cryptography.hazmat.primitives.cmac
import binascii key = binascii.unhexlify(b"0" * 32)
Cipher-based message authentication codes (or CMACs) are a tool for calculating message authentication codes using a block cipher coupled with a secret key. You can use an CMAC to verify both the integrity and authenticity of a message.
A subset of CMAC with the AES-128 algorithm is described in 4493.
0.4
CMAC objects take a ~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm instance.
>>> from cryptography.hazmat.backends import default_backend >>> from cryptography.hazmat.primitives import cmac >>> from cryptography.hazmat.primitives.ciphers import algorithms >>> c = cmac.CMAC(algorithms.AES(key), backend=default_backend()) >>> c.update(b"message to authenticate") >>> c.finalize() b'CTx1dxc8x0ex15xbe4exdbxb6x84xcaxd9Xk'
If the backend doesn't support the requested algorithm an ~cryptography.exceptions.UnsupportedAlgorithm exception will be raised.
If algorithm isn't a ~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm instance then TypeError will be raised.
To check that a given signature is correct use the verify method. You will receive an exception if the signature is wrong:
>>> c = cmac.CMAC(algorithms.AES(key), backend=default_backend()) >>> c.update(b"message to authenticate") >>> c.verify(b"an incorrect signature") Traceback (most recent call last): ... cryptography.exceptions.InvalidSignature: Signature did not match digest.
- param algorithm
An instance of
~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm.- param backend
An instance of
~cryptography.hazmat.backends.interfaces.CMACBackend.- raises TypeError
This is raised if the provided
algorithmis not an instance of~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm- raises cryptography.exceptions.UnsupportedAlgorithm
This is raised if the provided
backenddoes not implement~cryptography.hazmat.backends.interfaces.CMACBackend
update(data)
- param bytes data
The bytes to hash and authenticate.
- raises cryptography.exceptions.AlreadyFinalized
See
finalize- raises TypeError
This exception is raised if
datais notbytes.
copy()
Copy this CMAC instance, usually so that we may call finalize to get an intermediate value while we continue to call update on the original instance.
- return
A new instance of
CMACthat can be updated and finalized independently of the original instance.- raises cryptography.exceptions.AlreadyFinalized
See
finalize
verify(signature)
Finalize the current context and securely compare the MAC to signature.
- param bytes signature
The bytes to compare the current CMAC against.
- raises cryptography.exceptions.AlreadyFinalized
See
finalize- raises cryptography.exceptions.InvalidSignature
If signature does not match digest
- raises TypeError
This exception is raised if
signatureis notbytes.
finalize()
Finalize the current context and return the message authentication code as bytes.
After finalize has been called this object can no longer be used and update, copy, verify and finalize will raise an ~cryptography.exceptions.AlreadyFinalized exception.
- return bytes
The message authentication code as bytes.
- raises cryptography.exceptions.AlreadyFinalized