| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 1 | |
| 2 | :mod:`hashlib` --- Secure hashes and message digests |
| 3 | ==================================================== |
| 4 | |
| 5 | .. module:: hashlib |
| 6 | :synopsis: Secure hash and message digest algorithms. |
| 7 | .. moduleauthor:: Gregory P. Smith <greg@users.sourceforge.net> |
| 8 | .. sectionauthor:: Gregory P. Smith <greg@users.sourceforge.net> |
| 9 | |
| 10 | |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 11 | .. index:: |
| 12 | single: message digest, MD5 |
| 13 | single: secure hash algorithm, SHA1, SHA224, SHA256, SHA384, SHA512 |
| 14 | |
| 15 | This module implements a common interface to many different secure hash and |
| 16 | message digest algorithms. Included are the FIPS secure hash algorithms SHA1, |
| 17 | SHA224, SHA256, SHA384, and SHA512 (defined in FIPS 180-2) as well as RSA's MD5 |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 18 | algorithm (defined in Internet :rfc:`1321`). The terms "secure hash" and |
| 19 | "message digest" are interchangeable. Older algorithms were called message |
| 20 | digests. The modern term is secure hash. |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 21 | |
| 22 | .. warning:: |
| 23 | |
| 24 | Some algorithms have known hash collision weaknesses, see the FAQ at the end. |
| 25 | |
| 26 | There is one constructor method named for each type of :dfn:`hash`. All return |
| 27 | a hash object with the same simple interface. For example: use :func:`sha1` to |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 28 | create a SHA1 hash object. You can now feed this object with objects conforming |
| 29 | to the buffer interface (normally :class:`bytes` objects) using the |
| 30 | :meth:`update` method. At any point you can ask it for the :dfn:`digest` of the |
| 31 | concatenation of the data fed to it so far using the :meth:`digest` or |
| 32 | :meth:`hexdigest` methods. |
| 33 | |
| 34 | .. note:: |
| 35 | |
| 36 | Feeding string objects is to :meth:`update` is not supported, as hashes work |
| 37 | on bytes, not on characters. |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 38 | |
| Thomas Wouters | 1b7f891 | 2007-09-19 03:06:30 +0000 | [diff] [blame^] | 39 | .. index:: single: OpenSSL; (use in module hashlib) |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 40 | |
| 41 | Constructors for hash algorithms that are always present in this module are |
| 42 | :func:`md5`, :func:`sha1`, :func:`sha224`, :func:`sha256`, :func:`sha384`, and |
| 43 | :func:`sha512`. Additional algorithms may also be available depending upon the |
| 44 | OpenSSL library that Python uses on your platform. |
| 45 | |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 46 | For example, to obtain the digest of the byte string ``b'Nobody inspects the |
| 47 | spammish repetition'``:: |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 48 | |
| 49 | >>> import hashlib |
| 50 | >>> m = hashlib.md5() |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 51 | >>> m.update(b"Nobody inspects") |
| 52 | >>> m.update(b" the spammish repetition") |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 53 | >>> m.digest() |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 54 | b'\xbbd\x9c\x83\xdd\x1e\xa5\xc9\xd9\xde\xc9\xa1\x8d\xf0\xff\xe9' |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 55 | |
| 56 | More condensed:: |
| 57 | |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 58 | >>> hashlib.sha224(b"Nobody inspects the spammish repetition").hexdigest() |
| 59 | b'a4337bc45a8fc544c03f52dc550cd6e1e87021bc896588bd79e901e2' |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 60 | |
| 61 | A generic :func:`new` constructor that takes the string name of the desired |
| 62 | algorithm as its first parameter also exists to allow access to the above listed |
| 63 | hashes as well as any other algorithms that your OpenSSL library may offer. The |
| 64 | named constructors are much faster than :func:`new` and should be preferred. |
| 65 | |
| 66 | Using :func:`new` with an algorithm provided by OpenSSL:: |
| 67 | |
| 68 | >>> h = hashlib.new('ripemd160') |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 69 | >>> h.update(b"Nobody inspects the spammish repetition") |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 70 | >>> h.hexdigest() |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 71 | b'cc4a5ce1b3df48aec5d22d1f16b894a0b894eccc' |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 72 | |
| 73 | The following values are provided as constant attributes of the hash objects |
| 74 | returned by the constructors: |
| 75 | |
| 76 | |
| 77 | .. data:: digest_size |
| 78 | |
| 79 | The size of the resulting digest in bytes. |
| 80 | |
| 81 | A hash object has the following methods: |
| 82 | |
| 83 | |
| 84 | .. method:: hash.update(arg) |
| 85 | |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 86 | Update the hash object with the object *arg*, which must be interpretable as |
| 87 | a buffer of bytes. Repeated calls are equivalent to a single call with the |
| 88 | concatenation of all the arguments: ``m.update(a); m.update(b)`` is |
| 89 | equivalent to ``m.update(a+b)``. |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 90 | |
| 91 | |
| 92 | .. method:: hash.digest() |
| 93 | |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 94 | Return the digest of the data passed to the :meth:`update` method so far. |
| 95 | This is a bytes array of size :attr:`digest_size` which may contain bytes in |
| 96 | the whole range from 0 to 255. |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 97 | |
| 98 | |
| 99 | .. method:: hash.hexdigest() |
| 100 | |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 101 | Like :meth:`digest` except the digest is returned as a string object of |
| 102 | double length, containing only hexadecimal digits. This may be used to |
| 103 | exchange the value safely in email or other non-binary environments. |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 104 | |
| 105 | |
| 106 | .. method:: hash.copy() |
| 107 | |
| 108 | Return a copy ("clone") of the hash object. This can be used to efficiently |
| Georg Brandl | 67ced42 | 2007-09-06 14:09:10 +0000 | [diff] [blame] | 109 | compute the digests of data sharing a common initial substring. |
| Georg Brandl | 116aa62 | 2007-08-15 14:28:22 +0000 | [diff] [blame] | 110 | |
| 111 | |
| 112 | .. seealso:: |
| 113 | |
| 114 | Module :mod:`hmac` |
| 115 | A module to generate message authentication codes using hashes. |
| 116 | |
| 117 | Module :mod:`base64` |
| 118 | Another way to encode binary hashes for non-binary environments. |
| 119 | |
| 120 | http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf |
| 121 | The FIPS 180-2 publication on Secure Hash Algorithms. |
| 122 | |
| 123 | http://www.cryptography.com/cnews/hash.html |
| 124 | Hash Collision FAQ with information on which algorithms have known issues and |
| 125 | what that means regarding their use. |
| 126 | |