Danger

This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.

Backend interfaces

Backend implementations may provide a number of interfaces to support operations such as Symmetric encryption, Message digests, and Hash-based message authentication codes.

A specific backend may provide one or more of these interfaces.

class cryptography.hazmat.backends.interfaces.CipherBackend

A backend that provides methods for using ciphers for encryption and decryption.

The following backends implement this interface:

cipher_supported(cipher, mode)

Check if a cipher and mode combination is supported by this backend.

Parameters:
  • cipher – An instance of a CipherAlgorithm provider.
  • mode – An instance of a Mode provider.
Returns:

True if the specified cipher and mode combination is supported by this backend, otherwise False

create_symmetric_encryption_ctx(cipher, mode)

Create a CipherContext that can be used for encrypting data with the symmetric cipher using the given mode.

Parameters:
  • cipher – An instance of a CipherAlgorithm provider.
  • mode – An instance of a Mode provider.
Returns:

CipherContext

Raises ValueError:
 

When tag is not None in an AEAD mode

create_symmetric_decryption_ctx(cipher, mode)

Create a CipherContext that can be used for decrypting data with the symmetric cipher using the given mode.

Parameters:
  • cipher – An instance of a CipherAlgorithm provider.
  • mode – An instance of a Mode provider.
Returns:

CipherContext

Raises ValueError:
 

When tag is None in an AEAD mode

class cryptography.hazmat.backends.interfaces.HashBackend

A backend with methods for using cryptographic hash functions.

The following backends implement this interface:

hash_supported(algorithm)

Check if the specified algorithm is supported by this backend.

Parameters:algorithm – An instance of a HashAlgorithm provider.
Returns:True if the specified algorithm is supported by this backend, otherwise False.
create_hash_ctx(algorithm)

Create a HashContext that uses the specified algorithm to calculate a message digest.

Parameters:algorithm – An instance of a HashAlgorithm provider.
Returns:HashContext
class cryptography.hazmat.backends.interfaces.HMACBackend

A backend with methods for using cryptographic hash functions as message authentication codes.

The following backends implement this interface:

hmac_supported(algorithm)

Check if the specified algorithm is supported by this backend.

Parameters:algorithm – An instance of a HashAlgorithm provider.
Returns:True if the specified algorithm is supported for HMAC by this backend, otherwise False.
create_hmac_ctx(key, algorithm)

Create a HashContext that uses the specified algorithm to calculate a hash-based message authentication code.

Parameters:
  • key (bytes) – Secret key as bytes.
  • algorithm – An instance of a HashAlgorithm provider.
Returns:

HashContext

class cryptography.hazmat.backends.interfaces.CMACBackend

New in version 0.4.

A backend with methods for using CMAC

cmac_algorithm_supported(algorithm)
Parameters:algorithm – An instance of a BlockCipherAlgorithm provider.
Returns:Returns True if the block cipher is supported for CMAC by this backend
create_cmac_ctx(algorithm)

Create a MACContext that uses the specified algorithm to calculate a message authentication code.

Parameters:algorithm – An instance of a BlockCipherAlgorithm provider.
Returns:MACContext
class cryptography.hazmat.backends.interfaces.PBKDF2HMACBackend

New in version 0.2.

A backend with methods for using PBKDF2 using HMAC as a PRF.

The following backends implement this interface:

pbkdf2_hmac_supported(algorithm)

Check if the specified algorithm is supported by this backend.

Parameters:algorithm – An instance of a HashAlgorithm provider.
Returns:True if the specified algorithm is supported for PBKDF2 HMAC by this backend, otherwise False.
derive_pbkdf2_hmac(self, algorithm, length, salt, iterations, key_material)
Parameters:
  • algorithm – An instance of a HashAlgorithm provider.
  • length (int) – The desired length of the derived key. Maximum is (232 - 1) * algorithm.digest_size
  • salt (bytes) – A salt.
  • iterations (int) – The number of iterations to perform of the hash function. This can be used to control the length of time the operation takes. Higher numbers help mitigate brute force attacks against derived keys.
  • key_material (bytes) – The key material to use as a basis for the derived key. This is typically a password.
Return bytes:

Derived key.

class cryptography.hazmat.backends.interfaces.RSABackend

New in version 0.2.

A backend with methods for using RSA.

generate_rsa_private_key(public_exponent, key_size)
Parameters:
  • public_exponent (int) – The public exponent of the new key. Often one of the small Fermat primes 3, 5, 17, 257 or 65537.
  • key_size (int) – The length in bits of the modulus. Should be at least 2048.
Returns:

A new instance of a RSAPrivateKey provider.

Raises ValueError:
 

If the public_exponent is not valid.

rsa_padding_supported(padding)

Check if the specified padding is supported by the backend.

Parameters:padding – An instance of an AsymmetricPadding provider.
Returns:True if the specified padding is supported by this backend, otherwise False.
generate_rsa_parameters_supported(public_exponent, key_size)

Check if the specified parameters are supported for key generation by the backend.

Parameters:
  • public_exponent (int) – The public exponent.
  • key_size (int) – The bit length of the generated modulus.
load_rsa_private_numbers(numbers)
Parameters:

numbers – An instance of RSAPrivateNumbers.

Returns:

A provider of RSAPrivateKey.

Raises:
  • ValueError – This is raised when the values of p, q, private_exponent, public_exponent, or modulus do not match the bounds specified in RFC 3447.
  • cryptography.exceptions.UnsupportedAlgorithm – This is raised when any backend specific criteria are not met.
load_rsa_public_numbers(numbers)
Parameters:

numbers – An instance of RSAPrivateNumbers.

Returns:

A provider of RSAPublicKey.

Raises:
class cryptography.hazmat.backends.interfaces.DSABackend

New in version 0.4.

A backend with methods for using DSA.

generate_dsa_parameters(key_size)
Parameters:key_size (int) – The length of the modulus in bits. It should be either 1024, 2048 or 3072. For keys generated in 2015 this should be at least 2048. Note that some applications (such as SSH) have not yet gained support for larger key sizes specified in FIPS 186-3 and are still restricted to only the 1024-bit keys specified in FIPS 186-2.
Returns:A new instance of a DSAParameters provider.
generate_dsa_private_key(parameters)
Parameters:parameters – A DSAParameters provider.
Returns:A new instance of a DSAPrivateKey provider.
Raises ValueError:
 This is raised if the key size is not one of 1024, 2048, or 3072. It is also raised when OpenSSL is older than version 1.0.0 and the key size is larger than 1024; older OpenSSL versions do not support keys larger than 1024 bits.
generate_dsa_private_key_and_parameters(key_size)
Parameters:key_size (int) – The length of the modulus in bits. It should be either 1024, 2048 or 3072. For keys generated in 2015 this should be at least 2048. Note that some applications (such as SSH) have not yet gained support for larger key sizes specified in FIPS 186-3 and are still restricted to only the 1024-bit keys specified in FIPS 186-2.
Returns:A new instance of a DSAPrivateKey provider.
Raises ValueError:
 This is raised if the key size is not supported by the backend.
dsa_hash_supported(algorithm)
Parameters:algorithm – An instance of a HashAlgorithm provider.
Returns:True if the specified algorithm is supported by this backend, otherwise False.
dsa_parameters_supported(p, q, g)
Parameters:
  • p (int) – The p value of a DSA key.
  • q (int) – The q value of a DSA key.
  • g (int) – The g value of a DSA key.
Returns:

True if the given values of p, q, and g are supported by this backend, otherwise False.

load_dsa_parameter_numbers(numbers)
Parameters:numbers – An instance of DSAParameterNumbers.
Returns:A provider of DSAParameters.
Raises cryptography.exceptions.UnsupportedAlgorithm:
 This is raised when any backend specific criteria are not met.
load_dsa_private_numbers(numbers)
Parameters:numbers – An instance of DSAPrivateNumbers.
Returns:A provider of DSAPrivateKey.
Raises cryptography.exceptions.UnsupportedAlgorithm:
 This is raised when any backend specific criteria are not met.
load_dsa_public_numbers(numbers)
Parameters:numbers – An instance of DSAPublicNumbers.
Returns:A provider of DSAPublicKey.
Raises cryptography.exceptions.UnsupportedAlgorithm:
 This is raised when any backend specific criteria are not met.
class cryptography.hazmat.backends.interfaces.EllipticCurveBackend

New in version 0.5.

elliptic_curve_supported(curve)
Parameters:curve – An instance of a EllipticCurve provider.
Returns:True if the elliptic curve is supported by this backend.
elliptic_curve_signature_algorithm_supported(signature_algorithm, curve)
Parameters:
Returns:

True if the signature algorithm and curve are supported by this backend.

generate_elliptic_curve_private_key(curve)
Parameters:curve – An instance of a EllipticCurve provider.
load_elliptic_curve_private_numbers(numbers)
Parameters:numbers – An instance of a EllipticCurvePrivateNumbers provider.
Returns:An instance of a EllipticCurvePrivateKey provider.
load_elliptic_curve_public_numbers(numbers)
Parameters:numbers – An instance of a EllipticCurvePublicNumbers provider.
Returns:An instance of a EllipticCurvePublicKey provider.
class cryptography.hazmat.backends.interfaces.PEMSerializationBackend

New in version 0.6.

A backend with methods for working with any PEM encoded keys.

load_pem_private_key(data, password)
Parameters:
  • data (bytes) – PEM data to load.
  • password (bytes) – The password to use if the data is encrypted. Should be None if the data is not encrypted.
Returns:

A new instance of the appropriate type of private key that the serialized data contains.

Raises:
load_pem_public_key(data)
Parameters:data (bytes) – PEM data to load.
Returns:A new instance of the appropriate type of public key serialized data contains.
Raises ValueError:
 If the data could not be deserialized.
class cryptography.hazmat.backends.interfaces.DERSerializationBackend

New in version 0.8.

A backend with methods for working with DER encoded keys.

load_der_private_key(data, password)
Parameters:
  • data (bytes) – DER data to load.
  • password (bytes) – The password to use if the data is encrypted. Should be None if the data is not encrypted.
Returns:

A new instance of the appropriate type of private key that the serialized data contains.

Raises:
load_der_public_key(data)
Parameters:data (bytes) – DER data to load.
Returns:A new instance of the appropriate type of public key serialized data contains.
Raises ValueError:
 If the data could not be deserialized.
class cryptography.hazmat.backends.interfaces.X509Backend

New in version 0.7.

A backend with methods for working with X.509 objects.

load_pem_x509_certificate(data)
Parameters:data (bytes) – PEM formatted certificate data.
Returns:An instance of Certificate.
load_der_x509_certificate(data)
Parameters:data (bytes) – DER formatted certificate data.
Returns:An instance of Certificate.
load_pem_x509_csr(data)

New in version 0.9.

Parameters:data (bytes) – PEM formatted certificate signing request data.
Returns:An instance of CertificateSigningRequest.
load_der_x509_csr(data)

New in version 0.9.

Parameters:data (bytes) – DER formatted certificate signing request data.
Returns:An instance of CertificateSigningRequest.
create_x509_csr(builder, private_key, algorithm)

New in version 1.0.

Parameters:
Returns:

A new instance of CertificateSigningRequest.

create_x509_certificate(builder, private_key, algorithm)

New in version 1.0.

Parameters:
Returns:

A new instance of Certificate.

create_x509_crl(builder, private_key, algorithm)

New in version 1.2.

Parameters:
Returns:

A new instance of CertificateRevocationList.

create_x509_revoked_certificate(builder)

New in version 1.2.

Parameters:builder – An instance of RevokedCertificateBuilder.
Returns:A new instance of RevokedCertificate.
class cryptography.hazmat.backends.interfaces.DHBackend

New in version 0.9.

A backend with methods for doing Diffie-Hellman key exchange.

generate_dh_parameters(key_size)
Parameters:key_size (int) – The bit length of the prime modulus to generate.
Returns:A new instance of a DHParameters provider.
Raises ValueError:
 If key_size is not at least 512.
generate_dh_private_key(parameters)
Parameters:parameters – A DHParameters provider.
Returns:A new instance of a DHPrivateKey provider.
generate_dh_private_key_and_parameters(self, key_size)
Parameters:key_size (int) – The bit length of the prime modulus to generate.
Returns:A new instance of a DHPrivateKey provider.
Raises ValueError:
 If key_size is not at least 512.
load_dh_private_numbers(numbers)
Parameters:numbers – A DHPrivateNumbers instance.
Returns:A new instance of a DHPrivateKey provider.
Raises cryptography.exceptions.UnsupportedAlgorithm:
 This is raised when any backend specific criteria are not met.
load_dh_public_numbers(numbers)
Parameters:numbers – A DHPublicNumbers instance.
Returns:A new instance of a DHPublicKey provider.
Raises cryptography.exceptions.UnsupportedAlgorithm:
 This is raised when any backend specific criteria are not met.
load_dh_parameter_numbers(numbers)
Parameters:numbers – A DHParameterNumbers instance.
Returns:A new instance of a DHParameters provider.
Raises cryptography.exceptions.UnsupportedAlgorithm:
 This is raised when any backend specific criteria are not met.
dh_parameters_supported(p, g)
Parameters:
  • p (int) – The p value of the DH key.
  • g (int) – The g value of the DH key.
Returns:

True if the given values of p and g are supported by this backend, otherwise False.