Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / f79c2313afdedae24b1b5b6d8fb8ff57f778a29b / . / docs / hazmat / primitives / interfaces.rst
blob: aae891e8a5bf20a075e33e99a6b6618384f6b387 [file] [log] [blame]
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]1.. hazmat::
2
3Interfaces
4==========
5
6
7``cryptography`` uses `Abstract Base Classes`_ as interfaces to describe the
David Reidbd18bcd2013-11-07 13:13:30 -0800[diff] [blame]8properties and methods of most primitive constructs. Backends may also use
9this information to influence their operation. Interfaces should also be used
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]10to document argument and return types.
11
Alex Gaynore9df2942014-12-12 10:56:26 -0800[diff] [blame]12.. _`Abstract Base Classes`: https://docs.python.org/3/library/abc.html
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]13
14
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]15Symmetric ciphers
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]16-----------------
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]17
18.. currentmodule:: cryptography.hazmat.primitives.interfaces
19
David Reid0a394df2013-11-15 16:19:50 -0800[diff] [blame]20
21.. class:: CipherAlgorithm
22
23 A named symmetric encryption algorithm.
24
25 .. attribute:: name
26
27 :type: str
28
29 The standard name for the mode, for example, "AES", "Camellia", or
30 "Blowfish".
31
32 .. attribute:: key_size
33
34 :type: int
35
36 The number of bits in the key being used.
37
38
David Reid668d4802013-12-17 11:53:43 -0800[diff] [blame]39.. class:: BlockCipherAlgorithm
40
41 A block cipher algorithm.
42
43 .. attribute:: block_size
44
45 :type: int
46
47 The number of bits in a block.
48
49
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]50Cipher modes
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]51~~~~~~~~~~~~
David Reid0a394df2013-11-15 16:19:50 -0800[diff] [blame]52
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]53Interfaces used by the symmetric cipher modes described in
54:ref:`Symmetric Encryption Modes <symmetric-encryption-modes>`.
55
56.. class:: Mode
57
58 A named cipher mode.
59
60 .. attribute:: name
61
62 :type: str
63
64 This should be the standard shorthand name for the mode, for example
65 Cipher-Block Chaining mode is "CBC".
66
67 The name may be used by a backend to influence the operation of a
68 cipher in conjunction with the algorithm's name.
69
Alex Gaynor9626b5a2013-11-19 16:49:26 -0800[diff] [blame]70 .. method:: validate_for_algorithm(algorithm)
71
72 :param CipherAlgorithm algorithm:
73
74 Checks that the combination of this mode with the provided algorithm
75 meets any necessary invariants. This should raise an exception if they
76 are not met.
77
78 For example, the :class:`~cryptography.hazmat.primitives.modes.CBC`
79 mode uses this method to check that the provided initialization
80 vector's length matches the block size of the algorithm.
81
David Reid30722b92013-11-07 13:03:39 -0800[diff] [blame]82
83.. class:: ModeWithInitializationVector
84
85 A cipher mode with an initialization vector.
86
87 .. attribute:: initialization_vector
88
89 :type: bytes
90
91 Exact requirements of the initialization are described by the
92 documentation of individual modes.
93
94
95.. class:: ModeWithNonce
96
97 A cipher mode with a nonce.
98
99 .. attribute:: nonce
100
101 :type: bytes
102
103 Exact requirements of the nonce are described by the documentation of
104 individual modes.
Paul Kehrerac423232014-01-25 14:13:09 -0600[diff] [blame]105
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]106Asymmetric interfaces
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]107---------------------
108
109.. class:: AsymmetricSignatureContext
110
111 .. versionadded:: 0.2
112
113 .. method:: update(data)
114
115 :param bytes data: The data you want to sign.
116
117 .. method:: finalize()
118
119 :return bytes signature: The signature.
120
121
122.. class:: AsymmetricVerificationContext
123
124 .. versionadded:: 0.2
125
126 .. method:: update(data)
127
128 :param bytes data: The data you wish to verify using the signature.
129
130 .. method:: verify()
131
132 :raises cryptography.exceptions.InvalidSignature: If the signature does
133 not validate.
134
135
136.. class:: AsymmetricPadding
137
138 .. versionadded:: 0.2
139
140 .. attribute:: name
141
142
143RSA
144~~~
Paul Kehrerac423232014-01-25 14:13:09 -0600[diff] [blame]145
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame^]146In 0.8 the RSA key interfaces were moved to the
147:mod:`cryptography.hazmat.primitives.asymmetric.rsa` module.
Paul Kehrerf0a48c62014-06-07 17:04:13 -0500[diff] [blame]148
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]149.. class:: EllipticCurve
150
Alex Stapleton20c99032014-05-03 21:06:46 +0100[diff] [blame]151 .. versionadded:: 0.5
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]152
153 A named elliptic curve.
154
155 .. attribute:: name
156
157 :type: string
158
159 The name of the curve. Usually the name used for the ASN.1 OID such as
Alex Stapleton6e526742014-05-23 22:06:06 +0100[diff] [blame]160 ``secp256k1``.
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]161
162 .. attribute:: key_size
163
164 :type: int
165
Alex Stapletond4365692014-05-26 09:25:25 +0100[diff] [blame]166 The bit length of the curve's base point.
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]167
168
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]169Elliptic Curve
170~~~~~~~~~~~~~~
171
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]172.. class:: EllipticCurveSignatureAlgorithm
173
Alex Stapleton20c99032014-05-03 21:06:46 +0100[diff] [blame]174 .. versionadded:: 0.5
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]175
176 A signature algorithm for use with elliptic curve keys.
177
Alex Stapleton80228a12014-04-20 16:44:26 +0100[diff] [blame]178 .. attribute:: algorithm
179
180 :type: :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
181
182 The digest algorithm to be used with the signature scheme.
183
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]184
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]185.. class:: EllipticCurvePrivateKey
186
Alex Stapleton20c99032014-05-03 21:06:46 +0100[diff] [blame]187 .. versionadded:: 0.5
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]188
189 An elliptic curve private key for use with an algorithm such as `ECDSA`_ or
190 `EdDSA`_.
191
Alex Gaynor93f135a2014-11-17 09:20:58 -0800[diff] [blame]192 .. method:: signer(signature_algorithm)
193
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]194 Sign data which can be verified later by others using the public key.
Alex Gaynor93f135a2014-11-17 09:20:58 -0800[diff] [blame]195 The signature is formatted as DER-encoded bytes, as specified in
196 :rfc:`6979`.
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]197
198 :param signature_algorithm: An instance of a
199 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurveSignatureAlgorithm`
200 provider.
201
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]202 :returns:
203 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricSignatureContext`
204
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]205
206 :type: :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurve`
207
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]208 .. method:: public_key()
209
210 :return: :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurvePublicKey`
211
212 The EllipticCurvePublicKey object for this private key.
213
214
Paul Kehrere025be22014-09-24 11:26:48 -0500[diff] [blame]215.. class:: EllipticCurvePrivateKeyWithNumbers
216
217 .. versionadded:: 0.6
218
219 Extends :class:`EllipticCurvePrivateKey`.
220
221 .. method:: private_numbers()
222
223 Create a
224 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateNumbers`
225 object.
226
227 :returns: An
228 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateNumbers`
229 instance.
230
231
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]232.. class:: EllipticCurvePublicKey
233
Alex Stapleton20c99032014-05-03 21:06:46 +0100[diff] [blame]234 .. versionadded:: 0.5
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]235
236 An elliptic curve public key.
237
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]238 .. method:: verifier(signature, signature_algorithm)
239
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]240 Verify data was signed by the private key associated with this public
241 key.
242
Alex Gaynor93f135a2014-11-17 09:20:58 -0800[diff] [blame]243 :param bytes signature: The signature to verify. DER encoded as
244 specified in :rfc:`6979`.
Alex Stapleton80228a12014-04-20 16:44:26 +0100[diff] [blame]245
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]246 :param signature_algorithm: An instance of a
247 :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurveSignatureAlgorithm`
248 provider.
249
Alex Stapletona1853f92014-04-18 11:38:28 +0100[diff] [blame]250 :returns:
251 :class:`~cryptography.hazmat.primitives.interfaces.AsymmetricSignatureContext`
252
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]253 .. attribute:: curve
254
255 :type: :class:`~cryptography.hazmat.primitives.interfaces.EllipticCurve`
256
257 The elliptic curve for this key.
258
Alex Stapleton085f3782014-04-01 16:18:17 +0100[diff] [blame]259
Paul Kehrere025be22014-09-24 11:26:48 -0500[diff] [blame]260.. class:: EllipticCurvePublicKeyWithNumbers
261
262 .. versionadded:: 0.6
263
264 Extends :class:`EllipticCurvePublicKey`.
265
Paul Kehrer5cfd2112014-09-24 14:51:01 -0500[diff] [blame]266 .. method:: public_numbers()
Paul Kehrere025be22014-09-24 11:26:48 -0500[diff] [blame]267
268 Create a
269 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`
270 object.
271
272 :returns: An
273 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`
274 instance.
275
276
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]277Hash algorithms
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]278---------------
Paul Kehrere51a2db2014-01-29 11:49:35 -0600[diff] [blame]279
280.. class:: HashAlgorithm
281
Paul Kehrere51a2db2014-01-29 11:49:35 -0600[diff] [blame]282 .. attribute:: name
283
284 :type: str
285
Paul Kehrer4c75a8c2014-01-29 12:20:37 -0600[diff] [blame]286 The standard name for the hash algorithm, for example: ``"sha256"`` or
287 ``"whirlpool"``.
Paul Kehrere51a2db2014-01-29 11:49:35 -0600[diff] [blame]288
289 .. attribute:: digest_size
290
291 :type: int
292
293 The size of the resulting digest in bytes.
294
295 .. attribute:: block_size
296
297 :type: int
298
299 The internal block size of the hash algorithm in bytes.
300
301
Ayrxa0f98502014-04-15 19:17:03 +0800[diff] [blame]302.. class:: HashContext
303
304 .. attribute:: algorithm
305
306 A :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm` that
307 will be used by this context.
308
309 .. method:: update(data)
310
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]311 :param bytes data: The data you want to hash.
Ayrxa0f98502014-04-15 19:17:03 +0800[diff] [blame]312
313 .. method:: finalize()
314
315 :return: The final digest as bytes.
316
317 .. method:: copy()
318
319 :return: A :class:`~cryptography.hazmat.primitives.interfaces.HashContext`
320 that is a copy of the current context.
321
322
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]323Key derivation functions
Alex Gaynor645315b2014-06-23 11:55:55 -0700[diff] [blame]324------------------------
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]325
326.. class:: KeyDerivationFunction
327
Alex Gaynor8454c512014-01-28 07:01:54 -0800[diff] [blame]328 .. versionadded:: 0.2
329
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]330 .. method:: derive(key_material)
331
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]332 :param bytes key_material: The input key material. Depending on what
Alex Gaynor5484f722014-01-28 05:46:15 -0800[diff] [blame]333 key derivation function you are using this
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]334 could be either random bytes, or a user
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]335 supplied password.
Alex Gaynor5484f722014-01-28 05:46:15 -0800[diff] [blame]336 :return: The new key.
Alex Gaynore19e89f2014-01-28 06:58:43 -0800[diff] [blame]337 :raises cryptography.exceptions.AlreadyFinalized: This is raised when
338 :meth:`derive` or
339 :meth:`verify` is
340 called more than
341 once.
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]342
Alex Gaynor5484f722014-01-28 05:46:15 -0800[diff] [blame]343 This generates and returns a new key from the supplied key material.
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]344
345 .. method:: verify(key_material, expected_key)
346
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]347 :param bytes key_material: The input key material. This is the same as
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]348 ``key_material`` in :meth:`derive`.
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]349 :param bytes expected_key: The expected result of deriving a new key,
Alex Gaynor5484f722014-01-28 05:46:15 -0800[diff] [blame]350 this is the same as the return value of
351 :meth:`derive`.
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]352 :raises cryptography.exceptions.InvalidKey: This is raised when the
353 derived key does not match
354 the expected key.
Alex Gaynore19e89f2014-01-28 06:58:43 -0800[diff] [blame]355 :raises cryptography.exceptions.AlreadyFinalized: This is raised when
356 :meth:`derive` or
357 :meth:`verify` is
358 called more than
359 once.
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]360
Alex Gaynor5484f722014-01-28 05:46:15 -0800[diff] [blame]361 This checks whether deriving a new key from the supplied
362 ``key_material`` generates the same key as the ``expected_key``, and
363 raises an exception if they do not match. This can be used for
364 something like checking whether a user's password attempt matches the
365 stored derived key.
Alex Gaynorb2774f52014-01-27 11:05:29 -0800[diff] [blame]366
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]367
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]368`Message Authentication Code`_
369------------------------------
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]370
371.. class:: CMACContext
372
Alex Gaynor7d156882014-10-20 10:40:34 -0700[diff] [blame]373 :class:`CMACContext` has been deprecated in favor of :class:`MACContext`.
Terry Chiac7c82f32014-10-20 12:15:22 +0800[diff] [blame]374
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]375 .. versionadded:: 0.4
376
377 .. method:: update(data)
378
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]379 :param bytes data: The data you want to authenticate.
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]380
381 .. method:: finalize()
382
Ayrx7964c172014-04-15 21:50:58 +0800[diff] [blame]383 :return: The message authentication code.
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]384
385 .. method:: copy()
386
387 :return: A :class:`~cryptography.hazmat.primitives.interfaces.CMACContext`
388 that is a copy of the current context.
389
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]390.. class:: MACContext
391
392 .. versionadded:: 0.7
393
394 .. method:: update(data)
395
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]396 :param bytes data: The data you want to authenticate.
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]397
398 .. method:: finalize()
399
400 :return: The message authentication code.
401
402 .. method:: copy()
403
Alex Gaynor7d156882014-10-20 10:40:34 -0700[diff] [blame]404 :return: A
405 :class:`~cryptography.hazmat.primitives.interfaces.MACContext` that
406 is a copy of the current context.
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]407
Alex Gaynor7d156882014-10-20 10:40:34 -0700[diff] [blame]408 .. method:: verify(signature)
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]409
Alex Gaynore85e3562014-11-22 23:26:30 -0800[diff] [blame]410 :param bytes signature: The signature to verify.
Terry Chiacc5e4452014-10-12 15:35:21 +0800[diff] [blame]411
412 :raises cryptography.exceptions.InvalidSignature: This is raised when
413 the provided signature does not match the expected signature.
Ayrxc8121702014-04-15 19:02:05 +0800[diff] [blame]414
Paul Kehrer05c122b2014-11-24 08:41:05 -1000[diff] [blame]415
Paul Kehrer8e9c9842014-02-13 12:23:27 -0600[diff] [blame]416.. _`RSA`: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
417.. _`Chinese remainder theorem`: https://en.wikipedia.org/wiki/Chinese_remainder_theorem
Mohammed Attia604c78f2014-03-04 03:56:08 +0200[diff] [blame]418.. _`DSA`: https://en.wikipedia.org/wiki/Digital_Signature_Algorithm
Ayrx83cd3f82014-04-15 21:56:32 +0800[diff] [blame]419.. _`CMAC`: https://en.wikipedia.org/wiki/CMAC
Alex Gaynore9df2942014-12-12 10:56:26 -0800[diff] [blame]420.. _`ECDSA`: https://en.wikipedia.org/wiki/ECDSA
421.. _`EdDSA`: https://en.wikipedia.org/wiki/EdDSA