.. hazmat:: Hash-based Message Authentication Codes ======================================= .. currentmodule:: cryptography.hazmat.primitives.hmac .. testsetup:: import binascii key = binascii.unhexlify(b"0" * 32) Hash-based message authentication codes (or HMACs) are a tool for calculating message authentication codes using a cryptographic hash function coupled with a secret key. You can use an HMAC to verify integrity as well as authenticate a message. .. class:: HMAC(key, algorithm) HMAC objects take a ``key`` and a provider of :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`. The ``key`` should be randomly generated bytes and is recommended to be equal in length to the ``digest_size`` of the hash function chosen. You must keep the ``key`` secret. This is an implementation of :rfc:`2104`. .. doctest:: >>> from cryptography.hazmat.primitives import hashes, hmac >>> h = hmac.HMAC(key, hashes.SHA256()) >>> h.update(b"message to hash") >>> h.finalize() '#F\xdaI\x8b"e\xc4\xf1\xbb\x9a\x8fc\xff\xf5\xdex.\xbc\xcd/+\x8a\x86\x1d\x84\'\xc3\xa6\x1d\xd8J' .. method:: update(msg) :param bytes msg: The bytes to hash and authenticate. :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` .. method:: copy() Copy this :class:`HMAC` instance, usually so that we may call :meth:`finalize` and get an intermediate digest value while we continue to call :meth:`update` on the original. :return: A new instance of :class:`HMAC` which can be updated and finalized independently of the original instance. :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` .. method:: finalize() Finalize the current context and return the message digest as bytes. Once ``finalize`` is called this object can no longer be used and :meth:`update`, :meth:`copy`, and :meth:`finalize` will raise :class:`~cryptography.exceptions.AlreadyFinalized`. :return bytes: The message digest as bytes. :raises cryptography.exceptions.AlreadyFinalized: