Danger
This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.
Message digests (Hashing)
- class cryptography.hazmat.primitives.hashes.Hash(algorithm)
A cryptographic hash function takes an arbitrary block of data and calculates a fixed-size bit string (a digest), such that different data results (with a high probability) in different digests.
This is an implementation of
HashContext
meant to be used withHashAlgorithm
implementations to provide an incremental interface to calculating various message digests.>>> from cryptography.hazmat.primitives import hashes >>> digest = hashes.Hash(hashes.SHA256()) >>> digest.update(b"abc") >>> digest.update(b"123") >>> digest.finalize() b'l\xa1=R\xcap\xc8\x83\xe0\xf0\xbb\x10\x1eBZ\x89\xe8bM\xe5\x1d\xb2\xd29%\x93\xafj\x84\x11\x80\x90'
Keep in mind that attacks against cryptographic hashes only get stronger with time, and that often algorithms that were once thought to be strong, become broken. Because of this it’s important to include a plan for upgrading the hash algorithm you use over time. For more information, see Lifetimes of cryptographic hash functions.
- Parameters:
algorithm – A
HashAlgorithm
instance such as those described below.- Raises:
cryptography.exceptions.UnsupportedAlgorithm – This is raised if the provided
algorithm
is unsupported.
- update(data)
- copy()
Copy this
Hash
instance, usually so that you may callfinalize()
to get an intermediate digest value while we continue to callupdate()
on the original instance.- Returns:
A new instance of
Hash
that can be updated and finalized independently of the original instance.- Raises:
- finalize()
Finalize the current context and return the message digest as bytes.
After
finalize
has been called this object can no longer be used andupdate()
,copy()
, andfinalize()
will raise anAlreadyFinalized
exception.- Return bytes:
The message digest as bytes.
- class cryptography.hazmat.primitives.hashes.XOFHash(algorithm)
An extendable output function (XOF) is a cryptographic hash function that can produce an arbitrary amount of output for a given input. The output can be obtained by repeatedly calling
squeeze()
with the desired length.>>> import sys >>> from cryptography.hazmat.primitives import hashes >>> digest = hashes.XOFHash(hashes.SHAKE128(digest_size=sys.maxsize)) >>> digest.update(b"abc") >>> digest.update(b"123") >>> digest.squeeze(16) b'\x18\xd6\xbd\xeb5u\x83[@\xfa%/\xdc\xca\x9f\x1b' >>> digest.squeeze(16) b'\xc2\xeb\x12\x05\xc3\xf9Bu\x88\xe0\xda\x80FvAV'
- Parameters:
algorithm – A
ExtendableOutputFunction
instance such as those described below. Thedigest_size
passed is the maximum number of bytes that can be squeezed from the XOF when using this class.- Raises:
cryptography.exceptions.UnsupportedAlgorithm – This is raised if the provided
algorithm
is unsupported.
- update(data)
- Parameters:
data (bytes) – The bytes to be hashed.
- Raises:
cryptography.exceptions.AlreadyFinalized – If already squeezed.
TypeError – This exception is raised if
data
is notbytes
.
- copy()
Copy this
XOFHash
instance, usually so that you may callsqueeze()
to get an intermediate digest value while we continue to callupdate()
on the original instance.- Returns:
A new instance of
XOFHash
that can be updated and squeezed independently of the original instance. If you copy an instance that has already been squeezed, the copy will also be in a squeezed state.- Raises:
- squeeze(length)
- Parameters:
length (int) – The number of bytes to squeeze.
After
squeeze()
has been called this object can no longer be updated andupdate()
, will raise anAlreadyFinalized
exception.- Return bytes:
length
bytes of output from the extendable output function (XOF).- Raises:
ValueError – If the maximum number of bytes that can be squeezed has been exceeded.
SHA-2 family
- class cryptography.hazmat.primitives.hashes.SHA224[source]
SHA-224 is a cryptographic hash function from the SHA-2 family and is standardized by NIST. It produces a 224-bit message digest.
- class cryptography.hazmat.primitives.hashes.SHA256[source]
SHA-256 is a cryptographic hash function from the SHA-2 family and is standardized by NIST. It produces a 256-bit message digest.
- class cryptography.hazmat.primitives.hashes.SHA384[source]
SHA-384 is a cryptographic hash function from the SHA-2 family and is standardized by NIST. It produces a 384-bit message digest.
- class cryptography.hazmat.primitives.hashes.SHA512[source]
SHA-512 is a cryptographic hash function from the SHA-2 family and is standardized by NIST. It produces a 512-bit message digest.
BLAKE2
BLAKE2 is a cryptographic hash function specified in RFC 7693. BLAKE2’s design makes it immune to length-extension attacks, an advantage over the SHA-family of hashes.
Note
While the RFC specifies keying, personalization, and salting features, these are not supported at this time due to limitations in OpenSSL.
- class cryptography.hazmat.primitives.hashes.BLAKE2b(digest_size)[source]
BLAKE2b is optimized for 64-bit platforms and produces an 1 to 64-byte message digest.
- Parameters:
digest_size (int) – The desired size of the hash output in bytes. Only
64
is supported at this time.- Raises:
ValueError – If the
digest_size
is invalid.
- class cryptography.hazmat.primitives.hashes.BLAKE2s(digest_size)[source]
BLAKE2s is optimized for 8 to 32-bit platforms and produces a 1 to 32-byte message digest.
- Parameters:
digest_size (int) – The desired size of the hash output in bytes. Only
32
is supported at this time.- Raises:
ValueError – If the
digest_size
is invalid.
SHA-3 family
SHA-3 is the most recent NIST secure hash algorithm standard. Despite the larger number SHA-3 is not considered to be better than SHA-2. Instead, it uses a significantly different internal structure so that if an attack appears against SHA-2 it is unlikely to apply to SHA-3. SHA-3 is significantly slower than SHA-2 so at this time most users should choose SHA-2.
- class cryptography.hazmat.primitives.hashes.SHA3_224[source]
Added in version 2.5.
SHA3/224 is a cryptographic hash function from the SHA-3 family and is standardized by NIST. It produces a 224-bit message digest.
- class cryptography.hazmat.primitives.hashes.SHA3_256[source]
Added in version 2.5.
SHA3/256 is a cryptographic hash function from the SHA-3 family and is standardized by NIST. It produces a 256-bit message digest.
SHA-1
Warning
SHA-1 is a deprecated hash algorithm that has practical known collision attacks. You are strongly discouraged from using it. Existing applications should strongly consider moving away.
MD5
Warning
MD5 is a deprecated hash algorithm that has practical known collision attacks. You are strongly discouraged from using it. Existing applications should strongly consider moving away.
SM3
- class cryptography.hazmat.primitives.hashes.SM3[source]
Added in version 35.0.0.
SM3 is a cryptographic hash function standardized by the Chinese National Cryptography Administration in GM/T 0004-2012. It produces 256-bit message digests. (An English description is available at draft-sca-cfrg-sm3.) This hash should be used for compatibility purposes where required and is not otherwise recommended for use.
Extendable Output Functions
- class cryptography.hazmat.primitives.hashes.SHAKE128(digest_size)[source]
Added in version 2.5.
SHAKE128 is an extendable output function (XOF) based on the same core permutations as SHA3. It allows the caller to obtain an arbitrarily long digest length. Longer lengths, however, do not increase security or collision resistance and lengths shorter than 128 bit (16 bytes) will decrease it.
This class can be used with
Hash
orXOFHash
. When used inHash
finalize()
will returndigest_size
bytes. When used inXOFHash
this defines the total number of bytes allowed to be squeezed.- Parameters:
digest_size (int) – The length of output desired. Must be greater than zero.
- Raises:
ValueError – If the
digest_size
is invalid.
- class cryptography.hazmat.primitives.hashes.SHAKE256(digest_size)[source]
Added in version 2.5.
SHAKE256 is an extendable output function (XOF) based on the same core permutations as SHA3. It allows the caller to obtain an arbitrarily long digest length. Longer lengths, however, do not increase security or collision resistance and lengths shorter than 256 bit (32 bytes) will decrease it.
This class can be used with
Hash
orXOFHash
. When used inHash
finalize()
will returndigest_size
bytes. When used inXOFHash
this defines the total number of bytes allowed to be squeezed.- Parameters:
digest_size (int) – The length of output desired. Must be greater than zero.
- Raises:
ValueError – If the
digest_size
is invalid.
Interfaces
- class cryptography.hazmat.primitives.hashes.ExtendableOutputFunction[source]
An interface applied to hashes that act as extendable output functions (XOFs). The currently supported XOFs are
SHAKE128
andSHAKE256
.
- class cryptography.hazmat.primitives.hashes.HashContext[source]
- algorithm
A
HashAlgorithm
that will be used by this context.
- copy()[source]
- Returns:
A
HashContext
that is a copy of the current context.