diff options
-rw-r--r-- | cryptography/fernet.py | 12 | ||||
-rw-r--r-- | cryptography/hazmat/primitives/cmac.py | 8 | ||||
-rw-r--r-- | cryptography/hazmat/primitives/constant_time.py | 5 | ||||
-rw-r--r-- | cryptography/hazmat/primitives/hashes.py | 4 | ||||
-rw-r--r-- | cryptography/hazmat/primitives/hmac.py | 8 | ||||
-rw-r--r-- | cryptography/hazmat/primitives/kdf/hkdf.py | 24 | ||||
-rw-r--r-- | cryptography/hazmat/primitives/kdf/pbkdf2.py | 14 | ||||
-rw-r--r-- | cryptography/hazmat/primitives/padding.py | 8 | ||||
-rw-r--r-- | docs/fernet.rst | 6 | ||||
-rw-r--r-- | docs/hazmat/primitives/constant-time.rst | 2 | ||||
-rw-r--r-- | docs/hazmat/primitives/cryptographic-hashes.rst | 1 | ||||
-rw-r--r-- | docs/hazmat/primitives/key-derivation-functions.rst | 13 | ||||
-rw-r--r-- | docs/hazmat/primitives/mac/cmac.rst | 3 | ||||
-rw-r--r-- | docs/hazmat/primitives/mac/hmac.rst | 3 | ||||
-rw-r--r-- | docs/hazmat/primitives/padding.rst | 1 |
15 files changed, 60 insertions, 52 deletions
diff --git a/cryptography/fernet.py b/cryptography/fernet.py index 674ce8ae..93eb32bd 100644 --- a/cryptography/fernet.py +++ b/cryptography/fernet.py @@ -60,10 +60,8 @@ class Fernet(object): return self._encrypt_from_parts(data, current_time, iv) def _encrypt_from_parts(self, data, current_time, iv): - if isinstance(data, six.text_type): - raise TypeError( - "Unicode-objects must be encoded before encryption" - ) + if not isinstance(data, six.binary_type): + raise TypeError("data must be bytes") padder = padding.PKCS7(algorithms.AES.block_size).padder() padded_data = padder.update(data) + padder.finalize() @@ -82,10 +80,8 @@ class Fernet(object): return base64.urlsafe_b64encode(basic_parts + hmac) def decrypt(self, token, ttl=None): - if isinstance(token, six.text_type): - raise TypeError( - "Unicode-objects must be encoded before decryption" - ) + if not isinstance(token, six.binary_type): + raise TypeError("token must be bytes") current_time = int(time.time()) diff --git a/cryptography/hazmat/primitives/cmac.py b/cryptography/hazmat/primitives/cmac.py index 7e7f65ab..b01c5170 100644 --- a/cryptography/hazmat/primitives/cmac.py +++ b/cryptography/hazmat/primitives/cmac.py @@ -47,8 +47,8 @@ class CMAC(object): def update(self, data): if self._ctx is None: raise AlreadyFinalized("Context was already finalized") - if isinstance(data, six.text_type): - raise TypeError("Unicode-objects must be encoded before hashing") + if not isinstance(data, six.binary_type): + raise TypeError("data must be bytes") self._ctx.update(data) def finalize(self): @@ -59,8 +59,8 @@ class CMAC(object): return digest def verify(self, signature): - if isinstance(signature, six.text_type): - raise TypeError("Unicode-objects must be encoded before verifying") + if not isinstance(signature, six.binary_type): + raise TypeError("signature must be bytes") digest = self.finalize() if not constant_time.bytes_eq(digest, signature): raise InvalidSignature("Signature did not match digest.") diff --git a/cryptography/hazmat/primitives/constant_time.py b/cryptography/hazmat/primitives/constant_time.py index e0e9aa37..6d325a9d 100644 --- a/cryptography/hazmat/primitives/constant_time.py +++ b/cryptography/hazmat/primitives/constant_time.py @@ -57,7 +57,8 @@ _lib = _ffi.verify( def bytes_eq(a, b): - if isinstance(a, six.text_type) or isinstance(b, six.text_type): - raise TypeError("Unicode-objects must be encoded before comparing") + if (not isinstance(a, six.binary_type) or + not isinstance(b, six.binary_type)): + raise TypeError("a and b must be bytes") return _lib.Cryptography_constant_time_bytes_eq(a, len(a), b, len(b)) == 1 diff --git a/cryptography/hazmat/primitives/hashes.py b/cryptography/hazmat/primitives/hashes.py index 35b677b0..2efd8484 100644 --- a/cryptography/hazmat/primitives/hashes.py +++ b/cryptography/hazmat/primitives/hashes.py @@ -46,8 +46,8 @@ class Hash(object): def update(self, data): if self._ctx is None: raise AlreadyFinalized("Context was already finalized") - if isinstance(data, six.text_type): - raise TypeError("Unicode-objects must be encoded before hashing") + if not isinstance(data, six.binary_type): + raise TypeError("data must be bytes") self._ctx.update(data) def copy(self): diff --git a/cryptography/hazmat/primitives/hmac.py b/cryptography/hazmat/primitives/hmac.py index afbb2f75..5d7bad59 100644 --- a/cryptography/hazmat/primitives/hmac.py +++ b/cryptography/hazmat/primitives/hmac.py @@ -46,8 +46,8 @@ class HMAC(object): def update(self, msg): if self._ctx is None: raise AlreadyFinalized("Context was already finalized") - if isinstance(msg, six.text_type): - raise TypeError("Unicode-objects must be encoded before hashing") + if not isinstance(msg, six.binary_type): + raise TypeError("msg must be bytes") self._ctx.update(msg) def copy(self): @@ -68,8 +68,8 @@ class HMAC(object): return digest def verify(self, signature): - if isinstance(signature, six.text_type): - raise TypeError("Unicode-objects must be encoded before verifying") + if not isinstance(signature, six.binary_type): + raise TypeError("signature must be bytes") digest = self.finalize() if not constant_time.bytes_eq(digest, signature): raise InvalidSignature("Signature did not match digest.") diff --git a/cryptography/hazmat/primitives/kdf/hkdf.py b/cryptography/hazmat/primitives/kdf/hkdf.py index daa8fcc7..adeecaff 100644 --- a/cryptography/hazmat/primitives/kdf/hkdf.py +++ b/cryptography/hazmat/primitives/kdf/hkdf.py @@ -34,9 +34,8 @@ class HKDF(object): self._algorithm = algorithm - if isinstance(salt, six.text_type): - raise TypeError( - "Unicode-objects must be encoded before using them as a salt.") + if not isinstance(salt, six.binary_type) and salt is not None: + raise TypeError("salt must be bytes") if salt is None: salt = b"\x00" * (self._algorithm.digest_size // 8) @@ -53,11 +52,8 @@ class HKDF(object): return h.finalize() def derive(self, key_material): - if isinstance(key_material, six.text_type): - raise TypeError( - "Unicode-objects must be encoded before using them as key " - "material." - ) + if not isinstance(key_material, six.binary_type): + raise TypeError("key_material must be bytes") return self._hkdf_expand.derive(self._extract(key_material)) @@ -89,9 +85,8 @@ class HKDFExpand(object): self._length = length - if isinstance(info, six.text_type): - raise TypeError( - "Unicode-objects must be encoded before using them as info.") + if not isinstance(info, six.binary_type) and info is not None: + raise TypeError("info must be bytes") if info is None: info = b"" @@ -115,11 +110,8 @@ class HKDFExpand(object): return b"".join(output)[:self._length] def derive(self, key_material): - if isinstance(key_material, six.text_type): - raise TypeError( - "Unicode-objects must be encoded before using them as key" - "material." - ) + if not isinstance(key_material, six.binary_type): + raise TypeError("key_material must be bytes") if self._used: raise AlreadyFinalized diff --git a/cryptography/hazmat/primitives/kdf/pbkdf2.py b/cryptography/hazmat/primitives/kdf/pbkdf2.py index bec35bb2..66a9b462 100644 --- a/cryptography/hazmat/primitives/kdf/pbkdf2.py +++ b/cryptography/hazmat/primitives/kdf/pbkdf2.py @@ -41,11 +41,8 @@ class PBKDF2HMAC(object): self._used = False self._algorithm = algorithm self._length = length - if isinstance(salt, six.text_type): - raise TypeError( - "Unicode-objects must be encoded before using them as key " - "material." - ) + if not isinstance(salt, six.binary_type): + raise TypeError("salt must be bytes") self._salt = salt self._iterations = iterations self._backend = backend @@ -55,11 +52,8 @@ class PBKDF2HMAC(object): raise AlreadyFinalized("PBKDF2 instances can only be used once") self._used = True - if isinstance(key_material, six.text_type): - raise TypeError( - "Unicode-objects must be encoded before using them as key " - "material." - ) + if not isinstance(key_material, six.binary_type): + raise TypeError("key_material must be bytes") return self._backend.derive_pbkdf2_hmac( self._algorithm, self._length, diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index c1a763b5..e8e6a6df 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -104,8 +104,8 @@ class _PKCS7PaddingContext(object): if self._buffer is None: raise AlreadyFinalized("Context was already finalized") - if isinstance(data, six.text_type): - raise TypeError("Unicode-objects must be encoded before padding") + if not isinstance(data, six.binary_type): + raise TypeError("data must be bytes") self._buffer += data @@ -137,8 +137,8 @@ class _PKCS7UnpaddingContext(object): if self._buffer is None: raise AlreadyFinalized("Context was already finalized") - if isinstance(data, six.text_type): - raise TypeError("Unicode-objects must be encoded before unpadding") + if not isinstance(data, six.binary_type): + raise TypeError("data must be bytes") self._buffer += data diff --git a/docs/fernet.rst b/docs/fernet.rst index f55a2d60..1c4918ad 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst @@ -34,12 +34,13 @@ symmetric (also known as "secret key") authenticated cryptography. they'll also be able forge arbitrary messages that will be authenticated and decrypted. - .. method:: encrypt(plaintext) + .. method:: encrypt(data) - :param bytes plaintext: The message you would like to encrypt. + :param bytes data: The message you would like to encrypt. :returns bytes: A secure message that cannot be read or altered without the key. It is URL-safe base64-encoded. This is referred to as a "Fernet token". + :raises TypeError: This exception is raised if ``data`` is not ``bytes``. .. note:: @@ -66,6 +67,7 @@ symmetric (also known as "secret key") authenticated cryptography. ``ttl``, it is malformed, or it does not have a valid signature. + :raises TypeError: This exception is raised if ``token`` is not ``bytes``. .. class:: InvalidToken diff --git a/docs/hazmat/primitives/constant-time.rst b/docs/hazmat/primitives/constant-time.rst index c6fcb3a3..1394b6b3 100644 --- a/docs/hazmat/primitives/constant-time.rst +++ b/docs/hazmat/primitives/constant-time.rst @@ -36,6 +36,8 @@ about the timing attacks on KeyCzar and Java's ``MessageDigest.isEqual()``. :param bytes b: The right-hand side. :returns bool: ``True`` if ``a`` has the same bytes as ``b``, otherwise ``False``. + :raises TypeError: This exception is raised if ``a`` or ``b`` is not + ``bytes``. .. _`Coda Hale's blog post`: http://codahale.com/a-lesson-in-timing-attacks/ diff --git a/docs/hazmat/primitives/cryptographic-hashes.rst b/docs/hazmat/primitives/cryptographic-hashes.rst index 773d97f6..7e5295c4 100644 --- a/docs/hazmat/primitives/cryptographic-hashes.rst +++ b/docs/hazmat/primitives/cryptographic-hashes.rst @@ -54,6 +54,7 @@ Message digests :param bytes data: The bytes to be hashed. :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize`. + :raises TypeError: This exception is raised if ``data`` is not ``bytes``. .. method:: copy() diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index de6bf5f8..f68b12c1 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst @@ -88,6 +88,8 @@ Different KDFs are suitable for different tasks such as: provided ``backend`` does not implement :class:`~cryptography.hazmat.backends.interfaces.PBKDF2HMACBackend` + :raises TypeError: This exception is raised if ``salt`` is not ``bytes``. + .. method:: derive(key_material) :param bytes key_material: The input key material. For PBKDF2 this @@ -99,6 +101,9 @@ Different KDFs are suitable for different tasks such as: called more than once. + :raises TypeError: This exception is raised if ``key_material`` is not + ``bytes``. + This generates and returns a new key from the supplied password. .. method:: verify(key_material, expected_key) @@ -191,10 +196,15 @@ Different KDFs are suitable for different tasks such as: provided ``backend`` does not implement :class:`~cryptography.hazmat.backends.interfaces.HMACBackend` + :raises TypeError: This exception is raised if ``salt`` or ``info`` is not + ``bytes``. + .. method:: derive(key_material) :param bytes key_material: The input key material. :return bytes: The derived key. + :raises TypeError: This exception is raised if ``key_material`` is not + ``bytes``. Derives a new key from the input key material by performing both the extract and expand operations. @@ -277,6 +287,7 @@ Different KDFs are suitable for different tasks such as: provided ``backend`` does not implement :class:`~cryptography.hazmat.backends.interfaces.HMACBackend` :raises TypeError: This is raised if the provided ``info`` is a unicode object + :raises TypeError: This exception is raised if ``info`` is not ``bytes``. .. method:: derive(key_material) @@ -285,6 +296,8 @@ Different KDFs are suitable for different tasks such as: :raises TypeError: This is raised if the provided ``key_material`` is a unicode object + :raises TypeError: This exception is raised if ``key_material`` is not + ``bytes``. Derives a new key from the input key material by performing both the extract and expand operations. diff --git a/docs/hazmat/primitives/mac/cmac.rst b/docs/hazmat/primitives/mac/cmac.rst index 1fde1398..23b1fea2 100644 --- a/docs/hazmat/primitives/mac/cmac.rst +++ b/docs/hazmat/primitives/mac/cmac.rst @@ -68,6 +68,7 @@ A subset of CMAC with the AES-128 algorithm is described in :rfc:`4493`. :param bytes data: The bytes to hash and authenticate. :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` + :raises TypeError: This exception is raised if ``data`` is not ``bytes``. .. method:: copy() @@ -89,6 +90,8 @@ A subset of CMAC with the AES-128 algorithm is described in :rfc:`4493`. :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` :raises cryptography.exceptions.InvalidSignature: If signature does not match digest + :raises TypeError: This exception is raised if ``signature`` is not + ``bytes``. .. method:: finalize() diff --git a/docs/hazmat/primitives/mac/hmac.rst b/docs/hazmat/primitives/mac/hmac.rst index e20a4034..d56927b9 100644 --- a/docs/hazmat/primitives/mac/hmac.rst +++ b/docs/hazmat/primitives/mac/hmac.rst @@ -69,6 +69,7 @@ of a message. :param bytes msg: The bytes to hash and authenticate. :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` + :raises TypeError: This exception is raised if ``msg`` is not ``bytes``. .. method:: copy() @@ -90,6 +91,8 @@ of a message. :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` :raises cryptography.exceptions.InvalidSignature: If signature does not match digest + :raises TypeError: This exception is raised if ``signature`` is not + ``bytes``. .. method:: finalize() diff --git a/docs/hazmat/primitives/padding.rst b/docs/hazmat/primitives/padding.rst index 4092ac00..0322f9d2 100644 --- a/docs/hazmat/primitives/padding.rst +++ b/docs/hazmat/primitives/padding.rst @@ -70,6 +70,7 @@ multiple of the block size. :return bytes: Returns the data that was padded or unpadded. :raises TypeError: Raised if data is not bytes. :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize`. + :raises TypeError: This exception is raised if ``data`` is not ``bytes``. .. method:: finalize() |