| Paul Kehrer | ca8e161 | 2015-03-16 20:57:09 -0500 | [diff] [blame] | 1 | .. hazmat:: |
| 2 | |
| 3 | .. module:: cryptography.hazmat.primitives.keywrap |
| 4 | |
| 5 | Key wrapping |
| 6 | ============ |
| 7 | |
| 8 | Key wrapping is a cryptographic construct that uses symmetric encryption to |
| Paul Kehrer | 42e029b | 2015-10-17 09:52:04 -0500 | [diff] [blame] | 9 | encapsulate key material. Key wrapping algorithms are occasionally utilized |
| 10 | to protect keys at rest or transmit them over insecure networks. Many of the |
| 11 | protections offered by key wrapping are also offered by using authenticated |
| 12 | :doc:`symmetric encryption </hazmat/primitives/symmetric-encryption>`. |
| Paul Kehrer | ca8e161 | 2015-03-16 20:57:09 -0500 | [diff] [blame] | 13 | |
| 14 | .. function:: aes_key_wrap(wrapping_key, key_to_wrap, backend) |
| 15 | |
| Paul Kehrer | 6f6cf00 | 2015-06-17 19:58:10 -0600 | [diff] [blame] | 16 | .. versionadded:: 1.1 |
| 17 | |
| Paul Kehrer | 974e875 | 2015-10-22 11:21:55 -0500 | [diff] [blame] | 18 | This function performs AES key wrap (without padding) as specified in |
| 19 | :rfc:`3394`. |
| 20 | |
| Paul Kehrer | ca8e161 | 2015-03-16 20:57:09 -0500 | [diff] [blame] | 21 | :param bytes wrapping_key: The wrapping key. |
| 22 | |
| 23 | :param bytes key_to_wrap: The key to wrap. |
| 24 | |
| 25 | :param backend: A |
| 26 | :class:`~cryptography.hazmat.backends.interfaces.CipherBackend` |
| 27 | provider that supports |
| 28 | :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES`. |
| 29 | |
| 30 | :return bytes: The wrapped key as bytes. |
| 31 | |
| 32 | .. function:: aes_key_unwrap(wrapping_key, wrapped_key, backend) |
| 33 | |
| Paul Kehrer | 6f6cf00 | 2015-06-17 19:58:10 -0600 | [diff] [blame] | 34 | .. versionadded:: 1.1 |
| 35 | |
| Paul Kehrer | 974e875 | 2015-10-22 11:21:55 -0500 | [diff] [blame] | 36 | This function performs AES key unwrap (without padding) as specified in |
| 37 | :rfc:`3394`. |
| 38 | |
| Paul Kehrer | ca8e161 | 2015-03-16 20:57:09 -0500 | [diff] [blame] | 39 | :param bytes wrapping_key: The wrapping key. |
| 40 | |
| 41 | :param bytes wrapped_key: The wrapped key. |
| 42 | |
| 43 | :param backend: A |
| 44 | :class:`~cryptography.hazmat.backends.interfaces.CipherBackend` |
| 45 | provider that supports |
| 46 | :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES`. |
| 47 | |
| 48 | :return bytes: The unwrapped key as bytes. |
| 49 | |
| Paul Kehrer | 6f6cf00 | 2015-06-17 19:58:10 -0600 | [diff] [blame] | 50 | :raises cryptography.hazmat.primitives.keywrap.InvalidUnwrap: This is |
| 51 | raised if the key is not successfully unwrapped. |
| 52 | |
| Paul Kehrer | ca8e161 | 2015-03-16 20:57:09 -0500 | [diff] [blame] | 53 | Exceptions |
| 54 | ~~~~~~~~~~ |
| 55 | |
| 56 | .. class:: InvalidUnwrap |
| 57 | |
| 58 | This is raised when a wrapped key fails to unwrap. It can be caused by a |
| 59 | corrupted or invalid wrapped key or an invalid wrapping key. |