cryptography.hazmat.primitives.cmac
import binascii
key = binascii.unhexlify(b"0" * 32)
Cipher-based message authentication codes (or CMACs) are a tool for calculating message authentication codes using a block cipher coupled with a secret key. You can use a CMAC to verify both the integrity and authenticity of a message.
A subset of CMAC with the AES-128 algorithm is described in RFC 4493.
New in version 0.4.
CMAC objects take a cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm instance.
>>> from cryptography.hazmat.primitives import cmac
>>> from cryptography.hazmat.primitives.ciphers import algorithms
>>> c = cmac.CMAC(algorithms.AES(key))
>>> c.update(b"message to authenticate")
>>> c.finalize()
b'CT\x1d\xc8\x0e\x15\xbe4e\xdb\xb6\x84\xca\xd9Xk'
If algorithm isn't a cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm instance then TypeError will be raised.
To check that a given signature is correct use the verify method. You will receive an exception if the signature is wrong:
>>> c = cmac.CMAC(algorithms.AES(key))
>>> c.update(b"message to authenticate")
>>> c.verify(b"an incorrect signature")
Traceback (most recent call last):
...
cryptography.exceptions.InvalidSignature: Signature did not match digest.
- param algorithm: An instance of cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm.
- raises TypeError: This is raised if the provided algorithm is not an instance of cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm.
- raises cryptography.exceptions.UnsupportedAlgorithm: This is raised if the provided algorithm is unsupported.
update(data)
- param bytes data: The bytes to hash and authenticate.
- raises cryptography.exceptions.AlreadyFinalized: See finalize.
- raises TypeError: This exception is raised if data is not bytes.
copy()
Copy this CMAC instance, usually so that we may call finalize to get an intermediate value while we continue to call update on the original instance.
- return: A new instance of CMAC that can be updated and finalized independently of the original instance.
- raises cryptography.exceptions.AlreadyFinalized: See finalize.
verify(signature)
Finalize the current context and securely compare the MAC to signature.
- param bytes signature: The bytes to compare the current CMAC against.
- raises cryptography.exceptions.AlreadyFinalized: See finalize.
- raises cryptography.exceptions.InvalidSignature: If signature does not match digest.
- raises TypeError: This exception is raised if signature is not bytes.
finalize()
Finalize the current context and return the message authentication code as bytes.
After finalize has been called this object can no longer be used and update, copy, verify and finalize will raise an cryptography.exceptions.AlreadyFinalized exception.
- return bytes: The message authentication code as bytes.
- raises cryptography.exceptions.AlreadyFinalized
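The following is an added example, not part of the original documentation, that exercises copy(), verify() and the post-finalize behaviour described above. The helper names (running_tags, is_authentic, reuse_after_finalize_fails) are hypothetical, and the key and message block are the public test data from RFC 4493 section 4.

```python
from cryptography.exceptions import AlreadyFinalized, InvalidSignature
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import algorithms

# Public AES-128 test key and first message block from RFC 4493 section 4.
RFC4493_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
RFC4493_BLOCK = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")


def running_tags(key, chunks):
    """Return the CMAC of everything seen so far after each chunk."""
    ctx = cmac.CMAC(algorithms.AES(key))
    tags = []
    for chunk in chunks:
        ctx.update(chunk)
        # finalize() would invalidate ctx, so finalize a copy instead.
        tags.append(ctx.copy().finalize())
    return tags


def is_authentic(key, message, tag):
    """Recompute the CMAC and check it with verify(), never with ==."""
    ctx = cmac.CMAC(algorithms.AES(key))
    ctx.update(message)
    try:
        ctx.verify(tag)  # comparison is done inside the library
    except InvalidSignature:
        return False
    return True


def reuse_after_finalize_fails(key):
    """Confirm that a finalized context rejects further update() calls."""
    ctx = cmac.CMAC(algorithms.AES(key))
    ctx.update(b"constructed sample input")
    ctx.finalize()
    try:
        ctx.update(b"more data")
    except AlreadyFinalized:
        return True
    return False


if __name__ == "__main__":
    tags = running_tags(RFC4493_KEY, [b"", RFC4493_BLOCK])
    print([t.hex() for t in tags])
    print(is_authentic(RFC4493_KEY, RFC4493_BLOCK, tags[-1]))
    print(is_authentic(RFC4493_KEY, RFC4493_BLOCK, tags[-1][:8]))
    print(reuse_after_finalize_fails(RFC4493_KEY))
```

Because verify() is given the full 16-byte tag, a truncated or altered tag is rejected with InvalidSignature rather than accepted as a prefix match.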