| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162 |
- # This file is dual licensed under the terms of the Apache License, Version
- # 2.0, and the BSD License. See the LICENSE file in the root of this repository
- # for complete details.
- from __future__ import annotations
- import typing
- from cryptography import utils
- from cryptography.exceptions import (
- AlreadyFinalized,
- InvalidKey,
- UnsupportedAlgorithm,
- _Reasons,
- )
- from cryptography.hazmat.bindings._rust import openssl as rust_openssl
- from cryptography.hazmat.primitives import constant_time, hashes
- from cryptography.hazmat.primitives.kdf import KeyDerivationFunction
- class PBKDF2HMAC(KeyDerivationFunction):
- def __init__(
- self,
- algorithm: hashes.HashAlgorithm,
- length: int,
- salt: bytes,
- iterations: int,
- backend: typing.Any = None,
- ):
- from cryptography.hazmat.backends.openssl.backend import (
- backend as ossl,
- )
- if not ossl.pbkdf2_hmac_supported(algorithm):
- raise UnsupportedAlgorithm(
- f"{algorithm.name} is not supported for PBKDF2.",
- _Reasons.UNSUPPORTED_HASH,
- )
- self._used = False
- self._algorithm = algorithm
- self._length = length
- utils._check_bytes("salt", salt)
- self._salt = salt
- self._iterations = iterations
- def derive(self, key_material: bytes) -> bytes:
- if self._used:
- raise AlreadyFinalized("PBKDF2 instances can only be used once.")
- self._used = True
- return rust_openssl.kdf.derive_pbkdf2_hmac(
- key_material,
- self._algorithm,
- self._salt,
- self._iterations,
- self._length,
- )
- def verify(self, key_material: bytes, expected_key: bytes) -> None:
- derived_key = self.derive(key_material)
- if not constant_time.bytes_eq(derived_key, expected_key):
- raise InvalidKey("Keys do not match.")
|
