Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / 4fc052fc8cd2bbfeceb797f3b1b71ed0f03c0768 / . / docs / hazmat / backends / interfaces.rst
blob: 83ec6f19434dc404d23cc8d8fbcdf213b5676637 [file] [log] [blame]
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]1.. hazmat::
2
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]3Backend interfaces
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]4==================
5
Alex Gaynorf8796b12013-12-13 20:28:55 -0800[diff] [blame]6.. currentmodule:: cryptography.hazmat.backends.interfaces
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]7
8
Alex Gaynor969f18e2014-05-17 20:07:35 -0700[diff] [blame]9Backend implementations may provide a number of interfaces to support
10operations such as :doc:`/hazmat/primitives/symmetric-encryption`,
David Reid6b9df812013-11-18 14:13:02 -0800[diff] [blame]11:doc:`/hazmat/primitives/cryptographic-hashes`, and
Ayrxfa4a6b22014-04-16 23:03:14 +0800[diff] [blame]12:doc:`/hazmat/primitives/mac/hmac`.
David Reid6b9df812013-11-18 14:13:02 -0800[diff] [blame]13
14A specific ``backend`` may provide one or more of these interfaces.
15
16
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]17.. class:: CipherBackend
18
Alex Stapleton63b3de22014-02-08 09:43:16 +0000[diff] [blame]19 A backend that provides methods for using ciphers for encryption
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]20 and decryption.
21
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]22 The following backends implement this interface:
23
24 * :doc:`/hazmat/backends/openssl`
25 * :doc:`/hazmat/backends/commoncrypto`
26
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]27 .. method:: cipher_supported(cipher, mode)
28
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]29 Check if a ``cipher`` and ``mode`` combination is supported by
30 this backend.
31
32 :param cipher: An instance of a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]33 :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]34 provider.
35 :param mode: An instance of a
Paul Kehrer513b7cb2015-02-12 17:31:24 -0600[diff] [blame]36 :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode` provider.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]37
38 :returns: ``True`` if the specified ``cipher`` and ``mode`` combination
39 is supported by this backend, otherwise ``False``
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]40
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]41
42 .. method:: create_symmetric_encryption_ctx(cipher, mode)
43
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]44 Create a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]45 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` that
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]46 can be used for encrypting data with the symmetric ``cipher`` using
47 the given ``mode``.
48
49 :param cipher: An instance of a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]50 :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]51 provider.
52 :param mode: An instance of a
Paul Kehrer513b7cb2015-02-12 17:31:24 -0600[diff] [blame]53 :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode` provider.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]54
55 :returns:
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]56 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]57
Paul Kehrera07925a2013-12-06 11:49:42 -0600[diff] [blame]58 :raises ValueError: When tag is not None in an AEAD mode
59
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]60
61 .. method:: create_symmetric_decryption_ctx(cipher, mode)
62
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]63 Create a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]64 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` that
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]65 can be used for decrypting data with the symmetric ``cipher`` using
66 the given ``mode``.
67
68 :param cipher: An instance of a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]69 :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]70 provider.
71 :param mode: An instance of a
Paul Kehrer513b7cb2015-02-12 17:31:24 -0600[diff] [blame]72 :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode` provider.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]73
74 :returns:
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]75 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]76
Paul Kehrera07925a2013-12-06 11:49:42 -0600[diff] [blame]77 :raises ValueError: When tag is None in an AEAD mode
78
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]79
80.. class:: HashBackend
81
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]82 A backend with methods for using cryptographic hash functions.
83
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]84 The following backends implement this interface:
85
86 * :doc:`/hazmat/backends/openssl`
87 * :doc:`/hazmat/backends/commoncrypto`
88
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]89 .. method:: hash_supported(algorithm)
90
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]91 Check if the specified ``algorithm`` is supported by this backend.
92
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]93 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]94 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]95 provider.
96
97 :returns: ``True`` if the specified ``algorithm`` is supported by this
98 backend, otherwise ``False``.
99
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]100
101 .. method:: create_hash_ctx(algorithm)
102
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]103 Create a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]104 :class:`~cryptography.hazmat.primitives.hashes.HashContext` that
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]105 uses the specified ``algorithm`` to calculate a message digest.
106
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]107 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]108 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]109 provider.
110
111 :returns:
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]112 :class:`~cryptography.hazmat.primitives.hashes.HashContext`
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]113
114
115.. class:: HMACBackend
116
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]117 A backend with methods for using cryptographic hash functions as message
118 authentication codes.
119
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]120 The following backends implement this interface:
121
122 * :doc:`/hazmat/backends/openssl`
123 * :doc:`/hazmat/backends/commoncrypto`
124
Paul Kehrer90ae8662013-12-23 17:21:00 -0600[diff] [blame]125 .. method:: hmac_supported(algorithm)
126
127 Check if the specified ``algorithm`` is supported by this backend.
128
129 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]130 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer90ae8662013-12-23 17:21:00 -0600[diff] [blame]131 provider.
132
133 :returns: ``True`` if the specified ``algorithm`` is supported for HMAC
134 by this backend, otherwise ``False``.
135
Alex Gaynorb80a5ab2016-01-30 16:24:19 -0500[diff] [blame]136 .. method:: create_hmac_ctx(key, algorithm)
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]137
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]138 Create a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]139 :class:`~cryptography.hazmat.primitives.hashes.HashContext` that
Paul Kehrer4f776c42013-12-23 17:25:54 -0600[diff] [blame]140 uses the specified ``algorithm`` to calculate a hash-based message
141 authentication code.
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]142
Alex Gaynorb80a5ab2016-01-30 16:24:19 -0500[diff] [blame]143 :param bytes key: Secret key as ``bytes``.
144
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]145 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]146 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]147 provider.
148
149 :returns:
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]150 :class:`~cryptography.hazmat.primitives.hashes.HashContext`
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]151
152
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]153.. class:: CMACBackend
154
155 .. versionadded:: 0.4
156
157 A backend with methods for using CMAC
158
159 .. method:: cmac_algorithm_supported(algorithm)
160
161 :param algorithm: An instance of a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]162 :class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]163 provider.
164 :return: Returns True if the block cipher is supported for CMAC by this backend
165
166 .. method:: create_cmac_ctx(algorithm)
167
168 Create a
Paul Kehrer891efd92015-03-09 09:25:22 -0500[diff] [blame]169 :class:`~cryptography.hazmat.primitives.interfaces.MACContext` that
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]170 uses the specified ``algorithm`` to calculate a message authentication code.
171
172 :param algorithm: An instance of a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]173 :class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]174 provider.
175
176 :returns:
Paul Kehrer891efd92015-03-09 09:25:22 -0500[diff] [blame]177 :class:`~cryptography.hazmat.primitives.interfaces.MACContext`
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]178
179
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]180.. class:: PBKDF2HMACBackend
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]181
Paul Kehrer5d1af212014-01-28 12:19:32 -0600[diff] [blame]182 .. versionadded:: 0.2
183
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]184 A backend with methods for using PBKDF2 using HMAC as a PRF.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]185
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]186 The following backends implement this interface:
187
188 * :doc:`/hazmat/backends/openssl`
189 * :doc:`/hazmat/backends/commoncrypto`
190
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]191 .. method:: pbkdf2_hmac_supported(algorithm)
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]192
193 Check if the specified ``algorithm`` is supported by this backend.
194
Paul Kehrer589b9082014-01-28 21:25:41 -0600[diff] [blame]195 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]196 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]197 provider.
198
199 :returns: ``True`` if the specified ``algorithm`` is supported for
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]200 PBKDF2 HMAC by this backend, otherwise ``False``.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]201
Alex Gaynor1cfc5d52014-11-23 17:44:28 -0600[diff] [blame]202 .. method:: derive_pbkdf2_hmac(self, algorithm, length, salt, iterations, key_material)
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]203
204 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]205 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]206 provider.
207
208 :param int length: The desired length of the derived key. Maximum is
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]209 (2\ :sup:`32` - 1) * ``algorithm.digest_size``
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]210
Paul Kehrerb6d764c2014-01-27 22:32:11 -0600[diff] [blame]211 :param bytes salt: A salt.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]212
213 :param int iterations: The number of iterations to perform of the hash
Paul Kehrerc58b4782014-01-29 13:56:25 -0600[diff] [blame]214 function. This can be used to control the length of time the
215 operation takes. Higher numbers help mitigate brute force attacks
216 against derived keys.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]217
218 :param bytes key_material: The key material to use as a basis for
219 the derived key. This is typically a password.
220
221 :return bytes: Derived key.
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]222
223
224.. class:: RSABackend
225
226 .. versionadded:: 0.2
227
228 A backend with methods for using RSA.
229
Alex Stapletone009ad22014-02-08 17:23:46 +0000[diff] [blame]230 .. method:: generate_rsa_private_key(public_exponent, key_size)
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]231
232 :param int public_exponent: The public exponent of the new key.
233 Often one of the small Fermat primes 3, 5, 17, 257 or 65537.
234
Alex Stapletone009ad22014-02-08 17:23:46 +0000[diff] [blame]235 :param int key_size: The length in bits of the modulus. Should be
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]236 at least 2048.
237
238 :return: A new instance of a
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]239 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]240 provider.
241
242 :raises ValueError: If the public_exponent is not valid.
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]243
Paul Kehrerc333dbc2014-05-24 18:35:02 -0500[diff] [blame]244 .. method:: rsa_padding_supported(padding)
245
246 Check if the specified ``padding`` is supported by the backend.
247
248 :param padding: An instance of an
Paul Kehrer64ddb7a2015-02-14 19:20:28 -0600[diff] [blame]249 :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`
Paul Kehrerc333dbc2014-05-24 18:35:02 -0500[diff] [blame]250 provider.
251
252 :returns: ``True`` if the specified ``padding`` is supported by this
253 backend, otherwise ``False``.
254
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]255 .. method:: generate_rsa_parameters_supported(public_exponent, key_size)
256
257 Check if the specified parameters are supported for key generation by
258 the backend.
259
Paul Kehrer1b760f12014-05-26 08:54:38 -0500[diff] [blame]260 :param int public_exponent: The public exponent.
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]261
Paul Kehrer1b760f12014-05-26 08:54:38 -0500[diff] [blame]262 :param int key_size: The bit length of the generated modulus.
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]263
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]264 .. method:: load_rsa_private_numbers(numbers)
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]265
266 :param numbers: An instance of
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]267 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]268
269 :returns: A provider of
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]270 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`.
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]271
David Reidc57a3762014-06-03 13:27:50 -0700[diff] [blame]272 :raises ValueError: This is raised when the values of ``p``, ``q``,
273 ``private_exponent``, ``public_exponent``, or ``modulus`` do not
274 match the bounds specified in :rfc:`3447`.
275
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]276 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
277 when any backend specific criteria are not met.
David Reidda76ae02014-06-03 14:01:18 -0700[diff] [blame]278
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]279 .. method:: load_rsa_public_numbers(numbers)
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]280
281 :param numbers: An instance of
282 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
283
284 :returns: A provider of
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]285 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]286
David Reidc57a3762014-06-03 13:27:50 -0700[diff] [blame]287 :raises ValueError: This is raised when the values of
288 ``public_exponent`` or ``modulus`` do not match the bounds
289 specified in :rfc:`3447`.
290
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]291 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
292 when any backend specific criteria are not met.
David Reidda76ae02014-06-03 14:01:18 -0700[diff] [blame]293
Alex Stapleton2fb76a32014-02-15 11:10:57 +0000[diff] [blame]294
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]295.. class:: DSABackend
296
297 .. versionadded:: 0.4
298
299 A backend with methods for using DSA.
300
301 .. method:: generate_dsa_parameters(key_size)
302
Alex Gaynorc9dc0a02014-04-24 13:38:12 -0700[diff] [blame]303 :param int key_size: The length of the modulus in bits. It should be
Alex Gaynor20c44042015-01-08 11:00:00 -0800[diff] [blame]304 either 1024, 2048 or 3072. For keys generated in 2015 this should
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]305 be at least 2048.
Alex Gaynorc9dc0a02014-04-24 13:38:12 -0700[diff] [blame]306 Note that some applications (such as SSH) have not yet gained
307 support for larger key sizes specified in FIPS 186-3 and are still
308 restricted to only the 1024-bit keys specified in FIPS 186-2.
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]309
310 :return: A new instance of a
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]311 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]312 provider.
313
314 .. method:: generate_dsa_private_key(parameters)
315
316 :param parameters: A
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]317 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]318 provider.
319
320 :return: A new instance of a
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]321 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]322 provider.
323
Alex Gaynor239d5182014-04-24 13:42:58 -0700[diff] [blame]324 :raises ValueError: This is raised if the key size is not one of 1024,
325 2048, or 3072. It is also raised when OpenSSL is older than version
326 1.0.0 and the key size is larger than 1024; older OpenSSL versions
327 do not support keys larger than 1024 bits.
Ayrx97a72fd2014-04-15 19:02:51 +0800[diff] [blame]328
Paul Kehrer298effd2014-06-27 14:07:59 -0600[diff] [blame]329 .. method:: generate_dsa_private_key_and_parameters(key_size)
330
331 :param int key_size: The length of the modulus in bits. It should be
Alex Gaynor20c44042015-01-08 11:00:00 -0800[diff] [blame]332 either 1024, 2048 or 3072. For keys generated in 2015 this should
Paul Kehrer298effd2014-06-27 14:07:59 -0600[diff] [blame]333 be at least 2048.
334 Note that some applications (such as SSH) have not yet gained
335 support for larger key sizes specified in FIPS 186-3 and are still
336 restricted to only the 1024-bit keys specified in FIPS 186-2.
337
338 :return: A new instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]339 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`
Paul Kehrer298effd2014-06-27 14:07:59 -0600[diff] [blame]340 provider.
341
342 :raises ValueError: This is raised if the key size is not supported
343 by the backend.
344
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]345 .. method:: dsa_hash_supported(algorithm)
Paul Kehrer43dc2762014-04-30 16:24:39 -0500[diff] [blame]346
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]347 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]348 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]349 provider.
350
351 :returns: ``True`` if the specified ``algorithm`` is supported by this
352 backend, otherwise ``False``.
353
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]354 .. method:: dsa_parameters_supported(p, q, g)
Paul Kehrerb4037872014-04-30 16:32:23 -0500[diff] [blame]355
356 :param int p: The p value of a DSA key.
357
358 :param int q: The q value of a DSA key.
359
Paul Kehrer21babbb2014-05-01 11:33:22 -0500[diff] [blame]360 :param int g: The g value of a DSA key.
361
362 :returns: ``True`` if the given values of ``p``, ``q``, and ``g`` are
363 supported by this backend, otherwise ``False``.
Paul Kehrerb4037872014-04-30 16:32:23 -0500[diff] [blame]364
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]365 .. method:: load_dsa_parameter_numbers(numbers)
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]366
367 :param numbers: An instance of
368 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameterNumbers`.
369
370 :returns: A provider of
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]371 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]372
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]373 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
374 when any backend specific criteria are not met.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]375
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]376 .. method:: load_dsa_private_numbers(numbers)
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]377
378 :param numbers: An instance of
379 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateNumbers`.
380
381 :returns: A provider of
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]382 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]383
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]384 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
385 when any backend specific criteria are not met.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]386
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]387 .. method:: load_dsa_public_numbers(numbers)
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]388
389 :param numbers: An instance of
390 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicNumbers`.
391
392 :returns: A provider of
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]393 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]394
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]395 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
396 when any backend specific criteria are not met.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]397
398
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]399.. class:: EllipticCurveBackend
400
401 .. versionadded:: 0.5
402
403 .. method:: elliptic_curve_supported(curve)
404
405 :param curve: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]406 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]407 provider.
408
409 :returns: True if the elliptic curve is supported by this backend.
410
411 .. method:: elliptic_curve_signature_algorithm_supported(signature_algorithm, curve)
412
413 :param signature_algorithm: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]414 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveSignatureAlgorithm`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]415 provider.
416
417 :param curve: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]418 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]419 provider.
420
421 :returns: True if the signature algorithm and curve are supported by this backend.
422
423 .. method:: generate_elliptic_curve_private_key(curve)
424
425 :param curve: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]426 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]427 provider.
428
Paul Kehrer77e95a02014-09-25 12:28:07 -0500[diff] [blame]429 .. method:: load_elliptic_curve_private_numbers(numbers)
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]430
431 :param numbers: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]432 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateNumbers`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]433 provider.
434
435 :returns: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]436 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]437 provider.
438
Paul Kehrer77e95a02014-09-25 12:28:07 -0500[diff] [blame]439 .. method:: load_elliptic_curve_public_numbers(numbers)
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]440
441 :param numbers: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]442 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]443 provider.
444
445 :returns: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]446 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]447 provider.
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]448
Alexander Gaynore0e95412014-07-19 10:58:50 -0700[diff] [blame]449.. class:: PEMSerializationBackend
450
451 .. versionadded:: 0.6
452
453 A backend with methods for working with any PEM encoded keys.
454
455 .. method:: load_pem_private_key(data, password)
456
457 :param bytes data: PEM data to load.
458 :param bytes password: The password to use if the data is encrypted.
Alex Gaynor99e61ea2014-09-08 10:26:40 -0700[diff] [blame]459 Should be ``None`` if the data is not encrypted.
Alexander Gaynore0e95412014-07-19 10:58:50 -0700[diff] [blame]460 :return: A new instance of the appropriate type of private key that the
461 serialized data contains.
462 :raises ValueError: If the data could not be deserialized.
463 :raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
464 encrypted with an unsupported algorithm.
465
michael-hart801e8c12014-09-26 00:32:25 +0100[diff] [blame]466 .. method:: load_pem_public_key(data)
467
468 :param bytes data: PEM data to load.
Alex Gaynorb366f392014-09-29 11:07:05 -0700[diff] [blame]469 :return: A new instance of the appropriate type of public key
470 serialized data contains.
michael-hart801e8c12014-09-26 00:32:25 +0100[diff] [blame]471 :raises ValueError: If the data could not be deserialized.
472
Paul Kehrer76da86a2015-01-04 15:54:32 -0600[diff] [blame]473.. class:: DERSerializationBackend
474
475 .. versionadded:: 0.8
476
477 A backend with methods for working with DER encoded keys.
478
479 .. method:: load_der_private_key(data, password)
480
481 :param bytes data: DER data to load.
482 :param bytes password: The password to use if the data is encrypted.
483 Should be ``None`` if the data is not encrypted.
484 :return: A new instance of the appropriate type of private key that the
485 serialized data contains.
486 :raises ValueError: If the data could not be deserialized.
487 :raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
488 encrypted with an unsupported algorithm.
489
490 .. method:: load_der_public_key(data)
491
492 :param bytes data: DER data to load.
493 :return: A new instance of the appropriate type of public key
494 serialized data contains.
495 :raises ValueError: If the data could not be deserialized.
496
Paul Kehrer6c4302e2014-11-24 09:20:38 -1000[diff] [blame]497.. class:: X509Backend
498
499 .. versionadded:: 0.7
500
501 A backend with methods for working with X.509 objects.
502
503 .. method:: load_pem_x509_certificate(data)
504
505 :param bytes data: PEM formatted certificate data.
506
Paul Kehrer13b6aff2015-02-12 14:05:44 -0600[diff] [blame]507 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer8473df62014-11-24 17:13:59 -1000[diff] [blame]508
509 .. method:: load_der_x509_certificate(data)
510
511 :param bytes data: DER formatted certificate data.
512
Paul Kehrer13b6aff2015-02-12 14:05:44 -0600[diff] [blame]513 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]514
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]515 .. method:: load_pem_x509_csr(data)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]516
517 .. versionadded:: 0.9
518
Paul Kehrer7e007d52015-03-16 21:10:03 -0500[diff] [blame]519 :param bytes data: PEM formatted certificate signing request data.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]520
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]521 :returns: An instance of
522 :class:`~cryptography.x509.CertificateSigningRequest`.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]523
Paul Kehrera9732f52015-06-26 09:43:45 -0500[diff] [blame]524 .. method:: load_der_x509_csr(data)
525
526 .. versionadded:: 0.9
527
528 :param bytes data: DER formatted certificate signing request data.
529
530 :returns: An instance of
531 :class:`~cryptography.x509.CertificateSigningRequest`.
532
533 .. method:: create_x509_csr(builder, private_key, algorithm)
534
535 .. versionadded:: 1.0
536
537 :param builder: An instance of
538 :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
539
540 :param private_key: The
541 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
542 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
543 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
544 that will be used to sign the request. When the request is
545 signed by a certificate authority, the private key's associated
546 public key will be stored in the resulting certificate.
547
548 :param algorithm: The
549 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
550 that will be used to generate the request signature.
551
Alex Gaynor6b3184c2015-12-24 14:21:47 -0500[diff] [blame]552 :returns: A new instance of
553 :class:`~cryptography.x509.CertificateSigningRequest`.
Paul Kehrera9732f52015-06-26 09:43:45 -0500[diff] [blame]554
Paul Kehrer1ae76532015-08-06 12:37:10 +0100[diff] [blame]555 .. method:: create_x509_certificate(builder, private_key, algorithm)
Paul Kehrer0d62a072015-08-06 11:00:47 +0100[diff] [blame]556
557 .. versionadded:: 1.0
558
559 :param builder: An instance of
560 :class:`~cryptography.x509.CertificateBuilder`.
561
562 :param private_key: The
563 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
564 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
565 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
566 that will be used to sign the certificate.
567
568 :param algorithm: The
569 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
570 that will be used to generate the certificate signature.
571
Alex Gaynor6b3184c2015-12-24 14:21:47 -0500[diff] [blame]572 :returns: A new instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer0d62a072015-08-06 11:00:47 +0100[diff] [blame]573
Paul Kehrer07b7e7f2015-12-24 13:06:12 -0600[diff] [blame]574 .. method:: create_x509_crl(builder, private_key, algorithm)
575
576 .. versionadded:: 1.2
577
578 :param builder: An instance of
Paul Kehrer7eaaf0c2015-12-24 19:27:38 -0600[diff] [blame]579 :class:`~cryptography.x509.CertificateRevocationListBuilder`.
Paul Kehrer07b7e7f2015-12-24 13:06:12 -0600[diff] [blame]580
581 :param private_key: The
582 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
583 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
584 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
585 that will be used to sign the CRL.
586
587 :param algorithm: The
588 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
589 that will be used to generate the CRL signature.
590
Paul Kehrera3ef6212015-12-24 13:20:41 -0600[diff] [blame]591 :returns: A new instance of
592 :class:`~cryptography.x509.CertificateRevocationList`.
Paul Kehrer07b7e7f2015-12-24 13:06:12 -0600[diff] [blame]593
Paul Kehreraa8b0f42015-12-25 11:13:45 -0600[diff] [blame]594 .. method:: create_x509_revoked_certificate(builder)
595
596 .. versionadded:: 1.2
597
598 :param builder: An instance of RevokedCertificateBuilder.
599
600 :returns: A new instance of
601 :class:`~cryptography.x509.RevokedCertificate`.
602
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]603.. class:: DHBackend
604
605 .. versionadded:: 0.9
606
607 A backend with methods for doing Diffie-Hellman key exchange.
608
609 .. method:: generate_dh_parameters(key_size)
610
611 :param int key_size: The bit length of the prime modulus to generate.
612
613 :return: A new instance of a
614 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
615 provider.
616
617 :raises ValueError: If ``key_size`` is not at least 512.
618
619 .. method:: generate_dh_private_key(parameters)
620
621 :param parameters: A
622 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
623 provider.
624
625 :return: A new instance of a
626 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
627 provider.
628
629 .. method:: generate_dh_private_key_and_parameters(self, key_size)
630
631 :param int key_size: The bit length of the prime modulus to generate.
632
633 :return: A new instance of a
634 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
635 provider.
636
637 :raises ValueError: If ``key_size`` is not at least 512.
638
639 .. method:: load_dh_private_numbers(numbers)
640
641 :param numbers: A
642 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateNumbers`
643 instance.
644
645 :return: A new instance of a
646 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
647 provider.
648
649 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
650 when any backend specific criteria are not met.
651
652 .. method:: load_dh_public_numbers(numbers)
653
654 :param numbers: A
655 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicNumbers`
656 instance.
657
658 :return: A new instance of a
659 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`
660 provider.
661
662 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
663 when any backend specific criteria are not met.
664
665 .. method:: load_dh_parameter_numbers(numbers)
666
667 :param numbers: A
668 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameterNumbers`
669 instance.
670
671 :return: A new instance of a
672 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
673 provider.
674
675 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
676 when any backend specific criteria are not met.
677
678 .. method:: dh_parameters_supported(p, g)
679
680 :param int p: The p value of the DH key.
681
682 :param int g: The g value of the DH key.
683
684 :returns: ``True`` if the given values of ``p`` and ``g`` are supported
685 by this backend, otherwise ``False``.