cryptography.hazmat.primitives.hashes
A cryptographic hash function takes an arbitrary block of data and calculates a fixed-size bit string (a digest), such that different data results (with a high probability) in different digests.
This is an implementation of ~cryptography.hazmat.primitives.hashes.HashContext
meant to be used with ~cryptography.hazmat.primitives.hashes.HashAlgorithm
implementations to provide an incremental interface to calculating various message digests.
>>> from cryptography.hazmat.primitives import hashes >>> digest = hashes.Hash(hashes.SHA256()) >>> digest.update(b"abc") >>> digest.update(b"123") >>> digest.finalize() b'lxa1=Rxcapxc8x83xe0xf0xbbx10x1eBZx89xe8bMxe5x1dxb2xd29%x93xafjx84x11x80x90'
Keep in mind that attacks against cryptographic hashes only get stronger with time, and that often algorithms that were once thought to be strong, become broken. Because of this it's important to include a plan for upgrading the hash algorithm you use over time. For more information, see Lifetimes of cryptographic hash functions.
- param algorithm
A
~cryptography.hazmat.primitives.hashes.HashAlgorithm
instance such as those described inbelow <cryptographic-hash-algorithms>
.- raises cryptography.exceptions.UnsupportedAlgorithm
This is raised if the provided
algorithm
is unsupported.
update(data)
- param bytes data
The bytes to be hashed.
- raises cryptography.exceptions.AlreadyFinalized
See
finalize
.- raises TypeError
This exception is raised if
data
is notbytes
.
copy()
Copy this Hash
instance, usually so that you may call finalize
to get an intermediate digest value while we continue to call update
on the original instance.
- return
A new instance of
Hash
that can be updated and finalized independently of the original instance.- raises cryptography.exceptions.AlreadyFinalized
See
finalize
.
finalize()
Finalize the current context and return the message digest as bytes.
After finalize
has been called this object can no longer be used and update
, copy
, and finalize
will raise an ~cryptography.exceptions.AlreadyFinalized
exception.
- return bytes
The message digest as bytes.
SHA-224 is a cryptographic hash function from the SHA-2 family and is standardized by NIST. It produces a 224-bit message digest.
SHA-256 is a cryptographic hash function from the SHA-2 family and is standardized by NIST. It produces a 256-bit message digest.
SHA-384 is a cryptographic hash function from the SHA-2 family and is standardized by NIST. It produces a 384-bit message digest.
SHA-512 is a cryptographic hash function from the SHA-2 family and is standardized by NIST. It produces a 512-bit message digest.
2.5
SHA-512/224 is a cryptographic hash function from the SHA-2 family and is standardized by NIST. It produces a 224-bit message digest.
2.5
SHA-512/256 is a cryptographic hash function from the SHA-2 family and is standardized by NIST. It produces a 256-bit message digest.
BLAKE2 is a cryptographic hash function specified in 7693
. BLAKE2's design makes it immune to length-extension attacks, an advantage over the SHA-family of hashes.
Note
While the RFC specifies keying, personalization, and salting features, these are not supported at this time due to limitations in OpenSSL 1.1.0.
BLAKE2b is optimized for 64-bit platforms and produces an 1 to 64-byte message digest.
- param int digest_size
The desired size of the hash output in bytes. Only
64
is supported at this time.- raises ValueError
If the
digest_size
is invalid.
BLAKE2s is optimized for 8 to 32-bit platforms and produces a 1 to 32-byte message digest.
- param int digest_size
The desired size of the hash output in bytes. Only
32
is supported at this time.- raises ValueError
If the
digest_size
is invalid.
SHA-3 is the most recent NIST secure hash algorithm standard. Despite the larger number SHA-3 is not considered to be better than SHA-2. Instead, it uses a significantly different internal structure so that if an attack appears against SHA-2 it is unlikely to apply to SHA-3. SHA-3 is significantly slower than SHA-2 so at this time most users should choose SHA-2.
2.5
SHA3/224 is a cryptographic hash function from the SHA-3 family and is standardized by NIST. It produces a 224-bit message digest.
2.5
SHA3/256 is a cryptographic hash function from the SHA-3 family and is standardized by NIST. It produces a 256-bit message digest.
2.5
SHA3/384 is a cryptographic hash function from the SHA-3 family and is standardized by NIST. It produces a 384-bit message digest.
2.5
SHA3/512 is a cryptographic hash function from the SHA-3 family and is standardized by NIST. It produces a 512-bit message digest.
2.5
SHAKE128 is an extendable output function (XOF) based on the same core permutations as SHA3. It allows the caller to obtain an arbitrarily long digest length. Longer lengths, however, do not increase security or collision resistance and lengths shorter than 128 bit (16 bytes) will decrease it.
- param int digest_size
The length of output desired. Must be greater than zero.
- raises ValueError
If the
digest_size
is invalid.
2.5
SHAKE256 is an extendable output function (XOF) based on the same core permutations as SHA3. It allows the caller to obtain an arbitrarily long digest length. Longer lengths, however, do not increase security or collision resistance and lengths shorter than 256 bit (32 bytes) will decrease it.
- param int digest_size
The length of output desired. Must be greater than zero.
- raises ValueError
If the
digest_size
is invalid.
Warning
SHA-1 is a deprecated hash algorithm that has practical known collision attacks. You are strongly discouraged from using it. Existing applications should strongly consider moving away.
SHA-1 is a cryptographic hash function standardized by NIST. It produces an 160-bit message digest. Cryptanalysis of SHA-1 has demonstrated that it is vulnerable to practical collision attacks, and collisions have been demonstrated.
Warning
MD5 is a deprecated hash algorithm that has practical known collision attacks. You are strongly discouraged from using it. Existing applications should strongly consider moving away.
MD5 is a deprecated cryptographic hash function. It produces a 128-bit message digest and has practical known collision attacks.
35.0.0
SM3 is a cryptographic hash function standardized by the Chinese National Cryptography Administration in GM/T 0004-2012. It produces 256-bit message digests. (An English description is available at draft-sca-cfrg-sm3.) This hash should be used for compatibility purposes where required and is not otherwise recommended for use.
name
- type
str
The standard name for the hash algorithm, for example: "sha256"
or "blake2b"
.
digest_size
- type
int
The size of the resulting digest in bytes.
algorithm
A HashAlgorithm
that will be used by this context.
update(data)
- param bytes data
The data you want to hash.
finalize()
- return
The final digest as bytes.
copy()
- return
A
HashContext
that is a copy of the current context.