Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / d2fa7d2eed79feb94ddde3d770e9467ac3edc8ac / . / docs / hazmat / primitives / interfaces.rst
blob: bd329b98a7cc6a5c2627ba1b9b47a99cbfe87c6e [file] [log] [blame]
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]1.. hazmat::
2
3Interfaces
4==========
5
6
7``cryptography`` uses `Abstract Base Classes`_ as interfaces to describe the
David Reidbd18bcd2013-11-07 13:13:30 -0800[diff] [blame]8properties and methods of most primitive constructs. Backends may also use
9this information to influence their operation. Interfaces should also be used
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]10to document argument and return types.
11
Alex Gaynore9df2942014-12-12 10:56:26 -0800[diff] [blame]12.. _`Abstract Base Classes`: https://docs.python.org/3/library/abc.html
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]13
14
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]15Symmetric ciphers
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]16-----------------
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]17
18.. currentmodule:: cryptography.hazmat.primitives.interfaces
19
David Reid0a394df2013-11-15 16:19:50 -0800[diff] [blame]20
21.. class:: CipherAlgorithm
22
23 A named symmetric encryption algorithm.
24
25 .. attribute:: name
26
27 :type: str
28
29 The standard name for the mode, for example, "AES", "Camellia", or
30 "Blowfish".
31
32 .. attribute:: key_size
33
34 :type: int
35
36 The number of bits in the key being used.
37
38
David Reid668d4802013-12-17 11:53:43 -0800[diff] [blame]39.. class:: BlockCipherAlgorithm
40
41 A block cipher algorithm.
42
43 .. attribute:: block_size
44
45 :type: int
46
47 The number of bits in a block.
48
49
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]50Cipher modes
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]51~~~~~~~~~~~~
David Reid0a394df2013-11-15 16:19:50 -0800[diff] [blame]52
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]53Interfaces used by the symmetric cipher modes described in
54:ref:`Symmetric Encryption Modes <symmetric-encryption-modes>`.
55
56.. class:: Mode
57
58 A named cipher mode.
59
60 .. attribute:: name
61
62 :type: str
63
64 This should be the standard shorthand name for the mode, for example
65 Cipher-Block Chaining mode is "CBC".
66
67 The name may be used by a backend to influence the operation of a
68 cipher in conjunction with the algorithm's name.
69
Alex Gaynor9626b5a2013-11-19 16:49:26 -0800[diff] [blame]70 .. method:: validate_for_algorithm(algorithm)
71
72 :param CipherAlgorithm algorithm:
73
74 Checks that the combination of this mode with the provided algorithm
75 meets any necessary invariants. This should raise an exception if they
76 are not met.
77
78 For example, the :class:`~cryptography.hazmat.primitives.modes.CBC`
79 mode uses this method to check that the provided initialization
80 vector's length matches the block size of the algorithm.
81
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]82
83.. class:: ModeWithInitializationVector
84
85 A cipher mode with an initialization vector.
86
87 .. attribute:: initialization_vector
88
89 :type: bytes
90
91 Exact requirements of the initialization are described by the
92 documentation of individual modes.
93
94
95.. class:: ModeWithNonce
96
97 A cipher mode with a nonce.
98
99 .. attribute:: nonce
100
101 :type: bytes
102
103 Exact requirements of the nonce are described by the documentation of
104 individual modes.
Paul Kehrerac423232014-01-25 14:13:09 -0600[diff] [blame]105
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]106Asymmetric interfaces
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]107---------------------
108
109.. class:: AsymmetricSignatureContext
110
111 .. versionadded:: 0.2
112
113 .. method:: update(data)
114
115 :param bytes data: The data you want to sign.
116
117 .. method:: finalize()
118
119 :return bytes signature: The signature.
120
121
122.. class:: AsymmetricVerificationContext
123
124 .. versionadded:: 0.2
125
126 .. method:: update(data)
127
128 :param bytes data: The data you wish to verify using the signature.
129
130 .. method:: verify()
131
132 :raises cryptography.exceptions.InvalidSignature: If the signature does
133 not validate.
134
135
136.. class:: AsymmetricPadding
137
138 .. versionadded:: 0.2
139
140 .. attribute:: name
141
Paul Kehrerd2fa7d22015-02-12 00:15:02 -0600[diff] [blame^]142DSA
143~~~
144
145In 0.8 the DSA key interfaces were moved to the
146:mod:`cryptography.hazmat.primitives.asymmetric.dsa` module.
147
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]148
149RSA
150~~~
Paul Kehrerac423232014-01-25 14:13:09 -0600[diff] [blame]151
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]152In 0.8 the RSA key interfaces were moved to the
153:mod:`cryptography.hazmat.primitives.asymmetric.rsa` module.
Paul Kehrerf0a48c62014-06-07 17:04:13 -0500[diff] [blame]154
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]155.. class:: EllipticCurve
156
Alex Stapleton20c99032014-05-03 21:06:46 +0100[diff] [blame]157 .. versionadded:: 0.5
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]158
159 A named elliptic curve.
160
161 .. attribute:: name
162
163 :type: string
164
165 The name of the curve. Usually the name used for the ASN.1 OID such as
Alex Stapleton6e526742014-05-23 22:06:06 +0100[diff] [blame]166 ``secp256k1``.
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]167
168 .. attribute:: key_size
169
170 :type: int
171
Alex Stapletond4365692014-05-26 09:25:25 +0100[diff] [blame]172 The bit length of the curve's base point.
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]173
174
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]175Elliptic Curve
176~~~~~~~~~~~~~~
177
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]178.. class:: EllipticCurveSignatureAlgorithm
179
Alex Stapleton20c99032014-05-03 21:06:46 +0100[diff] [blame]180 .. versionadded:: 0.5
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]181
182 A signature algorithm for use with elliptic curve keys.
183
Alex Stapleton80228a12014-04-20 16:44:26 +0100[diff] [blame]184 .. attribute:: algorithm
185
186 :type: :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
187
188 The digest algorithm to be used with the signature scheme.
189
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]190
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]191.. class:: EllipticCurvePrivateKey
192
Alex Stapleton20c99032014-05-03 21:06:46 +0100[diff] [blame]193 .. versionadded:: 0.5
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]194
195 An elliptic curve private key for use with an algorithm such as `ECDSA`_ or
196 `EdDSA`_.
197
Alex Gaynor93f135a2014-11-17 09:20:58 -0800[diff] [blame]198 .. method:: signer(signature_algorithm)
199
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]200 Sign data which can be verified later by others using the public key.
Alex Gaynor93f135a2014-11-17 09:20:58 -0800[diff] [blame]201 The signature is formatted as DER-encoded bytes, as specified in
202 :rfc:`6979`.
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]203
204 :param signature_algorithm: An instance of a
205 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurveSignatureAlgorithm`
206 provider.
207
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]208 :returns:
209 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricSignatureContext`
210
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]211
212 :type: :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurve`
213
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]214 .. method:: public_key()
215
216 :return: :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePublicKey`
217
218 The EllipticCurvePublicKey object for this private key.
219
220
Paul Kehrere025be22014-09-24 11:26:48 -0500[diff] [blame]221.. class:: EllipticCurvePrivateKeyWithNumbers
222
223 .. versionadded:: 0.6
224
225 Extends :class:`EllipticCurvePrivateKey`.
226
227 .. method:: private_numbers()
228
229 Create a
230 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateNumbers`
231 object.
232
233 :returns: An
234 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateNumbers`
235 instance.
236
237
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]238.. class:: EllipticCurvePublicKey
239
Alex Stapleton20c99032014-05-03 21:06:46 +0100[diff] [blame]240 .. versionadded:: 0.5
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]241
242 An elliptic curve public key.
243
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]244 .. method:: verifier(signature, signature_algorithm)
245
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]246 Verify data was signed by the private key associated with this public
247 key.
248
Alex Gaynor93f135a2014-11-17 09:20:58 -0800[diff] [blame]249 :param bytes signature: The signature to verify. DER encoded as
250 specified in :rfc:`6979`.
Alex Stapleton80228a12014-04-20 16:44:26 +0100[diff] [blame]251
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]252 :param signature_algorithm: An instance of a
253 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurveSignatureAlgorithm`
254 provider.
255
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]256 :returns:
257 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricSignatureContext`
258
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]259 .. attribute:: curve
260
261 :type: :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurve`
262
263 The elliptic curve for this key.
264
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]265
Paul Kehrere025be22014-09-24 11:26:48 -0500[diff] [blame]266.. class:: EllipticCurvePublicKeyWithNumbers
267
268 .. versionadded:: 0.6
269
270 Extends :class:`EllipticCurvePublicKey`.
271
Paul Kehrer5cfd2112014-09-24 14:51:01 -0500[diff] [blame]272 .. method:: public_numbers()
Paul Kehrere025be22014-09-24 11:26:48 -0500[diff] [blame]273
274 Create a
275 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`
276 object.
277
278 :returns: An
279 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`
280 instance.
281
282
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]283Hash algorithms
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]284---------------
Paul Kehrere51a2db2014-01-29 11:49:35 -0600[diff] [blame]285
286.. class:: HashAlgorithm
287
Paul Kehrere51a2db2014-01-29 11:49:35 -0600[diff] [blame]288 .. attribute:: name
289
290 :type: str
291
Paul Kehrer4c75a8c2014-01-29 12:20:37 -0600[diff] [blame]292 The standard name for the hash algorithm, for example: ``"sha256"`` or
293 ``"whirlpool"``.
Paul Kehrere51a2db2014-01-29 11:49:35 -0600[diff] [blame]294
295 .. attribute:: digest_size
296
297 :type: int
298
299 The size of the resulting digest in bytes.
300
301 .. attribute:: block_size
302
303 :type: int
304
305 The internal block size of the hash algorithm in bytes.
306
307
Ayrxa0f98502014-04-15 19:17:03 +0800[diff] [blame]308.. class:: HashContext
309
310 .. attribute:: algorithm
311
312 A :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm` that
313 will be used by this context.
314
315 .. method:: update(data)
316
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]317 :param bytes data: The data you want to hash.
Ayrxa0f98502014-04-15 19:17:03 +0800[diff] [blame]318
319 .. method:: finalize()
320
321 :return: The final digest as bytes.
322
323 .. method:: copy()
324
325 :return: A :class:`~cryptography.hazmat.primitives.interfaces.HashContext`
326 that is a copy of the current context.
327
328
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]329Key derivation functions
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]330------------------------
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]331
332.. class:: KeyDerivationFunction
333
Alex Gaynor8454c512014-01-28 07:01:54 -0800[diff] [blame]334 .. versionadded:: 0.2
335
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]336 .. method:: derive(key_material)
337
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]338 :param bytes key_material: The input key material. Depending on what
Alex Gaynor5484f722014-01-28 05:46:15 -0800[diff] [blame]339 key derivation function you are using this
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]340 could be either random bytes, or a user
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]341 supplied password.
Alex Gaynor5484f722014-01-28 05:46:15 -0800[diff] [blame]342 :return: The new key.
Alex Gaynore19e89f2014-01-28 06:58:43 -0800[diff] [blame]343 :raises cryptography.exceptions.AlreadyFinalized: This is raised when
344 :meth:`derive` or
345 :meth:`verify` is
346 called more than
347 once.
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]348
Alex Gaynor5484f722014-01-28 05:46:15 -0800[diff] [blame]349 This generates and returns a new key from the supplied key material.
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]350
351 .. method:: verify(key_material, expected_key)
352
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]353 :param bytes key_material: The input key material. This is the same as
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]354 ``key_material`` in :meth:`derive`.
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]355 :param bytes expected_key: The expected result of deriving a new key,
Alex Gaynor5484f722014-01-28 05:46:15 -0800[diff] [blame]356 this is the same as the return value of
357 :meth:`derive`.
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]358 :raises cryptography.exceptions.InvalidKey: This is raised when the
359 derived key does not match
360 the expected key.
Alex Gaynore19e89f2014-01-28 06:58:43 -0800[diff] [blame]361 :raises cryptography.exceptions.AlreadyFinalized: This is raised when
362 :meth:`derive` or
363 :meth:`verify` is
364 called more than
365 once.
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]366
Alex Gaynor5484f722014-01-28 05:46:15 -0800[diff] [blame]367 This checks whether deriving a new key from the supplied
368 ``key_material`` generates the same key as the ``expected_key``, and
369 raises an exception if they do not match. This can be used for
370 something like checking whether a user's password attempt matches the
371 stored derived key.
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]372
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]373
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]374`Message Authentication Code`_
375------------------------------
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]376
377.. class:: CMACContext
378
Alex Gaynor7d156882014-10-20 10:40:34 -0700[diff] [blame]379 :class:`CMACContext` has been deprecated in favor of :class:`MACContext`.
Terry Chiac7c82f32014-10-20 12:15:22 +0800[diff] [blame]380
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]381 .. versionadded:: 0.4
382
383 .. method:: update(data)
384
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]385 :param bytes data: The data you want to authenticate.
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]386
387 .. method:: finalize()
388
Ayrx7964c172014-04-15 21:50:58 +0800[diff] [blame]389 :return: The message authentication code.
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]390
391 .. method:: copy()
392
393 :return: A :class:`~cryptography.hazmat.primitives.interfaces.CMACContext`
394 that is a copy of the current context.
395
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]396.. class:: MACContext
397
398 .. versionadded:: 0.7
399
400 .. method:: update(data)
401
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]402 :param bytes data: The data you want to authenticate.
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]403
404 .. method:: finalize()
405
406 :return: The message authentication code.
407
408 .. method:: copy()
409
Alex Gaynor7d156882014-10-20 10:40:34 -0700[diff] [blame]410 :return: A
411 :class:`~cryptography.hazmat.primitives.interfaces.MACContext` that
412 is a copy of the current context.
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]413
Alex Gaynor7d156882014-10-20 10:40:34 -0700[diff] [blame]414 .. method:: verify(signature)
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]415
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]416 :param bytes signature: The signature to verify.
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]417
418 :raises cryptography.exceptions.InvalidSignature: This is raised when
419 the provided signature does not match the expected signature.
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]420
Paul Kehrer05c122b2014-11-24 08:41:05 -1000[diff] [blame]421
Paul Kehrer8e9c9842014-02-13 12:23:27 -0600[diff] [blame]422.. _`RSA`: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
423.. _`Chinese remainder theorem`: https://en.wikipedia.org/wiki/Chinese_remainder_theorem
Mohammed Attia604c78f2014-03-04 03:56:08 +0200[diff] [blame]424.. _`DSA`: https://en.wikipedia.org/wiki/Digital_Signature_Algorithm
Ayrx83cd3f82014-04-15 21:56:32 +0800[diff] [blame]425.. _`CMAC`: https://en.wikipedia.org/wiki/CMAC
Alex Gaynore9df2942014-12-12 10:56:26 -0800[diff] [blame]426.. _`ECDSA`: https://en.wikipedia.org/wiki/ECDSA
427.. _`EdDSA`: https://en.wikipedia.org/wiki/EdDSA