

The text description of the certificate's signature algorithm.

Syntax

def get_ssl_cert_signature_algorithm() -> str: ...

ssl_cert_signature_algorithm = property(get_ssl_cert_signature_algorithm, None)

Default Value

""

Remarks

The text description of the certificate's signature algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_MD5RSA") or an object identifier (OID) string representing the algorithm.

This property is read-only.

ssl_cert_store Property

The name of the certificate store for the client certificate.

Syntax

def get_ssl_cert_store() -> bytes: ...
def set_ssl_cert_store(value: bytes) -> None: ...

ssl_cert_store = property(get_ssl_cert_store, set_ssl_cert_store)

Default Value

"MY"

Remarks

The name of the certificate store for the client certificate.

The ssl_cert_store_type property denotes the type of the certificate store specified by ssl_cert_store. If the store is password-protected, specify the password in ssl_cert_store_password.

ssl_cert_store is used in conjunction with the ssl_cert_subject property to specify client certificates. If ssl_cert_store has a value, and ssl_cert_subject or ssl_cert_encoded is set, a search for a certificate is initiated. Please see the ssl_cert_subject property for details.

Designations of certificate stores are platform dependent.

The following designations are the most common User and Machine certificate stores in Windows:

When the certificate store type is cstPFXFile, this property must be set to the name of the file. When the type is cstPFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).

ssl_cert_store_password Property

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Syntax

def get_ssl_cert_store_password() -> str: ...
def set_ssl_cert_store_password(value: str) -> None: ...

ssl_cert_store_password = property(get_ssl_cert_store_password, set_ssl_cert_store_password)

Default Value

""

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

ssl_cert_store_type Property

The type of certificate store for this certificate.

Syntax

def get_ssl_cert_store_type() -> int: ...
def set_ssl_cert_store_type(value: int) -> None: ...

ssl_cert_store_type = property(get_ssl_cert_store_type, set_ssl_cert_store_type)

Default Value

0

Remarks

The type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used, the class will automatically determine the type. This property can take one of the following values:

ssl_cert_subject_alt_names Property

Comma-separated lists of alternative subject names for the certificate.

Syntax

def get_ssl_cert_subject_alt_names() -> str: ...

ssl_cert_subject_alt_names = property(get_ssl_cert_subject_alt_names, None)

Default Value

""

Remarks

Comma-separated lists of alternative subject names for the certificate.

This property is read-only.

ssl_cert_thumbprint_md5 Property

The MD5 hash of the certificate.

Syntax

def get_ssl_cert_thumbprint_md5() -> str: ...

ssl_cert_thumbprint_md5 = property(get_ssl_cert_thumbprint_md5, None)

Default Value

""

Remarks

The MD5 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

ssl_cert_thumbprint_sha1 Property

The SHA-1 hash of the certificate.

Syntax

def get_ssl_cert_thumbprint_sha1() -> str: ...

ssl_cert_thumbprint_sha1 = property(get_ssl_cert_thumbprint_sha1, None)

Default Value

""

Remarks

The SHA-1 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

ssl_cert_thumbprint_sha256 Property

The SHA-256 hash of the certificate.

Syntax

def get_ssl_cert_thumbprint_sha256() -> str: ...

ssl_cert_thumbprint_sha256 = property(get_ssl_cert_thumbprint_sha256, None)

Default Value

""

Remarks

The SHA-256 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

ssl_cert_usage Property

The text description of UsageFlags .

Syntax

def get_ssl_cert_usage() -> str: ...

ssl_cert_usage = property(get_ssl_cert_usage, None)

Default Value

""

Remarks

The text description of ssl_cert_usage_flags.

This value will be one or more of the following strings and will be separated by commas:

• Digital Signature
• Non-Repudiation
• Key Encipherment
• Data Encipherment
• Key Agreement
• Certificate Signing
• CRL Signing
• Encipher Only

If the provider is OpenSSL, the value is a comma-separated list of X.509 certificate extension names.

This property is read-only.

ssl_cert_usage_flags Property

The flags that show intended use for the certificate.

Syntax

def get_ssl_cert_usage_flags() -> int: ...

ssl_cert_usage_flags = property(get_ssl_cert_usage_flags, None)

Default Value

0

Remarks

The flags that show intended use for the certificate. The value of ssl_cert_usage_flags is a combination of the following flags:

Please see the ssl_cert_usage property for a text representation of ssl_cert_usage_flags.

This functionality currently is not available when the provider is OpenSSL.

This property is read-only.

ssl_cert_version Property

The certificate's version number.

Syntax

def get_ssl_cert_version() -> str: ...

ssl_cert_version = property(get_ssl_cert_version, None)

Default Value

""

Remarks

The certificate's version number. The possible values are the strings "V1", "V2", and "V3".

This property is read-only.

ssl_cert_subject Property

The subject of the certificate used for client authentication.

Syntax

def get_ssl_cert_subject() -> str: ...
def set_ssl_cert_subject(value: str) -> None: ...

ssl_cert_subject = property(get_ssl_cert_subject, set_ssl_cert_subject)

Default Value

""

Remarks

The subject of the certificate used for client authentication.

This property must be set after all other certificate properties are set. When this property is set, a search is performed in the current certificate store to locate a certificate with a matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma-separated list of distinguished name fields and values. For instance, "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are as follows:

If a field value contains a comma, it must be quoted.

ssl_cert_encoded Property

The certificate (PEM/Base64 encoded).

Syntax

def get_ssl_cert_encoded() -> bytes: ...
def set_ssl_cert_encoded(value: bytes) -> None: ...

ssl_cert_encoded = property(get_ssl_cert_encoded, set_ssl_cert_encoded)

Default Value

""

Remarks

The certificate (PEM/Base64 encoded). This property is used to assign a specific certificate. The ssl_cert_store and ssl_cert_subject properties also may be used to specify a certificate.

When ssl_cert_encoded is set, a search is initiated in the current ssl_cert_store for the private key of the certificate. If the key is found, ssl_cert_subject is updated to reflect the full subject of the selected certificate; otherwise, ssl_cert_subject is set to an empty string.

ssl_provider Property

The Secure Sockets Layer/Transport Layer Security (SSL/TLS) implementation to use.

Syntax

def get_ssl_provider() -> int: ...
def set_ssl_provider(value: int) -> None: ...

ssl_provider = property(get_ssl_provider, set_ssl_provider)

Default Value

0

Remarks

This property specifies the SSL/TLS implementation to use. In most cases the default value of 0 (Automatic) is recommended and should not be changed. When set to 0 (Automatic), the class will select whether to use the platform implementation or the internal implementation depending on the operating system as well as the TLS version being used.

Possible values are as follows:

In most cases using the default value (Automatic) is recommended. The class will select a provider depending on the current platform.

When Automatic is selected, on Windows, the class will use the platform implementation. On Linux/macOS, the class will use the internal implementation. When TLS 1.3 is enabled via SSLEnabledProtocols, the internal implementation is used on all platforms.

ssl_server_cert_effective_date Property

The date on which this certificate becomes valid.

Syntax

def get_ssl_server_cert_effective_date() -> str: ...

ssl_server_cert_effective_date = property(get_ssl_server_cert_effective_date, None)

Default Value

""

Remarks

The date on which this certificate becomes valid. Before this date, it is not valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2000 15:00:00.

This property is read-only.

ssl_server_cert_expiration_date Property

The date on which the certificate expires.

Syntax

def get_ssl_server_cert_expiration_date() -> str: ...

ssl_server_cert_expiration_date = property(get_ssl_server_cert_expiration_date, None)

Default Value

""

Remarks

The date on which the certificate expires. After this date, the certificate will no longer be valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:

23-Jan-2001 15:00:00.

This property is read-only.

ssl_server_cert_extended_key_usage Property

A comma-delimited list of extended key usage identifiers.

Syntax

def get_ssl_server_cert_extended_key_usage() -> str: ...

ssl_server_cert_extended_key_usage = property(get_ssl_server_cert_extended_key_usage, None)

Default Value

""

Remarks

A comma-delimited list of extended key usage identifiers. These are the same as ASN.1 object identifiers (OIDs).

This property is read-only.

ssl_server_cert_fingerprint Property

The hex-encoded, 16-byte MD5 fingerprint of the certificate.

Syntax

def get_ssl_server_cert_fingerprint() -> str: ...

ssl_server_cert_fingerprint = property(get_ssl_server_cert_fingerprint, None)

Default Value

""

Remarks

The hex-encoded, 16-byte MD5 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: bc:2a:72:af:fe:58:17:43:7a:5f:ba:5a:7c:90:f7:02

This property is read-only.

ssl_server_cert_fingerprint_sha1 Property

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate.

Syntax

def get_ssl_server_cert_fingerprint_sha1() -> str: ...

ssl_server_cert_fingerprint_sha1 = property(get_ssl_server_cert_fingerprint_sha1, None)

Default Value

""

Remarks

The hex-encoded, 20-byte SHA-1 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 30:7b:fa:38:65:83:ff:da:b4:4e:07:3f:17:b8:a4:ed:80:be:ff:84

This property is read-only.

ssl_server_cert_fingerprint_sha256 Property

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate.

Syntax

def get_ssl_server_cert_fingerprint_sha256() -> str: ...

ssl_server_cert_fingerprint_sha256 = property(get_ssl_server_cert_fingerprint_sha256, None)

Default Value

""

Remarks

The hex-encoded, 32-byte SHA-256 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.

The following example illustrates the format: 6a:80:5c:33:a9:43:ea:b0:96:12:8a:64:96:30:ef:4a:8a:96:86:ce:f4:c7:be:10:24:8e:2b:60:9e:f3:59:53

This property is read-only.

ssl_server_cert_issuer Property

The issuer of the certificate.

Syntax

def get_ssl_server_cert_issuer() -> str: ...

ssl_server_cert_issuer = property(get_ssl_server_cert_issuer, None)

Default Value

""

Remarks

The issuer of the certificate. This property contains a string representation of the name of the issuing authority for the certificate.

This property is read-only.

ssl_server_cert_private_key Property

The private key of the certificate (if available).

Syntax

def get_ssl_server_cert_private_key() -> str: ...

ssl_server_cert_private_key = property(get_ssl_server_cert_private_key, None)

Default Value

""

Remarks

The private key of the certificate (if available). The key is provided as PEM/Base64-encoded data.

Note: The ssl_server_cert_private_key may be available but not exportable. In this case, ssl_server_cert_private_key returns an empty string.

This property is read-only.

ssl_server_cert_private_key_available Property

Whether a PrivateKey is available for the selected certificate.

Syntax

def get_ssl_server_cert_private_key_available() -> bool: ...

ssl_server_cert_private_key_available = property(get_ssl_server_cert_private_key_available, None)

Default Value

FALSE

Remarks

Whether a ssl_server_cert_private_key is available for the selected certificate. If ssl_server_cert_private_key_available is True, the certificate may be used for authentication purposes (e.g., server authentication).

This property is read-only.

ssl_server_cert_private_key_container Property

The name of the PrivateKey container for the certificate (if available).

Syntax

def get_ssl_server_cert_private_key_container() -> str: ...

ssl_server_cert_private_key_container = property(get_ssl_server_cert_private_key_container, None)

Default Value

""

Remarks

The name of the ssl_server_cert_private_key container for the certificate (if available). This functionality is available only on Windows platforms.

This property is read-only.

ssl_server_cert_public_key Property

The public key of the certificate.

Syntax

def get_ssl_server_cert_public_key() -> str: ...

ssl_server_cert_public_key = property(get_ssl_server_cert_public_key, None)

Default Value

""

Remarks

The public key of the certificate. The key is provided as PEM/Base64-encoded data.

This property is read-only.

ssl_server_cert_public_key_algorithm Property

The textual description of the certificate's public key algorithm.

Syntax

def get_ssl_server_cert_public_key_algorithm() -> str: ...

ssl_server_cert_public_key_algorithm = property(get_ssl_server_cert_public_key_algorithm, None)

Default Value

""

Remarks

The textual description of the certificate's public key algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_DH") or an object identifier (OID) string representing the algorithm.

This property is read-only.

ssl_server_cert_public_key_length Property

The length of the certificate's public key (in bits).

Syntax

def get_ssl_server_cert_public_key_length() -> int: ...

ssl_server_cert_public_key_length = property(get_ssl_server_cert_public_key_length, None)

Default Value

0

Remarks

The length of the certificate's public key (in bits). Common values are 512, 1024, and 2048.

This property is read-only.

ssl_server_cert_serial_number Property

The serial number of the certificate encoded as a string.

Syntax

def get_ssl_server_cert_serial_number() -> str: ...

ssl_server_cert_serial_number = property(get_ssl_server_cert_serial_number, None)

Default Value

""

Remarks

The serial number of the certificate encoded as a string. The number is encoded as a series of hexadecimal digits, with each pair representing a byte of the serial number.

This property is read-only.

ssl_server_cert_signature_algorithm Property

The text description of the certificate's signature algorithm.

Syntax

def get_ssl_server_cert_signature_algorithm() -> str: ...

ssl_server_cert_signature_algorithm = property(get_ssl_server_cert_signature_algorithm, None)

Default Value

""

Remarks

The text description of the certificate's signature algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_MD5RSA") or an object identifier (OID) string representing the algorithm.

This property is read-only.

ssl_server_cert_store Property

The name of the certificate store for the client certificate.

Syntax

def get_ssl_server_cert_store() -> bytes: ...

ssl_server_cert_store = property(get_ssl_server_cert_store, None)

Default Value

"MY"

Remarks

The name of the certificate store for the client certificate.

The ssl_server_cert_store_type property denotes the type of the certificate store specified by ssl_server_cert_store. If the store is password-protected, specify the password in ssl_server_cert_store_password.

ssl_server_cert_store is used in conjunction with the ssl_server_cert_subject property to specify client certificates. If ssl_server_cert_store has a value, and ssl_server_cert_subject or ssl_server_cert_encoded is set, a search for a certificate is initiated. Please see the ssl_server_cert_subject property for details.

Designations of certificate stores are platform dependent.

The following designations are the most common User and Machine certificate stores in Windows:

When the certificate store type is cstPFXFile, this property must be set to the name of the file. When the type is cstPFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).

This property is read-only.

ssl_server_cert_store_password Property

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

Syntax

def get_ssl_server_cert_store_password() -> str: ...

ssl_server_cert_store_password = property(get_ssl_server_cert_store_password, None)

Default Value

""

Remarks

If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.

This property is read-only.

ssl_server_cert_store_type Property

The type of certificate store for this certificate.

Syntax

def get_ssl_server_cert_store_type() -> int: ...

ssl_server_cert_store_type = property(get_ssl_server_cert_store_type, None)

Default Value

0

Remarks

The type of certificate store for this certificate.

The class supports both public and private keys in a variety of formats. When the cstAuto value is used, the class will automatically determine the type. This property can take one of the following values:

This property is read-only.

ssl_server_cert_subject_alt_names Property

Comma-separated lists of alternative subject names for the certificate.

Syntax

def get_ssl_server_cert_subject_alt_names() -> str: ...

ssl_server_cert_subject_alt_names = property(get_ssl_server_cert_subject_alt_names, None)

Default Value

""

Remarks

Comma-separated lists of alternative subject names for the certificate.

This property is read-only.

ssl_server_cert_thumbprint_md5 Property

The MD5 hash of the certificate.

Syntax

def get_ssl_server_cert_thumbprint_md5() -> str: ...

ssl_server_cert_thumbprint_md5 = property(get_ssl_server_cert_thumbprint_md5, None)

Default Value

""

Remarks

The MD5 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

ssl_server_cert_thumbprint_sha1 Property

The SHA-1 hash of the certificate.

Syntax

def get_ssl_server_cert_thumbprint_sha1() -> str: ...

ssl_server_cert_thumbprint_sha1 = property(get_ssl_server_cert_thumbprint_sha1, None)

Default Value

""

Remarks

The SHA-1 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

ssl_server_cert_thumbprint_sha256 Property

The SHA-256 hash of the certificate.

Syntax

def get_ssl_server_cert_thumbprint_sha256() -> str: ...

ssl_server_cert_thumbprint_sha256 = property(get_ssl_server_cert_thumbprint_sha256, None)

Default Value

""

Remarks

The SHA-256 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.

This property is read-only.

ssl_server_cert_usage Property

The text description of UsageFlags .

Syntax

def get_ssl_server_cert_usage() -> str: ...

ssl_server_cert_usage = property(get_ssl_server_cert_usage, None)

Default Value

""

Remarks

The text description of ssl_server_cert_usage_flags.

This value will be one or more of the following strings and will be separated by commas:

• Digital Signature
• Non-Repudiation
• Key Encipherment
• Data Encipherment
• Key Agreement
• Certificate Signing
• CRL Signing
• Encipher Only

If the provider is OpenSSL, the value is a comma-separated list of X.509 certificate extension names.

This property is read-only.

ssl_server_cert_usage_flags Property

The flags that show intended use for the certificate.

Syntax

def get_ssl_server_cert_usage_flags() -> int: ...

ssl_server_cert_usage_flags = property(get_ssl_server_cert_usage_flags, None)

Default Value

0

Remarks

The flags that show intended use for the certificate. The value of ssl_server_cert_usage_flags is a combination of the following flags:

Please see the ssl_server_cert_usage property for a text representation of ssl_server_cert_usage_flags.

This functionality currently is not available when the provider is OpenSSL.

This property is read-only.

ssl_server_cert_version Property

The certificate's version number.

Syntax

def get_ssl_server_cert_version() -> str: ...

ssl_server_cert_version = property(get_ssl_server_cert_version, None)

Default Value

""

Remarks

The certificate's version number. The possible values are the strings "V1", "V2", and "V3".

This property is read-only.

ssl_server_cert_subject Property

The subject of the certificate used for client authentication.

Syntax

def get_ssl_server_cert_subject() -> str: ...

ssl_server_cert_subject = property(get_ssl_server_cert_subject, None)

Default Value

""

Remarks

The subject of the certificate used for client authentication.

This property must be set after all other certificate properties are set. When this property is set, a search is performed in the current certificate store to locate a certificate with a matching subject.

If a matching certificate is found, the property is set to the full subject of the matching certificate.

If an exact match is not found, the store is searched for subjects containing the value of the property.

If a match is still not found, the property is set to an empty string, and no certificate is selected.

The special value "*" picks a random certificate in the certificate store.

The certificate subject is a comma-separated list of distinguished name fields and values. For instance, "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are as follows:

If a field value contains a comma, it must be quoted.

This property is read-only.

ssl_server_cert_encoded Property

The certificate (PEM/Base64 encoded).

Syntax

def get_ssl_server_cert_encoded() -> bytes: ...

ssl_server_cert_encoded = property(get_ssl_server_cert_encoded, None)

Default Value

""

Remarks

The certificate (PEM/Base64 encoded). This property is used to assign a specific certificate. The ssl_server_cert_store and ssl_server_cert_subject properties also may be used to specify a certificate.

When ssl_server_cert_encoded is set, a search is initiated in the current ssl_server_cert_store for the private key of the certificate. If the key is found, ssl_server_cert_subject is updated to reflect the full subject of the selected certificate; otherwise, ssl_server_cert_subject is set to an empty string.

This property is read-only.

timeout Property

The timeout for the class.

Syntax

def get_timeout() -> int: ...
def set_timeout(value: int) -> None: ...

timeout = property(get_timeout, set_timeout)

Default Value

60

Remarks

If the timeout property is set to 0, all operations will run uninterrupted until successful completion or an error condition is encountered.

If timeout is set to a positive value, the class will wait for the operation to complete before returning control.

The class will use do_events to enter an efficient wait loop during any potential waiting period, making sure that all system events are processed immediately as they arrive. This ensures that the host application does not freeze and remains responsive.

If timeout expires, and the operation is not yet complete, the class fails with an error.

Note: By default, all timeouts are inactivity timeouts, that is, the timeout period is extended by timeout seconds when any amount of data is successfully sent or received.

The default value for the timeout property is 60 seconds.

version_marker Property

A marker indicating what page of key versions to return next.

Syntax

def get_version_marker() -> str: ...
def set_version_marker(value: str) -> None: ...

version_marker = property(get_version_marker, set_version_marker)

Default Value

""

Remarks

This property will be populated when list_versions is called if the results are paged and there are more pages. To list all key versions, continue to call list_versions until this property returns empty string.

Refer to list_versions for more information.

version_count Property

The number of records in the Version arrays.

Syntax

def get_version_count() -> int: ...

version_count = property(get_version_count, None)

Default Value

0

Remarks

This property controls the size of the following arrays:

• version_algorithm
• version_creation_date
• version_destruction_date
• version_generation_date
• version_name
• version_protection_level
• version_state
• version_version_id

The array indices start at 0 and end at version_count - 1.

This property is read-only.

version_algorithm Property

The key version's algorithm.

Syntax

def get_version_algorithm(version_index: int) -> str: ...

Default Value

""

Remarks

The key version's algorithm.

This property reflects the key version's algorithm. For symmetric keys, this property will always be GOOGLE_SYMMETRIC_ENCRYPTION. For asymmetric keys, this value describes both the key type and the algorithm that must be used during cryptographic operations, and possible values are:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

The version_index parameter specifies the index of the item in the array. The size of the array is controlled by the version_count property.

This property is read-only.

version_creation_date Property

The key version's creation date.

Syntax

def get_version_creation_date(version_index: int) -> str: ...

Default Value

""

Remarks

The key version's creation date.

This property reflects the key version's creation date, formatted as an RFC 3339 UTC timestamp.

The version_index parameter specifies the index of the item in the array. The size of the array is controlled by the version_count property.

This property is read-only.

version_destruction_date Property

The key version's destruction date.

Syntax

def get_version_destruction_date(version_index: int) -> str: ...

Default Value

""

Remarks

The key version's destruction date.

This property reflects the date at which the key version's cryptographic material was (or will be) destroyed, formatted as an RFC 3339 UTC timestamp; or empty string if the key version's cryptographic material has not been, and is not scheduled to be, destroyed.

The version_index parameter specifies the index of the item in the array. The size of the array is controlled by the version_count property.

This property is read-only.

version_generation_date Property

The generation date of the key version's cryptographic material.

Syntax

def get_version_generation_date(version_index: int) -> str: ...

Default Value

""

Remarks

The generation date of the key version's cryptographic material.

This property reflects the generation date of the key version's cryptographic material, formatted as an RFC 3339 UTC timestamp.

The version_index parameter specifies the index of the item in the array. The size of the array is controlled by the version_count property.

This property is read-only.

version_name Property

The name of the key.

Syntax

def get_version_name(version_index: int) -> str: ...

Default Value

""

Remarks

The name of the key.

This property reflects the name of the key that the key version is associated with.

The version_index parameter specifies the index of the item in the array. The size of the array is controlled by the version_count property.

This property is read-only.

version_protection_level Property

The key version's protection level.

Syntax

def get_version_protection_level(version_index: int) -> str: ...

Default Value

""

Remarks

The key version's protection level.

This property reflects the key version's protection level. Possible values are:

• SOFTWARE
• HSM
• EXTERNAL

The version_index parameter specifies the index of the item in the array. The size of the array is controlled by the version_count property.

This property is read-only.

version_state Property

The key version's state.

Syntax

def get_version_state(version_index: int) -> str: ...

Default Value

""

Remarks

The key version's state.

This property reflects the key version's state. Possible values are:

• PENDING_GENERATION: The version is still being generated, and cannot be used yet. Once generation has finished, it will become ENABLED.
• ENABLED: The version is enabled and available for use.
• DISABLED: The version is disabled; it cannot be used unless it is enabled again. It may be destroyed.
• DESTROY_SCHEDULED: The version's cryptographic material is scheduled for destruction, and will be destroyed at the time reflected by version_destruction_date unless cancel_destruction before then.
• DESTROYED: The version's cryptographic material has been destroyed, and the version is no longer usable. This state is permanent once entered.
• PENDING_IMPORT*: Cryptographic material has not finished importing, and the version cannot be used yet. Once the import has finished, it will become ENABLED.
• IMPORT_FAILED*: The version was not imported successfully; it cannot be used, and any imported cryptographic material has been discarded.

The version_index parameter specifies the index of the item in the array. The size of the array is controlled by the version_count property.

This property is read-only.

version_version_id Property

The Id of the key version.

Syntax

def get_version_version_id(version_index: int) -> str: ...

Default Value

""

Remarks

The Id of the key version.

This property reflects the Id of the key version.

The version_index parameter specifies the index of the item in the array. The size of the array is controlled by the version_count property.

This property is read-only.

add_label Method

Adds an item to the Labels properties.

Syntax

def add_label(name: str, value: str) -> None: ...

Remarks

This method adds an item to the labels properties. Name specifies the name of the item, and Value specifies the value of the item.

A resource may have up to 64 labels. Label names and values must consist solely of lowercase letters, numbers, underscores, and hyphens; and may be up to 63 characters in length. Label names must also be unique and begin with a lowercase letter.

add_query_param Method

Adds a query parameter to the QueryParams properties.

Syntax

def add_query_param(name: str, value: str) -> None: ...

Remarks

This method is used to add a query parameter to the query_params properties. Name specifies the name of the parameter, and Value specifies the value of the parameter.

All specified Values will be URL encoded by the class automatically. Consult the service documentation for details on the available parameters.

authorize Method

Get the authorization string required to access the protected resource.

Syntax

def authorize() -> None: ...

Remarks

This method is used to get an access token that is required to access the protected resource. The method will act differently based on what is set in the o_auth_client_profile property and the o_auth_grant_type property. This method is not to be used in conjunction with the authorization property. It should instead be used when setting the o_auth property.

For more information, see the introduction section.

cancel_destruction Method

Cancels the destruction of a key version's cryptographic material.

Syntax

def cancel_destruction(key_name: str, version_id: str) -> None: ...

Remarks

This method cancels the destruction of the cryptographic material for the key version specified by KeyName and VersionId. If successful, the key version's version_state changes to DISABLED.

config Method

Sets or retrieves a configuration setting.

Syntax

def config(configuration_string: str) -> str: ...

Remarks

config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

create_key Method

Creates a new key.

Syntax

def create_key(key_name: str, purpose: int, algorithm: str, use_hsm: bool) -> None: ...

Remarks

This method creates a new key with the specified KeyName in the currently-selected key_ring. A key version is automatically created when this occurs (and for symmetric keys, it automatically becomes the primary version).

The value passed for KeyName must consist solely of alphanumeric characters, underscores, and hyphens; and may be up to 63 characters in length.

The Purpose parameter specifies what the key's purpose should be. Possible values are:

• 1: A symmetric key used for encryption and decryption.
• 2: An asymmetric key used for signing and verification.
• 3: An asymmetric key used for encryption and decryption.

For symmetric keys, the only valid value for Algorithm is GOOGLE_SYMMETRIC_ENCRYPTION (which is assumed if empty string is passed). For asymmetric keys, the algorithm specifies the key type, repeats the purpose (either SIGN or DECRYPT), and dictates the algorithm that will be used for the relevant cryptographic operations; and valid values are:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

The UseHSM parameter specifies whether the key's protection level should be SOFTWARE (false) or HSM (true).

Note that the values passed for Algorithm and UseHSM will be stored on the server as template values, and used again anytime a new key version is created with create_version. The template algorithm can be changed at any time using update_key; the template protection level cannot be changed.

If there are any items in the labels properties, they will be applied to the newly-created key. Keys may have up to 64 labels.

For symmetric keys, the RotationPeriod and NextRotateDate configuration settings can also be used to enable automatic rotation, refer to their documentation for more information.

create_key_ring Method

Creates a new key ring.

Syntax

def create_key_ring() -> None: ...

Remarks

This method creates a new key ring using the name specified by the key_ring property.

create_version Method

Creates a new key version.

Syntax

def create_version(key_name: str) -> str: ...

Remarks

This method creates a new version of the key specified by KeyName and returns the Id of the version. Note that, for symmetric keys, the new version will not become the primary version; set_primary_version can be used to update the primary version if desired.

The key's current key_template_algorithm and key_template_protection_level are used to create the key version. To change the key's template algorithm prior to creating a new version, use the update_key method.

decrypt Method

Decrypts data using a key.

Syntax

def decrypt(key_name: str, version_id: str) -> None: ...

Remarks

This method decrypts data using the key specified by KeyName and (for asymmetric keys) VersionId.

The data to decrypt is taken from the the specified input_file or the input_data property. The decrypted data is output to the the specified output_file or the output_data property.

For symmetric keys, VersionId must be empty; the server automatically detects which version of the symmetric key to use for decryption.

For asymmetric keys, VersionId must be specified.

destroy_version Method

Schedules the specified key version's cryptographic material for destruction.

Syntax

def destroy_version(key_name: str, version_id: str) -> None: ...

Remarks

This method schedules the destruction of the cryptographic material for the key version specified by KeyName and VersionId. The key version itself is not deleted, just its cryptographic material.

If this method is successful, the key version's version_state changes to DESTROY_SCHEDULED, and the its cryptographic material will be destroyed after 24 hours. During this waiting period, the destruction can be canceled using the cancel_destruction method.

Important: Destroying a key version's cryptographic material makes the key version permanently unusable. If a key version must not be used by may be needed again in the future, disable using set_version_enabled instead.

do_events Method

This method processes events from the internal message queue.

Syntax

def do_events() -> None: ...

Remarks

When do_events is called, the class processes any available events. If no events are available, it waits for a preset period of time, and then returns.

encrypt Method

Encrypts data using a key.

Syntax

def encrypt(key_name: str, version_id: str) -> None: ...

Remarks

This method encrypts data using the key specified by KeyName and (for asymmetric keys) VersionId.

The data to encrypt is taken from the the specified input_file or the input_data property. The encrypted data is output to the the specified output_file or the output_data property.

For symmetric keys, VersionId must be empty; the server always uses the primary version of the symmetric key. (Unless the ForceSymmetricEncryption configuration setting is enabled, in which case VersionId can be used to specify a non-primary version.)

For asymmetric keys, VersionId must be specified. Note, however, that Google does not support server-side asymmetric encryption (only decryption), so this method will instead call get_public_key internally and then use the public key to encrypt the input data locally. This functionality is offered as a convenience.

get_key_info Method

Gets information about a key.

Syntax

def get_key_info(key_name: str) -> None: ...

Remarks

This method gets information about the key specified by KeyName.

When the information is returned, the class clears the keys properties and repopulates it properties. The on_key_list and on_label_list events are also fired.

get_key_ring_info Method

Gets information about a key ring.

Syntax

def get_key_ring_info() -> None: ...

Remarks

This method gets information about the currently-selected key_ring.

When the information is returned, the class clears the key_rings properties and repopulates them with a single item that contains the key ring's information. The on_key_ring_list event is also fired.

get_public_key Method

Retrieves the public key of an asymmetric key pair.

Syntax

def get_public_key(key_name: str, version_id: str) -> None: ...

Remarks

This method retrieves the public key of the asymmetric key pair version specified by KeyName and VersionId. The algorithm of the key pair version is also retrieved. If successful, this method populates the public_key and public_key_algorithm properties.

get_version_info Method

Gets information about a key version.

Syntax

def get_version_info(key_name: str, version_id: str) -> None: ...

Remarks

This method gets information about the key version specified by KeyName and VersionId.

When the information is returned, the class clears the versions properties and repopulates them with a single item that contains the key version's information. The on_version_list event is also fired.

list_key_rings Method

Lists the key rings in the currently-selected location.

Syntax

def list_key_rings() -> None: ...

Remarks

This method lists the key rings in the currently-selected location.

Calling this method will fire the on_key_ring_list event once for each key ring, and will also populate the key_rings properties.

If there are still more key rings available to list when this method returns, the key_ring_marker property will be populated. Continue to call this method until key_ring_marker is empty to accumulate all pages of results in the key_rings properties.

The MaxKeyRings configuration setting can be used to control the maximum number of results to return at once.

list_keys Method

Lists the keys in the currently-selected key ring.

Syntax

def list_keys() -> None: ...

Remarks

This method lists the keys in the currently-selected key_ring.

Calling this method will fire the on_key_list event once for each key, and will also populate the keys properties.

If there are still more keys available to list when this method returns, the key_marker property will be populated. Continue to call this method until key_marker is empty to accumulate all pages of results in the keys properties.

The MaxKeys configuration setting can be used to control the maximum number of results to return at once.

list_versions Method

Lists the key versions for the specified key.

Syntax

def list_versions(key_name: str) -> None: ...

Remarks

This method lists the key versions for the key specified by KeyName.

Calling this method will fire the on_version_list event once for each key version, and will also populate the versions properties.

If there are still more key versions available to list when this method returns, the version_marker property will be populated. Continue to call this method until version_marker is empty to accumulate all pages of results in the versions properties.

The MaxVersions configuration setting can be used to control the maximum number of results to return at once.

reset Method

Resets the class to its initial state.

Syntax

def reset() -> None: ...

Remarks

This method resets the class to its initial state.

send_custom_request Method

Sends a custom request to the server.

Syntax

def send_custom_request(http_method: str, key_name: str, version_id: str, action: str) -> None: ...

Remarks

This method can be used to send arbitrary requests to the server.

Valid values for HttpMethod are:

• GET (default if empty)
• HEAD
• POST
• PUT
• PATCH
• DELETE

KeyName and VersionId are optional. The former must be specified if the latter is specified; both are ignored if key_ring is empty. Action is also optional.

When this method is called, the class does the following:

1. Builds a request URL, including query parameters, like https://cloudkms.googleapis.com/v1/projects/{GoogleProjectId}/locations/{Location}[/keyRings/{KeyRing}[/cryptoKeys/{KeyName}[/cryptoKeyVersions/{VersionId}]]][{Action}] using:
   • The google_project_id, location, and (if non-empty) key_ring properties.
   • The KeyName, VersionId, and Action parameters.
   • All query parameters from query_params.
2. Adds an Authorization header with the value specified by authorization.
3. Adds any request headers from other_headers.
4. Adds any request body supplied via the specified input_file or input_data.
5. Sends the request to the server.
6. Stores the response headers in the parsed_headers properties; and the response body in the specified output_file or output_data.

If the response body is JSON data, the XPath, XText, and other X* configuration settings can then be used to navigate and extract information from it.

set_primary_version Method

Sets the primary version of a symmetric key.

Syntax

def set_primary_version(key_name: str, version_id: str) -> None: ...

Remarks

This method sets the primary version of the symmetric key specified by KeyName to the version identified by VersionId.

A symmetric key's primary version is the one used by the server when encrypt is called. It can be changed at any time. Asymmetric keys cannot have primary versions.

set_version_enabled Method

Enables or disables a key version.

Syntax

def set_version_enabled(key_name: str, version_id: str, enabled: bool) -> None: ...

Remarks

This method enables or disables the key version specified by KeyName and VersionId.

sign Method

Signs a message using a key.

Syntax

def sign(key_name: str, version_id: str, algorithm: str, is_digest: bool) -> None: ...

Remarks

This method signs a message using the asymmetric key version specified by KeyName and VersionId.

The message data to sign is taken from the the specified input_file or the input_data property. The signature data is output to the the specified output_file or the output_data property.

The Algorithm parameter specifies the hash algorithm used to generate a message digest; this must be the same algorithm that appears in the key version's version_algorithm string. The value passed must contain one of the following strings (passing the key version's complete algorithm string is acceptable):

• SHA256
• SHA384
• SHA512

The IsDigest parameter specifies whether the message data is the original message (False) or a message digest (True). When supplying a message digest, keep in mind that the same digest will need to be provided in order to verify the signature later.

If IsDigest is False, the class will automatically compute an appropriate message digest before the request is made. In such cases, the computed digest is made available via the MessageDigest configuration setting.

update_key Method

Updates a key.

Syntax

def update_key(key_name: str, template_algorithm: str, update_labels: bool) -> None: ...

Remarks

This method updates the key specified by KeyName.

The TemplateAlgorithm parameter specifies the algorithm value that the server should use when creating new versions of the key (i.e., when create_version is called). If TemplateAlgorithm is empty, the existing template value remains unchanged; otherwise, TemplateAlgorithm must be one of the following:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

The UpdateLabels parameter determines whether the class replaces the key's current labels with the items in the labels properties (which may be empty). Keys may have up to 64 labels.

The RotationPeriod and NextRotateDate configuration settings may also be used to send additional values, refer to their documentation for more information.

verify Method

Verifies a digital signature using a key.

Syntax

def verify(key_name: str, version_id: str, is_digest: bool) -> bool: ...

Remarks

This method verifies a digital signature using the asymmetric key version specified by KeyName and VersionId. If the signature is successfully verified, this method return True, otherwise it returns False.

The message data is taken from the the specified input_file or the input_data property. The digital signature data is taken from the specified output_file or the output_data property.

The IsDigest parameter specifies whether the message data is the original message (False) or a message digest (True). When a message digest is supplied, keep in mind that it must be the exact same digest that was used at signing time, regardless of whether it has been recomputed.

Google does not support server-side signature verification, so this method will call get_public_key internally and then use the public key to verify the digital signature locally. This functionality is offered as a convenience.

on_end_transfer Event

This event fires when a document finishes transferring.

Syntax

class GoogleKMSEndTransferEventParams(object):
  @property
  def direction() -> int: ...

# In class GoogleKMS:
@property
def on_end_transfer() -> Callable[[GoogleKMSEndTransferEventParams], None]: ...
@on_end_transfer.setter
def on_end_transfer(event_hook: Callable[[GoogleKMSEndTransferEventParams], None]) -> None: ...

Remarks

The on_end_transfer event is fired when the document text finishes transferring from the server to the local host.

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

on_error Event

Fired when information is available about errors during data delivery.

Syntax

class GoogleKMSErrorEventParams(object):
  @property
  def error_code() -> int: ...

  @property
  def description() -> str: ...

# In class GoogleKMS:
@property
def on_error() -> Callable[[GoogleKMSErrorEventParams], None]: ...
@on_error.setter
def on_error(event_hook: Callable[[GoogleKMSErrorEventParams], None]) -> None: ...

Remarks

The on_error event is fired in case of exceptional conditions during message processing. Normally the class fails with an error.

The ErrorCode parameter contains an error code, and the Description parameter contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.

on_header Event

Fired every time a header line comes in.

Syntax

class GoogleKMSHeaderEventParams(object):
  @property
  def field() -> str: ...

  @property
  def value() -> str: ...

# In class GoogleKMS:
@property
def on_header() -> Callable[[GoogleKMSHeaderEventParams], None]: ...
@on_header.setter
def on_header(event_hook: Callable[[GoogleKMSHeaderEventParams], None]) -> None: ...

Remarks

The Field parameter contains the name of the HTTP header (which is the same as it is delivered). The Value parameter contains the header contents.

If the header line being retrieved is a continuation header line, then the Field parameter contains "" (empty string).

on_key_list Event

Fires once for each key when listing keys.

Syntax

class GoogleKMSKeyListEventParams(object):
  @property
  def name() -> str: ...

  @property
  def purpose() -> int: ...

  @property
  def creation_date() -> str: ...

  @property
  def primary_version() -> str: ...

# In class GoogleKMS:
@property
def on_key_list() -> Callable[[GoogleKMSKeyListEventParams], None]: ...
@on_key_list.setter
def on_key_list(event_hook: Callable[[GoogleKMSKeyListEventParams], None]) -> None: ...

Remarks

This event fires once for each key returned when list_keys or get_key_info is called.

Name reflects the name of the key.

Purpose reflects the key's purpose. Possible values are:

• 0: Unspecified.
• 1: A symmetric key used for encryption and decryption.
• 2: An asymmetric key used for signing and verification.
• 3: An asymmetric key used for encryption and decryption.

CreationDate reflects the key's creation date, formatted as an RFC 3339 UTC timestamp.

PrimaryVersion reflects the Id of the key's primary version if it is symmetric. For asymmetric keys, it is always empty, since asymmetric keys cannot have a primary version.

on_key_ring_list Event

Fires once for each key ring when listing key rings.

Syntax

class GoogleKMSKeyRingListEventParams(object):
  @property
  def name() -> str: ...

  @property
  def creation_date() -> str: ...

# In class GoogleKMS:
@property
def on_key_ring_list() -> Callable[[GoogleKMSKeyRingListEventParams], None]: ...
@on_key_ring_list.setter
def on_key_ring_list(event_hook: Callable[[GoogleKMSKeyRingListEventParams], None]) -> None: ...

Remarks

This event fires once for each key ring returned when list_key_rings or get_key_ring_info is called.

Name reflects the name of the key ring.

CreationDate reflects the key ring's creation date, formatted as an RFC 3339 UTC timestamp.

on_label_list Event

Fires once for each label returned when a key's information is retrieved.

Syntax

class GoogleKMSLabelListEventParams(object):
  @property
  def key_name() -> str: ...

  @property
  def name() -> str: ...

  @property
  def value() -> str: ...

# In class GoogleKMS:
@property
def on_label_list() -> Callable[[GoogleKMSLabelListEventParams], None]: ...
@on_label_list.setter
def on_label_list(event_hook: Callable[[GoogleKMSLabelListEventParams], None]) -> None: ...

Remarks

This event fires once for each label returned when get_key_info is called.

KeyName reflects the name of the key.

Name reflects the name of the label.

Value reflects the value of the label.

on_log Event

Fired once for each log message.

Syntax

class GoogleKMSLogEventParams(object):
  @property
  def log_level() -> int: ...

  @property
  def message() -> str: ...

  @property
  def log_type() -> str: ...

# In class GoogleKMS:
@property
def on_log() -> Callable[[GoogleKMSLogEventParams], None]: ...
@on_log.setter
def on_log(event_hook: Callable[[GoogleKMSLogEventParams], None]) -> None: ...

Remarks

This event is fired once for each log message generated by the class. The verbosity is controlled by the LogLevel setting.

LogLevel indicates the level of message. Possible values are as follows:

The value 1 (Info) logs basic information, including the URL, HTTP version, and status details.

The value 2 (Verbose) logs additional information about the request and response.

The value 3 (Debug) logs the headers and body for both the request and response, as well as additional debug information (if any).

Message is the log entry.

LogType identifies the type of log entry. Possible values are as follows:

• "Info"
• "RequestHeaders"
• "ResponseHeaders"
• "RequestBody"
• "ResponseBody"
• "ProxyRequest"
• "ProxyResponse"
• "FirewallRequest"
• "FirewallResponse"

on_ssl_server_authentication Event

Fired after the server presents its certificate to the client.

Syntax

class GoogleKMSSSLServerAuthenticationEventParams(object):
  @property
  def cert_encoded() -> bytes: ...

  @property
  def cert_subject() -> str: ...

  @property
  def cert_issuer() -> str: ...

  @property
  def status() -> str: ...

  @property
  def accept() -> bool: ...
  @accept.setter
  def accept(value) -> None: ...

# In class GoogleKMS:
@property
def on_ssl_server_authentication() -> Callable[[GoogleKMSSSLServerAuthenticationEventParams], None]: ...
@on_ssl_server_authentication.setter
def on_ssl_server_authentication(event_hook: Callable[[GoogleKMSSSLServerAuthenticationEventParams], None]) -> None: ...

Remarks

During this event, the client can decide whether or not to continue with the connection process. The Accept parameter is a recommendation on whether to continue or close the connection. This is just a suggestion: application software must use its own logic to determine whether or not to continue.

When Accept is False, Status shows why the verification failed (otherwise, Status contains the string OK). If it is decided to continue, you can override and accept the certificate by setting the Accept parameter to True.

on_ssl_status Event

Fired when secure connection progress messages are available.

Syntax

class GoogleKMSSSLStatusEventParams(object):
  @property
  def message() -> str: ...

# In class GoogleKMS:
@property
def on_ssl_status() -> Callable[[GoogleKMSSSLStatusEventParams], None]: ...
@on_ssl_status.setter
def on_ssl_status(event_hook: Callable[[GoogleKMSSSLStatusEventParams], None]) -> None: ...

Remarks

The event is fired for informational and logging purposes only. This event tracks the progress of the connection.

on_start_transfer Event

This event fires when a document starts transferring (after the headers).

Syntax

class GoogleKMSStartTransferEventParams(object):
  @property
  def direction() -> int: ...

# In class GoogleKMS:
@property
def on_start_transfer() -> Callable[[GoogleKMSStartTransferEventParams], None]: ...
@on_start_transfer.setter
def on_start_transfer(event_hook: Callable[[GoogleKMSStartTransferEventParams], None]) -> None: ...

Remarks

The on_start_transfer event is fired when the document text starts transferring from the server to the local host.

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

on_transfer Event

Fired while a document transfers (delivers document).

Syntax

class GoogleKMSTransferEventParams(object):
  @property
  def direction() -> int: ...

  @property
  def bytes_transferred() -> int: ...

  @property
  def percent_done() -> int: ...

  @property
  def text() -> bytes: ...

# In class GoogleKMS:
@property
def on_transfer() -> Callable[[GoogleKMSTransferEventParams], None]: ...
@on_transfer.setter
def on_transfer(event_hook: Callable[[GoogleKMSTransferEventParams], None]) -> None: ...

Remarks

The Text parameter contains the portion of the document text being received. It is empty if data are being posted to the server.

The BytesTransferred parameter contains the number of bytes transferred in this Direction since the beginning of the document text (excluding HTTP response headers).

The Direction parameter shows whether the client (0) or the server (1) is sending the data.

The PercentDone parameter shows the progress of the transfer in the corresponding direction. If PercentDone can not be calculated the value will be -1.

Note: Events are not re-entrant. Performing time-consuming operations within this event will prevent it from firing again in a timely manner and may affect overall performance.

on_version_list Event

Fires once for each key version when listing key versions.

Syntax

class GoogleKMSVersionListEventParams(object):
  @property
  def name() -> str: ...

  @property
  def version_id() -> str: ...

  @property
  def state() -> str: ...

  @property
  def algorithm() -> str: ...

  @property
  def protection_level() -> str: ...

  @property
  def creation_date() -> str: ...

  @property
  def destruction_date() -> str: ...

# In class GoogleKMS:
@property
def on_version_list() -> Callable[[GoogleKMSVersionListEventParams], None]: ...
@on_version_list.setter
def on_version_list(event_hook: Callable[[GoogleKMSVersionListEventParams], None]) -> None: ...

Remarks

This event fires once for each key version returned when list_versions or get_version_info is called.

Name reflects the name of the key.

VersionId reflects the Id of the key version.

State reflects the state of the key version. Possible values are:

• PENDING_GENERATION: The version is still being generated, and cannot be used yet. Once generation has finished, it will become ENABLED.
• ENABLED: The version is enabled and available for use.
• DISABLED: The version is disabled; it cannot be used unless it is enabled again. It may be destroyed.
• DESTROY_SCHEDULED: The version's cryptographic material is scheduled for destruction, and will be destroyed at the time reflected by unless cancel_destruction before then.
• DESTROYED: The version's cryptographic material has been destroyed, and the version is no longer usable. This state is permanent once entered.
• PENDING_IMPORT*: Cryptographic material has not finished importing, and the version cannot be used yet. Once the import has finished, it will become ENABLED.
• IMPORT_FAILED*: The version was not imported successfully; it cannot be used, and any imported cryptographic material has been discarded.

Algorithm reflects the key version's algorithm. For symmetric keys, this will always be GOOGLE_SYMMETRIC_ENCRYPTION. For asymmetric keys, this value describes both the key type and the algorithm that must be used during cryptographic operations, and possible values are:

• RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048 bit key with a SHA256 digest
• RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096 bit key with a SHA256 digest
• RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096 bit key with a SHA512 digest
• RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest
• RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest
• RSA_DECRYPT_OAEP_2048_SHA256: RSAES-OAEP 2048 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_3072_SHA256: RSAES-OAEP 3072 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA256: RSAES-OAEP 4096 bit key with a SHA256 digest
• RSA_DECRYPT_OAEP_4096_SHA512: RSAES-OAEP 4096 bit key with a SHA512 digest
• EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest
• EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest

Refer to Google's CryptoKeyVersionAlgorithm documentation page for more information.

ProtectionLevel reflects the key version's protection level. Possible values are:

• SOFTWARE
• HSM
• EXTERNAL

CreationDate reflects the key version's creation date, formatted as an RFC 3339 UTC timestamp.

DestructionDate reflects the date at which the key version's cryptographic material was (or will be) destroyed, formatted as an RFC 3339 UTC timestamp; or empty string if the key version's cryptographic material has not been, and is not scheduled to be, destroyed.

GoogleKMS Config Settings

GoogleKMS Config Settings

<firstlevel>
  <one>value</one>
  <two>
    <item>first</item>
    <item>second</item>
  </two>
  <three>value three</three>
</firstlevel>

{
  "firstlevel": {
    "one": "value",
    "two": ["first", "second"],
    "three": "value three"
  }
}

OAuth Config Settings

HTTP Config Settings

TCPClient Config Settings

SSL Config Settings

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
... Intermediate Cert ...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
... Root Cert ...
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
... Intermediate Cert ...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
... Root Cert ...
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgIRANTET4LIkxdH6P+CFIiHvTowDQYJKoZIhvcNAQELBQAw
... Intermediate Cert...
eWHV5OW1K53o/atv59sOiW5K3crjFhsBOd5Q+cJJnU+SWinPKtANXMht+EDvYY2w
F0I1XhM+pKj7FjDr+XNj
-----END CERTIFICATE-----
\r \n
-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgIQetu1SMxpnENAnnOz1P+PtTANBgkqhkiG9w0BAQUFADBp
... Root Cert...
d8q23djXZbVYiIfE9ebr4g3152BlVCHZ2GyPdjhIuLeH21VbT/dyEHHA
-----END CERTIFICATE-----

Socket Config Settings

Base Config Settings