From e9d22379dd246d88d483a010be5737718e700f9b Mon Sep 17 00:00:00 2001 From: Ayrx Date: Mon, 5 May 2014 13:25:11 +0800 Subject: Added HKDFExpandOnly --- cryptography/hazmat/primitives/kdf/hkdf.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/cryptography/hazmat/primitives/kdf/hkdf.py b/cryptography/hazmat/primitives/kdf/hkdf.py index 03500aaa..78c5bfc1 100644 --- a/cryptography/hazmat/primitives/kdf/hkdf.py +++ b/cryptography/hazmat/primitives/kdf/hkdf.py @@ -100,3 +100,25 @@ class HKDF(object): def verify(self, key_material, expected_key): if not constant_time.bytes_eq(self.derive(key_material), expected_key): raise InvalidKey + +@utils.register_interface(interfaces.KeyDerivationFunction) +class HKDFExpandOnly(HKDF): + def __init__(self, algorithm, length, info, backend): + HKDF.__init__(self, algorithm, length, None, info, backend) + + def derive(self, key_material): + if isinstance(key_material, six.text_type): + raise TypeError( + "Unicode-objects must be encoded before using them as key" + "material." + ) + + if self._used: + raise AlreadyFinalized + + self._used = True + return self._expand(key_material) + + def verify(self, key_material, expected_key): + if not constant_time.bytes_eq(self.derive(key_material), expected_key): + raise InvalidKey -- cgit v1.2.3 From f1981a612ea70710138a701138c269655b16985b Mon Sep 17 00:00:00 2001 From: Ayrx Date: Mon, 5 May 2014 14:18:54 +0800 Subject: Added tests for HKDFExpandOnly --- tests/hazmat/primitives/test_hkdf.py | 60 +++++++++++++++++++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/tests/hazmat/primitives/test_hkdf.py b/tests/hazmat/primitives/test_hkdf.py index 2e3c0c3d..f46ca1c0 100644 --- a/tests/hazmat/primitives/test_hkdf.py +++ b/tests/hazmat/primitives/test_hkdf.py @@ -13,6 +13,8 @@ from __future__ import absolute_import, division, print_function +import binascii + import pytest import six @@ -21,7 +23,7 @@ from cryptography.exceptions import ( AlreadyFinalized, InvalidKey, _Reasons ) from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.kdf.hkdf import HKDF +from cryptography.hazmat.primitives.kdf.hkdf import HKDF, HKDFExpandOnly from ...utils import raises_unsupported_algorithm @@ -151,6 +153,62 @@ class TestHKDF(object): hkdf.verify(b"foo", six.u("bar")) +@pytest.mark.hmac +class TestHKDFExpandOnly(object): + def test_derive(self, backend): + prk = binascii.unhexlify( + b"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5" + ) + + okm = (b"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c" + "5bf34007208d5b887185865") + + info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") + hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) + + assert binascii.hexlify(hkdf.derive(prk)) == okm + + def test_verify(self, backend): + prk = binascii.unhexlify( + b"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5" + ) + + okm = (b"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c" + "5bf34007208d5b887185865") + + info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") + hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) + + assert hkdf.verify(prk, binascii.unhexlify(okm)) is None + + def test_invalid_verify(self, backend): + prk = binascii.unhexlify( + b"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5" + ) + + info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") + hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) + + with pytest.raises(InvalidKey): + hkdf.verify(prk, b"wrong key") + + def test_already_finalized(self, backend): + info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") + hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) + + hkdf.derive("first") + + with pytest.raises(AlreadyFinalized): + hkdf.derive("second") + + def test_unicode_error(self, backend): + info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") + hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) + + with pytest.raises(TypeError): + hkdf.derive(six.u("first")) + + def test_invalid_backend(): pretend_backend = object() -- cgit v1.2.3 From 7cc0c834ff41f6309d0ccba7a5e3534932702bf8 Mon Sep 17 00:00:00 2001 From: Ayrx Date: Tue, 6 May 2014 13:33:48 +0800 Subject: Fixed test failures --- cryptography/hazmat/primitives/kdf/hkdf.py | 1 + tests/hazmat/primitives/test_hkdf.py | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/cryptography/hazmat/primitives/kdf/hkdf.py b/cryptography/hazmat/primitives/kdf/hkdf.py index 78c5bfc1..6d34a0f7 100644 --- a/cryptography/hazmat/primitives/kdf/hkdf.py +++ b/cryptography/hazmat/primitives/kdf/hkdf.py @@ -101,6 +101,7 @@ class HKDF(object): if not constant_time.bytes_eq(self.derive(key_material), expected_key): raise InvalidKey + @utils.register_interface(interfaces.KeyDerivationFunction) class HKDFExpandOnly(HKDF): def __init__(self, algorithm, length, info, backend): diff --git a/tests/hazmat/primitives/test_hkdf.py b/tests/hazmat/primitives/test_hkdf.py index f46ca1c0..904ed69c 100644 --- a/tests/hazmat/primitives/test_hkdf.py +++ b/tests/hazmat/primitives/test_hkdf.py @@ -161,7 +161,7 @@ class TestHKDFExpandOnly(object): ) okm = (b"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c" - "5bf34007208d5b887185865") + b"5bf34007208d5b887185865") info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) @@ -174,7 +174,7 @@ class TestHKDFExpandOnly(object): ) okm = (b"3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c" - "5bf34007208d5b887185865") + b"5bf34007208d5b887185865") info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) @@ -196,10 +196,10 @@ class TestHKDFExpandOnly(object): info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) - hkdf.derive("first") + hkdf.derive(b"first") with pytest.raises(AlreadyFinalized): - hkdf.derive("second") + hkdf.derive(b"second") def test_unicode_error(self, backend): info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") -- cgit v1.2.3 From 9d72f12dcb28191f87fde9740899a39060e14495 Mon Sep 17 00:00:00 2001 From: Ayrx Date: Tue, 6 May 2014 20:27:51 +0800 Subject: Added documentation --- .../hazmat/primitives/key-derivation-functions.rst | 86 ++++++++++++++++++++++ 1 file changed, 86 insertions(+) diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index 269f949d..9b76bf64 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst @@ -219,6 +219,92 @@ Different KDFs are suitable for different tasks such as: ``key_material`` generates the same key as the ``expected_key``, and raises an exception if they do not match. + +.. class:: HKDFExpandOnly(algorithm, length, info, backend) + + .. versionadded:: 0.5 + + HKDF consists of two stages, extract and expand. This class exposes an + expand only version of HKDF that is suitable when the key material is + already cryptographically strong. + + .. warning:: + + HKDFExpandOnly should only be used if the key material is + cryptographically strong. You should use + :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF` if + you are unsure. + + .. doctest:: + + >>> import os + >>> from cryptography.hazmat.primitives import hashes + >>> from cryptography.hazmat.primitives.kdf.hkdf import HKDFExpandOnly + >>> from cryptography.hazmat.backends import default_backend + >>> backend = default_backend() + >>> info = b"hkdf-example" + >>> key_material = os.urandom(16) + >>> hkdf = HKDFExpandOnly( + ... algorithm=hashes.SHA256(), + ... length=32, + ... info=info, + ... backend=backend + ... ) + >>> key = hkdf.derive(key_material) + >>> hkdf = HKDFExpandOnly( + ... algorithm=hashes.SHA256(), + ... length=32, + ... info=info, + ... backend=backend + ... ) + >>> hkdf.verify(key_material, key) + + :param algorithm: An instance of a + :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm` + provider. + + :param int length: The desired length of the derived key. Maximum is + ``255 * (algorithm.digest_size // 8)``. + + :param bytes info: Application specific context information. If ``None`` + is explicitly passed an empty byte string will be used. + + :param backend: A + :class:`~cryptography.hazmat.backends.interfaces.HMACBackend` + provider. + + :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised if the + provided ``backend`` does not implement + :class:`~cryptography.hazmat.backends.interfaces.HMACBackend` + + .. method:: derive(key_material) + + :param bytes key_material: The input key material. + :return bytes: The derived key. + + Derives a new key from the input key material by performing both the + extract and expand operations. + + .. method:: verify(key_material, expected_key) + + :param key_material bytes: The input key material. This is the same as + ``key_material`` in :meth:`derive`. + :param expected_key bytes: The expected result of deriving a new key, + this is the same as the return value of + :meth:`derive`. + :raises cryptography.exceptions.InvalidKey: This is raised when the + derived key does not match + the expected key. + :raises cryptography.exceptions.AlreadyFinalized: This is raised when + :meth:`derive` or + :meth:`verify` is + called more than + once. + + This checks whether deriving a new key from the supplied + ``key_material`` generates the same key as the ``expected_key``, and + raises an exception if they do not match. + .. _`NIST SP 800-132`: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf .. _`Password Storage Cheat Sheet`: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet .. _`PBKDF2`: https://en.wikipedia.org/wiki/PBKDF2 -- cgit v1.2.3 From c0ce911b4e971f3090d406cb88dea532647eeac6 Mon Sep 17 00:00:00 2001 From: Ayrx Date: Wed, 7 May 2014 16:22:09 +0800 Subject: Renamed HKDFExpandOnly to HKDFExpand --- cryptography/hazmat/primitives/kdf/hkdf.py | 2 +- docs/hazmat/primitives/key-derivation-functions.rst | 10 +++++----- tests/hazmat/primitives/test_hkdf.py | 14 +++++++------- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/cryptography/hazmat/primitives/kdf/hkdf.py b/cryptography/hazmat/primitives/kdf/hkdf.py index 6d34a0f7..44e14817 100644 --- a/cryptography/hazmat/primitives/kdf/hkdf.py +++ b/cryptography/hazmat/primitives/kdf/hkdf.py @@ -103,7 +103,7 @@ class HKDF(object): @utils.register_interface(interfaces.KeyDerivationFunction) -class HKDFExpandOnly(HKDF): +class HKDFExpand(HKDF): def __init__(self, algorithm, length, info, backend): HKDF.__init__(self, algorithm, length, None, info, backend) diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index 9b76bf64..11fbd4e0 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst @@ -220,7 +220,7 @@ Different KDFs are suitable for different tasks such as: raises an exception if they do not match. -.. class:: HKDFExpandOnly(algorithm, length, info, backend) +.. class:: HKDFExpand(algorithm, length, info, backend) .. versionadded:: 0.5 @@ -230,7 +230,7 @@ Different KDFs are suitable for different tasks such as: .. warning:: - HKDFExpandOnly should only be used if the key material is + HKDFExpand should only be used if the key material is cryptographically strong. You should use :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF` if you are unsure. @@ -239,19 +239,19 @@ Different KDFs are suitable for different tasks such as: >>> import os >>> from cryptography.hazmat.primitives import hashes - >>> from cryptography.hazmat.primitives.kdf.hkdf import HKDFExpandOnly + >>> from cryptography.hazmat.primitives.kdf.hkdf import HKDFExpand >>> from cryptography.hazmat.backends import default_backend >>> backend = default_backend() >>> info = b"hkdf-example" >>> key_material = os.urandom(16) - >>> hkdf = HKDFExpandOnly( + >>> hkdf = HKDFExpand( ... algorithm=hashes.SHA256(), ... length=32, ... info=info, ... backend=backend ... ) >>> key = hkdf.derive(key_material) - >>> hkdf = HKDFExpandOnly( + >>> hkdf = HKDFExpand( ... algorithm=hashes.SHA256(), ... length=32, ... info=info, diff --git a/tests/hazmat/primitives/test_hkdf.py b/tests/hazmat/primitives/test_hkdf.py index 904ed69c..bee42172 100644 --- a/tests/hazmat/primitives/test_hkdf.py +++ b/tests/hazmat/primitives/test_hkdf.py @@ -23,7 +23,7 @@ from cryptography.exceptions import ( AlreadyFinalized, InvalidKey, _Reasons ) from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.kdf.hkdf import HKDF, HKDFExpandOnly +from cryptography.hazmat.primitives.kdf.hkdf import HKDF, HKDFExpand from ...utils import raises_unsupported_algorithm @@ -154,7 +154,7 @@ class TestHKDF(object): @pytest.mark.hmac -class TestHKDFExpandOnly(object): +class TestHKDFExpand(object): def test_derive(self, backend): prk = binascii.unhexlify( b"077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5" @@ -164,7 +164,7 @@ class TestHKDFExpandOnly(object): b"5bf34007208d5b887185865") info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") - hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) + hkdf = HKDFExpand(hashes.SHA256(), 42, info, backend) assert binascii.hexlify(hkdf.derive(prk)) == okm @@ -177,7 +177,7 @@ class TestHKDFExpandOnly(object): b"5bf34007208d5b887185865") info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") - hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) + hkdf = HKDFExpand(hashes.SHA256(), 42, info, backend) assert hkdf.verify(prk, binascii.unhexlify(okm)) is None @@ -187,14 +187,14 @@ class TestHKDFExpandOnly(object): ) info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") - hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) + hkdf = HKDFExpand(hashes.SHA256(), 42, info, backend) with pytest.raises(InvalidKey): hkdf.verify(prk, b"wrong key") def test_already_finalized(self, backend): info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") - hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) + hkdf = HKDFExpand(hashes.SHA256(), 42, info, backend) hkdf.derive(b"first") @@ -203,7 +203,7 @@ class TestHKDFExpandOnly(object): def test_unicode_error(self, backend): info = binascii.unhexlify(b"f0f1f2f3f4f5f6f7f8f9") - hkdf = HKDFExpandOnly(hashes.SHA256(), 42, info, backend) + hkdf = HKDFExpand(hashes.SHA256(), 42, info, backend) with pytest.raises(TypeError): hkdf.derive(six.u("first")) -- cgit v1.2.3 From ac1a079f9baf441c262fd11628f3e3d06f73129d Mon Sep 17 00:00:00 2001 From: Ayrx Date: Wed, 7 May 2014 17:02:21 +0800 Subject: Modified HKDF to use HKDFExpand --- cryptography/hazmat/primitives/kdf/hkdf.py | 81 +++++++++++++++++------------- tests/hazmat/primitives/test_hkdf.py | 3 ++ tests/hazmat/primitives/utils.py | 5 +- 3 files changed, 52 insertions(+), 37 deletions(-) diff --git a/cryptography/hazmat/primitives/kdf/hkdf.py b/cryptography/hazmat/primitives/kdf/hkdf.py index 44e14817..d49cc5bd 100644 --- a/cryptography/hazmat/primitives/kdf/hkdf.py +++ b/cryptography/hazmat/primitives/kdf/hkdf.py @@ -34,16 +34,6 @@ class HKDF(object): self._algorithm = algorithm - max_length = 255 * (algorithm.digest_size // 8) - - if length > max_length: - raise ValueError( - "Can not derive keys larger than {0} octets.".format( - max_length - )) - - self._length = length - if isinstance(salt, six.text_type): raise TypeError( "Unicode-objects must be encoded before using them as a salt.") @@ -53,37 +43,17 @@ class HKDF(object): self._salt = salt - if isinstance(info, six.text_type): - raise TypeError( - "Unicode-objects must be encoded before using them as info.") - - if info is None: - info = b"" - - self._info = info self._backend = backend self._used = False + self._hkdf_expand = HKDFExpand(self._algorithm, length, info, backend) + def _extract(self, key_material): h = hmac.HMAC(self._salt, self._algorithm, backend=self._backend) h.update(key_material) return h.finalize() - def _expand(self, key_material): - output = [b""] - counter = 1 - - while (self._algorithm.digest_size // 8) * len(output) < self._length: - h = hmac.HMAC(key_material, self._algorithm, backend=self._backend) - h.update(output[-1]) - h.update(self._info) - h.update(six.int2byte(counter)) - output.append(h.finalize()) - counter += 1 - - return b"".join(output)[:self._length] - def derive(self, key_material): if isinstance(key_material, six.text_type): raise TypeError( @@ -95,7 +65,7 @@ class HKDF(object): raise AlreadyFinalized self._used = True - return self._expand(self._extract(key_material)) + return self._hkdf_expand.derive(self._extract(key_material)) def verify(self, key_material, expected_key): if not constant_time.bytes_eq(self.derive(key_material), expected_key): @@ -105,7 +75,50 @@ class HKDF(object): @utils.register_interface(interfaces.KeyDerivationFunction) class HKDFExpand(HKDF): def __init__(self, algorithm, length, info, backend): - HKDF.__init__(self, algorithm, length, None, info, backend) + if not isinstance(backend, HMACBackend): + raise UnsupportedAlgorithm( + "Backend object does not implement HMACBackend", + _Reasons.BACKEND_MISSING_INTERFACE + ) + + self._algorithm = algorithm + + self._backend = backend + + max_length = 255 * (algorithm.digest_size // 8) + + if length > max_length: + raise ValueError( + "Can not derive keys larger than {0} octets.".format( + max_length + )) + + self._length = length + + if isinstance(info, six.text_type): + raise TypeError( + "Unicode-objects must be encoded before using them as info.") + + if info is None: + info = b"" + + self._info = info + + self._used = False + + def _expand(self, key_material): + output = [b""] + counter = 1 + + while (self._algorithm.digest_size // 8) * len(output) < self._length: + h = hmac.HMAC(key_material, self._algorithm, backend=self._backend) + h.update(output[-1]) + h.update(self._info) + h.update(six.int2byte(counter)) + output.append(h.finalize()) + counter += 1 + + return b"".join(output)[:self._length] def derive(self, key_material): if isinstance(key_material, six.text_type): diff --git a/tests/hazmat/primitives/test_hkdf.py b/tests/hazmat/primitives/test_hkdf.py index bee42172..598f09f0 100644 --- a/tests/hazmat/primitives/test_hkdf.py +++ b/tests/hazmat/primitives/test_hkdf.py @@ -214,3 +214,6 @@ def test_invalid_backend(): with raises_unsupported_algorithm(_Reasons.BACKEND_MISSING_INTERFACE): HKDF(hashes.SHA256(), 16, None, None, pretend_backend) + + with raises_unsupported_algorithm(_Reasons.BACKEND_MISSING_INTERFACE): + HKDFExpand(hashes.SHA256(), 16, None, pretend_backend) diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 6c3f4c95..7cf5efd0 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -26,7 +26,7 @@ from cryptography.exceptions import ( from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.ciphers import Cipher -from cryptography.hazmat.primitives.kdf.hkdf import HKDF +from cryptography.hazmat.primitives.kdf.hkdf import HKDF, HKDFExpand from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC from ...utils import load_vectors_from_file @@ -347,10 +347,9 @@ def hkdf_extract_test(backend, algorithm, params): def hkdf_expand_test(backend, algorithm, params): - hkdf = HKDF( + hkdf = HKDFExpand( algorithm, int(params["l"]), - salt=binascii.unhexlify(params["salt"]) or None, info=binascii.unhexlify(params["info"]) or None, backend=backend ) -- cgit v1.2.3 From 2d6cd449f1ad3448798d77d9216aded95b861a8d Mon Sep 17 00:00:00 2001 From: Ayrx Date: Fri, 9 May 2014 14:48:06 +0800 Subject: Minor fixes --- cryptography/hazmat/primitives/kdf/hkdf.py | 8 +------- tests/hazmat/primitives/utils.py | 2 +- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/cryptography/hazmat/primitives/kdf/hkdf.py b/cryptography/hazmat/primitives/kdf/hkdf.py index d49cc5bd..daa8fcc7 100644 --- a/cryptography/hazmat/primitives/kdf/hkdf.py +++ b/cryptography/hazmat/primitives/kdf/hkdf.py @@ -45,8 +45,6 @@ class HKDF(object): self._backend = backend - self._used = False - self._hkdf_expand = HKDFExpand(self._algorithm, length, info, backend) def _extract(self, key_material): @@ -61,10 +59,6 @@ class HKDF(object): "material." ) - if self._used: - raise AlreadyFinalized - - self._used = True return self._hkdf_expand.derive(self._extract(key_material)) def verify(self, key_material, expected_key): @@ -73,7 +67,7 @@ class HKDF(object): @utils.register_interface(interfaces.KeyDerivationFunction) -class HKDFExpand(HKDF): +class HKDFExpand(object): def __init__(self, algorithm, length, info, backend): if not isinstance(backend, HMACBackend): raise UnsupportedAlgorithm( diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 7cf5efd0..a496459b 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -354,7 +354,7 @@ def hkdf_expand_test(backend, algorithm, params): backend=backend ) - okm = hkdf._expand(binascii.unhexlify(params["prk"])) + okm = hkdf.derive(binascii.unhexlify(params["prk"])) assert okm == binascii.unhexlify(params["okm"]) -- cgit v1.2.3 From c48100a9126990552197b5431d22f7a9e065baf7 Mon Sep 17 00:00:00 2001 From: Ayrx Date: Sat, 10 May 2014 13:01:46 +0800 Subject: Added missing exception to documentation --- docs/hazmat/primitives/key-derivation-functions.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index 11fbd4e0..fdc540b9 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst @@ -276,12 +276,16 @@ Different KDFs are suitable for different tasks such as: :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised if the provided ``backend`` does not implement :class:`~cryptography.hazmat.backends.interfaces.HMACBackend` + :raises TypeError: This is raised if the provided ``info`` is a unicode object .. method:: derive(key_material) :param bytes key_material: The input key material. :return bytes: The derived key. + :raises TypeError: This is raised if the provided ``key_material`` is + a unicode object + Derives a new key from the input key material by performing both the extract and expand operations. @@ -300,6 +304,8 @@ Different KDFs are suitable for different tasks such as: :meth:`verify` is called more than once. + :raises TypeError: This is raised if the provided ``key_material`` is + a unicode object This checks whether deriving a new key from the supplied ``key_material`` generates the same key as the ``expected_key``, and -- cgit v1.2.3