You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
731 lines
25 KiB
731 lines
25 KiB
.. hazmat::
|
|
|
|
Backend interfaces
|
|
==================
|
|
|
|
.. currentmodule:: cryptography.hazmat.backends.interfaces
|
|
|
|
|
|
Backend implementations may provide a number of interfaces to support
|
|
operations such as :doc:`/hazmat/primitives/symmetric-encryption`,
|
|
:doc:`/hazmat/primitives/cryptographic-hashes`, and
|
|
:doc:`/hazmat/primitives/mac/hmac`.
|
|
|
|
A specific ``backend`` may provide one or more of these interfaces.
|
|
|
|
|
|
.. class:: CipherBackend
|
|
|
|
A backend that provides methods for using ciphers for encryption
|
|
and decryption.
|
|
|
|
The following backends implement this interface:
|
|
|
|
* :doc:`/hazmat/backends/openssl`
|
|
|
|
.. method:: cipher_supported(cipher, mode)
|
|
|
|
Check if a ``cipher`` and ``mode`` combination is supported by
|
|
this backend.
|
|
|
|
:param cipher: An instance of
|
|
:class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`.
|
|
|
|
:param mode: An instance of
|
|
:class:`~cryptography.hazmat.primitives.ciphers.modes.Mode`.
|
|
|
|
:returns: ``True`` if the specified ``cipher`` and ``mode`` combination
|
|
is supported by this backend, otherwise ``False``
|
|
|
|
|
|
.. method:: create_symmetric_encryption_ctx(cipher, mode)
|
|
|
|
Create a
|
|
:class:`~cryptography.hazmat.primitives.ciphers.CipherContext` that
|
|
can be used for encrypting data with the symmetric ``cipher`` using
|
|
the given ``mode``.
|
|
|
|
:param cipher: An instance of
|
|
:class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`.
|
|
|
|
:param mode: An instance of
|
|
:class:`~cryptography.hazmat.primitives.ciphers.modes.Mode`.
|
|
|
|
:returns:
|
|
:class:`~cryptography.hazmat.primitives.ciphers.CipherContext`
|
|
|
|
:raises ValueError: When tag is not None in an AEAD mode
|
|
|
|
|
|
.. method:: create_symmetric_decryption_ctx(cipher, mode)
|
|
|
|
Create a
|
|
:class:`~cryptography.hazmat.primitives.ciphers.CipherContext` that
|
|
can be used for decrypting data with the symmetric ``cipher`` using
|
|
the given ``mode``.
|
|
|
|
:param cipher: An instance of
|
|
:class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`.
|
|
|
|
:param mode: An instance of
|
|
:class:`~cryptography.hazmat.primitives.ciphers.modes.Mode`.
|
|
|
|
:returns:
|
|
:class:`~cryptography.hazmat.primitives.ciphers.CipherContext`
|
|
|
|
:raises ValueError: When tag is None in an AEAD mode
|
|
|
|
|
|
.. class:: HashBackend
|
|
|
|
A backend with methods for using cryptographic hash functions.
|
|
|
|
The following backends implement this interface:
|
|
|
|
* :doc:`/hazmat/backends/openssl`
|
|
|
|
.. method:: hash_supported(algorithm)
|
|
|
|
Check if the specified ``algorithm`` is supported by this backend.
|
|
|
|
:param algorithm: An instance of
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
|
|
|
|
:returns: ``True`` if the specified ``algorithm`` is supported by this
|
|
backend, otherwise ``False``.
|
|
|
|
|
|
.. method:: create_hash_ctx(algorithm)
|
|
|
|
Create a
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashContext` that
|
|
uses the specified ``algorithm`` to calculate a message digest.
|
|
|
|
:param algorithm: An instance of
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
|
|
|
|
:returns:
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashContext`
|
|
|
|
|
|
.. class:: HMACBackend
|
|
|
|
A backend with methods for using cryptographic hash functions as message
|
|
authentication codes.
|
|
|
|
The following backends implement this interface:
|
|
|
|
* :doc:`/hazmat/backends/openssl`
|
|
|
|
.. method:: hmac_supported(algorithm)
|
|
|
|
Check if the specified ``algorithm`` is supported by this backend.
|
|
|
|
:param algorithm: An instance of
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
|
|
|
|
:returns: ``True`` if the specified ``algorithm`` is supported for HMAC
|
|
by this backend, otherwise ``False``.
|
|
|
|
.. method:: create_hmac_ctx(key, algorithm)
|
|
|
|
Create a
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashContext` that
|
|
uses the specified ``algorithm`` to calculate a hash-based message
|
|
authentication code.
|
|
|
|
:param bytes key: Secret key as ``bytes``.
|
|
|
|
:param algorithm: An instance of
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
|
|
|
|
:returns:
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashContext`
|
|
|
|
|
|
.. class:: CMACBackend
|
|
|
|
.. versionadded:: 0.4
|
|
|
|
A backend with methods for using CMAC
|
|
|
|
.. method:: cmac_algorithm_supported(algorithm)
|
|
|
|
:param algorithm: An instance of
|
|
:class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`.
|
|
|
|
:return: Returns True if the block cipher is supported for CMAC by this backend
|
|
|
|
.. method:: create_cmac_ctx(algorithm)
|
|
|
|
Create a
|
|
:class:`~cryptography.hazmat.primitives.mac.MACContext` that
|
|
uses the specified ``algorithm`` to calculate a message authentication code.
|
|
|
|
:param algorithm: An instance of
|
|
:class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`.
|
|
|
|
:returns:
|
|
:class:`~cryptography.hazmat.primitives.mac.MACContext`
|
|
|
|
|
|
.. class:: PBKDF2HMACBackend
|
|
|
|
.. versionadded:: 0.2
|
|
|
|
A backend with methods for using PBKDF2 using HMAC as a PRF.
|
|
|
|
The following backends implement this interface:
|
|
|
|
* :doc:`/hazmat/backends/openssl`
|
|
|
|
.. method:: pbkdf2_hmac_supported(algorithm)
|
|
|
|
Check if the specified ``algorithm`` is supported by this backend.
|
|
|
|
:param algorithm: An instance of
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
|
|
|
|
:returns: ``True`` if the specified ``algorithm`` is supported for
|
|
PBKDF2 HMAC by this backend, otherwise ``False``.
|
|
|
|
.. method:: derive_pbkdf2_hmac(self, algorithm, length, salt, iterations, key_material)
|
|
|
|
:param algorithm: An instance of
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
|
|
|
|
:param int length: The desired length of the derived key. Maximum is
|
|
(2\ :sup:`32` - 1) * ``algorithm.digest_size``
|
|
|
|
:param bytes salt: A salt.
|
|
|
|
:param int iterations: The number of iterations to perform of the hash
|
|
function. This can be used to control the length of time the
|
|
operation takes. Higher numbers help mitigate brute force attacks
|
|
against derived keys.
|
|
|
|
:param bytes key_material: The key material to use as a basis for
|
|
the derived key. This is typically a password.
|
|
|
|
:return bytes: Derived key.
|
|
|
|
|
|
.. class:: RSABackend
|
|
|
|
.. versionadded:: 0.2
|
|
|
|
A backend with methods for using RSA.
|
|
|
|
.. method:: generate_rsa_private_key(public_exponent, key_size)
|
|
|
|
:param int public_exponent: The public exponent of the new key.
|
|
Often one of the small Fermat primes 3, 5, 17, 257 or 65537.
|
|
|
|
:param int key_size: The length in bits of the modulus. Should be
|
|
at least 2048.
|
|
|
|
:return: A new instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`.
|
|
|
|
:raises ValueError: If the public_exponent is not valid.
|
|
|
|
.. method:: rsa_padding_supported(padding)
|
|
|
|
Check if the specified ``padding`` is supported by the backend.
|
|
|
|
:param padding: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding`.
|
|
|
|
:returns: ``True`` if the specified ``padding`` is supported by this
|
|
backend, otherwise ``False``.
|
|
|
|
.. method:: generate_rsa_parameters_supported(public_exponent, key_size)
|
|
|
|
Check if the specified parameters are supported for key generation by
|
|
the backend.
|
|
|
|
:param int public_exponent: The public exponent.
|
|
|
|
:param int key_size: The bit length of the generated modulus.
|
|
|
|
.. method:: load_rsa_private_numbers(numbers)
|
|
|
|
:param numbers: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers`.
|
|
|
|
:returns: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`.
|
|
|
|
:raises ValueError: This is raised when the values of ``p``, ``q``,
|
|
``private_exponent``, ``public_exponent``, or ``modulus`` do not
|
|
match the bounds specified in :rfc:`3447`.
|
|
|
|
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
|
|
when any backend specific criteria are not met.
|
|
|
|
.. method:: load_rsa_public_numbers(numbers)
|
|
|
|
:param numbers: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicNumbers`.
|
|
|
|
:returns: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`.
|
|
|
|
:raises ValueError: This is raised when the values of
|
|
``public_exponent`` or ``modulus`` do not match the bounds
|
|
specified in :rfc:`3447`.
|
|
|
|
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
|
|
when any backend specific criteria are not met.
|
|
|
|
|
|
.. class:: DSABackend
|
|
|
|
.. versionadded:: 0.4
|
|
|
|
A backend with methods for using DSA.
|
|
|
|
.. method:: generate_dsa_parameters(key_size)
|
|
|
|
:param int key_size: The length of the modulus in bits. It should be
|
|
either 1024, 2048 or 3072. For keys generated in 2015 this should
|
|
be at least 2048.
|
|
Note that some applications (such as SSH) have not yet gained
|
|
support for larger key sizes specified in FIPS 186-3 and are still
|
|
restricted to only the 1024-bit keys specified in FIPS 186-2.
|
|
|
|
:return: A new instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`.
|
|
|
|
.. method:: generate_dsa_private_key(parameters)
|
|
|
|
:param parameters: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`.
|
|
|
|
:return: A new instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
|
|
|
|
:raises ValueError: This is raised if the key size is not one of 1024,
|
|
2048, or 3072.
|
|
|
|
.. method:: generate_dsa_private_key_and_parameters(key_size)
|
|
|
|
:param int key_size: The length of the modulus in bits. It should be
|
|
either 1024, 2048 or 3072. For keys generated in 2015 this should
|
|
be at least 2048.
|
|
Note that some applications (such as SSH) have not yet gained
|
|
support for larger key sizes specified in FIPS 186-3 and are still
|
|
restricted to only the 1024-bit keys specified in FIPS 186-2.
|
|
|
|
:return: A new instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
|
|
|
|
:raises ValueError: This is raised if the key size is not supported
|
|
by the backend.
|
|
|
|
.. method:: dsa_hash_supported(algorithm)
|
|
|
|
:param algorithm: An instance of
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
|
|
|
|
:returns: ``True`` if the specified ``algorithm`` is supported by this
|
|
backend, otherwise ``False``.
|
|
|
|
.. method:: dsa_parameters_supported(p, q, g)
|
|
|
|
:param int p: The p value of a DSA key.
|
|
|
|
:param int q: The q value of a DSA key.
|
|
|
|
:param int g: The g value of a DSA key.
|
|
|
|
:returns: ``True`` if the given values of ``p``, ``q``, and ``g`` are
|
|
supported by this backend, otherwise ``False``.
|
|
|
|
.. method:: load_dsa_parameter_numbers(numbers)
|
|
|
|
:param numbers: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameterNumbers`.
|
|
|
|
:returns: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`.
|
|
|
|
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
|
|
when any backend specific criteria are not met.
|
|
|
|
.. method:: load_dsa_private_numbers(numbers)
|
|
|
|
:param numbers: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateNumbers`.
|
|
|
|
:returns: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`.
|
|
|
|
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
|
|
when any backend specific criteria are not met.
|
|
|
|
.. method:: load_dsa_public_numbers(numbers)
|
|
|
|
:param numbers: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicNumbers`.
|
|
|
|
:returns: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`.
|
|
|
|
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
|
|
when any backend specific criteria are not met.
|
|
|
|
|
|
.. class:: EllipticCurveBackend
|
|
|
|
.. versionadded:: 0.5
|
|
|
|
.. method:: elliptic_curve_supported(curve)
|
|
|
|
:param curve: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`.
|
|
|
|
:returns: True if the elliptic curve is supported by this backend.
|
|
|
|
.. method:: elliptic_curve_signature_algorithm_supported(signature_algorithm, curve)
|
|
|
|
:param signature_algorithm: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveSignatureAlgorithm`.
|
|
|
|
:param curve: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`.
|
|
|
|
:returns: True if the signature algorithm and curve are supported by this backend.
|
|
|
|
.. method:: generate_elliptic_curve_private_key(curve)
|
|
|
|
:param curve: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`.
|
|
|
|
.. method:: load_elliptic_curve_private_numbers(numbers)
|
|
|
|
:param numbers: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateNumbers`.
|
|
|
|
:returns: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`.
|
|
|
|
.. method:: load_elliptic_curve_public_numbers(numbers)
|
|
|
|
:param numbers: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`.
|
|
|
|
:returns: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.
|
|
|
|
.. method:: derive_elliptic_curve_private_key(private_value, curve)
|
|
|
|
:param private_value: A secret scalar value.
|
|
|
|
:param curve: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`.
|
|
|
|
:returns: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`.
|
|
|
|
.. class:: PEMSerializationBackend
|
|
|
|
.. versionadded:: 0.6
|
|
|
|
A backend with methods for working with any PEM encoded keys.
|
|
|
|
.. method:: load_pem_private_key(data, password)
|
|
|
|
:param bytes data: PEM data to load.
|
|
:param bytes password: The password to use if the data is encrypted.
|
|
Should be ``None`` if the data is not encrypted.
|
|
:return: A new instance of the appropriate type of private key that the
|
|
serialized data contains.
|
|
:raises ValueError: If the data could not be deserialized.
|
|
:raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
|
|
encrypted with an unsupported algorithm.
|
|
|
|
.. method:: load_pem_public_key(data)
|
|
|
|
:param bytes data: PEM data to load.
|
|
:return: A new instance of the appropriate type of public key
|
|
serialized data contains.
|
|
:raises ValueError: If the data could not be deserialized.
|
|
|
|
.. method:: load_pem_parameters(data)
|
|
|
|
.. versionadded:: 2.0
|
|
|
|
:param bytes data: PEM data to load.
|
|
:return: A new instance of the appropriate type of asymmetric
|
|
parameters the serialized data contains.
|
|
:raises ValueError: If the data could not be deserialized.
|
|
|
|
.. class:: DERSerializationBackend
|
|
|
|
.. versionadded:: 0.8
|
|
|
|
A backend with methods for working with DER encoded keys.
|
|
|
|
.. method:: load_der_private_key(data, password)
|
|
|
|
:param bytes data: DER data to load.
|
|
:param bytes password: The password to use if the data is encrypted.
|
|
Should be ``None`` if the data is not encrypted.
|
|
:return: A new instance of the appropriate type of private key that the
|
|
serialized data contains.
|
|
:raises ValueError: If the data could not be deserialized.
|
|
:raises cryptography.exceptions.UnsupportedAlgorithm: If the data is
|
|
encrypted with an unsupported algorithm.
|
|
|
|
.. method:: load_der_public_key(data)
|
|
|
|
:param bytes data: DER data to load.
|
|
:return: A new instance of the appropriate type of public key
|
|
serialized data contains.
|
|
:raises ValueError: If the data could not be deserialized.
|
|
|
|
.. method:: load_der_parameters(data)
|
|
|
|
.. versionadded:: 2.0
|
|
|
|
:param bytes data: DER data to load.
|
|
:return: A new instance of the appropriate type of asymmetric
|
|
parameters the serialized data contains.
|
|
:raises ValueError: If the data could not be deserialized.
|
|
|
|
|
|
.. class:: X509Backend
|
|
|
|
.. versionadded:: 0.7
|
|
|
|
A backend with methods for working with X.509 objects.
|
|
|
|
.. method:: load_pem_x509_certificate(data)
|
|
|
|
:param bytes data: PEM formatted certificate data.
|
|
|
|
:returns: An instance of :class:`~cryptography.x509.Certificate`.
|
|
|
|
.. method:: load_der_x509_certificate(data)
|
|
|
|
:param bytes data: DER formatted certificate data.
|
|
|
|
:returns: An instance of :class:`~cryptography.x509.Certificate`.
|
|
|
|
.. method:: load_pem_x509_csr(data)
|
|
|
|
.. versionadded:: 0.9
|
|
|
|
:param bytes data: PEM formatted certificate signing request data.
|
|
|
|
:returns: An instance of
|
|
:class:`~cryptography.x509.CertificateSigningRequest`.
|
|
|
|
.. method:: load_der_x509_csr(data)
|
|
|
|
.. versionadded:: 0.9
|
|
|
|
:param bytes data: DER formatted certificate signing request data.
|
|
|
|
:returns: An instance of
|
|
:class:`~cryptography.x509.CertificateSigningRequest`.
|
|
|
|
.. method:: create_x509_csr(builder, private_key, algorithm)
|
|
|
|
.. versionadded:: 1.0
|
|
|
|
:param builder: An instance of
|
|
:class:`~cryptography.x509.CertificateSigningRequestBuilder`.
|
|
|
|
:param private_key: The
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
|
|
that will be used to sign the request. When the request is
|
|
signed by a certificate authority, the private key's associated
|
|
public key will be stored in the resulting certificate.
|
|
|
|
:param algorithm: The
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
|
|
that will be used to generate the request signature.
|
|
|
|
:returns: A new instance of
|
|
:class:`~cryptography.x509.CertificateSigningRequest`.
|
|
|
|
.. method:: create_x509_certificate(builder, private_key, algorithm)
|
|
|
|
.. versionadded:: 1.0
|
|
|
|
:param builder: An instance of
|
|
:class:`~cryptography.x509.CertificateBuilder`.
|
|
|
|
:param private_key: The
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
|
|
that will be used to sign the certificate.
|
|
|
|
:param algorithm: The
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
|
|
that will be used to generate the certificate signature.
|
|
|
|
:returns: A new instance of :class:`~cryptography.x509.Certificate`.
|
|
|
|
.. method:: create_x509_crl(builder, private_key, algorithm)
|
|
|
|
.. versionadded:: 1.2
|
|
|
|
:param builder: An instance of
|
|
:class:`~cryptography.x509.CertificateRevocationListBuilder`.
|
|
|
|
:param private_key: The
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
|
|
that will be used to sign the CRL.
|
|
|
|
:param algorithm: The
|
|
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
|
|
that will be used to generate the CRL signature.
|
|
|
|
:returns: A new instance of
|
|
:class:`~cryptography.x509.CertificateRevocationList`.
|
|
|
|
.. method:: create_x509_revoked_certificate(builder)
|
|
|
|
.. versionadded:: 1.2
|
|
|
|
:param builder: An instance of RevokedCertificateBuilder.
|
|
|
|
:returns: A new instance of
|
|
:class:`~cryptography.x509.RevokedCertificate`.
|
|
|
|
.. method:: x509_name_bytes(name)
|
|
|
|
.. versionadded:: 1.6
|
|
|
|
:param name: An instance of :class:`~cryptography.x509.Name`.
|
|
|
|
:return bytes: The DER encoded bytes.
|
|
|
|
.. class:: DHBackend
|
|
|
|
.. versionadded:: 0.9
|
|
|
|
A backend with methods for doing Diffie-Hellman key exchange.
|
|
|
|
.. method:: generate_dh_parameters(generator, key_size)
|
|
|
|
:param int generator: The generator to use. Often 2 or 5.
|
|
|
|
:param int key_size: The bit length of the prime modulus to generate.
|
|
|
|
:return: A new instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`.
|
|
|
|
:raises ValueError: If ``key_size`` is not at least 512.
|
|
|
|
.. method:: generate_dh_private_key(parameters)
|
|
|
|
:param parameters: An instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`.
|
|
|
|
:return: A new instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`.
|
|
|
|
.. method:: generate_dh_private_key_and_parameters(generator, key_size)
|
|
|
|
:param int generator: The generator to use. Often 2 or 5.
|
|
|
|
:param int key_size: The bit length of the prime modulus to generate.
|
|
|
|
:return: A new instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`.
|
|
|
|
:raises ValueError: If ``key_size`` is not at least 512.
|
|
|
|
.. method:: load_dh_private_numbers(numbers)
|
|
|
|
:param numbers: A
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateNumbers`
|
|
instance.
|
|
|
|
:return: A new instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`.
|
|
|
|
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
|
|
when any backend specific criteria are not met.
|
|
|
|
.. method:: load_dh_public_numbers(numbers)
|
|
|
|
:param numbers: A
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicNumbers`
|
|
instance.
|
|
|
|
:return: A new instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`.
|
|
|
|
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
|
|
when any backend specific criteria are not met.
|
|
|
|
.. method:: load_dh_parameter_numbers(numbers)
|
|
|
|
:param numbers: A
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameterNumbers`
|
|
instance.
|
|
|
|
:return: A new instance of
|
|
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`.
|
|
|
|
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
|
|
when any backend specific criteria are not met.
|
|
|
|
.. method:: dh_parameters_supported(p, g, q=None)
|
|
|
|
:param int p: The p value of the DH key.
|
|
|
|
:param int g: The g value of the DH key.
|
|
|
|
:param int q: The q value of the DH key.
|
|
|
|
:returns: ``True`` if the given values of ``p``, ``g`` and ``q``
|
|
are supported by this backend, otherwise ``False``.
|
|
|
|
.. versionadded:: 1.8
|
|
|
|
.. method:: dh_x942_serialization_supported()
|
|
|
|
:returns: True if serialization of DH objects with
|
|
subgroup order (q) is supported by this backend.
|
|
|
|
|
|
.. class:: ScryptBackend
|
|
|
|
.. versionadded:: 1.6
|
|
|
|
A backend with methods for using Scrypt.
|
|
|
|
The following backends implement this interface:
|
|
|
|
* :doc:`/hazmat/backends/openssl`
|
|
|
|
.. method:: derive_scrypt(self, key_material, salt, length, n, r, p)
|
|
|
|
:param bytes key_material: The key material to use as a basis for
|
|
the derived key. This is typically a password.
|
|
|
|
:param bytes salt: A salt.
|
|
|
|
:param int length: The desired length of the derived key.
|
|
|
|
:param int n: CPU/Memory cost parameter. It must be larger than 1 and be a
|
|
power of 2.
|
|
|
|
:param int r: Block size parameter.
|
|
|
|
:param int p: Parallelization parameter.
|
|
|
|
:return bytes: Derived key.
|
|
|