Merge pull request #212 from dreid/primitive-hmac

Strip down the HMAC interface to match the Hash interface.

5 files changed, 46 insertions, 65 deletions

diff --git a/cryptography/hazmat/primitives/hmac.py b/cryptography/hazmat/primitives/hmac.py
index 4da0cc3f..1457ed78 100644
--- a/cryptography/hazmat/primitives/hmac.py
+++ b/cryptography/hazmat/primitives/hmac.py
@@ -13,47 +13,39 @@
 
 from __future__ import absolute_import, division, print_function
 
-import binascii
-
 import six
 
+from cryptography.hazmat.primitives import interfaces
+
 
+@interfaces.register(interfaces.HashContext)
 class HMAC(object):
-    def __init__(self, key, msg=None, digestmod=None, ctx=None, backend=None):
+    def __init__(self, key, algorithm, ctx=None, backend=None):
         super(HMAC, self).__init__()
+        if not isinstance(algorithm, interfaces.HashAlgorithm):
+            raise TypeError("Expected instance of interfaces.HashAlgorithm.")
+        self.algorithm = algorithm
+
         if backend is None:
             from cryptography.hazmat.bindings import _default_backend
             backend = _default_backend
 
-        if digestmod is None:
-            raise TypeError("digestmod is a required argument")
-
         self._backend = backend
-        self.digestmod = digestmod
-        self.key = key
+        self._key = key
         if ctx is None:
-            self._ctx = self._backend.hmacs.create_ctx(key, self.digestmod)
+            self._ctx = self._backend.hmacs.create_ctx(key, self.algorithm)
         else:
             self._ctx = ctx
 
-        if msg is not None:
-            self.update(msg)
-
     def update(self, msg):
         if isinstance(msg, six.text_type):
             raise TypeError("Unicode-objects must be encoded before hashing")
         self._backend.hmacs.update_ctx(self._ctx, msg)
 
     def copy(self):
-        return self.__class__(self.key, digestmod=self.digestmod,
-                              backend=self._backend, ctx=self._copy_ctx())
-
-    def digest(self):
-        return self._backend.hmacs.finalize_ctx(self._copy_ctx(),
-                                                self.digestmod.digest_size)
-
-    def hexdigest(self):
-        return str(binascii.hexlify(self.digest()).decode("ascii"))
+        return self.__class__(self._key, self.algorithm, backend=self._backend,
+                              ctx=self._backend.hmacs.copy_ctx(self._ctx))
 
-    def _copy_ctx(self):
-        return self._backend.hmacs.copy_ctx(self._ctx)
+    def finalize(self):
+        return self._backend.hmacs.finalize_ctx(self._ctx,
+                                                self.algorithm.digest_size)
diff --git a/docs/hazmat/primitives/hmac.rst b/docs/hazmat/primitives/hmac.rst
index 44cc29fa..301d72d5 100644
--- a/docs/hazmat/primitives/hmac.rst
+++ b/docs/hazmat/primitives/hmac.rst
@@ -15,10 +15,10 @@ message authentication codes using a cryptographic hash function coupled with a
 secret key. You can use an HMAC to verify integrity as well as authenticate a
 message.
 
-.. class:: HMAC(key, msg=None, digestmod=None)
+.. class:: HMAC(key, algorithm)
 
-    HMAC objects take a ``key``, a hash class derived from
-    :class:`~cryptography.primitives.hashes.BaseHash`, and optional message.
+    HMAC objects take a ``key`` and a provider of
+    :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`.
     The ``key`` should be randomly generated bytes and is recommended to be
     equal in length to the ``digest_size`` of the hash function chosen.
     You must keep the ``key`` secret.
@@ -26,10 +26,10 @@ message.
     .. doctest::
 
         >>> from cryptography.hazmat.primitives import hashes, hmac
-        >>> h = hmac.HMAC(key, digestmod=hashes.SHA256)
+        >>> h = hmac.HMAC(key, hashes.SHA256())
         >>> h.update(b"message to hash")
-        >>> h.hexdigest()
-        '...'
+        >>> h.finalize()
+        '#F\xdaI\x8b"e\xc4\xf1\xbb\x9a\x8fc\xff\xf5\xdex.\xbc\xcd/+\x8a\x86\x1d\x84\'\xc3\xa6\x1d\xd8J'
 
     .. method:: update(msg)
 
@@ -39,11 +39,10 @@ message.
 
         :return: a new instance of this object with a copied internal state.
 
-    .. method:: digest()
+    .. method:: finalize()
 
-        :return bytes: The message digest as bytes.
-
-    .. method:: hexdigest()
+        Finalize the current context and return the message digest as bytes.
 
-        :return str: The message digest as hex.
+        Once ``finalize`` is called this object can no longer be used.
 
+        :return bytes: The message digest as bytes.
diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py
index 42726a7c..a44838cf 100644
--- a/tests/hazmat/primitives/test_hmac.py
+++ b/tests/hazmat/primitives/test_hmac.py
@@ -26,32 +26,25 @@ from .utils import generate_base_hmac_test
 
 class TestHMAC(object):
     test_copy = generate_base_hmac_test(
-        hashes.MD5,
+        hashes.MD5(),
         only_if=lambda backend: backend.hashes.supported(hashes.MD5),
         skip_message="Does not support MD5",
     )
 
     def test_hmac_reject_unicode(self, backend):
-        h = hmac.HMAC(key=b"mykey", digestmod=hashes.SHA1, backend=backend)
+        h = hmac.HMAC(b"mykey", hashes.SHA1(), backend=backend)
         with pytest.raises(TypeError):
             h.update(six.u("\u00FC"))
 
-    def test_base_hash_hexdigest_string_type(self, backend):
-        h = hmac.HMAC(key=b"mykey", digestmod=hashes.SHA1, backend=backend,
-                      msg=b"")
-        assert isinstance(h.hexdigest(), str)
-
-    def test_hmac_no_digestmod(self):
-        with pytest.raises(TypeError):
-            hmac.HMAC(key=b"shortkey")
-
-
-class TestCopyHMAC(object):
     def test_copy_backend_object(self):
         pretend_hmac = pretend.stub(copy_ctx=lambda a: True)
         pretend_backend = pretend.stub(hmacs=pretend_hmac)
         pretend_ctx = pretend.stub()
-        h = hmac.HMAC(b"key", digestmod=hashes.SHA1, backend=pretend_backend,
+        h = hmac.HMAC(b"key", hashes.SHA1(), backend=pretend_backend,
                       ctx=pretend_ctx)
         assert h._backend is pretend_backend
         assert h.copy()._backend is pretend_backend
+
+    def test_hmac_algorithm_instance(self):
+        with pytest.raises(TypeError):
+            hmac.HMAC(b"key", hashes.SHA1)
diff --git a/tests/hazmat/primitives/test_hmac_vectors.py b/tests/hazmat/primitives/test_hmac_vectors.py
index 27b45012..52d592b6 100644
--- a/tests/hazmat/primitives/test_hmac_vectors.py
+++ b/tests/hazmat/primitives/test_hmac_vectors.py
@@ -26,7 +26,7 @@ class TestHMAC_MD5(object):
         [
             "rfc-2202-md5.txt",
         ],
-        hashes.MD5,
+        hashes.MD5(),
         only_if=lambda backend: backend.hashes.supported(hashes.MD5),
         skip_message="Does not support MD5",
     )
@@ -39,7 +39,7 @@ class TestHMAC_SHA1(object):
         [
             "rfc-2202-sha1.txt",
         ],
-        hashes.SHA1,
+        hashes.SHA1(),
         only_if=lambda backend: backend.hashes.supported(hashes.SHA1),
         skip_message="Does not support SHA1",
     )
@@ -52,7 +52,7 @@ class TestHMAC_SHA224(object):
         [
             "rfc-4231-sha224.txt",
         ],
-        hashes.SHA224,
+        hashes.SHA224(),
         only_if=lambda backend: backend.hashes.supported(hashes.SHA224),
         skip_message="Does not support SHA224",
     )
@@ -65,7 +65,7 @@ class TestHMAC_SHA256(object):
         [
             "rfc-4231-sha256.txt",
         ],
-        hashes.SHA256,
+        hashes.SHA256(),
         only_if=lambda backend: backend.hashes.supported(hashes.SHA256),
         skip_message="Does not support SHA256",
     )
@@ -78,7 +78,7 @@ class TestHMAC_SHA384(object):
         [
             "rfc-4231-sha384.txt",
         ],
-        hashes.SHA384,
+        hashes.SHA384(),
         only_if=lambda backend: backend.hashes.supported(hashes.SHA384),
         skip_message="Does not support SHA384",
     )
@@ -91,7 +91,7 @@ class TestHMAC_SHA512(object):
         [
             "rfc-4231-sha512.txt",
         ],
-        hashes.SHA512,
+        hashes.SHA512(),
         only_if=lambda backend: backend.hashes.supported(hashes.SHA512),
         skip_message="Does not support SHA512",
     )
@@ -104,7 +104,7 @@ class TestHMAC_RIPEMD160(object):
         [
             "rfc-2286-ripemd160.txt",
         ],
-        hashes.RIPEMD160,
+        hashes.RIPEMD160(),
         only_if=lambda backend: backend.hashes.supported(hashes.RIPEMD160),
         skip_message="Does not support RIPEMD160",
     )
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
index efc5fbf0..b4a8a3e6 100644
--- a/tests/hazmat/primitives/utils.py
+++ b/tests/hazmat/primitives/utils.py
@@ -129,7 +129,7 @@ def long_string_hash_test(backend, algorithm, md, only_if, skip_message):
     assert m.finalize() == binascii.unhexlify(md.lower().encode("ascii"))
 
 
-def generate_hmac_test(param_loader, path, file_names, digestmod,
+def generate_hmac_test(param_loader, path, file_names, algorithm,
                        only_if=None, skip_message=None):
     def test_hmac(self):
         for backend in _ALL_BACKENDS:
@@ -138,7 +138,7 @@ def generate_hmac_test(param_loader, path, file_names, digestmod,
                     yield (
                         hmac_test,
                         backend,
-                        digestmod,
+                        algorithm,
                         params,
                         only_if,
                         skip_message
@@ -146,18 +146,15 @@ def generate_hmac_test(param_loader, path, file_names, digestmod,
     return test_hmac
 
 
-def hmac_test(backend, digestmod, params, only_if, skip_message):
+def hmac_test(backend, algorithm, params, only_if, skip_message):
     if only_if is not None and not only_if(backend):
         pytest.skip(skip_message)
     msg = params[0]
     md = params[1]
     key = params[2]
-    h = hmac.HMAC(binascii.unhexlify(key), digestmod=digestmod)
+    h = hmac.HMAC(binascii.unhexlify(key), algorithm)
     h.update(binascii.unhexlify(msg))
-    assert h.hexdigest() == md
-    digest = hmac.HMAC(binascii.unhexlify(key), digestmod=digestmod,
-                       msg=binascii.unhexlify(msg)).hexdigest()
-    assert digest == md
+    assert h.finalize() == binascii.unhexlify(md.encode("ascii"))
 
 
 def generate_base_hmac_test(hash_cls, only_if=None, skip_message=None):
@@ -173,11 +170,11 @@ def generate_base_hmac_test(hash_cls, only_if=None, skip_message=None):
     return test_base_hmac
 
 
-def base_hmac_test(backend, digestmod, only_if, skip_message):
+def base_hmac_test(backend, algorithm, only_if, skip_message):
     if only_if is not None and not only_if(backend):
         pytest.skip(skip_message)
     key = b"ab"
-    h = hmac.HMAC(binascii.unhexlify(key), digestmod=digestmod)
+    h = hmac.HMAC(binascii.unhexlify(key), algorithm)
     h_copy = h.copy()
     assert h != h_copy
     assert h._ctx != h_copy._ctx