Commit cc520034 authored by SVN-Git Migration

Imported Upstream version 0.9.3

parent 8e61cbc4
......@@ -20,3 +20,5 @@ PGP key fingerprints are enclosed in parentheses.
* Michael Hart <michael.hart1994@gmail.com>
* Mark Adams <mark@markadams.me> (A18A 7DD3 283C CF2A B0CE FE0E C7A0 5E3F C972 098C)
* Gregory Haynes <greg@greghaynes.net> (6FB6 44BF 9FD0 EBA2 1CE9 471F B08F 42F9 0DC6 599F)
* Chelsea Winfree <chelsea.winfree@gmail.com>
* Steven Buss <steven.buss@gmail.com> (1FB9 2EC1 CF93 DFD6 B47F F583 B1A5 6C22 290D A4C3)
Changelog
=========
0.9.3 - 2015-07-09
~~~~~~~~~~~~~~~~~~
* Updated Windows wheels to be compiled against OpenSSL 1.0.2d.
0.9.2 - 2015-07-04
~~~~~~~~~~~~~~~~~~
* Updated Windows wheels to be compiled against OpenSSL 1.0.2c.
0.9.1 - 2015-06-06
~~~~~~~~~~~~~~~~~~
* **SECURITY ISSUE**: Fixed a double free in the OpenSSL backend when using DSA
to verify signatures. Note that this only affects PyPy 2.6.0 and (presently
unreleased) CFFI versions greater than 1.1.0.
0.9 - 2015-05-13
~~~~~~~~~~~~~~~~
* Removed support for Python 3.2. This version of Python is rarely used
and caused support headaches. Users affected by this should upgrade to 3.3+.
* Deprecated support for Python 2.6. At the time there is no time table for
actually dropping support, however we strongly encourage all users to upgrade
their Python, as Python 2.6 no longer receives support from the Python core
team.
* Add support for the
:class:`~cryptography.hazmat.primitives.asymmetric.ec.SECP256K1` elliptic
curve.
* Fixed compilation when using an OpenSSL which was compiled with the
``no-comp`` (``OPENSSL_NO_COMP``) option.
* Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
serialization of public keys using the ``public_bytes`` method of
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKeyWithSerialization`,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKeyWithSerialization`,
and
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKeyWithSerialization`.
* Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER`
serialization of private keys using the ``private_bytes`` method of
:class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization`,
:class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithSerialization`,
and
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization`.
* Add support for parsing X.509 certificate signing requests (CSRs) with
:func:`~cryptography.x509.load_pem_x509_csr` and
:func:`~cryptography.x509.load_der_x509_csr`.
* Moved ``cryptography.exceptions.InvalidToken`` to
:class:`cryptography.hazmat.primitives.twofactor.InvalidToken` and deprecated
the old location. This was moved to minimize confusion between this exception
and :class:`cryptography.fernet.InvalidToken`.
* Added support for X.509 extensions in :class:`~cryptography.x509.Certificate`
objects. The following extensions are supported as of this release:
* :class:`~cryptography.x509.BasicConstraints`
* :class:`~cryptography.x509.AuthorityKeyIdentifier`
* :class:`~cryptography.x509.SubjectKeyIdentifier`
* :class:`~cryptography.x509.KeyUsage`
* :class:`~cryptography.x509.SubjectAlternativeName`
* :class:`~cryptography.x509.ExtendedKeyUsage`
* :class:`~cryptography.x509.CRLDistributionPoints`
* :class:`~cryptography.x509.AuthorityInformationAccess`
* :class:`~cryptography.x509.CertificatePolicies`
Note that unsupported extensions with the critical flag raise
:class:`~cryptography.x509.UnsupportedExtension` while unsupported extensions
set to non-critical are silently ignored. Read the
:doc:`X.509 documentation</x509>` for more information.
0.8.2 - 2015-04-10
~~~~~~~~~~~~~~~~~~
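Review bot: the 0.9 entry on Python 2.6 reads "At the time there is no time table"; it should say "At this time there is no timetable". The entries also mix tenses ("Add support for the SECP256K1 elliptic curve", "Add support for parsing X.509 certificate signing requests" next to "Fixed", "Removed", "Deprecated", "Moved"); the rest of the changelog uses the past tense, so "Added support for" would match. The sentence explaining that unsupported critical extensions raise UnsupportedExtension while unsupported non-critical ones are silently ignored is worth keeping exactly where it is: anyone parsing certificates from untrusted input needs to know which extensions the parser will skip without telling them.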
......@@ -167,8 +235,7 @@ Changelog
* More bit-lengths are now supported for ``p`` and ``q`` when loading DSA keys
from numbers.
* Added :class:`~cryptography.hazmat.primitives.interfaces.MACContext` as a
common interface for CMAC and HMAC and deprecated
:class:`~cryptography.hazmat.primitives.interfaces.CMACContext`.
common interface for CMAC and HMAC and deprecated ``CMACContext``.
* Added support for encoding and decoding :rfc:`6979` signatures in
:doc:`/hazmat/primitives/asymmetric/utils`.
* Added
......
......@@ -8,6 +8,7 @@ include README.rst
recursive-include docs *
recursive-include src/cryptography/hazmat/primitives/src *.c *.h
recursive-include src/cryptography/hazmat/bindings/openssl/src *.c *.h
prune docs/_build
recursive-include tests *.py
recursive-exclude vectors *
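Review bot: `recursive-exclude vectors *` removes the test vectors from the sdist while `recursive-include tests *.py` still ships the tests that load them (the new secp256k1 scripts in this commit import open_vector_file from cryptography_vectors and load_vectors_from_file from tests.utils). The change is fine for keeping the sdist small, but the packaging or testing docs should state that the cryptography_vectors package of the same version has to be installed separately before the shipped tests can run from an sdist, otherwise downstream packagers will see every vector-backed test fail with a missing-file error.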
Metadata-Version: 1.1
Name: cryptography
Version: 0.8.2
Version: 0.9.3
Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The cryptography developers
......@@ -26,7 +26,7 @@ Description: Cryptography
``cryptography`` is a package which provides cryptographic recipes and
primitives to Python developers. Our goal is for it to be your "cryptographic
standard library". It supports Python 2.6-2.7, Python 3.2+, and PyPy.
standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy.
``cryptography`` includes both high level recipes, and low level interfaces to
common cryptographic algorithms such as symmetric ciphers, message digests and
......@@ -77,7 +77,6 @@ Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.6
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.2
Classifier: Programming Language :: Python :: 3.3
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: Implementation :: CPython
......
......@@ -18,7 +18,7 @@ Cryptography
``cryptography`` is a package which provides cryptographic recipes and
primitives to Python developers. Our goal is for it to be your "cryptographic
standard library". It supports Python 2.6-2.7, Python 3.2+, and PyPy.
standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy.
``cryptography`` includes both high level recipes, and low level interfaces to
common cryptographic algorithms such as symmetric ciphers, message digests and
......
SECP256K1 vector creation
=========================
This page documents the code that was used to generate the SECP256K1 elliptic
curve test vectors as well as code used to verify them against another
implementation.
Creation
--------
The vectors are generated using a `pure Python ecdsa`_ implementation. The test
messages and combinations of algorithms are derived from the NIST vector data.
.. literalinclude:: /development/custom-vectors/secp256k1/generate_secp256k1.py
Download link: :download:`generate_secp256k1.py
</development/custom-vectors/secp256k1/generate_secp256k1.py>`
Verification
------------
``cryptography`` was modified to support the SECP256K1 curve. Then
the following python script was run to generate the vector files.
.. literalinclude:: /development/custom-vectors/secp256k1/verify_secp256k1.py
Download link: :download:`verify_secp256k1.py
</development/custom-vectors/secp256k1/verify_secp256k1.py>`
.. _`pure Python ecdsa`: https://pypi.python.org/pypi/ecdsa
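Review bot: the Verification section says "the following python script was run to generate the vector files", but the script it includes is verify_secp256k1.py, which loads the already generated SigGen.txt and checks every signature against cryptography's own SECP256K1 implementation; it should say the script was run to verify the vector files, since generation is what the Creation section above describes. Also "python" should be capitalised as "Python" to match the rest of the page.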
from __future__ import absolute_import, print_function
import hashlib
import os
from binascii import hexlify
from collections import defaultdict
from ecdsa import SECP256k1, SigningKey
from ecdsa.util import sigdecode_der, sigencode_der
from cryptography_vectors import open_vector_file
from tests.utils import (
load_fips_ecdsa_signing_vectors, load_vectors_from_file
)
HASHLIB_HASH_TYPES = {
"SHA-1": hashlib.sha1,
"SHA-224": hashlib.sha224,
"SHA-256": hashlib.sha256,
"SHA-384": hashlib.sha384,
"SHA-512": hashlib.sha512,
}
class TruncatedHash(object):
def __init__(self, hasher):
self.hasher = hasher
def __call__(self, data):
self.hasher.update(data)
return self
def digest(self):
return self.hasher.digest()[:256 // 8]
def build_vectors(fips_vectors):
vectors = defaultdict(list)
for vector in fips_vectors:
vectors[vector['digest_algorithm']].append(vector['message'])
for digest_algorithm, messages in vectors.items():
if digest_algorithm not in HASHLIB_HASH_TYPES:
continue
yield ""
yield "[K-256,{0}]".format(digest_algorithm)
yield ""
for message in messages:
# Make a hash context
hash_func = TruncatedHash(HASHLIB_HASH_TYPES[digest_algorithm]())
# Sign the message using warner/ecdsa
secret_key = SigningKey.generate(curve=SECP256k1)
public_key = secret_key.get_verifying_key()
signature = secret_key.sign(message, hashfunc=hash_func,
sigencode=sigencode_der)
r, s = sigdecode_der(signature, None)
yield "Msg = {0}".format(hexlify(message))
yield "d = {0:x}".format(secret_key.privkey.secret_multiplier)
yield "Qx = {0:x}".format(public_key.pubkey.point.x())
yield "Qy = {0:x}".format(public_key.pubkey.point.y())
yield "R = {0:x}".format(r)
yield "S = {0:x}".format(s)
yield ""
def write_file(lines, dest):
for line in lines:
print(line)
print(line, file=dest)
source_path = os.path.join("asymmetric", "ECDSA", "FIPS_186-3", "SigGen.txt")
dest_path = os.path.join("asymmetric", "ECDSA", "SECP256K1", "SigGen.txt")
fips_vectors = load_vectors_from_file(
source_path,
load_fips_ecdsa_signing_vectors
)
with open_vector_file(dest_path, "w") as dest_file:
write_file(
build_vectors(fips_vectors),
dest_file
)
from __future__ import absolute_import, print_function
import os
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
encode_rfc6979_signature
)
from tests.utils import (
load_fips_ecdsa_signing_vectors, load_vectors_from_file
)
CRYPTOGRAPHY_HASH_TYPES = {
"SHA-1": hashes.SHA1,
"SHA-224": hashes.SHA224,
"SHA-256": hashes.SHA256,
"SHA-384": hashes.SHA384,
"SHA-512": hashes.SHA512,
}
def verify_one_vector(vector):
digest_algorithm = vector['digest_algorithm']
message = vector['message']
x = vector['x']
y = vector['y']
signature = encode_rfc6979_signature(vector['r'], vector['s'])
numbers = ec.EllipticCurvePublicNumbers(
x, y,
ec.SECP256K1()
)
key = numbers.public_key(default_backend())
verifier = key.verifier(
signature,
ec.ECDSA(CRYPTOGRAPHY_HASH_TYPES[digest_algorithm]())
)
verifier.update(message)
return verifier.verify()
def verify_vectors(vectors):
for vector in vectors:
assert verify_one_vector(vector)
vector_path = os.path.join("asymmetric", "ECDSA", "SECP256K1", "SigGen.txt")
secp256k1_vectors = load_vectors_from_file(
vector_path,
load_fips_ecdsa_signing_vectors
)
verify_vectors(secp256k1_vectors)
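Review bot: verify_one_vector returns whatever `verifier.verify()` returns and verify_vectors then asserts on that value, but the verification context signals a bad signature by raising cryptography.exceptions.InvalidSignature rather than by returning a boolean, so the assert depends on an undocumented truthy return. Call `verifier.verify()` for its exception instead, and in verify_vectors catch InvalidSignature so the failing vector (digest algorithm and message) is reported, rather than letting an uninformative AssertionError surface if the return value ever changes.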
......@@ -44,7 +44,6 @@ each supported Python version and run the tests. For example:
ERROR: py26: InterpreterNotFound: python2.6
py27: commands succeeded
ERROR: pypy: InterpreterNotFound: pypy
ERROR: py32: InterpreterNotFound: python3.2
py33: commands succeeded
docs: commands succeeded
pep8: commands succeeded
......
......@@ -37,9 +37,14 @@ Asymmetric ciphers
Ruby test suite.
Custom Asymmetric Vectors
Custom asymmetric vectors
~~~~~~~~~~~~~~~~~~~~~~~~~
.. toctree::
:maxdepth: 1
custom-vectors/secp256k1
* ``asymmetric/PEM_Serialization/ec_private_key.pem`` and
``asymmetric/DER_Serialization/ec_private_key.der`` - Contains an Elliptic
Curve key generated by OpenSSL from the curve ``secp256r1``.
......@@ -78,6 +83,13 @@ Custom Asymmetric Vectors
``asymmetric/public/PKCS1/rsa.pub.der`` are PKCS1 conversions of the public
key from ``asymmetric/PKCS8/unenc-rsa-pkcs8.pem`` using PEM and DER encoding.
Key exchange
~~~~~~~~~~~~
* ``vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt`` contains
Diffie-Hellman examples from appendix A.1, A.2 and A.3 of :rfc:`5114`.
X.509
~~~~~
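Review bot: the RFC5114.txt entry uses the path ``vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt`` while the neighbouring entries (``asymmetric/PEM_Serialization/ec_private_key.pem``, ``asymmetric/public/PKCS1/rsa.pub.der``) are written relative to the cryptography_vectors package; drop the ``vectors/cryptography_vectors/`` prefix so every path in this file is resolved the same way.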
......@@ -88,6 +100,8 @@ X.509
* ``verisign-md2-root.pem`` - A legacy Verisign public root signed using the
MD2 algorithm. This is a PEM conversion of the `root data`_ in the NSS source
tree.
* ``cryptography.io.pem`` - A leaf certificate issued by RapidSSL for the
cryptography website.
Custom X.509 Vectors
~~~~~~~~~~~~~~~~~~~~
......@@ -108,20 +122,101 @@ Custom X.509 Vectors
* ``utf8_common_name.pem`` - An RSA 2048 bit self-signed CA certificate
generated using OpenSSL that contains a UTF8String common name with the value
"We heart UTF8!™".
* ``two_basic_constraints.pem`` - An RSA 2048 bit self-signed certificate
containing two basic constraints extensions.
* ``basic_constraints_not_critical.pem`` - An RSA 2048 bit self-signed
certificate containing a basic constraints extension that is not marked as
critical.
* ``bc_path_length_zero.pem`` - An RSA 2048 bit self-signed
certificate containing a basic constraints extension with a path length of
zero.
* ``unsupported_extension.pem`` - An RSA 2048 bit self-signed certificate
containing an unsupported extension type. The OID was encoded as
"1.2.3.4" with an ``extnValue`` of "value".
* ``unsupported_extension_critical.pem`` - An RSA 2048 bit self-signed
certificate containing an unsupported extension type marked critical. The OID
was encoded as "1.2.3.4" with an ``extnValue`` of "value".
* ``san_email_dns_ip_dirname_uri.pem`` - An RSA 2048 bit self-signed
certificate containing a subject alternative name extension with the
following general names: ``rfc822Name``, ``dNSName``, ``iPAddress``,
``directoryName``, and ``uniformResourceIdentifier``.
* ``san_other_name.pem`` - An RSA 2048 bit self-signed certificate containing
a subject alternative name extension with the ``otherName`` general name.
* ``san_registered_id.pem`` - An RSA 1024 bit certificate containing a
subject alternative name extension with the ``registeredID`` general name.
* ``all_key_usages.pem`` - An RSA 2048 bit self-signed certificate containing
a key usage extension with all nine purposes set to true.
* ``extended_key_usage.pem`` - An RSA 2048 bit self-signed certificate
containing an extended key usage extension with eight usages.
* ``san_idna_names.pem`` - An RSA 2048 bit self-signed certificate containing
a subject alternative name extension with ``rfc822Name``, ``dNSName``, and
``uniformResourceIdentifier`` general names with IDNA (:rfc:`5895`) encoding.
* ``san_rfc822_names.pem`` - An RSA 2048 bit self-signed certificate containing
a subject alternative name extension with various ``rfc822Name`` values.
* ``san_rfc822_idna.pem`` - An RSA 2048 bit self-signed certificate containing
a subject alternative name extension with an IDNA ``rfc822Name``.
* ``san_uri_with_port.pem`` - An RSA 2048 bit self-signed certificate
containing a subject alternative name extension with various
``uniformResourceIdentifier`` values.
* ``san_ipaddr.pem`` - An RSA 2048 bit self-signed certificate containing a
subject alternative name extension with an ``iPAddress`` value.
* ``san_dirname.pem`` - An RSA 2048 bit self-signed certificate containing a
subject alternative name extension with a ``directoryName`` value.
* ``inhibit_any_policy_5.pem`` - An RSA 2048 bit self-signed certificate
containing an inhibit any policy extension with the value 5.
* ``inhibit_any_policy_negative.pem`` - An RSA 2048 bit self-signed certificate
containing an inhibit any policy extension with the value -1.
* ``authority_key_identifier.pem`` - An RSA 2048 bit self-signed certificate
containing an authority key identifier extension with key identifier,
authority certificate issuer, and authority certificate serial number fields.
* ``authority_key_identifier_no_keyid.pem`` - An RSA 2048 bit self-signed
certificate containing an authority key identifier extension with authority
certificate issuer and authority certificate serial number fields.
* ``aia_ocsp_ca_issuers.pem`` - An RSA 2048 bit self-signed certificate
containing an authority information access extension with two OCSP and one
CA issuers entry.
* ``aia_ocsp.pem`` - An RSA 2048 bit self-signed certificate
containing an authority information access extension with an OCSP entry.
* ``aia_ca_issuers.pem`` - An RSA 2048 bit self-signed certificate
containing an authority information access extension with a CA issuers entry.
* ``cdp_fullname_reasons_crl_issuer.pem`` - An RSA 1024 bit certificate
containing a CRL distribution points extension with ``fullName``,
``cRLIssuer``, and ``reasons`` data.
* ``cdp_crl_issuer.pem`` - An RSA 1024 bit certificate containing a CRL
distribution points extension with ``cRLIssuer`` data.
* ``cdp_all_reasons.pem`` - An RSA 1024 bit certificate containing a CRL
distribution points extension with all ``reasons`` bits set.
* ``cdp_reason_aa_compromise.pem`` - An RSA 1024 bit certificate containing a
CRL distribution points extension with the ``AACompromise`` ``reasons`` bit
set.
* ``cp_user_notice_with_notice_reference.pem`` - An RSA 2048 bit self-signed
certificate containing a certificate policies extension with a
notice reference in the user notice.
* ``cp_user_notice_with_explicit_text.pem`` - An RSA 2048 bit self-signed
certificate containing a certificate policies extension with explicit
text and no notice reference.
* ``cp_cps_uri.pem`` - An RSA 2048 bit self-signed certificate containing a
certificate policies extension with a CPS URI and no user notice.
* ``cp_user_notice_no_explicit_text.pem`` - An RSA 2048 bit self-signed
certificate containing a certificate policies extension with a user notice
with no explicit text.
Custom X.509 Request Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* ``dsa_sha1.pem`` - Contains a certificate request using 1024-bit DSA
parameters and SHA1 generated using OpenSSL.
* ``rsa_md4.pem`` - Contains a certificate request using 2048 bit RSA and MD4
* ``dsa_sha1.pem`` and ``dsa_sha1.der`` - Contain a certificate request using
1024-bit DSA parameters and SHA1 generated using OpenSSL.
* ``rsa_md4.pem`` and ``rsa_md4.der`` - Contain a certificate request using
2048 bit RSA and MD4 generated using OpenSSL.
* ``rsa_sha1.pem`` and ``rsa_sha1.der`` - Contain a certificate request using
2048 bit RSA and SHA1 generated using OpenSSL.
* ``rsa_sha256.pem`` and ``rsa_sha256.der`` - Contain a certificate request
using 2048 bit RSA and SHA256 generated using OpenSSL.
* ``ec_sha256.pem`` and ``ec_sha256.der`` - Contain a certificate request
using EC (``secp384r1``) and SHA256 generated using OpenSSL.
* ``san_rsa_sha1.pem`` and ``san_rsa_sha1.der`` - Contain a certificate
request using RSA and SHA1 with a subject alternative name extension
generated using OpenSSL.
* ``rsa_sha1.pem`` - Contains a certificate request using 2048 bit RSA and
SHA1 generated using OpenSSL.
* ``rsa_sha256.pem`` - Contains a certificate request using 2048 bit RSA and
SHA256 generated using OpenSSL.
* ``ec_sha256.pem`` - Contains a certificate request using EC (``secp384r1``)
and SHA256 generated using OpenSSL.
Hashes
~~~~~~
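Review bot: the entries for san_registered_id.pem, cdp_fullname_reasons_crl_issuer.pem, cdp_crl_issuer.pem, cdp_all_reasons.pem and cdp_reason_aa_compromise.pem read "An RSA 1024 bit certificate" and, unlike every other entry in this section, say neither whether the certificate is self-signed nor how it was generated; state both so the provenance of each vector is clear. The inhibit_any_policy_negative.pem entry is described only as "with the value -1"; say whether this vector is expected to parse or to be rejected, so nobody reads it as a positive example next to inhibit_any_policy_5.pem.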
......@@ -147,6 +242,11 @@ Key derivation functions
* PBKDF2 (HMAC-SHA1) from :rfc:`6070`.
* scrypt from the `draft RFC`_.
Key wrapping
~~~~~~~~~~~~
* AES key wrap (AESKW) and 3DES key wrap test vectors from `NIST CAVP`_.
Recipes
~~~~~~~
......@@ -233,7 +333,7 @@ header format (substituting the correct information):
.. _`unenc-rsa-pkcs8.pem`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs8-decode/unencpkcs8.pem
.. _`pkcs12_s2k_pem.c`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs12_s2k_pem.c
.. _`Botan's ECC private keys`: https://github.com/randombit/botan/tree/4917f26a2b154e841cd27c1bcecdd41d2bdeb6ce/src/tests/data/ecc
.. _`GnuTLS example keys`: https://gitorious.org/gnutls/gnutls/commit/ad2061deafdd7db78fd405f9d143b0a7c579da7b
.. _`GnuTLS example keys`: https://gitlab.com/gnutls/gnutls/commit/ad2061deafdd7db78fd405f9d143b0a7c579da7b
.. _`NESSIE IDEA vectors`: https://www.cosic.esat.kuleuven.be/nessie/testvectors/bc/idea/Idea-128-64.verified.test-vectors
.. _`NESSIE`: https://en.wikipedia.org/wiki/NESSIE
.. _`Ed25519 website`: http://ed25519.cr.yp.to/software.html
......
......@@ -16,7 +16,7 @@ Bumping the version number
The next step in doing a release is bumping the version number in the
software.
* Update the version number in ``cryptography/__about__.py``.
* Update the version number in ``src/cryptography/__about__.py``.
* Update the version number in ``vectors/cryptography_vectors/__about__.py``.
* Set the release date in the :doc:`/changelog`.
* Do a commit indicating this.
......
......@@ -37,9 +37,3 @@ Exceptions
This is raised when the verify method of a key derivation function's
computed key does not match the expected key.
.. class:: InvalidToken
This is raised when the verify method of a one time password function's
computed token does not match the expected token.
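Review bot: deleting the InvalidToken entry from the exceptions page leaves the deprecated import path undocumented. The changelog in this same commit says cryptography.exceptions.InvalidToken was moved to cryptography.hazmat.primitives.twofactor.InvalidToken and that the old location is deprecated, not removed, so a short stub at the old location ("Deprecated; see :class:`cryptography.hazmat.primitives.twofactor.InvalidToken`") would tell readers who still import from cryptography.exceptions where the class now lives and that their import will eventually break.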
......@@ -92,8 +92,10 @@ has support for implementing key rotation via :class:`MultiFernet`.
>>> f.decrypt(token)
'Secret message!'
Fernet performs all encryption options using the *first* key in the
``list`` provided. Decryption supports using *any* of constituent keys.
MultiFernet performs all encryption options using the *first* key in the
``list`` provided. MultiFernet attempts to decrypt tokens with each key in
turn. A :class:`cryptography.fernet.InvalidToken` exception is raised if
the correct key is not found in the ``list`` provided.
Key rotation makes it easy to replace old keys. You can add your new key at
the front of the list to start encrypting new messages, and remove old keys
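Review bot: "MultiFernet performs all encryption options using the *first* key" carries a typo over from the old text; it should read "encryption operations". The rest of the rewrite is an improvement: saying that decryption tries each key in turn and raises cryptography.fernet.InvalidToken when none of them matches tells the reader exactly what a token encrypted under an already-removed key looks like at decrypt time.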
......
......@@ -164,7 +164,7 @@ A specific ``backend`` may provide one or more of these interfaces.
.. method:: create_cmac_ctx(algorithm)
Create a
:class:`~cryptography.hazmat.primitives.interfaces.CMACContext` that
:class:`~cryptography.hazmat.primitives.interfaces.MACContext` that
uses the specified ``algorithm`` to calculate a message authentication code.
:param algorithm: An instance of a
......@@ -172,7 +172,7 @@ A specific ``backend`` may provide one or more of these interfaces.
provider.
:returns:
:class:`~cryptography.hazmat.primitives.interfaces.CMACContext`
:class:`~cryptography.hazmat.primitives.interfaces.MACContext`
.. class:: PBKDF2HMACBackend
......@@ -509,3 +509,97 @@ A specific ``backend`` may provide one or more of these interfaces.
:param bytes data: DER formatted certificate data.
:returns: An instance of :class:`~cryptography.x509.Certificate`.
.. method:: load_pem_x509_csr(data)
.. versionadded:: 0.9
:param bytes data: PEM formatted certificate signing request data.
:returns: An instance of
:class:`~cryptography.x509.CertificateSigningRequest`.
.. class:: DHBackend
.. versionadded:: 0.9
A backend with methods for doing Diffie-Hellman key exchange.
.. method:: generate_dh_parameters(key_size)
:param int key_size: The bit length of the prime modulus to generate.
:return: A new instance of a
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
provider.
:raises ValueError: If ``key_size`` is not at least 512.
.. method:: generate_dh_private_key(parameters)
:param parameters: A
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
provider.
:return: A new instance of a
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
provider.
.. method:: generate_dh_private_key_and_parameters(self, key_size)
:param int key_size: The bit length of the prime modulus to generate.
:return: A new instance of a
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
provider.
:raises ValueError: If ``key_size`` is not at least 512.
.. method:: load_dh_private_numbers(numbers)
:param numbers: A
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateNumbers`
instance.
:return: A new instance of a
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
provider.
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
when any backend specific criteria are not met.
.. method:: load_dh_public_numbers(numbers)
:param numbers: A
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicNumbers`
instance.
:return: A new instance of a
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`
provider.
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
when any backend specific criteria are not met.
.. method:: load_dh_parameter_numbers(numbers)
:param numbers: A
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameterNumbers`
instance.
:return: A new instance of a
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
provider.
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
when any backend specific criteria are not met.
.. method:: dh_parameters_supported(p, g)
:param int p: The p value of the DH key.
:param int g: The g value of the DH key.
:returns: ``True`` if the given values of ``p`` and ``g`` are supported
by this backend, otherwise ``False``.
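Review bot: the X509Backend additions document load_pem_x509_csr only, while the 0.9 changelog entry in this same commit adds both load_pem_x509_csr and load_der_x509_csr; add a matching `.. method:: load_der_x509_csr(data)` with a DER-formatted `data` parameter and the same return type. Two smaller points in the DHBackend section: generate_dh_private_key_and_parameters is written as `(self, key_size)` while every other method signature omits `self`, and the two `:raises ValueError: If key_size is not at least 512` lines describe the smallest size the backend will accept, not a size anyone should choose, so a sentence making clear that 512 is a hard floor rather than a recommendation would stop readers from treating it as guidance.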
......@@ -6,6 +6,9 @@ Diffie-Hellman key exchange
.. currentmodule:: cryptography.hazmat.primitives.asymmetric.dh
Numbers
~~~~~~~
.. class:: DHPrivateNumbers(x, public_numbers)
.. versionadded:: 0.8
......@@ -62,3 +65,98 @@ Diffie-Hellman key exchange
:type: int
The generator value.
Key interfaces
~~~~~~~~~~~~~~
.. class:: DHParameters
.. versionadded:: 0.9
.. method:: generate_private_key()
.. versionadded:: 0.9
Generate a DH private key. This method can be used to generate many
new private keys from a single set of parameters.
:return: A
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
provider.
.. class:: DHParametersWithSerialization
.. versionadded:: 0.9
Inherits from :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`.
.. method:: parameter_numbers()
Return the numbers that make up this set of parameters.
:return: A :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameterNumbers`.
.. class:: DHPrivateKey
.. versionadded:: 0.9
.. attribute:: key_size
The bit length of the prime modulus.
.. method:: public_key()
Return the public key associated with this private key.
:return: A :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`.
.. method:: parameters()
Return the parameters associated with this private key.
:return: A :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`.
.. class:: DHPrivateKeyWithSerialization
.. versionadded:: 0.9
Inherits from :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`.
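Review bot: the `.. versionadded:: 0.9` markers in the Key interfaces section are applied unevenly: generate_private_key() carries its own marker directly under a DHParameters class that already has one, while parameter_numbers(), public_key() and parameters() have none; either drop the method-level marker or add it to every method. DHParameters and DHPrivateKey also have no one-line description under the class directive, unlike DHParametersWithSerialization and DHPrivateKeyWithSerialization, which at least say what they inherit from; a sentence such as "A set of Diffie-Hellman parameters from which private keys can be generated" would make the interface page read consistently.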