author: Ayrx <terrycwk1994@gmail.com> 2014-04-16 23:03:14 +0800
committer: Ayrx <terrycwk1994@gmail.com> 2014-04-22 12:11:34 +0800
commit: fa4a6b2f5f536ada8115b49373da768f297dc256
tree: d8877fafa6e7ee111d709b22f90eb23ba81ab602 /docs/hazmat/primitives/mac
parent: b5bb0653b934bdf5fbf93dc1e5491e78f5c71467
Added CMAC docs
Diffstat (limited to 'docs/hazmat/primitives/mac')
-rw-r--r-- docs/hazmat/primitives/mac/cmac.rst | 100
-rw-r--r-- docs/hazmat/primitives/mac/hmac.rst | 100
2 files changed, 200 insertions, 0 deletions
diff --git a/docs/hazmat/primitives/mac/cmac.rst b/docs/hazmat/primitives/mac/cmac.rst
new file mode 100644
index 00000000..90d94ed8
--- /dev/null
+++ b/docs/hazmat/primitives/mac/cmac.rst
@@ -0,0 +1,100 @@
+.. hazmat::
+
+Cipher-based message authentication code
+========================================
+
+.. currentmodule:: cryptography.hazmat.primitives.cmac
+
+.. testsetup::
+
+ import binascii
+ key = binascii.unhexlify(b"0" * 32)
+
+Cipher-based message authentication codes (or CMACs) are a tool for calculating
+message authentication codes using a block cipher coupled with a
+secret key. You can use an CMAC to verify both the integrity and authenticity
+of a message.
+
+.. class:: CMAC(algorithm, backend)
+
+ CMAC objects take a
+ :class:`~cryptography.hazmat.primitives.interfaces.BlockCipherAlgorithm` provider.
+
+ .. doctest::
+
+ >>> from cryptography.hazmat.backends import default_backend
+ >>> from cryptography.hazmat.primitives import cmac
+ >>> from cryptography.hazmat.primitives.ciphers import algorithms
+ >>> c = cmac.CMAC(algorithms.AES(key), backend=default_backend())
+ >>> c.update(b"message to authenticate")
+ >>> c.finalize()
+ 'CT\x1d\xc8\x0e\x15\xbe4e\xdb\xb6\x84\xca\xd9Xk'
+
+ If the backend doesn't support the requested ``algorithm`` an
+ :class:`~cryptography.exceptions.UnsupportedAlgorithm` exception will be
+ raised.
+
+ If the `algorithm`` isn't a
+ :class:`~cryptography.primitives.interfaces.BlockCipherAlgorithm` provider,
+ ``TypeError`` will be raised.
+
+ To check that a given signature is correct use the :meth:`verify` method.
+ You will receive an exception if the signature is wrong:
+
+ .. code-block:: pycon
+
+ >>> c.verify(b"an incorrect signature")
+ Traceback (most recent call last):
+ ...
+ cryptography.exceptions.InvalidSignature: Signature did not match digest.
+
+ :param algorithm: An
+ :class:`~cryptography.hazmat.primitives.interfaces.BlockCipherAlgorithm`
+ provider.
+ :param backend: An
+ :class:`~cryptography.hazmat.backends.interfaces.CMACBackend`
+ provider.
+ :raises TypeError: This is raised if the provided ``algorithm`` is not an instance of
+ :class:`~cryptography.hazmat.primitives.interfaces.BlockCipherAlgorithm`
+ :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised if the
+ provided ``backend`` does not implement
+ :class:`~cryptography.hazmat.backends.interfaces.CMACBackend`
+
+ .. method:: update(data)
+
+ :param bytes data: The bytes to hash and authenticate.
+ :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize`
+
+ .. method:: copy()
+
+ Copy this :class:`CMAC` instance, usually so that we may call
+ :meth:`finalize` to get an intermediate value while we continue
+ to call :meth:`update` on the original instance.
+
+ :return: A new instance of :class:`CMAC` that can be updated
+ and finalized independently of the original instance.
+ :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize`
+
+ .. method:: verify(signature)
+
+ Finalize the current context and securely compare the MAC to
+ ``signature``.
+
+ :param bytes signature: The bytes to compare the current CMAC
+ against.
+ :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize`
+ :raises cryptography.exceptions.InvalidSignature: If signature does not
+ match digest
+
+ .. method:: finalize()
+
+ Finalize the current context and return the message authentication code
+ as bytes.
+
+ After ``finalize`` has been called this object can no longer be used
+ and :meth:`update`, :meth:`copy`, :meth:`verify` and :meth:`finalize`
+ will raise an :class:`~cryptography.exceptions.AlreadyFinalized`
+ exception.
+
+ :return bytes: The message authentication code as bytes.
+ :raises cryptography.exceptions.AlreadyFinalized:
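Review bot: In the paragraph beginning "If the `algorithm`` isn't a", the inline literal opens with one backtick and closes with two, and the class reference on the next line is ~cryptography.primitives.interfaces.BlockCipherAlgorithm, missing the hazmat segment that every other reference in this file uses, so neither the literal nor the cross-reference will render correctly. Suggest ``algorithm`` and ~cryptography.hazmat.primitives.interfaces.BlockCipherAlgorithm. Several phrases read as carried over from the HMAC text and do not fit a block-cipher MAC: "an CMAC" should be "a CMAC", update() documents "The bytes to hash and authenticate" although the introduction describes a block cipher rather than a hash, and the :raises: line for verify() says "If signature does not match digest". The prose says UnsupportedAlgorithm is raised when the backend does not support the requested algorithm, while the :raises: field says it is raised when the backend does not implement CMACBackend; list both cases or make the two agree. The last line, ":raises cryptography.exceptions.AlreadyFinalized:" under finalize(), has no description.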
diff --git a/docs/hazmat/primitives/mac/hmac.rst b/docs/hazmat/primitives/mac/hmac.rst
new file mode 100644
index 00000000..11b10735
--- /dev/null
+++ b/docs/hazmat/primitives/mac/hmac.rst
@@ -0,0 +1,100 @@
+.. hazmat::
+
+Hash-based message authentication codes
+=======================================
+
+.. currentmodule:: cryptography.hazmat.primitives.hmac
+
+.. testsetup::
+
+ import binascii
+ key = binascii.unhexlify(b"0" * 32)
+
+Hash-based message authentication codes (or HMACs) are a tool for calculating
+message authentication codes using a cryptographic hash function coupled with a
+secret key. You can use an HMAC to verify both the integrity and authenticity
+of a message.
+
+.. class:: HMAC(key, algorithm, backend)
+
+ HMAC objects take a ``key`` and a
+ :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm` provider.
+ The ``key`` should be randomly generated bytes and is recommended to be
+ equal in length to the ``digest_size`` of the hash function chosen.
+ You must keep the ``key`` secret.
+
+ This is an implementation of :rfc:`2104`.
+
+ .. doctest::
+
+ >>> from cryptography.hazmat.backends import default_backend
+ >>> from cryptography.hazmat.primitives import hashes, hmac
+ >>> h = hmac.HMAC(key, hashes.SHA256(), backend=default_backend())
+ >>> h.update(b"message to hash")
+ >>> h.finalize()
+ '#F\xdaI\x8b"e\xc4\xf1\xbb\x9a\x8fc\xff\xf5\xdex.\xbc\xcd/+\x8a\x86\x1d\x84\'\xc3\xa6\x1d\xd8J'
+
+ If the backend doesn't support the requested ``algorithm`` an
+ :class:`~cryptography.exceptions.UnsupportedAlgorithm` exception will be
+ raised.
+
+ To check that a given signature is correct use the :meth:`verify` method.
+ You will receive an exception if the signature is wrong:
+
+ .. code-block:: pycon
+
+ >>> h.verify(b"an incorrect signature")
+ Traceback (most recent call last):
+ ...
+ cryptography.exceptions.InvalidSignature: Signature did not match digest.
+
+ :param bytes key: Secret key as ``bytes``.
+ :param algorithm: An
+ :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
+ provider such as those described in
+ :ref:`Cryptographic Hashes <cryptographic-hash-algorithms>`.
+ :param backend: An
+ :class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
+ provider.
+
+ :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised if the
+ provided ``backend`` does not implement
+ :class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
+
+ .. method:: update(msg)
+
+ :param bytes msg: The bytes to hash and authenticate.
+ :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize`
+
+ .. method:: copy()
+
+ Copy this :class:`HMAC` instance, usually so that we may call
+ :meth:`finalize` to get an intermediate digest value while we continue
+ to call :meth:`update` on the original instance.
+
+ :return: A new instance of :class:`HMAC` that can be updated
+ and finalized independently of the original instance.
+ :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize`
+
+ .. method:: verify(signature)
+
+ Finalize the current context and securely compare digest to
+ ``signature``.
+
+ :param bytes signature: The bytes to compare the current digest
+ against.
+ :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize`
+ :raises cryptography.exceptions.InvalidSignature: If signature does not
+ match digest
+
+ .. method:: finalize()
+
+ Finalize the current context and return the message digest as bytes.
+
+ After ``finalize`` has been called this object can no longer be used
+ and :meth:`update`, :meth:`copy`, :meth:`verify` and :meth:`finalize`
+ will raise an :class:`~cryptography.exceptions.AlreadyFinalized`
+ exception.
+
+ :return bytes: The message digest as bytes.
+ :raises cryptography.exceptions.AlreadyFinalized:
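Review bot: The testsetup key, binascii.unhexlify(b"0" * 32), is 16 bytes, but the class description recommends a key equal in length to the digest_size of the chosen hash and the doctest uses hashes.SHA256(), whose output in the sample is 32 bytes, so the example contradicts the recommendation stated a few lines below it. Suggest a setup key that matches the digest size and regenerating the expected finalize() output to go with it. The commit message says only "Added CMAC docs", yet this hunk adds a complete hmac.rst; the diffstat is limited to this directory and shows no deletions, so if the file was moved from elsewhere the message should say so. As in cmac.rst, the final ":raises cryptography.exceptions.AlreadyFinalized:" under finalize() has no description.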