diff options
| -rw-r--r-- | cryptography/hazmat/primitives/hmac.py | 38 | ||||
| -rw-r--r-- | docs/hazmat/primitives/hmac.rst | 21 | ||||
| -rw-r--r-- | tests/hazmat/primitives/test_hmac.py | 21 | ||||
| -rw-r--r-- | tests/hazmat/primitives/test_hmac_vectors.py | 14 | ||||
| -rw-r--r-- | tests/hazmat/primitives/utils.py | 17 |
5 files changed, 46 insertions, 65 deletions
diff --git a/cryptography/hazmat/primitives/hmac.py b/cryptography/hazmat/primitives/hmac.py index 4da0cc3f..1457ed78 100644 --- a/cryptography/hazmat/primitives/hmac.py +++ b/cryptography/hazmat/primitives/hmac.py @@ -13,47 +13,39 @@ from __future__ import absolute_import, division, print_function -import binascii - import six +from cryptography.hazmat.primitives import interfaces + +@interfaces.register(interfaces.HashContext) class HMAC(object): - def __init__(self, key, msg=None, digestmod=None, ctx=None, backend=None): + def __init__(self, key, algorithm, ctx=None, backend=None): super(HMAC, self).__init__() + if not isinstance(algorithm, interfaces.HashAlgorithm): + raise TypeError("Expected instance of interfaces.HashAlgorithm.") + self.algorithm = algorithm + if backend is None: from cryptography.hazmat.bindings import _default_backend backend = _default_backend - if digestmod is None: - raise TypeError("digestmod is a required argument") - self._backend = backend - self.digestmod = digestmod - self.key = key + self._key = key if ctx is None: - self._ctx = self._backend.hmacs.create_ctx(key, self.digestmod) + self._ctx = self._backend.hmacs.create_ctx(key, self.algorithm) else: self._ctx = ctx - if msg is not None: - self.update(msg) - def update(self, msg): if isinstance(msg, six.text_type): raise TypeError("Unicode-objects must be encoded before hashing") self._backend.hmacs.update_ctx(self._ctx, msg) def copy(self): - return self.__class__(self.key, digestmod=self.digestmod, - backend=self._backend, ctx=self._copy_ctx()) - - def digest(self): - return self._backend.hmacs.finalize_ctx(self._copy_ctx(), - self.digestmod.digest_size) - - def hexdigest(self): - return str(binascii.hexlify(self.digest()).decode("ascii")) + return self.__class__(self._key, self.algorithm, backend=self._backend, + ctx=self._backend.hmacs.copy_ctx(self._ctx)) - def _copy_ctx(self): - return self._backend.hmacs.copy_ctx(self._ctx) + def finalize(self): + return self._backend.hmacs.finalize_ctx(self._ctx, + self.algorithm.digest_size) diff --git a/docs/hazmat/primitives/hmac.rst b/docs/hazmat/primitives/hmac.rst index 44cc29fa..301d72d5 100644 --- a/docs/hazmat/primitives/hmac.rst +++ b/docs/hazmat/primitives/hmac.rst @@ -15,10 +15,10 @@ message authentication codes using a cryptographic hash function coupled with a secret key. You can use an HMAC to verify integrity as well as authenticate a message. -.. class:: HMAC(key, msg=None, digestmod=None) +.. class:: HMAC(key, algorithm) - HMAC objects take a ``key``, a hash class derived from - :class:`~cryptography.primitives.hashes.BaseHash`, and optional message. + HMAC objects take a ``key`` and a provider of + :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`. The ``key`` should be randomly generated bytes and is recommended to be equal in length to the ``digest_size`` of the hash function chosen. You must keep the ``key`` secret. @@ -26,10 +26,10 @@ message. .. doctest:: >>> from cryptography.hazmat.primitives import hashes, hmac - >>> h = hmac.HMAC(key, digestmod=hashes.SHA256) + >>> h = hmac.HMAC(key, hashes.SHA256()) >>> h.update(b"message to hash") - >>> h.hexdigest() - '...' + >>> h.finalize() + '#F\xdaI\x8b"e\xc4\xf1\xbb\x9a\x8fc\xff\xf5\xdex.\xbc\xcd/+\x8a\x86\x1d\x84\'\xc3\xa6\x1d\xd8J' .. method:: update(msg) @@ -39,11 +39,10 @@ message. :return: a new instance of this object with a copied internal state. - .. method:: digest() + .. method:: finalize() - :return bytes: The message digest as bytes. - - .. method:: hexdigest() + Finalize the current context and return the message digest as bytes. - :return str: The message digest as hex. + Once ``finalize`` is called this object can no longer be used. + :return bytes: The message digest as bytes. diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 42726a7c..a44838cf 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -26,32 +26,25 @@ from .utils import generate_base_hmac_test class TestHMAC(object): test_copy = generate_base_hmac_test( - hashes.MD5, + hashes.MD5(), only_if=lambda backend: backend.hashes.supported(hashes.MD5), skip_message="Does not support MD5", ) def test_hmac_reject_unicode(self, backend): - h = hmac.HMAC(key=b"mykey", digestmod=hashes.SHA1, backend=backend) + h = hmac.HMAC(b"mykey", hashes.SHA1(), backend=backend) with pytest.raises(TypeError): h.update(six.u("\u00FC")) - def test_base_hash_hexdigest_string_type(self, backend): - h = hmac.HMAC(key=b"mykey", digestmod=hashes.SHA1, backend=backend, - msg=b"") - assert isinstance(h.hexdigest(), str) - - def test_hmac_no_digestmod(self): - with pytest.raises(TypeError): - hmac.HMAC(key=b"shortkey") - - -class TestCopyHMAC(object): def test_copy_backend_object(self): pretend_hmac = pretend.stub(copy_ctx=lambda a: True) pretend_backend = pretend.stub(hmacs=pretend_hmac) pretend_ctx = pretend.stub() - h = hmac.HMAC(b"key", digestmod=hashes.SHA1, backend=pretend_backend, + h = hmac.HMAC(b"key", hashes.SHA1(), backend=pretend_backend, ctx=pretend_ctx) assert h._backend is pretend_backend assert h.copy()._backend is pretend_backend + + def test_hmac_algorithm_instance(self): + with pytest.raises(TypeError): + hmac.HMAC(b"key", hashes.SHA1) diff --git a/tests/hazmat/primitives/test_hmac_vectors.py b/tests/hazmat/primitives/test_hmac_vectors.py index 27b45012..52d592b6 100644 --- a/tests/hazmat/primitives/test_hmac_vectors.py +++ b/tests/hazmat/primitives/test_hmac_vectors.py @@ -26,7 +26,7 @@ class TestHMAC_MD5(object): [ "rfc-2202-md5.txt", ], - hashes.MD5, + hashes.MD5(), only_if=lambda backend: backend.hashes.supported(hashes.MD5), skip_message="Does not support MD5", ) @@ -39,7 +39,7 @@ class TestHMAC_SHA1(object): [ "rfc-2202-sha1.txt", ], - hashes.SHA1, + hashes.SHA1(), only_if=lambda backend: backend.hashes.supported(hashes.SHA1), skip_message="Does not support SHA1", ) @@ -52,7 +52,7 @@ class TestHMAC_SHA224(object): [ "rfc-4231-sha224.txt", ], - hashes.SHA224, + hashes.SHA224(), only_if=lambda backend: backend.hashes.supported(hashes.SHA224), skip_message="Does not support SHA224", ) @@ -65,7 +65,7 @@ class TestHMAC_SHA256(object): [ "rfc-4231-sha256.txt", ], - hashes.SHA256, + hashes.SHA256(), only_if=lambda backend: backend.hashes.supported(hashes.SHA256), skip_message="Does not support SHA256", ) @@ -78,7 +78,7 @@ class TestHMAC_SHA384(object): [ "rfc-4231-sha384.txt", ], - hashes.SHA384, + hashes.SHA384(), only_if=lambda backend: backend.hashes.supported(hashes.SHA384), skip_message="Does not support SHA384", ) @@ -91,7 +91,7 @@ class TestHMAC_SHA512(object): [ "rfc-4231-sha512.txt", ], - hashes.SHA512, + hashes.SHA512(), only_if=lambda backend: backend.hashes.supported(hashes.SHA512), skip_message="Does not support SHA512", ) @@ -104,7 +104,7 @@ class TestHMAC_RIPEMD160(object): [ "rfc-2286-ripemd160.txt", ], - hashes.RIPEMD160, + hashes.RIPEMD160(), only_if=lambda backend: backend.hashes.supported(hashes.RIPEMD160), skip_message="Does not support RIPEMD160", ) diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index efc5fbf0..b4a8a3e6 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -129,7 +129,7 @@ def long_string_hash_test(backend, algorithm, md, only_if, skip_message): assert m.finalize() == binascii.unhexlify(md.lower().encode("ascii")) -def generate_hmac_test(param_loader, path, file_names, digestmod, +def generate_hmac_test(param_loader, path, file_names, algorithm, only_if=None, skip_message=None): def test_hmac(self): for backend in _ALL_BACKENDS: @@ -138,7 +138,7 @@ def generate_hmac_test(param_loader, path, file_names, digestmod, yield ( hmac_test, backend, - digestmod, + algorithm, params, only_if, skip_message @@ -146,18 +146,15 @@ def generate_hmac_test(param_loader, path, file_names, digestmod, return test_hmac -def hmac_test(backend, digestmod, params, only_if, skip_message): +def hmac_test(backend, algorithm, params, only_if, skip_message): if only_if is not None and not only_if(backend): pytest.skip(skip_message) msg = params[0] md = params[1] key = params[2] - h = hmac.HMAC(binascii.unhexlify(key), digestmod=digestmod) + h = hmac.HMAC(binascii.unhexlify(key), algorithm) h.update(binascii.unhexlify(msg)) - assert h.hexdigest() == md - digest = hmac.HMAC(binascii.unhexlify(key), digestmod=digestmod, - msg=binascii.unhexlify(msg)).hexdigest() - assert digest == md + assert h.finalize() == binascii.unhexlify(md.encode("ascii")) def generate_base_hmac_test(hash_cls, only_if=None, skip_message=None): @@ -173,11 +170,11 @@ def generate_base_hmac_test(hash_cls, only_if=None, skip_message=None): return test_base_hmac -def base_hmac_test(backend, digestmod, only_if, skip_message): +def base_hmac_test(backend, algorithm, only_if, skip_message): if only_if is not None and not only_if(backend): pytest.skip(skip_message) key = b"ab" - h = hmac.HMAC(binascii.unhexlify(key), digestmod=digestmod) + h = hmac.HMAC(binascii.unhexlify(key), algorithm) h_copy = h.copy() assert h != h_copy assert h._ctx != h_copy._ctx |