Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / b45731b94d7a50b4b4ca39e6a571fc5c19f509b4 / . / docs / hazmat / backends / interfaces.rst
blob: f8341d11acfeb2b6eab8ace852aa99504a6f1f2b [file] [log] [blame]
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]1.. hazmat::
2
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]3Backend interfaces
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]4==================
5
Alex Gaynorf8796b12013-12-13 20:28:55 -0800[diff] [blame]6.. currentmodule:: cryptography.hazmat.backends.interfaces
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]7
8
Alex Gaynor969f18e2014-05-17 20:07:35 -0700[diff] [blame]9Backend implementations may provide a number of interfaces to support
10operations such as :doc:`/hazmat/primitives/symmetric-encryption`,
David Reid6b9df812013-11-18 14:13:02 -0800[diff] [blame]11:doc:`/hazmat/primitives/cryptographic-hashes`, and
Ayrxfa4a6b22014-04-16 23:03:14 +0800[diff] [blame]12:doc:`/hazmat/primitives/mac/hmac`.
David Reid6b9df812013-11-18 14:13:02 -0800[diff] [blame]13
14A specific ``backend`` may provide one or more of these interfaces.
15
16
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]17.. class:: CipherBackend
18
Alex Stapleton63b3de22014-02-08 09:43:16 +0000[diff] [blame]19 A backend that provides methods for using ciphers for encryption
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]20 and decryption.
21
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]22 The following backends implement this interface:
23
24 * :doc:`/hazmat/backends/openssl`
25 * :doc:`/hazmat/backends/commoncrypto`
26
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]27 .. method:: cipher_supported(cipher, mode)
28
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]29 Check if a ``cipher`` and ``mode`` combination is supported by
30 this backend.
31
32 :param cipher: An instance of a
33 :class:`~cryptography.hazmat.primitives.interfaces.CipherAlgorithm`
34 provider.
35 :param mode: An instance of a
36 :class:`~cryptography.hazmat.primitives.interfaces.Mode` provider.
37
38 :returns: ``True`` if the specified ``cipher`` and ``mode`` combination
39 is supported by this backend, otherwise ``False``
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]40
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]41
42 .. method:: create_symmetric_encryption_ctx(cipher, mode)
43
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]44 Create a
Paul Kehrer446cc2a2014-01-29 14:39:30 -0600[diff] [blame]45 :class:`~cryptography.hazmat.primitives.interfaces.CipherContext` that
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]46 can be used for encrypting data with the symmetric ``cipher`` using
47 the given ``mode``.
48
49 :param cipher: An instance of a
50 :class:`~cryptography.hazmat.primitives.interfaces.CipherAlgorithm`
51 provider.
52 :param mode: An instance of a
53 :class:`~cryptography.hazmat.primitives.interfaces.Mode` provider.
54
55 :returns:
56 :class:`~cryptography.hazmat.primitives.interfaces.CipherContext`
57
Paul Kehrera07925a2013-12-06 11:49:42 -0600[diff] [blame]58 :raises ValueError: When tag is not None in an AEAD mode
59
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]60
61 .. method:: create_symmetric_decryption_ctx(cipher, mode)
62
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]63 Create a
Paul Kehrer446cc2a2014-01-29 14:39:30 -0600[diff] [blame]64 :class:`~cryptography.hazmat.primitives.interfaces.CipherContext` that
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]65 can be used for decrypting data with the symmetric ``cipher`` using
66 the given ``mode``.
67
68 :param cipher: An instance of a
69 :class:`~cryptography.hazmat.primitives.interfaces.CipherAlgorithm`
70 provider.
71 :param mode: An instance of a
72 :class:`~cryptography.hazmat.primitives.interfaces.Mode` provider.
73
74 :returns:
75 :class:`~cryptography.hazmat.primitives.interfaces.CipherContext`
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]76
Paul Kehrera07925a2013-12-06 11:49:42 -0600[diff] [blame]77 :raises ValueError: When tag is None in an AEAD mode
78
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]79
80.. class:: HashBackend
81
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]82 A backend with methods for using cryptographic hash functions.
83
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]84 The following backends implement this interface:
85
86 * :doc:`/hazmat/backends/openssl`
87 * :doc:`/hazmat/backends/commoncrypto`
88
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]89 .. method:: hash_supported(algorithm)
90
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]91 Check if the specified ``algorithm`` is supported by this backend.
92
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]93 :param algorithm: An instance of a
94 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
95 provider.
96
97 :returns: ``True`` if the specified ``algorithm`` is supported by this
98 backend, otherwise ``False``.
99
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]100
101 .. method:: create_hash_ctx(algorithm)
102
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]103 Create a
Paul Kehrer446cc2a2014-01-29 14:39:30 -0600[diff] [blame]104 :class:`~cryptography.hazmat.primitives.interfaces.HashContext` that
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]105 uses the specified ``algorithm`` to calculate a message digest.
106
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]107 :param algorithm: An instance of a
108 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
109 provider.
110
111 :returns:
112 :class:`~cryptography.hazmat.primitives.interfaces.HashContext`
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]113
114
115.. class:: HMACBackend
116
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]117 A backend with methods for using cryptographic hash functions as message
118 authentication codes.
119
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]120 The following backends implement this interface:
121
122 * :doc:`/hazmat/backends/openssl`
123 * :doc:`/hazmat/backends/commoncrypto`
124
Paul Kehrer90ae8662013-12-23 17:21:00 -0600[diff] [blame]125 .. method:: hmac_supported(algorithm)
126
127 Check if the specified ``algorithm`` is supported by this backend.
128
129 :param algorithm: An instance of a
130 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
131 provider.
132
133 :returns: ``True`` if the specified ``algorithm`` is supported for HMAC
134 by this backend, otherwise ``False``.
135
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]136 .. method:: create_hmac_ctx(algorithm)
137
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]138 Create a
Paul Kehrer446cc2a2014-01-29 14:39:30 -0600[diff] [blame]139 :class:`~cryptography.hazmat.primitives.interfaces.HashContext` that
Paul Kehrer4f776c42013-12-23 17:25:54 -0600[diff] [blame]140 uses the specified ``algorithm`` to calculate a hash-based message
141 authentication code.
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]142
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]143 :param algorithm: An instance of a
144 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
145 provider.
146
147 :returns:
148 :class:`~cryptography.hazmat.primitives.interfaces.HashContext`
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]149
150
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]151.. class:: CMACBackend
152
153 .. versionadded:: 0.4
154
155 A backend with methods for using CMAC
156
157 .. method:: cmac_algorithm_supported(algorithm)
158
159 :param algorithm: An instance of a
160 :class:`~cryptography.hazmat.primitives.interfaces.BlockCipherAlgorithm`
161 provider.
162 :return: Returns True if the block cipher is supported for CMAC by this backend
163
164 .. method:: create_cmac_ctx(algorithm)
165
166 Create a
167 :class:`~cryptography.hazmat.primitives.interfaces.CMACContext` that
168 uses the specified ``algorithm`` to calculate a message authentication code.
169
170 :param algorithm: An instance of a
171 :class:`~cryptography.hazmat.primitives.interfaces.BlockCipherAlgorithm`
172 provider.
173
174 :returns:
175 :class:`~cryptography.hazmat.primitives.interfaces.CMACContext`
176
177
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]178.. class:: PBKDF2HMACBackend
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]179
Paul Kehrer5d1af212014-01-28 12:19:32 -0600[diff] [blame]180 .. versionadded:: 0.2
181
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]182 A backend with methods for using PBKDF2 using HMAC as a PRF.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]183
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]184 The following backends implement this interface:
185
186 * :doc:`/hazmat/backends/openssl`
187 * :doc:`/hazmat/backends/commoncrypto`
188
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]189 .. method:: pbkdf2_hmac_supported(algorithm)
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]190
191 Check if the specified ``algorithm`` is supported by this backend.
192
Paul Kehrer589b9082014-01-28 21:25:41 -0600[diff] [blame]193 :param algorithm: An instance of a
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]194 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
195 provider.
196
197 :returns: ``True`` if the specified ``algorithm`` is supported for
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]198 PBKDF2 HMAC by this backend, otherwise ``False``.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]199
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]200 .. method:: derive_pbkdf2_hmac(self, algorithm, length, salt, iterations,
201 key_material)
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]202
203 :param algorithm: An instance of a
204 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
205 provider.
206
207 :param int length: The desired length of the derived key. Maximum is
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]208 (2\ :sup:`32` - 1) * ``algorithm.digest_size``
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]209
Paul Kehrerb6d764c2014-01-27 22:32:11 -0600[diff] [blame]210 :param bytes salt: A salt.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]211
212 :param int iterations: The number of iterations to perform of the hash
Paul Kehrerc58b4782014-01-29 13:56:25 -0600[diff] [blame]213 function. This can be used to control the length of time the
214 operation takes. Higher numbers help mitigate brute force attacks
215 against derived keys.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]216
217 :param bytes key_material: The key material to use as a basis for
218 the derived key. This is typically a password.
219
220 :return bytes: Derived key.
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]221
222
223.. class:: RSABackend
224
225 .. versionadded:: 0.2
226
227 A backend with methods for using RSA.
228
Alex Stapletone009ad22014-02-08 17:23:46 +0000[diff] [blame]229 .. method:: generate_rsa_private_key(public_exponent, key_size)
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]230
231 :param int public_exponent: The public exponent of the new key.
232 Often one of the small Fermat primes 3, 5, 17, 257 or 65537.
233
Alex Stapletone009ad22014-02-08 17:23:46 +0000[diff] [blame]234 :param int key_size: The length in bits of the modulus. Should be
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]235 at least 2048.
236
237 :return: A new instance of a
238 :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey`
239 provider.
240
241 :raises ValueError: If the public_exponent is not valid.
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]242
Paul Kehrer3292c992014-02-17 21:12:38 -0600[diff] [blame]243 .. method:: create_rsa_signature_ctx(private_key, padding, algorithm)
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]244
Paul Kehrerf2fb02a2014-06-19 10:16:42 -0600[diff] [blame]245 .. deprecated:: 0.5
246
Paul Kehrerdd3780a2014-02-18 13:17:53 -0600[diff] [blame]247 :param private_key: An instance of an
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]248 :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey`
249 provider.
250
Paul Kehrerdd3780a2014-02-18 13:17:53 -0600[diff] [blame]251 :param padding: An instance of an
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]252 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
253 provider.
254
255 :param algorithm: An instance of a
256 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
257 provider.
258
259 :returns:
Paul Kehrerdd3780a2014-02-18 13:17:53 -0600[diff] [blame]260 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricSignatureContext`
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]261
Paul Kehrerdd3780a2014-02-18 13:17:53 -0600[diff] [blame]262 .. method:: create_rsa_verification_ctx(public_key, signature, padding, algorithm)
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]263
Paul Kehrerf2fb02a2014-06-19 10:16:42 -0600[diff] [blame]264 .. deprecated:: 0.5
265
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]266 :param public_key: An instance of a
267 :class:`~cryptography.hazmat.primitives.interfaces.RSAPublicKey`
268 provider.
269
270 :param bytes signature: The signature to verify.
271
Paul Kehrerdd3780a2014-02-18 13:17:53 -0600[diff] [blame]272 :param padding: An instance of an
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]273 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
274 provider.
275
276 :param algorithm: An instance of a
277 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
278 provider.
279
280 :returns:
Paul Kehrer430202d2014-02-18 13:36:53 -0600[diff] [blame]281 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricVerificationContext`
Alex Stapleton2fb76a32014-02-15 11:10:57 +0000[diff] [blame]282
Paul Kehrer06c77932014-03-09 22:22:14 -0400[diff] [blame]283 .. method:: mgf1_hash_supported(algorithm)
284
Paul Kehrer6e85b172014-06-20 21:48:17 -0600[diff] [blame]285 ..deprecated:: 0.5
286
Paul Kehrer06c77932014-03-09 22:22:14 -0400[diff] [blame]287 Check if the specified ``algorithm`` is supported for use with
288 :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1`
289 inside :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`
Paul Kehrer6e85b172014-06-20 21:48:17 -0600[diff] [blame]290 padding. This method is deprecated in favor of
291 ``rsa_padding_supported``.
Paul Kehrer06c77932014-03-09 22:22:14 -0400[diff] [blame]292
293 :param algorithm: An instance of a
294 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
295 provider.
296
297 :returns: ``True`` if the specified ``algorithm`` is supported by this
298 backend, otherwise ``False``.
299
Paul Kehrerc333dbc2014-05-24 18:35:02 -0500[diff] [blame]300 .. method:: rsa_padding_supported(padding)
301
302 Check if the specified ``padding`` is supported by the backend.
303
304 :param padding: An instance of an
305 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
306 provider.
307
308 :returns: ``True`` if the specified ``padding`` is supported by this
309 backend, otherwise ``False``.
310
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]311 .. method:: generate_rsa_parameters_supported(public_exponent, key_size)
312
313 Check if the specified parameters are supported for key generation by
314 the backend.
315
Paul Kehrer1b760f12014-05-26 08:54:38 -0500[diff] [blame]316 :param int public_exponent: The public exponent.
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]317
Paul Kehrer1b760f12014-05-26 08:54:38 -0500[diff] [blame]318 :param int key_size: The bit length of the generated modulus.
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]319
Paul Kehrer4c0a3742014-04-05 19:51:00 -0500[diff] [blame]320 .. method:: decrypt_rsa(private_key, ciphertext, padding)
321
Paul Kehrerf2fb02a2014-06-19 10:16:42 -0600[diff] [blame]322 .. deprecated:: 0.5
323
Paul Kehrer4c0a3742014-04-05 19:51:00 -0500[diff] [blame]324 :param private_key: An instance of an
325 :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey`
326 provider.
327
328 :param bytes ciphertext: The ciphertext to decrypt.
329
330 :param padding: An instance of an
331 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
332 provider.
333
Paul Kehrerc929e402014-05-09 11:09:13 -0500[diff] [blame]334 :return bytes: The decrypted data.
335
336 :raises cryptography.exceptions.UnsupportedAlgorithm: If an unsupported
337 MGF, hash function, or padding is chosen.
338
339 :raises ValueError: When decryption fails or key size does not match
340 ciphertext length.
341
Paul Kehrer4e602f32014-04-24 12:07:54 -0500[diff] [blame]342 .. method:: encrypt_rsa(public_key, plaintext, padding)
343
Paul Kehrerf2fb02a2014-06-19 10:16:42 -0600[diff] [blame]344 .. deprecated:: 0.5
345
Paul Kehrer4e602f32014-04-24 12:07:54 -0500[diff] [blame]346 :param public_key: An instance of an
347 :class:`~cryptography.hazmat.primitives.interfaces.RSAPublicKey`
348 provider.
349
350 :param bytes plaintext: The plaintext to encrypt.
351
352 :param padding: An instance of an
353 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricPadding`
354 provider.
355
Paul Kehrerc929e402014-05-09 11:09:13 -0500[diff] [blame]356 :return bytes: The encrypted data.
357
358 :raises cryptography.exceptions.UnsupportedAlgorithm: If an unsupported
359 MGF, hash function, or padding is chosen.
360
361 :raises ValueError: When plaintext is too long for the key size.
David Reid576a1532014-05-28 14:00:41 -0700[diff] [blame]362
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]363 .. method:: load_rsa_private_numbers(numbers):
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]364
365 :param numbers: An instance of
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]366 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]367
368 :returns: A provider of
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]369 :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey`.
370
David Reidc57a3762014-06-03 13:27:50 -0700[diff] [blame]371 :raises ValueError: This is raised when the values of ``p``, ``q``,
372 ``private_exponent``, ``public_exponent``, or ``modulus`` do not
373 match the bounds specified in :rfc:`3447`.
374
David Reidda76ae02014-06-03 14:01:18 -0700[diff] [blame]375 :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when
376 any backend specific criteria are not met.
377
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]378 .. method:: load_rsa_public_numbers(numbers):
379
380 :param numbers: An instance of
381 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
382
383 :returns: A provider of
384 :class:`~cryptography.hazmat.primitives.interfaces.RSAPublicKey`.
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]385
David Reidc57a3762014-06-03 13:27:50 -0700[diff] [blame]386 :raises ValueError: This is raised when the values of
387 ``public_exponent`` or ``modulus`` do not match the bounds
388 specified in :rfc:`3447`.
389
David Reidda76ae02014-06-03 14:01:18 -0700[diff] [blame]390 :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when
391 any backend specific criteria are not met.
392
Alex Stapleton2fb76a32014-02-15 11:10:57 +0000[diff] [blame]393
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]394.. class:: DSABackend
395
396 .. versionadded:: 0.4
397
398 A backend with methods for using DSA.
399
400 .. method:: generate_dsa_parameters(key_size)
401
Alex Gaynorc9dc0a02014-04-24 13:38:12 -0700[diff] [blame]402 :param int key_size: The length of the modulus in bits. It should be
403 either 1024, 2048 or 3072. For keys generated in 2014 this should
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]404 be at least 2048.
Alex Gaynorc9dc0a02014-04-24 13:38:12 -0700[diff] [blame]405 Note that some applications (such as SSH) have not yet gained
406 support for larger key sizes specified in FIPS 186-3 and are still
407 restricted to only the 1024-bit keys specified in FIPS 186-2.
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]408
409 :return: A new instance of a
410 :class:`~cryptography.hazmat.primitives.interfaces.DSAParameters`
411 provider.
412
413 .. method:: generate_dsa_private_key(parameters)
414
415 :param parameters: A
416 :class:`~cryptography.hazmat.primitives.interfaces.DSAParameters`
417 provider.
418
419 :return: A new instance of a
420 :class:`~cryptography.hazmat.primitives.interfaces.DSAPrivateKey`
421 provider.
422
Alex Gaynor239d5182014-04-24 13:42:58 -0700[diff] [blame]423 :raises ValueError: This is raised if the key size is not one of 1024,
424 2048, or 3072. It is also raised when OpenSSL is older than version
425 1.0.0 and the key size is larger than 1024; older OpenSSL versions
426 do not support keys larger than 1024 bits.
Ayrx97a72fd2014-04-15 19:02:51 +0800[diff] [blame]427
Paul Kehrer298effd2014-06-27 14:07:59 -0600[diff] [blame]428 .. method:: generate_dsa_private_key_and_parameters(key_size)
429
430 :param int key_size: The length of the modulus in bits. It should be
431 either 1024, 2048 or 3072. For keys generated in 2014 this should
432 be at least 2048.
433 Note that some applications (such as SSH) have not yet gained
434 support for larger key sizes specified in FIPS 186-3 and are still
435 restricted to only the 1024-bit keys specified in FIPS 186-2.
436
437 :return: A new instance of a
438 :class:`~cryptography.hazmat.primitives.interfaces.DSAPrivateKey`
439 provider.
440
441 :raises ValueError: This is raised if the key size is not supported
442 by the backend.
443
Paul Kehrer0b3ff3b2014-05-01 15:34:42 -0500[diff] [blame]444 .. method:: create_dsa_signature_ctx(private_key, algorithm)
445
Paul Kehrer1262be22014-06-26 16:16:50 -0600[diff] [blame]446 .. deprecated:: 0.5
447
Paul Kehrer0b3ff3b2014-05-01 15:34:42 -0500[diff] [blame]448 :param private_key: An instance of a
449 :class:`~cryptography.hazmat.primitives.interfaces.DSAPrivateKey`
450 provider.
451
452 :param algorithm: An instance of a
453 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
454 provider
455
456 :returns:
457 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricSignatureContext`
458
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]459 .. method:: create_dsa_verification_ctx(public_key, signature, algorithm)
460
Paul Kehrer1262be22014-06-26 16:16:50 -0600[diff] [blame]461 .. deprecated:: 0.5
462
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]463 :param public_key: An instance of a
464 :class:`~cryptography.hazmat.primitives.interfaces.DSAPublicKey`
465 provider.
466
Paul Kehrer21babbb2014-05-01 11:33:22 -0500[diff] [blame]467 :param bytes signature: The signature to verify. DER encoded as
468 specified in :rfc:`6979`.
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]469
470 :param algorithm: An instance of a
471 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
472 provider.
473
474 :returns:
475 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricVerificationContext`
476
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]477 .. method:: dsa_hash_supported(algorithm):
Paul Kehrer43dc2762014-04-30 16:24:39 -0500[diff] [blame]478
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]479 :param algorithm: An instance of a
480 :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
481 provider.
482
483 :returns: ``True`` if the specified ``algorithm`` is supported by this
484 backend, otherwise ``False``.
485
Paul Kehrer21babbb2014-05-01 11:33:22 -0500[diff] [blame]486 .. method:: dsa_parameters_supported(p, q, g):
Paul Kehrerb4037872014-04-30 16:32:23 -0500[diff] [blame]487
488 :param int p: The p value of a DSA key.
489
490 :param int q: The q value of a DSA key.
491
Paul Kehrer21babbb2014-05-01 11:33:22 -0500[diff] [blame]492 :param int g: The g value of a DSA key.
493
494 :returns: ``True`` if the given values of ``p``, ``q``, and ``g`` are
495 supported by this backend, otherwise ``False``.
Paul Kehrerb4037872014-04-30 16:32:23 -0500[diff] [blame]496
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]497 .. method:: load_dsa_parameter_numbers(numbers):
498
499 :param numbers: An instance of
500 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameterNumbers`.
501
502 :returns: A provider of
503 :class:`~cryptography.hazmat.primitives.interfaces.DSAParameters`.
504
505 :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when
506 any backend specific criteria are not met.
507
508 .. method:: load_dsa_private_numbers(numbers):
509
510 :param numbers: An instance of
511 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateNumbers`.
512
513 :returns: A provider of
514 :class:`~cryptography.hazmat.primitives.interfaces.DSAPrivateKey`.
515
516 :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when
517 any backend specific criteria are not met.
518
519 .. method:: load_dsa_public_numbers(numbers):
520
521 :param numbers: An instance of
522 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicNumbers`.
523
524 :returns: A provider of
525 :class:`~cryptography.hazmat.primitives.interfaces.DSAPublicKey`.
526
527 :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when
528 any backend specific criteria are not met.
529
530
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]531.. class:: EllipticCurveBackend
532
533 .. versionadded:: 0.5
534
535 .. method:: elliptic_curve_supported(curve)
536
537 :param curve: An instance of a
538 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurve`
539 provider.
540
541 :returns: True if the elliptic curve is supported by this backend.
542
543 .. method:: elliptic_curve_signature_algorithm_supported(signature_algorithm, curve)
544
545 :param signature_algorithm: An instance of a
546 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurveSignatureAlgorithm`
547 provider.
548
549 :param curve: An instance of a
550 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurve`
551 provider.
552
553 :returns: True if the signature algorithm and curve are supported by this backend.
554
555 .. method:: generate_elliptic_curve_private_key(curve)
556
557 :param curve: An instance of a
558 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurve`
559 provider.
560
561 .. method:: elliptic_curve_private_key_from_numbers(numbers)
562
563 :param numbers: An instance of a
564 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePrivateNumbers`
565 provider.
566
567 :returns: An instance of a
568 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePrivateKey`
569 provider.
570
571 .. method:: elliptic_curve_public_key_from_numbers(numbers)
572
573 :param numbers: An instance of a
574 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePublicNumbers`
575 provider.
576
577 :returns: An instance of a
578 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePublicKey`
579 provider.
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]580
Alexander Gaynore0e95412014-07-19 10:58:50 -0700[diff] [blame]581.. class:: PEMSerializationBackend
582
583 .. versionadded:: 0.6
584
585 A backend with methods for working with any PEM encoded keys.
586
587 .. method:: load_pem_private_key(data, password)
588
589 :param bytes data: PEM data to load.
590 :param bytes password: The password to use if the data is encrypted.
Alex Gaynor99e61ea2014-09-08 10:26:40 -0700[diff] [blame]591 Should be ``None`` if the data is not encrypted.
Alexander Gaynore0e95412014-07-19 10:58:50 -0700[diff] [blame]592 :return: A new instance of the appropriate type of private key that the
593 serialized data contains.
594 :raises ValueError: If the data could not be deserialized.
595 :raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
596 encrypted with an unsupported algorithm.
597
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]598.. class:: TraditionalOpenSSLSerializationBackend
599
600 .. versionadded:: 0.3
601
602 A backend with methods for working with OpenSSL's "traditional" PKCS #1
603 style key serialization.
604
605 .. method:: load_openssl_pem_private_key(data, password)
606
607 :param bytes data: PEM data to deserialize.
608
609 :param bytes password: The password to use if this data is encrypted.
610 Should be None if the data is not encrypted.
611
Alexander Gaynore0e95412014-07-19 10:58:50 -0700[diff] [blame]612 :return: A new instance of the appropriate type of private key that the
613 serialized data contains.
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]614
615 :raises ValueError: If the data could not be deserialized correctly.
616
617 :raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
618 encrypted with an unsupported algorithm.
619
620
621.. class:: PKCS8SerializationBackend
622
623 .. versionadded:: 0.5
624
625 A backend with methods for working with PKCS #8 key serialization.
626
627 .. method:: load_pkcs8_pem_private_key(data, password)
628
629 :param bytes data: PEM data to deserialize.
630
631 :param bytes password: The password to use if this data is encrypted.
632 Should be None if the data is not encrypted.
633
634 :return: A new instance of the appropriate private key or public key
635 that the serialized data contains.
636
637 :raises ValueError: If the data could not be deserialized correctly.
638
639 :raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
640 encrypted with an unsupported algorithm.
641