Keys

Cloud-backed key classes adapt provider signing APIs to Paramiko’s ECDSA key interface. They are certificate-authority keys as well as regular Paramiko signing keys.

Shared Base Classes

class paramiko_cloud.base.CloudSigningKey

Bases: ABC

Base class for all cloud KMS-backed signing keys

__init__(curve)

Constructor

Parameters:

curve (EllipticCurve) – the elliptic curve used for this key

static digest(data, signature_algorithm)

Calculates the hash of the given data according to the given elliptic curve key

Parameters:
  • data (bytes) – the data for which to calculate the hash

  • signature_algorithm (ECDSA) – the elliptic curve signature algorithm

Returns:

The hash of the data

Return type:

bytes

sign(data, signature_algorithm)

Calculate the signature for the given data

Parameters:
  • data (bytes) – data for which to calculate a signature

  • signature_algorithm (ECDSA) – the curve used for this signature

Returns:

The DER formatted signature

Return type:

bytes
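`sign` returns a DER signature, while the SSH wire format (RFC 5656) carries `r` and `s` as two mpints inside a string. The following added example (not paramiko_cloud's own code) strictly parses a DER ECDSA signature, as a KMS would return it, and re-encodes it as an SSH signature blob using only the standard library; the function names and the sample bytes are constructed for illustration.

```python
import struct

def _read_len(buf, i):
    """Parse a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:                       # short form
        return first, i + 1
    n = first & 0x7F                       # long form: n length bytes follow
    length = int.from_bytes(buf[i + 1:i + 1 + n], "big")
    if n not in (1, 2) or length < 0x80 or buf[i + 1] == 0:
        raise ValueError("non-minimal or unsupported DER length")
    return length, i + 1 + n

def _read_int(buf, i):
    """Parse a positive, minimally encoded DER INTEGER at buf[i]."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, i = _read_len(buf, i + 1)
    body = buf[i:i + length]
    if len(body) != length or not body or body[0] & 0x80:
        raise ValueError("truncated, empty or negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), i + length

def der_to_rs(sig):
    """Strictly decode ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }."""
    try:
        if sig[0] != 0x30:
            raise ValueError("expected SEQUENCE")
        length, i = _read_len(sig, 1)
        if i + length != len(sig):
            raise ValueError("length does not match signature size")
        r, i = _read_int(sig, i)
        s, i = _read_int(sig, i)
    except IndexError:
        raise ValueError("truncated signature") from None
    if i != len(sig) or r == 0 or s == 0:
        raise ValueError("trailing bytes or zero component")
    return r, s

def _mpint(n):
    """SSH mpint for n > 0: big-endian, leading 0x00 if the top bit is set."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(body)) + body

def ssh_signature_blob(key_type, der_sig):
    """RFC 5656: string key_type, string (mpint r, mpint s)."""
    r, s = der_to_rs(der_sig)
    inner = _mpint(r) + _mpint(s)
    name = key_type.encode("ascii")
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(inner)) + inner

# Constructed sample: r = 0x80, s = 0x0100 (not a real signature).
SAMPLE_DER = bytes.fromhex("30080202008002020100")
```

Rejecting non-minimal or trailing-byte encodings before re-encoding means a malformed provider response fails loudly instead of producing a signature the SSH peer cannot verify.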

class paramiko_cloud.base.BaseKeyECDSA

Bases: ECDSAKey, CertificateSigningKeyMixin

Base class for all cloud-backed ECDSA keys

__init__(vals)

Constructor

Parameters:

vals (Tuple[CloudSigningKey, EllipticCurvePublicKey]) – tuple of signing key and verifying key

pubkey_string(comment=None)

Render a string suitable for OpenSSH authorized_keys files

Parameters:

comment (str | None) – an optional comment, defaulting to the current date and time in ISO format

Returns:

The public key string

Return type:

str

Provider Implementations

AWS KMS

class paramiko_cloud.aws.keys.ECDSAKey

Bases: BaseKeyECDSA

An AWS KMS-based ECDSA key

Parameters:
  • key_id – the AWS KMS key id

  • **kwargs – extra parameters passed to the Boto3 kms client, see the Boto3 documentation.

__init__(key_id, **kwargs)

Constructor

Parameters:
  • key_id (str) – the AWS KMS key id

  • kwargs (Any) – extra parameters passed to the Boto3 kms client

Return type:

None

Google Cloud KMS

class paramiko_cloud.gcp.keys.ECDSAKey

Bases: BaseKeyECDSA

A Google Cloud Platform KMS-based ECDSA key

Parameters:
  • kms_client – a KMS client that can access the selected key

  • key_name – the name of the key

__init__(kms_client, key_name)

Constructor

Parameters:
  • kms_client (KeyManagementServiceClient) – a KMS client that can access the selected key

  • key_name (str) – the name of the key

Azure Key Vault

class paramiko_cloud.azure.keys.ECDSAKey

Bases: BaseKeyECDSA

An Azure Key Vault-backed ECDSA key

Parameters:
  • credential – an Azure credential suitable for accessing the key in Key Vault

  • vault_url – the vault URL

  • key_name – the name of the key in the vault

__init__(credential, vault_url, key_name)

Constructor

Parameters:
  • credential (DefaultAzureCredential | AzurePowerShellCredential | InteractiveBrowserCredential | ChainedTokenCredential | EnvironmentCredential | ManagedIdentityCredential | SharedTokenCacheCredential | AzureCliCredential | VisualStudioCodeCredential) – an Azure credential suitable for accessing the key in Key Vault

  • vault_url (str) – the vault URL

  • key_name (str) – the name of the key in the vault