Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cryptography / f99d45e30b59771b5d675e91362b7d64dd367a4a / . / docs / hazmat / backends / interfaces.rst
blob: e3c674745d06ea215ae319f0a2ee2cb3a5771adc [file] [log] [blame]
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]1.. hazmat::
2
Alex Stapletonc5fffd32014-03-18 15:29:00 +0000[diff] [blame]3Backend interfaces
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]4==================
5
Alex Gaynorf8796b12013-12-13 20:28:55 -0800[diff] [blame]6.. currentmodule:: cryptography.hazmat.backends.interfaces
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]7
8
Alex Gaynor969f18e2014-05-17 20:07:35 -0700[diff] [blame]9Backend implementations may provide a number of interfaces to support
10operations such as :doc:`/hazmat/primitives/symmetric-encryption`,
David Reid6b9df812013-11-18 14:13:02 -0800[diff] [blame]11:doc:`/hazmat/primitives/cryptographic-hashes`, and
Ayrxfa4a6b22014-04-16 23:03:14 +0800[diff] [blame]12:doc:`/hazmat/primitives/mac/hmac`.
David Reid6b9df812013-11-18 14:13:02 -0800[diff] [blame]13
14A specific ``backend`` may provide one or more of these interfaces.
15
16
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]17.. class:: CipherBackend
18
Alex Stapleton63b3de22014-02-08 09:43:16 +0000[diff] [blame]19 A backend that provides methods for using ciphers for encryption
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]20 and decryption.
21
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]22 The following backends implement this interface:
23
24 * :doc:`/hazmat/backends/openssl`
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]25
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]26 .. method:: cipher_supported(cipher, mode)
27
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]28 Check if a ``cipher`` and ``mode`` combination is supported by
29 this backend.
30
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]31 :param cipher: An instance of
32 :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`.
33
34 :param mode: An instance of
35 :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode`.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]36
37 :returns: ``True`` if the specified ``cipher`` and ``mode`` combination
38 is supported by this backend, otherwise ``False``
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]39
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]40
41 .. method:: create_symmetric_encryption_ctx(cipher, mode)
42
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]43 Create a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]44 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` that
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]45 can be used for encrypting data with the symmetric ``cipher`` using
46 the given ``mode``.
47
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]48 :param cipher: An instance of
49 :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`.
50
51 :param mode: An instance of
52 :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode`.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]53
54 :returns:
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]55 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]56
Paul Kehrera07925a2013-12-06 11:49:42 -0600[diff] [blame]57 :raises ValueError: When tag is not None in an AEAD mode
58
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]59
60 .. method:: create_symmetric_decryption_ctx(cipher, mode)
61
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]62 Create a
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]63 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` that
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]64 can be used for decrypting data with the symmetric ``cipher`` using
65 the given ``mode``.
66
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]67 :param cipher: An instance of
68 :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`.
69
70 :param mode: An instance of
71 :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode`.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]72
73 :returns:
Paul Kehrer7c5c9fe2015-02-14 10:27:14 -0600[diff] [blame]74 :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]75
Paul Kehrera07925a2013-12-06 11:49:42 -0600[diff] [blame]76 :raises ValueError: When tag is None in an AEAD mode
77
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]78
79.. class:: HashBackend
80
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]81 A backend with methods for using cryptographic hash functions.
82
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]83 The following backends implement this interface:
84
85 * :doc:`/hazmat/backends/openssl`
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]86
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]87 .. method:: hash_supported(algorithm)
88
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]89 Check if the specified ``algorithm`` is supported by this backend.
90
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]91 :param algorithm: An instance of
92 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]93
94 :returns: ``True`` if the specified ``algorithm`` is supported by this
95 backend, otherwise ``False``.
96
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]97
98 .. method:: create_hash_ctx(algorithm)
99
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]100 Create a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]101 :class:`~cryptography.hazmat.primitives.hashes.HashContext` that
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]102 uses the specified ``algorithm`` to calculate a message digest.
103
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]104 :param algorithm: An instance of
105 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]106
107 :returns:
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]108 :class:`~cryptography.hazmat.primitives.hashes.HashContext`
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]109
110
111.. class:: HMACBackend
112
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]113 A backend with methods for using cryptographic hash functions as message
114 authentication codes.
115
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]116 The following backends implement this interface:
117
118 * :doc:`/hazmat/backends/openssl`
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]119
Paul Kehrer90ae8662013-12-23 17:21:00 -0600[diff] [blame]120 .. method:: hmac_supported(algorithm)
121
122 Check if the specified ``algorithm`` is supported by this backend.
123
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]124 :param algorithm: An instance of
125 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
Paul Kehrer90ae8662013-12-23 17:21:00 -0600[diff] [blame]126
127 :returns: ``True`` if the specified ``algorithm`` is supported for HMAC
128 by this backend, otherwise ``False``.
129
Alex Gaynorb80a5ab2016-01-30 16:24:19 -0500[diff] [blame]130 .. method:: create_hmac_ctx(key, algorithm)
David Reid2a746ce2013-11-15 15:32:14 -0800[diff] [blame]131
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]132 Create a
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]133 :class:`~cryptography.hazmat.primitives.hashes.HashContext` that
Paul Kehrer4f776c42013-12-23 17:25:54 -0600[diff] [blame]134 uses the specified ``algorithm`` to calculate a hash-based message
135 authentication code.
David Reid6624a442013-11-18 12:44:30 -0800[diff] [blame]136
Alex Gaynorb80a5ab2016-01-30 16:24:19 -0500[diff] [blame]137 :param bytes key: Secret key as ``bytes``.
138
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]139 :param algorithm: An instance of
140 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
David Reid5973f4c2013-11-18 11:29:44 -0800[diff] [blame]141
142 :returns:
Paul Kehrer601278a2015-02-12 12:51:00 -0600[diff] [blame]143 :class:`~cryptography.hazmat.primitives.hashes.HashContext`
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]144
145
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]146.. class:: CMACBackend
147
148 .. versionadded:: 0.4
149
150 A backend with methods for using CMAC
151
152 .. method:: cmac_algorithm_supported(algorithm)
153
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]154 :param algorithm: An instance of
155 :class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`.
156
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]157 :return: Returns True if the block cipher is supported for CMAC by this backend
158
159 .. method:: create_cmac_ctx(algorithm)
160
161 Create a
Paul Kehrer891efd92015-03-09 09:25:22 -0500[diff] [blame]162 :class:`~cryptography.hazmat.primitives.interfaces.MACContext` that
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]163 uses the specified ``algorithm`` to calculate a message authentication code.
164
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]165 :param algorithm: An instance of
166 :class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`.
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]167
168 :returns:
Paul Kehrer891efd92015-03-09 09:25:22 -0500[diff] [blame]169 :class:`~cryptography.hazmat.primitives.interfaces.MACContext`
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]170
171
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]172.. class:: PBKDF2HMACBackend
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]173
Paul Kehrer5d1af212014-01-28 12:19:32 -0600[diff] [blame]174 .. versionadded:: 0.2
175
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]176 A backend with methods for using PBKDF2 using HMAC as a PRF.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]177
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]178 The following backends implement this interface:
179
180 * :doc:`/hazmat/backends/openssl`
Alex Gaynor585c99c2014-02-04 16:10:10 -0800[diff] [blame]181
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]182 .. method:: pbkdf2_hmac_supported(algorithm)
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]183
184 Check if the specified ``algorithm`` is supported by this backend.
185
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]186 :param algorithm: An instance of
187 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]188
189 :returns: ``True`` if the specified ``algorithm`` is supported for
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]190 PBKDF2 HMAC by this backend, otherwise ``False``.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]191
Alex Gaynor1cfc5d52014-11-23 17:44:28 -0600[diff] [blame]192 .. method:: derive_pbkdf2_hmac(self, algorithm, length, salt, iterations, key_material)
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]193
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]194 :param algorithm: An instance of
195 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]196
197 :param int length: The desired length of the derived key. Maximum is
Paul Kehrer98e40e62014-01-28 15:07:49 -0600[diff] [blame]198 (2\ :sup:`32` - 1) * ``algorithm.digest_size``
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]199
Paul Kehrerb6d764c2014-01-27 22:32:11 -0600[diff] [blame]200 :param bytes salt: A salt.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]201
202 :param int iterations: The number of iterations to perform of the hash
Paul Kehrerc58b4782014-01-29 13:56:25 -0600[diff] [blame]203 function. This can be used to control the length of time the
204 operation takes. Higher numbers help mitigate brute force attacks
205 against derived keys.
Paul Kehrer1050ddf2014-01-27 21:04:03 -0600[diff] [blame]206
207 :param bytes key_material: The key material to use as a basis for
208 the derived key. This is typically a password.
209
210 :return bytes: Derived key.
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]211
212
213.. class:: RSABackend
214
215 .. versionadded:: 0.2
216
217 A backend with methods for using RSA.
218
Alex Stapletone009ad22014-02-08 17:23:46 +0000[diff] [blame]219 .. method:: generate_rsa_private_key(public_exponent, key_size)
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]220
221 :param int public_exponent: The public exponent of the new key.
222 Often one of the small Fermat primes 3, 5, 17, 257 or 65537.
223
Alex Stapletone009ad22014-02-08 17:23:46 +0000[diff] [blame]224 :param int key_size: The length in bits of the modulus. Should be
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]225 at least 2048.
226
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]227 :return: A new instance of
228 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`.
Alex Stapleton209a1322014-02-07 20:26:44 +0000[diff] [blame]229
230 :raises ValueError: If the public_exponent is not valid.
Paul Kehrer2b3f0fc2014-02-17 19:20:14 -0600[diff] [blame]231
Paul Kehrerc333dbc2014-05-24 18:35:02 -0500[diff] [blame]232 .. method:: rsa_padding_supported(padding)
233
234 Check if the specified ``padding`` is supported by the backend.
235
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]236 :param padding: An instance of
237 :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`.
Paul Kehrerc333dbc2014-05-24 18:35:02 -0500[diff] [blame]238
239 :returns: ``True`` if the specified ``padding`` is supported by this
240 backend, otherwise ``False``.
241
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]242 .. method:: generate_rsa_parameters_supported(public_exponent, key_size)
243
244 Check if the specified parameters are supported for key generation by
245 the backend.
246
Paul Kehrer1b760f12014-05-26 08:54:38 -0500[diff] [blame]247 :param int public_exponent: The public exponent.
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]248
Paul Kehrer1b760f12014-05-26 08:54:38 -0500[diff] [blame]249 :param int key_size: The bit length of the generated modulus.
Paul Kehrer342d2e42014-05-25 22:01:20 -0500[diff] [blame]250
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]251 .. method:: load_rsa_private_numbers(numbers)
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]252
253 :param numbers: An instance of
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]254 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]255
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]256 :returns: An instance of
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]257 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`.
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]258
David Reidc57a3762014-06-03 13:27:50 -0700[diff] [blame]259 :raises ValueError: This is raised when the values of ``p``, ``q``,
260 ``private_exponent``, ``public_exponent``, or ``modulus`` do not
261 match the bounds specified in :rfc:`3447`.
262
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]263 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
264 when any backend specific criteria are not met.
David Reidda76ae02014-06-03 14:01:18 -0700[diff] [blame]265
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]266 .. method:: load_rsa_public_numbers(numbers)
David Reida674afe2014-05-30 14:15:29 -0700[diff] [blame]267
268 :param numbers: An instance of
269 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
270
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]271 :returns: An instance of
Alex Stapletonf79c2312014-12-30 12:50:14 +0000[diff] [blame]272 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
David Reid68b509a2014-05-08 10:31:51 -0700[diff] [blame]273
David Reidc57a3762014-06-03 13:27:50 -0700[diff] [blame]274 :raises ValueError: This is raised when the values of
275 ``public_exponent`` or ``modulus`` do not match the bounds
276 specified in :rfc:`3447`.
277
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]278 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
279 when any backend specific criteria are not met.
David Reidda76ae02014-06-03 14:01:18 -0700[diff] [blame]280
Alex Stapleton2fb76a32014-02-15 11:10:57 +0000[diff] [blame]281
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]282.. class:: DSABackend
283
284 .. versionadded:: 0.4
285
286 A backend with methods for using DSA.
287
288 .. method:: generate_dsa_parameters(key_size)
289
Alex Gaynorc9dc0a02014-04-24 13:38:12 -0700[diff] [blame]290 :param int key_size: The length of the modulus in bits. It should be
Alex Gaynor20c44042015-01-08 11:00:00 -0800[diff] [blame]291 either 1024, 2048 or 3072. For keys generated in 2015 this should
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]292 be at least 2048.
Alex Gaynorc9dc0a02014-04-24 13:38:12 -0700[diff] [blame]293 Note that some applications (such as SSH) have not yet gained
294 support for larger key sizes specified in FIPS 186-3 and are still
295 restricted to only the 1024-bit keys specified in FIPS 186-2.
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]296
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]297 :return: A new instance of
298 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`.
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]299
300 .. method:: generate_dsa_private_key(parameters)
301
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]302 :param parameters: An instance of
303 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`.
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]304
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]305 :return: A new instance of
306 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
Mohammed Attia29474ac2014-04-02 04:03:09 +0200[diff] [blame]307
Alex Gaynor239d5182014-04-24 13:42:58 -0700[diff] [blame]308 :raises ValueError: This is raised if the key size is not one of 1024,
Alex Gaynora8f935b2016-06-26 13:25:59 -0400[diff] [blame]309 2048, or 3072.
Ayrx97a72fd2014-04-15 19:02:51 +0800[diff] [blame]310
Paul Kehrer298effd2014-06-27 14:07:59 -0600[diff] [blame]311 .. method:: generate_dsa_private_key_and_parameters(key_size)
312
313 :param int key_size: The length of the modulus in bits. It should be
Alex Gaynor20c44042015-01-08 11:00:00 -0800[diff] [blame]314 either 1024, 2048 or 3072. For keys generated in 2015 this should
Paul Kehrer298effd2014-06-27 14:07:59 -0600[diff] [blame]315 be at least 2048.
316 Note that some applications (such as SSH) have not yet gained
317 support for larger key sizes specified in FIPS 186-3 and are still
318 restricted to only the 1024-bit keys specified in FIPS 186-2.
319
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]320 :return: A new instance of
321 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
Paul Kehrer298effd2014-06-27 14:07:59 -0600[diff] [blame]322
323 :raises ValueError: This is raised if the key size is not supported
324 by the backend.
325
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]326 .. method:: dsa_hash_supported(algorithm)
Paul Kehrer43dc2762014-04-30 16:24:39 -0500[diff] [blame]327
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]328 :param algorithm: An instance of
329 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
Mohammed Attia59edb612014-04-25 22:44:40 +0200[diff] [blame]330
331 :returns: ``True`` if the specified ``algorithm`` is supported by this
332 backend, otherwise ``False``.
333
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]334 .. method:: dsa_parameters_supported(p, q, g)
Paul Kehrerb4037872014-04-30 16:32:23 -0500[diff] [blame]335
336 :param int p: The p value of a DSA key.
337
338 :param int q: The q value of a DSA key.
339
Paul Kehrer21babbb2014-05-01 11:33:22 -0500[diff] [blame]340 :param int g: The g value of a DSA key.
341
342 :returns: ``True`` if the given values of ``p``, ``q``, and ``g`` are
343 supported by this backend, otherwise ``False``.
Paul Kehrerb4037872014-04-30 16:32:23 -0500[diff] [blame]344
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]345 .. method:: load_dsa_parameter_numbers(numbers)
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]346
347 :param numbers: An instance of
348 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameterNumbers`.
349
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]350 :returns: An instance of
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]351 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]352
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]353 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
354 when any backend specific criteria are not met.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]355
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]356 .. method:: load_dsa_private_numbers(numbers)
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]357
358 :param numbers: An instance of
359 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateNumbers`.
360
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]361 :returns: An instance of
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]362 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]363
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]364 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
365 when any backend specific criteria are not met.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]366
Alex Gaynor4922c452014-11-20 19:45:07 -0800[diff] [blame]367 .. method:: load_dsa_public_numbers(numbers)
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]368
369 :param numbers: An instance of
370 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicNumbers`.
371
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]372 :returns: An instance of
Alex Stapletonf48f69d2015-01-18 15:57:28 +0000[diff] [blame]373 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]374
Alex Gaynorfecf6442014-12-27 11:19:32 -0800[diff] [blame]375 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
376 when any backend specific criteria are not met.
Paul Kehrer0739afc2014-06-22 12:06:18 -0600[diff] [blame]377
378
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]379.. class:: EllipticCurveBackend
380
381 .. versionadded:: 0.5
382
383 .. method:: elliptic_curve_supported(curve)
384
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]385 :param curve: An instance of
386 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`.
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]387
388 :returns: True if the elliptic curve is supported by this backend.
389
390 .. method:: elliptic_curve_signature_algorithm_supported(signature_algorithm, curve)
391
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]392 :param signature_algorithm: An instance of
393 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveSignatureAlgorithm`.
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]394
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]395 :param curve: An instance of
396 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`.
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]397
398 :returns: True if the signature algorithm and curve are supported by this backend.
399
400 .. method:: generate_elliptic_curve_private_key(curve)
401
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]402 :param curve: An instance of
403 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`.
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]404
Paul Kehrer77e95a02014-09-25 12:28:07 -0500[diff] [blame]405 .. method:: load_elliptic_curve_private_numbers(numbers)
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]406
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]407 :param numbers: An instance of
408 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateNumbers`.
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]409
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]410 :returns: An instance of
411 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`.
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]412
Paul Kehrer77e95a02014-09-25 12:28:07 -0500[diff] [blame]413 .. method:: load_elliptic_curve_public_numbers(numbers)
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]414
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]415 :param numbers: An instance of
416 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`.
Alex Stapleton13f1d8d2014-05-17 16:50:11 +0100[diff] [blame]417
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]418 :returns: An instance of
419 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.
Alexander Gaynora1f1afa2014-07-18 10:57:41 -0700[diff] [blame]420
Paul Kehrer533a3c92016-11-19 09:49:10 +0800[diff] [blame]421 .. method:: derive_elliptic_curve_private_key(private_value, curve)
Ofek Levc8167352016-11-11 10:54:00 -0500[diff] [blame]422
423 :param private_value: A secret scalar value.
424
425 :param curve: An instance of
426 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`.
427
Paul Kehrer533a3c92016-11-19 09:49:10 +0800[diff] [blame]428 :returns: An instance of
429 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`.
Ofek Levc8167352016-11-11 10:54:00 -0500[diff] [blame]430
Alexander Gaynore0e95412014-07-19 10:58:50 -0700[diff] [blame]431.. class:: PEMSerializationBackend
432
433 .. versionadded:: 0.6
434
435 A backend with methods for working with any PEM encoded keys.
436
437 .. method:: load_pem_private_key(data, password)
438
439 :param bytes data: PEM data to load.
440 :param bytes password: The password to use if the data is encrypted.
Alex Gaynor99e61ea2014-09-08 10:26:40 -0700[diff] [blame]441 Should be ``None`` if the data is not encrypted.
Alexander Gaynore0e95412014-07-19 10:58:50 -0700[diff] [blame]442 :return: A new instance of the appropriate type of private key that the
443 serialized data contains.
444 :raises ValueError: If the data could not be deserialized.
445 :raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
446 encrypted with an unsupported algorithm.
447
michael-hart801e8c12014-09-26 00:32:25 +0100[diff] [blame]448 .. method:: load_pem_public_key(data)
449
450 :param bytes data: PEM data to load.
Alex Gaynorb366f392014-09-29 11:07:05 -0700[diff] [blame]451 :return: A new instance of the appropriate type of public key
452 serialized data contains.
michael-hart801e8c12014-09-26 00:32:25 +0100[diff] [blame]453 :raises ValueError: If the data could not be deserialized.
454
Paul Kehrer76da86a2015-01-04 15:54:32 -0600[diff] [blame]455.. class:: DERSerializationBackend
456
457 .. versionadded:: 0.8
458
459 A backend with methods for working with DER encoded keys.
460
461 .. method:: load_der_private_key(data, password)
462
463 :param bytes data: DER data to load.
464 :param bytes password: The password to use if the data is encrypted.
465 Should be ``None`` if the data is not encrypted.
466 :return: A new instance of the appropriate type of private key that the
467 serialized data contains.
468 :raises ValueError: If the data could not be deserialized.
469 :raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
470 encrypted with an unsupported algorithm.
471
472 .. method:: load_der_public_key(data)
473
474 :param bytes data: DER data to load.
475 :return: A new instance of the appropriate type of public key
476 serialized data contains.
477 :raises ValueError: If the data could not be deserialized.
478
Paul Kehrer6c4302e2014-11-24 09:20:38 -1000[diff] [blame]479.. class:: X509Backend
480
481 .. versionadded:: 0.7
482
483 A backend with methods for working with X.509 objects.
484
485 .. method:: load_pem_x509_certificate(data)
486
487 :param bytes data: PEM formatted certificate data.
488
Paul Kehrer13b6aff2015-02-12 14:05:44 -0600[diff] [blame]489 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer8473df62014-11-24 17:13:59 -1000[diff] [blame]490
491 .. method:: load_der_x509_certificate(data)
492
493 :param bytes data: DER formatted certificate data.
494
Paul Kehrer13b6aff2015-02-12 14:05:44 -0600[diff] [blame]495 :returns: An instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]496
Paul Kehrer31e39882015-03-11 11:37:04 -0500[diff] [blame]497 .. method:: load_pem_x509_csr(data)
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]498
499 .. versionadded:: 0.9
500
Paul Kehrer7e007d52015-03-16 21:10:03 -0500[diff] [blame]501 :param bytes data: PEM formatted certificate signing request data.
Paul Kehrerdc480ad2015-02-23 12:14:54 -0600[diff] [blame]502
Paul Kehrera1a1f232015-03-15 15:34:35 -0500[diff] [blame]503 :returns: An instance of
504 :class:`~cryptography.x509.CertificateSigningRequest`.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]505
Paul Kehrera9732f52015-06-26 09:43:45 -0500[diff] [blame]506 .. method:: load_der_x509_csr(data)
507
508 .. versionadded:: 0.9
509
510 :param bytes data: DER formatted certificate signing request data.
511
512 :returns: An instance of
513 :class:`~cryptography.x509.CertificateSigningRequest`.
514
515 .. method:: create_x509_csr(builder, private_key, algorithm)
516
517 .. versionadded:: 1.0
518
519 :param builder: An instance of
520 :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
521
522 :param private_key: The
523 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
524 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
525 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
526 that will be used to sign the request. When the request is
527 signed by a certificate authority, the private key's associated
528 public key will be stored in the resulting certificate.
529
530 :param algorithm: The
531 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
532 that will be used to generate the request signature.
533
Alex Gaynor6b3184c2015-12-24 14:21:47 -0500[diff] [blame]534 :returns: A new instance of
535 :class:`~cryptography.x509.CertificateSigningRequest`.
Paul Kehrera9732f52015-06-26 09:43:45 -0500[diff] [blame]536
Paul Kehrer1ae76532015-08-06 12:37:10 +0100[diff] [blame]537 .. method:: create_x509_certificate(builder, private_key, algorithm)
Paul Kehrer0d62a072015-08-06 11:00:47 +0100[diff] [blame]538
539 .. versionadded:: 1.0
540
541 :param builder: An instance of
542 :class:`~cryptography.x509.CertificateBuilder`.
543
544 :param private_key: The
545 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
546 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
547 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
548 that will be used to sign the certificate.
549
550 :param algorithm: The
551 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
552 that will be used to generate the certificate signature.
553
Alex Gaynor6b3184c2015-12-24 14:21:47 -0500[diff] [blame]554 :returns: A new instance of :class:`~cryptography.x509.Certificate`.
Paul Kehrer0d62a072015-08-06 11:00:47 +0100[diff] [blame]555
Paul Kehrer07b7e7f2015-12-24 13:06:12 -0600[diff] [blame]556 .. method:: create_x509_crl(builder, private_key, algorithm)
557
558 .. versionadded:: 1.2
559
560 :param builder: An instance of
Paul Kehrer7eaaf0c2015-12-24 19:27:38 -0600[diff] [blame]561 :class:`~cryptography.x509.CertificateRevocationListBuilder`.
Paul Kehrer07b7e7f2015-12-24 13:06:12 -0600[diff] [blame]562
563 :param private_key: The
564 :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
565 :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
566 :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
567 that will be used to sign the CRL.
568
569 :param algorithm: The
570 :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
571 that will be used to generate the CRL signature.
572
Paul Kehrera3ef6212015-12-24 13:20:41 -0600[diff] [blame]573 :returns: A new instance of
574 :class:`~cryptography.x509.CertificateRevocationList`.
Paul Kehrer07b7e7f2015-12-24 13:06:12 -0600[diff] [blame]575
Paul Kehreraa8b0f42015-12-25 11:13:45 -0600[diff] [blame]576 .. method:: create_x509_revoked_certificate(builder)
577
578 .. versionadded:: 1.2
579
580 :param builder: An instance of RevokedCertificateBuilder.
581
582 :returns: A new instance of
583 :class:`~cryptography.x509.RevokedCertificate`.
584
Paul Kehrer3a15b032016-11-13 14:30:11 -0800[diff] [blame]585 .. method:: x509_name_bytes(name)
586
587 .. versionadded:: 1.6
588
589 :param name: An instance of :class:`~cryptography.x509.Name`.
590
591 :return bytes: The DER encoded bytes.
592
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]593.. class:: DHBackend
594
595 .. versionadded:: 0.9
596
597 A backend with methods for doing Diffie-Hellman key exchange.
598
Aviv Palivoda495f21a2016-11-25 18:51:28 +0200[diff] [blame]599 .. method:: generate_dh_parameters(generator, key_size)
600
601 :param int generator: The generator to use. Often 2 or 5.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]602
603 :param int key_size: The bit length of the prime modulus to generate.
604
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]605 :return: A new instance of
606 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]607
608 :raises ValueError: If ``key_size`` is not at least 512.
609
610 .. method:: generate_dh_private_key(parameters)
611
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]612 :param parameters: An instance of
613 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]614
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]615 :return: A new instance of
616 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]617
Aviv Palivoda495f21a2016-11-25 18:51:28 +0200[diff] [blame]618 .. method:: generate_dh_private_key_and_parameters(generator, key_size)
619
620 :param int generator: The generator to use. Often 2 or 5.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]621
622 :param int key_size: The bit length of the prime modulus to generate.
623
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]624 :return: A new instance of
625 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]626
627 :raises ValueError: If ``key_size`` is not at least 512.
628
629 .. method:: load_dh_private_numbers(numbers)
630
631 :param numbers: A
632 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateNumbers`
633 instance.
634
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]635 :return: A new instance of
636 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]637
638 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
639 when any backend specific criteria are not met.
640
641 .. method:: load_dh_public_numbers(numbers)
642
643 :param numbers: A
644 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicNumbers`
645 instance.
646
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]647 :return: A new instance of
648 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]649
650 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
651 when any backend specific criteria are not met.
652
653 .. method:: load_dh_parameter_numbers(numbers)
654
655 :param numbers: A
656 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameterNumbers`
657 instance.
658
Gabriel Orisaka6868b1f2016-07-18 21:54:23 -0300[diff] [blame]659 :return: A new instance of
660 :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`.
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]661
662 :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
663 when any backend specific criteria are not met.
664
Aviv Palivodae44efb62017-03-06 04:24:55 +0200[diff] [blame]665 .. method:: dh_parameters_supported(p, g, q=None)
Alex Stapletonb7c60292014-08-25 10:57:42 +0100[diff] [blame]666
667 :param int p: The p value of the DH key.
668
669 :param int g: The g value of the DH key.
670
Aviv Palivodae44efb62017-03-06 04:24:55 +0200[diff] [blame]671 :param int q: The q value of the DH key.
672
673 :returns: ``True`` if the given values of ``p``, ``g`` and ``q``
674 are supported by this backend, otherwise ``False``.
675
676 .. versionadded:: 1.8
677
678 .. method:: dh_x942_serialization_supported()
679
680 :returns: True if serialization of DH objects with
681 subgroup order (q) is supported by this backend.
Terry Chiad8a27df2016-09-01 23:39:57 +0800[diff] [blame]682
683
684.. class:: ScryptBackend
685
686 .. versionadded:: 1.6
687
688 A backend with methods for using Scrypt.
689
690 The following backends implement this interface:
691
692 * :doc:`/hazmat/backends/openssl`
693
694 .. method:: derive_scrypt(self, key_material, salt, length, n, r, p)
695
696 :param bytes key_material: The key material to use as a basis for
697 the derived key. This is typically a password.
698
699 :param bytes salt: A salt.
700
701 :param int length: The desired length of the derived key.
702
703 :param int n: CPU/Memory cost parameter. It must be larger than 1 and be a
704 power of 2.
705
706 :param int r: Block size parameter.
707
708 :param int p: Parallelization parameter.
709
710 :return bytes: Derived key.
711