Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / a8f935b813538d8ca50efd62620a250d02856760 / . / docs / hazmat / backends / interfaces.rst
blob: 218bc0cb88854f85a76af76e7d4967f163f4c05a [file] [log] [blame]
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]1.. hazmat::
2
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]3Backend interfaces
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]4==================
5
Alex Gaynorf8796b12013-12-13 20:28:55 -0800[diff] [blame]6.. currentmodule:: cryptography.hazmat.backends.interfaces
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]7
8
Alex Gaynor969f18e2014-05-17 20:07:35 -0700[diff] [blame]9Backend implementations may provide a number of interfaces to support
10operations such as :doc:`/hazmat/primitives/symmetric-encryption`,
David Reid6b9df812013-11-18 14:13:02 -0800[diff] [blame]11:doc:`/hazmat/primitives/cryptographic-hashes`, and
Ayrxfa4a6b22014-04-16 23:03:14 +0800[diff] [blame]12:doc:`/hazmat/primitives/mac/hmac`.
David Reid6b9df812013-11-18 14:13:02 -0800[diff] [blame]13
14A specific ``backend`` may provide one or more of these interfaces.
15
16
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]17.. class:: CipherBackend
18
Alex Stapleton63b3de22014-02-08 09:43:16 +0000[diff] [blame]19 A backend that provides methods for using ciphers for encryption
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]20 and decryption.
21
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]22 The following backends implement this interface:
23
24 * :doc:`/hazmat/backends/openssl`
25 * :doc:`/hazmat/backends/commoncrypto`
26
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]27 .. method:: cipher_supported(cipher, mode)
28
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]29 Check if a ``cipher`` and ``mode`` combination is supported by
30 this backend.
31
32 :param cipher: An instance of a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]33 :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]34 provider.
35 :param mode: An instance of a
Paul Kehrer513b7cb2015-02-12 17:31:24 -0600[diff] [blame]36 :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode` provider.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]37
38 :returns: ``True`` if the specified ``cipher`` and ``mode`` combination
39 is supported by this backend, otherwise ``False``
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]40
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]41
42 .. method:: create_symmetric_encryption_ctx(cipher, mode)
43
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]44 Create a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]45 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` that
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]46 can be used for encrypting data with the symmetric ``cipher`` using
47 the given ``mode``.
48
49 :param cipher: An instance of a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]50 :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]51 provider.
52 :param mode: An instance of a
Paul Kehrer513b7cb2015-02-12 17:31:24 -0600[diff] [blame]53 :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode` provider.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]54
55 :returns:
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]56 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]57
Paul Kehrera07925a2013-12-06 11:49:42 -0600[diff] [blame]58 :raises ValueError: When tag is not None in an AEAD mode
59
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]60
61 .. method:: create_symmetric_decryption_ctx(cipher, mode)
62
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]63 Create a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]64 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` that
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]65 can be used for decrypting data with the symmetric ``cipher`` using
66 the given ``mode``.
67
68 :param cipher: An instance of a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]69 :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]70 provider.
71 :param mode: An instance of a
Paul Kehrer513b7cb2015-02-12 17:31:24 -0600[diff] [blame]72 :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode` provider.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]73
74 :returns:
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]75 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]76
Paul Kehrera07925a2013-12-06 11:49:42 -0600[diff] [blame]77 :raises ValueError: When tag is None in an AEAD mode
78
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]79
80.. class:: HashBackend
81
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]82 A backend with methods for using cryptographic hash functions.
83
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]84 The following backends implement this interface:
85
86 * :doc:`/hazmat/backends/openssl`
87 * :doc:`/hazmat/backends/commoncrypto`
88
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]89 .. method:: hash_supported(algorithm)
90
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]91 Check if the specified ``algorithm`` is supported by this backend.
92
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]93 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]94 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]95 provider.
96
97 :returns: ``True`` if the specified ``algorithm`` is supported by this
98 backend, otherwise ``False``.
99
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]100
101 .. method:: create_hash_ctx(algorithm)
102
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]103 Create a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]104 :class:`~cryptography.hazmat.primitives.hashes.HashContext` that
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]105 uses the specified ``algorithm`` to calculate a message digest.
106
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]107 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]108 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]109 provider.
110
111 :returns:
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]112 :class:`~cryptography.hazmat.primitives.hashes.HashContext`
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]113
114
115.. class:: HMACBackend
116
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]117 A backend with methods for using cryptographic hash functions as message
118 authentication codes.
119
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]120 The following backends implement this interface:
121
122 * :doc:`/hazmat/backends/openssl`
123 * :doc:`/hazmat/backends/commoncrypto`
124
Paul Kehrer90ae8662013-12-23 17:21:00 -0600[diff] [blame]125 .. method:: hmac_supported(algorithm)
126
127 Check if the specified ``algorithm`` is supported by this backend.
128
129 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]130 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer90ae8662013-12-23 17:21:00 -0600[diff] [blame]131 provider.
132
133 :returns: ``True`` if the specified ``algorithm`` is supported for HMAC
134 by this backend, otherwise ``False``.
135
Alex Gaynorb80a5ab2016-01-30 16:24:19 -0500[diff] [blame]136 .. method:: create_hmac_ctx(key, algorithm)
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]137
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]138 Create a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]139 :class:`~cryptography.hazmat.primitives.hashes.HashContext` that
Paul Kehrer4f776c42013-12-23 17:25:54 -0600[diff] [blame]140 uses the specified ``algorithm`` to calculate a hash-based message
141 authentication code.
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]142
Alex Gaynorb80a5ab2016-01-30 16:24:19 -0500[diff] [blame]143 :param bytes key: Secret key as ``bytes``.
144
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]145 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]146 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]147 provider.
148
149 :returns:
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]150 :class:`~cryptography.hazmat.primitives.hashes.HashContext`
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]151
152
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]153.. class:: CMACBackend
154
155 .. versionadded:: 0.4
156
157 A backend with methods for using CMAC
158
159 .. method:: cmac_algorithm_supported(algorithm)
160
161 :param algorithm: An instance of a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]162 :class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]163 provider.
164 :return: Returns True if the block cipher is supported for CMAC by this backend
165
166 .. method:: create_cmac_ctx(algorithm)
167
168 Create a
Paul Kehrer891efd92015-03-09 09:25:22 -0500[diff] [blame]169 :class:`~cryptography.hazmat.primitives.interfaces.MACContext` that
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]170 uses the specified ``algorithm`` to calculate a message authentication code.
171
172 :param algorithm: An instance of a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]173 :class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]174 provider.
175
176 :returns:
Paul Kehrer891efd92015-03-09 09:25:22 -0500[diff] [blame]177 :class:`~cryptography.hazmat.primitives.interfaces.MACContext`
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]178
179
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]180.. class:: PBKDF2HMACBackend
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]181
Paul Kehrer5d1af212014-01-28 12:19:32 -0600[diff] [blame]182 .. versionadded:: 0.2
183
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]184 A backend with methods for using PBKDF2 using HMAC as a PRF.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]185
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]186 The following backends implement this interface:
187
188 * :doc:`/hazmat/backends/openssl`
189 * :doc:`/hazmat/backends/commoncrypto`
190
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]191 .. method:: pbkdf2_hmac_supported(algorithm)
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]192
193 Check if the specified ``algorithm`` is supported by this backend.
194
Paul Kehrer589b9082014-01-28 21:25:41 -0600[diff] [blame]195 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]196 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]197 provider.
198
199 :returns: ``True`` if the specified ``algorithm`` is supported for
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]200 PBKDF2 HMAC by this backend, otherwise ``False``.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]201
Alex Gaynor1cfc5d52014-11-23 17:44:28 -0600[diff] [blame]202 .. method:: derive_pbkdf2_hmac(self, algorithm, length, salt, iterations, key_material)
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]203
204 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]205 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]206 provider.
207
208 :param int length: The desired length of the derived key. Maximum is
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]209 (2\ :sup:`32` - 1) * ``algorithm.digest_size``
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]210
Paul Kehrerb6d764c2014-01-27 22:32:11 -0600[diff] [blame]211 :param bytes salt: A salt.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]212
213 :param int iterations: The number of iterations to perform of the hash
Paul Kehrerc58b4782014-01-29 13:56:25 -0600[diff] [blame]214 function. This can be used to control the length of time the
215 operation takes. Higher numbers help mitigate brute force attacks
216 against derived keys.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]217
218 :param bytes key_material: The key material to use as a basis for
219 the derived key. This is typically a password.
220
221 :return bytes: Derived key.
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]222
223
224.. class:: RSABackend
225
226 .. versionadded:: 0.2
227
228 A backend with methods for using RSA.
229
Alex Stapletone009ad22014-02-08 17:23:46 +0000[diff] [blame]230 .. method:: generate_rsa_private_key(public_exponent, key_size)
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]231
232 :param int public_exponent: The public exponent of the new key.
233 Often one of the small Fermat primes 3, 5, 17, 257 or 65537.
234
Alex Stapletone009ad22014-02-08 17:23:46 +0000[diff] [blame]235 :param int key_size: The length in bits of the modulus. Should be
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]236 at least 2048.
237
238 :return: A new instance of a
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]239 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]240 provider.
241
242 :raises ValueError: If the public_exponent is not valid.
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]243
Paul Kehrerc333dbc2014-05-24 18:35:02 -0500[diff] [blame]244 .. method:: rsa_padding_supported(padding)
245
246 Check if the specified ``padding`` is supported by the backend.
247
248 :param padding: An instance of an
Paul Kehrer64ddb7a2015-02-14 19:20:28 -0600[diff] [blame]249 :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`
Paul Kehrerc333dbc2014-05-24 18:35:02 -0500[diff] [blame]250 provider.
251
252 :returns: ``True`` if the specified ``padding`` is supported by this
253 backend, otherwise ``False``.
254
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]255 .. method:: generate_rsa_parameters_supported(public_exponent, key_size)
256
257 Check if the specified parameters are supported for key generation by
258 the backend.
259
Paul Kehrer1b760f12014-05-26 08:54:38 -0500[diff] [blame]260 :param int public_exponent: The public exponent.
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]261
Paul Kehrer1b760f12014-05-26 08:54:38 -0500[diff] [blame]262 :param int key_size: The bit length of the generated modulus.
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]263
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]264 .. method:: load_rsa_private_numbers(numbers)
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]265
266 :param numbers: An instance of
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]267 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]268
269 :returns: A provider of
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]270 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`.
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]271
David Reidc57a3762014-06-03 13:27:50 -0700[diff] [blame]272 :raises ValueError: This is raised when the values of ``p``, ``q``,
273 ``private_exponent``, ``public_exponent``, or ``modulus`` do not
274 match the bounds specified in :rfc:`3447`.
275
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]276 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
277 when any backend specific criteria are not met.
David Reidda76ae02014-06-03 14:01:18 -0700[diff] [blame]278
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]279 .. method:: load_rsa_public_numbers(numbers)
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]280
281 :param numbers: An instance of
282 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
283
284 :returns: A provider of
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]285 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]286
David Reidc57a3762014-06-03 13:27:50 -0700[diff] [blame]287 :raises ValueError: This is raised when the values of
288 ``public_exponent`` or ``modulus`` do not match the bounds
289 specified in :rfc:`3447`.
290
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]291 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
292 when any backend specific criteria are not met.
David Reidda76ae02014-06-03 14:01:18 -0700[diff] [blame]293
Alex Stapleton2fb76a32014-02-15 11:10:57 +0000[diff] [blame]294
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]295.. class:: DSABackend
296
297 .. versionadded:: 0.4
298
299 A backend with methods for using DSA.
300
301 .. method:: generate_dsa_parameters(key_size)
302
Alex Gaynorc9dc0a02014-04-24 13:38:12 -0700[diff] [blame]303 :param int key_size: The length of the modulus in bits. It should be
Alex Gaynor20c44042015-01-08 11:00:00 -0800[diff] [blame]304 either 1024, 2048 or 3072. For keys generated in 2015 this should
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]305 be at least 2048.
Alex Gaynorc9dc0a02014-04-24 13:38:12 -0700[diff] [blame]306 Note that some applications (such as SSH) have not yet gained
307 support for larger key sizes specified in FIPS 186-3 and are still
308 restricted to only the 1024-bit keys specified in FIPS 186-2.
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]309
310 :return: A new instance of a
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]311 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]312 provider.
313
314 .. method:: generate_dsa_private_key(parameters)
315
316 :param parameters: A
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]317 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]318 provider.
319
320 :return: A new instance of a
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]321 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]322 provider.
323
Alex Gaynor239d5182014-04-24 13:42:58 -0700[diff] [blame]324 :raises ValueError: This is raised if the key size is not one of 1024,
Alex Gaynora8f935b2016-06-26 13:25:59 -0400[diff] [blame^]325 2048, or 3072.
Ayrx97a72fd2014-04-15 19:02:51 +0800[diff] [blame]326
Paul Kehrer298effd2014-06-27 14:07:59 -0600[diff] [blame]327 .. method:: generate_dsa_private_key_and_parameters(key_size)
328
329 :param int key_size: The length of the modulus in bits. It should be
Alex Gaynor20c44042015-01-08 11:00:00 -0800[diff] [blame]330 either 1024, 2048 or 3072. For keys generated in 2015 this should
Paul Kehrer298effd2014-06-27 14:07:59 -0600[diff] [blame]331 be at least 2048.
332 Note that some applications (such as SSH) have not yet gained
333 support for larger key sizes specified in FIPS 186-3 and are still
334 restricted to only the 1024-bit keys specified in FIPS 186-2.
335
336 :return: A new instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]337 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`
Paul Kehrer298effd2014-06-27 14:07:59 -0600[diff] [blame]338 provider.
339
340 :raises ValueError: This is raised if the key size is not supported
341 by the backend.
342
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]343 .. method:: dsa_hash_supported(algorithm)
Paul Kehrer43dc2762014-04-30 16:24:39 -0500[diff] [blame]344
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]345 :param algorithm: An instance of a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]346 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]347 provider.
348
349 :returns: ``True`` if the specified ``algorithm`` is supported by this
350 backend, otherwise ``False``.
351
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]352 .. method:: dsa_parameters_supported(p, q, g)
Paul Kehrerb4037872014-04-30 16:32:23 -0500[diff] [blame]353
354 :param int p: The p value of a DSA key.
355
356 :param int q: The q value of a DSA key.
357
Paul Kehrer21babbb2014-05-01 11:33:22 -0500[diff] [blame]358 :param int g: The g value of a DSA key.
359
360 :returns: ``True`` if the given values of ``p``, ``q``, and ``g`` are
361 supported by this backend, otherwise ``False``.
Paul Kehrerb4037872014-04-30 16:32:23 -0500[diff] [blame]362
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]363 .. method:: load_dsa_parameter_numbers(numbers)
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]364
365 :param numbers: An instance of
366 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameterNumbers`.
367
368 :returns: A provider of
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]369 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]370
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]371 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
372 when any backend specific criteria are not met.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]373
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]374 .. method:: load_dsa_private_numbers(numbers)
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]375
376 :param numbers: An instance of
377 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateNumbers`.
378
379 :returns: A provider of
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]380 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]381
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]382 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
383 when any backend specific criteria are not met.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]384
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]385 .. method:: load_dsa_public_numbers(numbers)
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]386
387 :param numbers: An instance of
388 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicNumbers`.
389
390 :returns: A provider of
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]391 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]392
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]393 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
394 when any backend specific criteria are not met.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]395
396
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]397.. class:: EllipticCurveBackend
398
399 .. versionadded:: 0.5
400
401 .. method:: elliptic_curve_supported(curve)
402
403 :param curve: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]404 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]405 provider.
406
407 :returns: True if the elliptic curve is supported by this backend.
408
409 .. method:: elliptic_curve_signature_algorithm_supported(signature_algorithm, curve)
410
411 :param signature_algorithm: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]412 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveSignatureAlgorithm`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]413 provider.
414
415 :param curve: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]416 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]417 provider.
418
419 :returns: True if the signature algorithm and curve are supported by this backend.
420
421 .. method:: generate_elliptic_curve_private_key(curve)
422
423 :param curve: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]424 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]425 provider.
426
Paul Kehrer77e95a02014-09-25 12:28:07 -0500[diff] [blame]427 .. method:: load_elliptic_curve_private_numbers(numbers)
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]428
429 :param numbers: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]430 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateNumbers`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]431 provider.
432
433 :returns: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]434 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]435 provider.
436
Paul Kehrer77e95a02014-09-25 12:28:07 -0500[diff] [blame]437 .. method:: load_elliptic_curve_public_numbers(numbers)
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]438
439 :param numbers: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]440 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]441 provider.
442
443 :returns: An instance of a
Paul Kehrer45efdbc2015-02-12 10:58:22 -0600[diff] [blame]444 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]445 provider.
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]446
Alexander Gaynore0e95412014-07-19 10:58:50 -0700[diff] [blame]447.. class:: PEMSerializationBackend
448
449 .. versionadded:: 0.6
450
451 A backend with methods for working with any PEM encoded keys.
452
453 .. method:: load_pem_private_key(data, password)
454
455 :param bytes data: PEM data to load.
456 :param bytes password: The password to use if the data is encrypted.
Alex Gaynor99e61ea2014-09-08 10:26:40 -0700[diff] [blame]457 Should be ``None`` if the data is not encrypted.
Alexander Gaynore0e95412014-07-19 10:58:50 -0700[diff] [blame]458 :return: A new instance of the appropriate type of private key that the
459 serialized data contains.
460 :raises ValueError: If the data could not be deserialized.
461 :raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
462 encrypted with an unsupported algorithm.
463
michael-hart801e8c12014-09-26 00:32:25 +0100[diff] [blame]464 .. method:: load_pem_public_key(data)
465
466 :param bytes data: PEM data to load.
Alex Gaynorb366f392014-09-29 11:07:05 -0700[diff] [blame]467 :return: A new instance of the appropriate type of public key
468 serialized data contains.
michael-hart801e8c12014-09-26 00:32:25 +0100[diff] [blame]469 :raises ValueError: If the data could not be deserialized.
470
Paul Kehrer76da86a2015-01-04 15:54:32 -0600[diff] [blame]471.. class:: DERSerializationBackend
472
473 .. versionadded:: 0.8
474
475 A backend with methods for working with DER encoded keys.
476
477 .. method:: load_der_private_key(data, password)
478
479 :param bytes data: DER data to load.
480 :param bytes password: The password to use if the data is encrypted.
481 Should be ``None`` if the data is not encrypted.
482 :return: A new instance of the appropriate type of private key that the
483 serialized data contains.
484 :raises ValueError: If the data could not be deserialized.
485 :raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
486 encrypted with an unsupported algorithm.
487
488 .. method:: load_der_public_key(data)
489
490 :param bytes data: DER data to load.
491 :return: A new instance of the appropriate type of public key
492 serialized data contains.
493 :raises ValueError: If the data could not be deserialized.
494
Paul Kehrer6c4302e2014-11-24 09:20:38 -1000[diff] [blame]495.. class:: X509Backend
496
497 .. versionadded:: 0.7
498
499 A backend with methods for working with X.509 objects.
500
501 .. method:: load_pem_x509_certificate(data)
502
503 :param bytes data: PEM formatted certificate data.
504
Paul Kehrer13b6aff2015-02-12 14:05:44 -0600[diff] [blame]505 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer8473df62014-11-24 17:13:59 -1000[diff] [blame]506
507 .. method:: load_der_x509_certificate(data)
508
509 :param bytes data: DER formatted certificate data.
510
Paul Kehrer13b6aff2015-02-12 14:05:44 -0600[diff] [blame]511 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]512
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]513 .. method:: load_pem_x509_csr(data)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]514
515 .. versionadded:: 0.9
516
Paul Kehrer7e007d52015-03-16 21:10:03 -0500[diff] [blame]517 :param bytes data: PEM formatted certificate signing request data.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]518
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]519 :returns: An instance of
520 :class:`~cryptography.x509.CertificateSigningRequest`.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]521
Paul Kehrera9732f52015-06-26 09:43:45 -0500[diff] [blame]522 .. method:: load_der_x509_csr(data)
523
524 .. versionadded:: 0.9
525
526 :param bytes data: DER formatted certificate signing request data.
527
528 :returns: An instance of
529 :class:`~cryptography.x509.CertificateSigningRequest`.
530
531 .. method:: create_x509_csr(builder, private_key, algorithm)
532
533 .. versionadded:: 1.0
534
535 :param builder: An instance of
536 :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
537
538 :param private_key: The
539 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
540 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
541 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
542 that will be used to sign the request. When the request is
543 signed by a certificate authority, the private key's associated
544 public key will be stored in the resulting certificate.
545
546 :param algorithm: The
547 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
548 that will be used to generate the request signature.
549
Alex Gaynor6b3184c2015-12-24 14:21:47 -0500[diff] [blame]550 :returns: A new instance of
551 :class:`~cryptography.x509.CertificateSigningRequest`.
Paul Kehrera9732f52015-06-26 09:43:45 -0500[diff] [blame]552
Paul Kehrer1ae76532015-08-06 12:37:10 +0100[diff] [blame]553 .. method:: create_x509_certificate(builder, private_key, algorithm)
Paul Kehrer0d62a072015-08-06 11:00:47 +0100[diff] [blame]554
555 .. versionadded:: 1.0
556
557 :param builder: An instance of
558 :class:`~cryptography.x509.CertificateBuilder`.
559
560 :param private_key: The
561 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
562 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
563 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
564 that will be used to sign the certificate.
565
566 :param algorithm: The
567 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
568 that will be used to generate the certificate signature.
569
Alex Gaynor6b3184c2015-12-24 14:21:47 -0500[diff] [blame]570 :returns: A new instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer0d62a072015-08-06 11:00:47 +0100[diff] [blame]571
Paul Kehrer07b7e7f2015-12-24 13:06:12 -0600[diff] [blame]572 .. method:: create_x509_crl(builder, private_key, algorithm)
573
574 .. versionadded:: 1.2
575
576 :param builder: An instance of
Paul Kehrer7eaaf0c2015-12-24 19:27:38 -0600[diff] [blame]577 :class:`~cryptography.x509.CertificateRevocationListBuilder`.
Paul Kehrer07b7e7f2015-12-24 13:06:12 -0600[diff] [blame]578
579 :param private_key: The
580 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
581 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
582 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
583 that will be used to sign the CRL.
584
585 :param algorithm: The
586 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
587 that will be used to generate the CRL signature.
588
Paul Kehrera3ef6212015-12-24 13:20:41 -0600[diff] [blame]589 :returns: A new instance of
590 :class:`~cryptography.x509.CertificateRevocationList`.
Paul Kehrer07b7e7f2015-12-24 13:06:12 -0600[diff] [blame]591
Paul Kehreraa8b0f42015-12-25 11:13:45 -0600[diff] [blame]592 .. method:: create_x509_revoked_certificate(builder)
593
594 .. versionadded:: 1.2
595
596 :param builder: An instance of RevokedCertificateBuilder.
597
598 :returns: A new instance of
599 :class:`~cryptography.x509.RevokedCertificate`.
600
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]601.. class:: DHBackend
602
603 .. versionadded:: 0.9
604
605 A backend with methods for doing Diffie-Hellman key exchange.
606
607 .. method:: generate_dh_parameters(key_size)
608
609 :param int key_size: The bit length of the prime modulus to generate.
610
611 :return: A new instance of a
612 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
613 provider.
614
615 :raises ValueError: If ``key_size`` is not at least 512.
616
617 .. method:: generate_dh_private_key(parameters)
618
619 :param parameters: A
620 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
621 provider.
622
623 :return: A new instance of a
624 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
625 provider.
626
627 .. method:: generate_dh_private_key_and_parameters(self, key_size)
628
629 :param int key_size: The bit length of the prime modulus to generate.
630
631 :return: A new instance of a
632 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
633 provider.
634
635 :raises ValueError: If ``key_size`` is not at least 512.
636
637 .. method:: load_dh_private_numbers(numbers)
638
639 :param numbers: A
640 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateNumbers`
641 instance.
642
643 :return: A new instance of a
644 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
645 provider.
646
647 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
648 when any backend specific criteria are not met.
649
650 .. method:: load_dh_public_numbers(numbers)
651
652 :param numbers: A
653 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicNumbers`
654 instance.
655
656 :return: A new instance of a
657 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`
658 provider.
659
660 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
661 when any backend specific criteria are not met.
662
663 .. method:: load_dh_parameter_numbers(numbers)
664
665 :param numbers: A
666 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameterNumbers`
667 instance.
668
669 :return: A new instance of a
670 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
671 provider.
672
673 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
674 when any backend specific criteria are not met.
675
676 .. method:: dh_parameters_supported(p, g)
677
678 :param int p: The p value of the DH key.
679
680 :param int g: The g value of the DH key.
681
682 :returns: ``True`` if the given values of ``p`` and ``g`` are supported
683 by this backend, otherwise ``False``.