Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / dacb5f9951064d19ac69c1198985af136f71a6db / . / docs / hazmat / backends / interfaces.rst
blob: 5cbd47d16d3ecaaf4a3a1b61a7529b1d5296df96 [file] [log] [blame]
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]1.. hazmat::
2
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]3Backend interfaces
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]4==================
5
Alex Gaynorf8796b12013-12-13 20:28:55 -0800[diff] [blame]6.. currentmodule:: cryptography.hazmat.backends.interfaces
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]7
8
Alex Gaynor969f18e2014-05-17 20:07:35 -0700[diff] [blame]9Backend implementations may provide a number of interfaces to support
10operations such as :doc:`/hazmat/primitives/symmetric-encryption`,
David Reid6b9df812013-11-18 14:13:02 -0800[diff] [blame]11:doc:`/hazmat/primitives/cryptographic-hashes`, and
Ayrxfa4a6b22014-04-16 23:03:14 +0800[diff] [blame]12:doc:`/hazmat/primitives/mac/hmac`.
David Reid6b9df812013-11-18 14:13:02 -0800[diff] [blame]13
14A specific ``backend`` may provide one or more of these interfaces.
15
16
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]17.. class:: CipherBackend
18
Alex Stapleton63b3de22014-02-08 09:43:16 +0000[diff] [blame]19 A backend that provides methods for using ciphers for encryption
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]20 and decryption.
21
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]22 The following backends implement this interface:
23
24 * :doc:`/hazmat/backends/openssl`
25 * :doc:`/hazmat/backends/commoncrypto`
26
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]27 .. method:: cipher_supported(cipher, mode)
28
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]29 Check if a ``cipher`` and ``mode`` combination is supported by
30 this backend.
31
32 :param cipher: An instance of a
33 :class:`~cryptography.hazmat.primitives.interfaces.CipherAlgorithm`
34 provider.
35 :param mode: An instance of a
36 :class:`~cryptography.hazmat.primitives.interfaces.Mode` provider.
37
38 :returns: ``True`` if the specified ``cipher`` and ``mode`` combination
39 is supported by this backend, otherwise ``False``
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]40
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]41
42 .. method:: create_symmetric_encryption_ctx(cipher, mode)
43
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]44 Create a
Paul Kehrer446cc2a2014-01-29 14:39:30 -0600[diff] [blame]45 :class:`~cryptography.hazmat.primitives.interfaces.CipherContext` that
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]46 can be used for encrypting data with the symmetric ``cipher`` using
47 the given ``mode``.
48
49 :param cipher: An instance of a
50 :class:`~cryptography.hazmat.primitives.interfaces.CipherAlgorithm`
51 provider.
52 :param mode: An instance of a
53 :class:`~cryptography.hazmat.primitives.interfaces.Mode` provider.
54
55 :returns:
56 :class:`~cryptography.hazmat.primitives.interfaces.CipherContext`
57
Paul Kehrera07925a2013-12-06 11:49:42 -0600[diff] [blame]58 :raises ValueError: When tag is not None in an AEAD mode
59
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]60
61 .. method:: create_symmetric_decryption_ctx(cipher, mode)
62
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]63 Create a
Paul Kehrer446cc2a2014-01-29 14:39:30 -0600[diff] [blame]64 :class:`~cryptography.hazmat.primitives.interfaces.CipherContext` that
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]65 can be used for decrypting data with the symmetric ``cipher`` using
66 the given ``mode``.
67
68 :param cipher: An instance of a
69 :class:`~cryptography.hazmat.primitives.interfaces.CipherAlgorithm`
70 provider.
71 :param mode: An instance of a
72 :class:`~cryptography.hazmat.primitives.interfaces.Mode` provider.
73
74 :returns:
75 :class:`~cryptography.hazmat.primitives.interfaces.CipherContext`
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]76
Paul Kehrera07925a2013-12-06 11:49:42 -0600[diff] [blame]77 :raises ValueError: When tag is None in an AEAD mode
78
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]79
80.. class:: HashBackend
81
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]82 A backend with methods for using cryptographic hash functions.
83
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]84 The following backends implement this interface:
85
86 * :doc:`/hazmat/backends/openssl`
87 * :doc:`/hazmat/backends/commoncrypto`
88
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]89 .. method:: hash_supported(algorithm)
90
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]91 Check if the specified ``algorithm`` is supported by this backend.
92
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]93 :param algorithm: An instance of a
94 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
95 provider.
96
97 :returns: ``True`` if the specified ``algorithm`` is supported by this
98 backend, otherwise ``False``.
99
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]100
101 .. method:: create_hash_ctx(algorithm)
102
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]103 Create a
Paul Kehrer446cc2a2014-01-29 14:39:30 -0600[diff] [blame]104 :class:`~cryptography.hazmat.primitives.interfaces.HashContext` that
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]105 uses the specified ``algorithm`` to calculate a message digest.
106
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]107 :param algorithm: An instance of a
108 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
109 provider.
110
111 :returns:
112 :class:`~cryptography.hazmat.primitives.interfaces.HashContext`
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]113
114
115.. class:: HMACBackend
116
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]117 A backend with methods for using cryptographic hash functions as message
118 authentication codes.
119
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]120 The following backends implement this interface:
121
122 * :doc:`/hazmat/backends/openssl`
123 * :doc:`/hazmat/backends/commoncrypto`
124
Paul Kehrer90ae8662013-12-23 17:21:00 -0600[diff] [blame]125 .. method:: hmac_supported(algorithm)
126
127 Check if the specified ``algorithm`` is supported by this backend.
128
129 :param algorithm: An instance of a
130 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
131 provider.
132
133 :returns: ``True`` if the specified ``algorithm`` is supported for HMAC
134 by this backend, otherwise ``False``.
135
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]136 .. method:: create_hmac_ctx(algorithm)
137
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]138 Create a
Paul Kehrer446cc2a2014-01-29 14:39:30 -0600[diff] [blame]139 :class:`~cryptography.hazmat.primitives.interfaces.HashContext` that
Paul Kehrer4f776c42013-12-23 17:25:54 -0600[diff] [blame]140 uses the specified ``algorithm`` to calculate a hash-based message
141 authentication code.
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]142
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]143 :param algorithm: An instance of a
144 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
145 provider.
146
147 :returns:
148 :class:`~cryptography.hazmat.primitives.interfaces.HashContext`
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]149
150
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]151.. class:: PBKDF2HMACBackend
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]152
Paul Kehrer5d1af212014-01-28 12:19:32 -0600[diff] [blame]153 .. versionadded:: 0.2
154
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]155 A backend with methods for using PBKDF2 using HMAC as a PRF.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]156
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]157 The following backends implement this interface:
158
159 * :doc:`/hazmat/backends/openssl`
160 * :doc:`/hazmat/backends/commoncrypto`
161
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]162 .. method:: pbkdf2_hmac_supported(algorithm)
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]163
164 Check if the specified ``algorithm`` is supported by this backend.
165
Paul Kehrer589b9082014-01-28 21:25:41 -0600[diff] [blame]166 :param algorithm: An instance of a
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]167 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
168 provider.
169
170 :returns: ``True`` if the specified ``algorithm`` is supported for
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]171 PBKDF2 HMAC by this backend, otherwise ``False``.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]172
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]173 .. method:: derive_pbkdf2_hmac(self, algorithm, length, salt, iterations,
174 key_material)
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]175
176 :param algorithm: An instance of a
177 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
178 provider.
179
180 :param int length: The desired length of the derived key. Maximum is
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]181 (2\ :sup:`32` - 1) * ``algorithm.digest_size``
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]182
Paul Kehrerb6d764c2014-01-27 22:32:11 -0600[diff] [blame]183 :param bytes salt: A salt.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]184
185 :param int iterations: The number of iterations to perform of the hash
Paul Kehrerc58b4782014-01-29 13:56:25 -0600[diff] [blame]186 function. This can be used to control the length of time the
187 operation takes. Higher numbers help mitigate brute force attacks
188 against derived keys.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]189
190 :param bytes key_material: The key material to use as a basis for
191 the derived key. This is typically a password.
192
193 :return bytes: Derived key.
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]194
195
196.. class:: RSABackend
197
198 .. versionadded:: 0.2
199
200 A backend with methods for using RSA.
201
Alex Stapletone009ad22014-02-08 17:23:46 +0000[diff] [blame]202 .. method:: generate_rsa_private_key(public_exponent, key_size)
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]203
204 :param int public_exponent: The public exponent of the new key.
205 Often one of the small Fermat primes 3, 5, 17, 257 or 65537.
206
Alex Stapletone009ad22014-02-08 17:23:46 +0000[diff] [blame]207 :param int key_size: The length in bits of the modulus. Should be
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]208 at least 2048.
209
210 :return: A new instance of a
211 :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey`
212 provider.
213
214 :raises ValueError: If the public_exponent is not valid.
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]215
Paul Kehrer3292c992014-02-17 21:12:38 -0600[diff] [blame]216 .. method:: create_rsa_signature_ctx(private_key, padding, algorithm)
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]217
Paul Kehrerf2fb02a2014-06-19 10:16:42 -0600[diff] [blame]218 .. deprecated:: 0.5
219
Paul Kehrerdd3780a2014-02-18 13:17:53 -0600[diff] [blame]220 :param private_key: An instance of an
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]221 :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey`
222 provider.
223
Paul Kehrerdd3780a2014-02-18 13:17:53 -0600[diff] [blame]224 :param padding: An instance of an
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]225 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
226 provider.
227
228 :param algorithm: An instance of a
229 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
230 provider.
231
232 :returns:
Paul Kehrerdd3780a2014-02-18 13:17:53 -0600[diff] [blame]233 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricSignatureContext`
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]234
Paul Kehrerdd3780a2014-02-18 13:17:53 -0600[diff] [blame]235 .. method:: create_rsa_verification_ctx(public_key, signature, padding, algorithm)
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]236
Paul Kehrerf2fb02a2014-06-19 10:16:42 -0600[diff] [blame]237 .. deprecated:: 0.5
238
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]239 :param public_key: An instance of a
240 :class:`~cryptography.hazmat.primitives.interfaces.RSAPublicKey`
241 provider.
242
243 :param bytes signature: The signature to verify.
244
Paul Kehrerdd3780a2014-02-18 13:17:53 -0600[diff] [blame]245 :param padding: An instance of an
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]246 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
247 provider.
248
249 :param algorithm: An instance of a
250 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
251 provider.
252
253 :returns:
Paul Kehrer430202d2014-02-18 13:36:53 -0600[diff] [blame]254 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricVerificationContext`
Alex Stapleton2fb76a32014-02-15 11:10:57 +0000[diff] [blame]255
Paul Kehrer06c77932014-03-09 22:22:14 -0400[diff] [blame]256 .. method:: mgf1_hash_supported(algorithm)
257
Paul Kehrer6e85b172014-06-20 21:48:17 -0600[diff] [blame]258 ..deprecated:: 0.5
259
Paul Kehrer06c77932014-03-09 22:22:14 -0400[diff] [blame]260 Check if the specified ``algorithm`` is supported for use with
261 :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1`
262 inside :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`
Paul Kehrer6e85b172014-06-20 21:48:17 -0600[diff] [blame]263 padding. This method is deprecated in favor of
264 ``rsa_padding_supported``.
Paul Kehrer06c77932014-03-09 22:22:14 -0400[diff] [blame]265
266 :param algorithm: An instance of a
267 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
268 provider.
269
270 :returns: ``True`` if the specified ``algorithm`` is supported by this
271 backend, otherwise ``False``.
272
Paul Kehrerc333dbc2014-05-24 18:35:02 -0500[diff] [blame]273 .. method:: rsa_padding_supported(padding)
274
275 Check if the specified ``padding`` is supported by the backend.
276
277 :param padding: An instance of an
278 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
279 provider.
280
281 :returns: ``True`` if the specified ``padding`` is supported by this
282 backend, otherwise ``False``.
283
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]284 .. method:: generate_rsa_parameters_supported(public_exponent, key_size)
285
286 Check if the specified parameters are supported for key generation by
287 the backend.
288
Paul Kehrer1b760f12014-05-26 08:54:38 -0500[diff] [blame]289 :param int public_exponent: The public exponent.
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]290
Paul Kehrer1b760f12014-05-26 08:54:38 -0500[diff] [blame]291 :param int key_size: The bit length of the generated modulus.
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]292
Paul Kehrer4c0a3742014-04-05 19:51:00 -0500[diff] [blame]293 .. method:: decrypt_rsa(private_key, ciphertext, padding)
294
Paul Kehrerf2fb02a2014-06-19 10:16:42 -0600[diff] [blame]295 .. deprecated:: 0.5
296
Paul Kehrer4c0a3742014-04-05 19:51:00 -0500[diff] [blame]297 :param private_key: An instance of an
298 :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey`
299 provider.
300
301 :param bytes ciphertext: The ciphertext to decrypt.
302
303 :param padding: An instance of an
304 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
305 provider.
306
Paul Kehrerc929e402014-05-09 11:09:13 -0500[diff] [blame]307 :return bytes: The decrypted data.
308
309 :raises cryptography.exceptions.UnsupportedAlgorithm: If an unsupported
310 MGF, hash function, or padding is chosen.
311
312 :raises ValueError: When decryption fails or key size does not match
313 ciphertext length.
314
Paul Kehrer4e602f32014-04-24 12:07:54 -0500[diff] [blame]315 .. method:: encrypt_rsa(public_key, plaintext, padding)
316
Paul Kehrerf2fb02a2014-06-19 10:16:42 -0600[diff] [blame]317 .. deprecated:: 0.5
318
Paul Kehrer4e602f32014-04-24 12:07:54 -0500[diff] [blame]319 :param public_key: An instance of an
320 :class:`~cryptography.hazmat.primitives.interfaces.RSAPublicKey`
321 provider.
322
323 :param bytes plaintext: The plaintext to encrypt.
324
325 :param padding: An instance of an
326 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
327 provider.
328
Paul Kehrerc929e402014-05-09 11:09:13 -0500[diff] [blame]329 :return bytes: The encrypted data.
330
331 :raises cryptography.exceptions.UnsupportedAlgorithm: If an unsupported
332 MGF, hash function, or padding is chosen.
333
334 :raises ValueError: When plaintext is too long for the key size.
David Reid576a1532014-05-28 14:00:41 -0700[diff] [blame]335
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]336 .. method:: load_rsa_private_numbers(numbers):
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]337
338 :param numbers: An instance of
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]339 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]340
341 :returns: A provider of
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]342 :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey`.
343
David Reidc57a3762014-06-03 13:27:50 -0700[diff] [blame]344 :raises ValueError: This is raised when the values of ``p``, ``q``,
345 ``private_exponent``, ``public_exponent``, or ``modulus`` do not
346 match the bounds specified in :rfc:`3447`.
347
David Reidda76ae02014-06-03 14:01:18 -0700[diff] [blame]348 :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when
349 any backend specific criteria are not met.
350
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]351 .. method:: load_rsa_public_numbers(numbers):
352
353 :param numbers: An instance of
354 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
355
356 :returns: A provider of
357 :class:`~cryptography.hazmat.primitives.interfaces.RSAPublicKey`.
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]358
David Reidc57a3762014-06-03 13:27:50 -0700[diff] [blame]359 :raises ValueError: This is raised when the values of
360 ``public_exponent`` or ``modulus`` do not match the bounds
361 specified in :rfc:`3447`.
362
David Reidda76ae02014-06-03 14:01:18 -0700[diff] [blame]363 :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when
364 any backend specific criteria are not met.
365
Alex Stapleton2fb76a32014-02-15 11:10:57 +0000[diff] [blame]366
Alex Stapleton458c09b2014-04-23 20:58:37 +0100[diff] [blame]367.. class:: TraditionalOpenSSLSerializationBackend
Alex Stapleton2fb76a32014-02-15 11:10:57 +0000[diff] [blame]368
369 .. versionadded:: 0.3
370
371 A backend with methods for working with OpenSSL's "traditional" PKCS #1
372 style key serialization.
373
374 .. method:: load_openssl_pem_private_key(data, password)
Alex Gaynorc6a6f312014-03-06 14:22:56 -0800[diff] [blame]375
Alex Stapleton2fb76a32014-02-15 11:10:57 +0000[diff] [blame]376 :param bytes data: PEM data to deserialize.
377
378 :param bytes password: The password to use if this data is encrypted.
379 Should be None if the data is not encrypted.
380
Alex Stapleton458c09b2014-04-23 20:58:37 +0100[diff] [blame]381 :return: A new instance of the appropriate private key or public key
382 that the serialized data contains.
Alex Stapleton2fb76a32014-02-15 11:10:57 +0000[diff] [blame]383
384 :raises ValueError: If the data could not be deserialized correctly.
385
386 :raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
387 encrypted with an unsupported algorithm.
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]388
389
390.. class:: DSABackend
391
392 .. versionadded:: 0.4
393
394 A backend with methods for using DSA.
395
396 .. method:: generate_dsa_parameters(key_size)
397
Alex Gaynorc9dc0a02014-04-24 13:38:12 -0700[diff] [blame]398 :param int key_size: The length of the modulus in bits. It should be
399 either 1024, 2048 or 3072. For keys generated in 2014 this should
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]400 be at least 2048.
Alex Gaynorc9dc0a02014-04-24 13:38:12 -0700[diff] [blame]401 Note that some applications (such as SSH) have not yet gained
402 support for larger key sizes specified in FIPS 186-3 and are still
403 restricted to only the 1024-bit keys specified in FIPS 186-2.
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]404
405 :return: A new instance of a
406 :class:`~cryptography.hazmat.primitives.interfaces.DSAParameters`
407 provider.
408
409 .. method:: generate_dsa_private_key(parameters)
410
411 :param parameters: A
412 :class:`~cryptography.hazmat.primitives.interfaces.DSAParameters`
413 provider.
414
415 :return: A new instance of a
416 :class:`~cryptography.hazmat.primitives.interfaces.DSAPrivateKey`
417 provider.
418
Alex Gaynor239d5182014-04-24 13:42:58 -0700[diff] [blame]419 :raises ValueError: This is raised if the key size is not one of 1024,
420 2048, or 3072. It is also raised when OpenSSL is older than version
421 1.0.0 and the key size is larger than 1024; older OpenSSL versions
422 do not support keys larger than 1024 bits.
Ayrx97a72fd2014-04-15 19:02:51 +0800[diff] [blame]423
Paul Kehrer0b3ff3b2014-05-01 15:34:42 -0500[diff] [blame]424 .. method:: create_dsa_signature_ctx(private_key, algorithm)
425
426 :param private_key: An instance of a
427 :class:`~cryptography.hazmat.primitives.interfaces.DSAPrivateKey`
428 provider.
429
430 :param algorithm: An instance of a
431 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
432 provider
433
434 :returns:
435 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricSignatureContext`
436
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]437 .. method:: create_dsa_verification_ctx(public_key, signature, algorithm)
438
439 :param public_key: An instance of a
440 :class:`~cryptography.hazmat.primitives.interfaces.DSAPublicKey`
441 provider.
442
Paul Kehrer21babbb2014-05-01 11:33:22 -0500[diff] [blame]443 :param bytes signature: The signature to verify. DER encoded as
444 specified in :rfc:`6979`.
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]445
446 :param algorithm: An instance of a
447 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
448 provider.
449
450 :returns:
451 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricVerificationContext`
452
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]453 .. method:: dsa_hash_supported(algorithm):
Paul Kehrer43dc2762014-04-30 16:24:39 -0500[diff] [blame]454
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]455 :param algorithm: An instance of a
456 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
457 provider.
458
459 :returns: ``True`` if the specified ``algorithm`` is supported by this
460 backend, otherwise ``False``.
461
Paul Kehrer21babbb2014-05-01 11:33:22 -0500[diff] [blame]462 .. method:: dsa_parameters_supported(p, q, g):
Paul Kehrerb4037872014-04-30 16:32:23 -0500[diff] [blame]463
464 :param int p: The p value of a DSA key.
465
466 :param int q: The q value of a DSA key.
467
Paul Kehrer21babbb2014-05-01 11:33:22 -0500[diff] [blame]468 :param int g: The g value of a DSA key.
469
470 :returns: ``True`` if the given values of ``p``, ``q``, and ``g`` are
471 supported by this backend, otherwise ``False``.
Paul Kehrerb4037872014-04-30 16:32:23 -0500[diff] [blame]472
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]473 .. method:: load_dsa_parameter_numbers(numbers):
474
475 :param numbers: An instance of
476 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameterNumbers`.
477
478 :returns: A provider of
479 :class:`~cryptography.hazmat.primitives.interfaces.DSAParameters`.
480
481 :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when
482 any backend specific criteria are not met.
483
484 .. method:: load_dsa_private_numbers(numbers):
485
486 :param numbers: An instance of
487 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateNumbers`.
488
489 :returns: A provider of
490 :class:`~cryptography.hazmat.primitives.interfaces.DSAPrivateKey`.
491
492 :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when
493 any backend specific criteria are not met.
494
495 .. method:: load_dsa_public_numbers(numbers):
496
497 :param numbers: An instance of
498 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicNumbers`.
499
500 :returns: A provider of
501 :class:`~cryptography.hazmat.primitives.interfaces.DSAPublicKey`.
502
503 :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when
504 any backend specific criteria are not met.
505
506
Ayrx97a72fd2014-04-15 19:02:51 +0800[diff] [blame]507
508.. class:: CMACBackend
509
510 .. versionadded:: 0.4
511
512 A backend with methods for using CMAC
513
Ayrx6cf29f22014-04-16 23:47:36 +0800[diff] [blame]514 .. method:: cmac_algorithm_supported(algorithm)
Ayrx97a72fd2014-04-15 19:02:51 +0800[diff] [blame]515
Ayrx6cf29f22014-04-16 23:47:36 +0800[diff] [blame]516 :param algorithm: An instance of a
517 :class:`~cryptography.hazmat.primitives.interfaces.BlockCipherAlgorithm`
518 provider.
519 :return: Returns True if the block cipher is supported for CMAC by this backend
Ayrx97a72fd2014-04-15 19:02:51 +0800[diff] [blame]520
521 .. method:: create_cmac_ctx(algorithm)
522
523 Create a
524 :class:`~cryptography.hazmat.primitives.interfaces.CMACContext` that
525 uses the specified ``algorithm`` to calculate a message authentication code.
526
527 :param algorithm: An instance of a
528 :class:`~cryptography.hazmat.primitives.interfaces.BlockCipherAlgorithm`
529 provider.
530
531 :returns:
532 :class:`~cryptography.hazmat.primitives.interfaces.CMACContext`
Paul Kehrer286c7dc2014-05-31 12:05:38 -0500[diff] [blame]533
534
535.. class:: PKCS8SerializationBackend
536
537 .. versionadded:: 0.5
538
539 A backend with methods for working with PKCS #8 key serialization.
540
541 .. method:: load_pkcs8_pem_private_key(data, password)
542
543 :param bytes data: PEM data to deserialize.
544
545 :param bytes password: The password to use if this data is encrypted.
546 Should be None if the data is not encrypted.
547
548 :return: A new instance of the appropriate private key or public key
549 that the serialized data contains.
550
551 :raises ValueError: If the data could not be deserialized correctly.
552
553 :raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
554 encrypted with an unsupported algorithm.
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]555
556
557.. class:: EllipticCurveBackend
558
559 .. versionadded:: 0.5
560
561 .. method:: elliptic_curve_supported(curve)
562
563 :param curve: An instance of a
564 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurve`
565 provider.
566
567 :returns: True if the elliptic curve is supported by this backend.
568
569 .. method:: elliptic_curve_signature_algorithm_supported(signature_algorithm, curve)
570
571 :param signature_algorithm: An instance of a
572 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurveSignatureAlgorithm`
573 provider.
574
575 :param curve: An instance of a
576 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurve`
577 provider.
578
579 :returns: True if the signature algorithm and curve are supported by this backend.
580
581 .. method:: generate_elliptic_curve_private_key(curve)
582
583 :param curve: An instance of a
584 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurve`
585 provider.
586
587 .. method:: elliptic_curve_private_key_from_numbers(numbers)
588
589 :param numbers: An instance of a
590 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePrivateNumbers`
591 provider.
592
593 :returns: An instance of a
594 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePrivateKey`
595 provider.
596
597 .. method:: elliptic_curve_public_key_from_numbers(numbers)
598
599 :param numbers: An instance of a
600 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePublicNumbers`
601 provider.
602
603 :returns: An instance of a
604 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePublicKey`
605 provider.