Google Git
Sign in
android / platform / external / python / cryptography / f9506a4677a6a7f960107759a8a9594d648b00ae / . / docs / hazmat / primitives / mac / hmac.rst
blob: 9d11694bd569532b650149d03913a3b3e4a03e93 [file] [log] [blame]
.. hazmat::
Hash-based message authentication codes (HMAC)
==============================================
.. currentmodule:: cryptography.hazmat.primitives.hmac
.. testsetup::
import binascii
key = binascii.unhexlify(b"0" * 32)
Hash-based message authentication codes (or HMACs) are a tool for calculating
message authentication codes using a cryptographic hash function coupled with a
secret key. You can use an HMAC to verify both the integrity and authenticity
of a message.
.. class:: HMAC(key, algorithm, backend)
HMAC objects take a ``key`` and a
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` instance.
The ``key`` should be :doc:`randomly generated bytes </random-numbers>` and
is recommended to be equal in length to the ``digest_size`` of the hash
function chosen. You must keep the ``key`` secret.
This is an implementation of :rfc:`2104`.
.. doctest::
>>> from cryptography.hazmat.backends import default_backend
>>> from cryptography.hazmat.primitives import hashes, hmac
>>> h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend())
>>> h.update(b"message to hash")
>>> h.finalize()
b'#F\xdaI\x8b"e\xc4\xf1\xbb\x9a\x8fc\xff\xf5\xdex.\xbc\xcd/+\x8a\x86\x1d\x84\'\xc3\xa6\x1d\xd8J'
If the backend doesn't support the requested ``algorithm`` an
:class:`~cryptography.exceptions.UnsupportedAlgorithm` exception will be
raised.
If ``algorithm`` isn't a
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` instance
then ``TypeError`` will be raised.
To check that a given signature is correct use the :meth:`verify` method.
You will receive an exception if the signature is wrong:
.. doctest::
>>> h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend())
>>> h.update(b"message to hash")
>>> h.verify(b"an incorrect signature")
Traceback (most recent call last):
...
cryptography.exceptions.InvalidSignature: Signature did not match digest.
:param key: Secret key as ``bytes``.
:type key: :term:`bytes-like`
:param algorithm: An
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
instance such as those described in
:ref:`Cryptographic Hashes <cryptographic-hash-algorithms>`.
:param backend: An
:class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
instance.
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised if the
provided ``backend`` does not implement
:class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
.. method:: update(msg)
:param msg: The bytes to hash and authenticate.
:type msg: :term:`bytes-like`
:raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize`
:raises TypeError: This exception is raised if ``msg`` is not ``bytes``.
.. method:: copy()
Copy this :class:`HMAC` instance, usually so that we may call
:meth:`finalize` to get an intermediate digest value while we continue
to call :meth:`update` on the original instance.
:return: A new instance of :class:`HMAC` that can be updated
and finalized independently of the original instance.
:raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize`
.. method:: verify(signature)
Finalize the current context and securely compare digest to
``signature``.
:param bytes signature: The bytes to compare the current digest
against.
:raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize`
:raises cryptography.exceptions.InvalidSignature: If signature does not
match digest
:raises TypeError: This exception is raised if ``signature`` is not
``bytes``.
.. method:: finalize()
Finalize the current context and return the message digest as bytes.
After ``finalize`` has been called this object can no longer be used
and :meth:`update`, :meth:`copy`, :meth:`verify` and :meth:`finalize`
will raise an :class:`~cryptography.exceptions.AlreadyFinalized`
exception.
:return bytes: The message digest as bytes.
:raises cryptography.exceptions.AlreadyFinalized: