tessl/pypi-cryptography
Cryptographic recipes and primitives for Python developers
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-cryptography@45.0.0index.mddocs/
Cryptography
A comprehensive Python cryptographic library providing cryptographic recipes and primitives to Python developers. The cryptography package serves as Python's cryptographic standard library, offering both high-level recipes for common cryptographic operations and low-level interfaces to cryptographic algorithms.
Package Information
- Package Name: cryptography
- Language: Python
- Installation:
pip install cryptography - Python Support: Python 3.7+ and PyPy3
- Optional Dependencies:
pip install cryptography[ssh]for SSH key support
Core Imports
import cryptography
from cryptography import __version__, __author__, __copyright__Common high-level imports:
from cryptography.fernet import Fernet, MultiFernet, InvalidToken
from cryptography import x509
from cryptography.exceptions import (
InvalidSignature, InvalidKey, UnsupportedAlgorithm,
AlreadyFinalized, InvalidTag
)Low-level hazmat imports (use with caution):
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.asymmetric import rsa, dsa, ec, padding
from cryptography.hazmat.primitives.kdf import pbkdf2, hkdfBasic Usage
from cryptography.fernet import Fernet
# Generate a key for symmetric encryption
key = Fernet.generate_key()
fernet = Fernet(key)
# Encrypt data
message = b"Secret message"
encrypted = fernet.encrypt(message)
# Decrypt data
decrypted = fernet.decrypt(encrypted)
print(decrypted) # b"Secret message"
# X.509 certificate handling
from cryptography import x509
from cryptography.hazmat.primitives import serialization
# Load a certificate from PEM data
cert = x509.load_pem_x509_certificate(pem_data)
print(cert.subject)
print(cert.public_key())Architecture
The cryptography package follows a layered architecture separating safe high-level APIs from expert-level primitives:
- High-level APIs: Safe, ready-to-use cryptographic functions (Fernet, X.509)
- Hazmat Layer: Low-level "hazardous materials" primitives requiring expert knowledge
- Backend Abstraction: OpenSSL backend with Rust integration for performance
- Standards Compliance: Implements cryptographic standards and best practices
This design ensures developers can use cryptography safely at the appropriate level for their expertise while maintaining access to full cryptographic functionality.
Capabilities
Symmetric Encryption (Fernet)
High-level symmetric encryption using authenticated encryption. Provides secure, simple encryption/decryption with built-in authentication and key rotation support.
class Fernet:
def __init__(self, key: bytes | str, backend: typing.Any = None): ...
@classmethod
def generate_key(cls) -> bytes: ...
def encrypt(self, data: bytes) -> bytes: ...
def encrypt_at_time(self, data: bytes, current_time: int) -> bytes: ...
def decrypt(self, token: bytes | str, ttl: int | None = None) -> bytes: ...
def decrypt_at_time(self, token: bytes | str, ttl: int, current_time: int) -> bytes: ...
def extract_timestamp(self, token: bytes | str) -> int: ...
class MultiFernet:
def __init__(self, fernets: Iterable[Fernet]): ...
def encrypt(self, msg: bytes) -> bytes: ...
def encrypt_at_time(self, msg: bytes, current_time: int) -> bytes: ...
def decrypt(self, msg: bytes | str, ttl: int | None = None) -> bytes: ...
def decrypt_at_time(self, msg: bytes | str, ttl: int, current_time: int) -> bytes: ...
def rotate(self, msg: bytes | str) -> bytes: ...
def extract_timestamp(self, msg: bytes | str) -> int: ...
class InvalidToken(Exception): ...X.509 Certificates
Comprehensive X.509 certificate handling including certificate creation, parsing, validation, and extension management. Supports certificate signing requests, certificate revocation lists, and certificate verification.
class Certificate:
def public_key(self): ...
def subject(self) -> Name: ...
def issuer(self) -> Name: ...
def serial_number(self) -> int: ...
class CertificateBuilder:
def subject_name(self, name: Name) -> 'CertificateBuilder': ...
def issuer_name(self, name: Name) -> 'CertificateBuilder': ...
def public_key(self, key) -> 'CertificateBuilder': ...
def sign(self, private_key, algorithm) -> Certificate: ...
def load_pem_x509_certificate(data: bytes) -> Certificate: ...
def load_der_x509_certificate(data: bytes) -> Certificate: ...Hash Functions
Cryptographic hash functions including SHA family, SHA-3, BLAKE2, and more. Provides both one-shot hashing and incremental hash contexts.
class Hash:
def __init__(self, algorithm, backend=None): ...
def update(self, data: bytes) -> None: ...
def finalize(self) -> bytes: ...
class SHA256: ...
class SHA3_256: ...
class BLAKE2b:
def __init__(self, digest_size: int): ...Symmetric Ciphers
Low-level symmetric encryption algorithms including AES, ChaCha20, and cipher modes. Provides building blocks for custom cryptographic protocols.
class Cipher:
def __init__(self, algorithm, mode, backend=None): ...
def encryptor(self) -> CipherContext: ...
def decryptor(self) -> CipherContext: ...
class AES:
def __init__(self, key: bytes): ...
class ChaCha20:
def __init__(self, key: bytes, nonce: bytes): ...AEAD Ciphers
Authenticated Encryption with Associated Data providing encryption and authentication in a single operation. Includes AES-GCM, ChaCha20-Poly1305, and other modern AEAD algorithms.
class AESGCM:
def __init__(self, key: bytes): ...
def encrypt(self, nonce: bytes, data: bytes, associated_data: bytes = None) -> bytes: ...
def decrypt(self, nonce: bytes, data: bytes, associated_data: bytes = None) -> bytes: ...
class ChaCha20Poly1305:
def __init__(self, key: bytes): ...
def encrypt(self, nonce: bytes, data: bytes, associated_data: bytes = None) -> bytes: ...
def decrypt(self, nonce: bytes, data: bytes, associated_data: bytes = None) -> bytes: ...Asymmetric Cryptography
Public-key cryptography including RSA, DSA, ECDSA, EdDSA, and key exchange algorithms. Supports key generation, digital signatures, and encryption.
def generate_private_key(public_exponent: int, key_size: int) -> RSAPrivateKey: ...
class RSAPrivateKey:
def public_key(self) -> RSAPublicKey: ...
def sign(self, data: bytes, padding, algorithm): ...
def private_bytes(self, encoding, format, encryption_algorithm): ...
class RSAPublicKey:
def verify(self, signature: bytes, data: bytes, padding, algorithm): ...
def encrypt(self, plaintext: bytes, padding): ...Key Derivation Functions
Password-based and key-based derivation functions for generating cryptographic keys from passwords or other key material. Includes PBKDF2, HKDF, Scrypt, and Argon2.
class PBKDF2HMAC:
def __init__(self, algorithm, length: int, salt: bytes, iterations: int): ...
def derive(self, key_material: bytes) -> bytes: ...
def verify(self, key_material: bytes, expected_key: bytes) -> None: ...
class HKDF:
def __init__(self, algorithm, length: int, salt: bytes = None, info: bytes = None): ...
def derive(self, key_material: bytes) -> bytes: ...Key Serialization
Serialization and deserialization of cryptographic keys in various formats including PEM, DER, and SSH formats. Supports both public and private keys with optional encryption.
def load_pem_private_key(data: bytes, password: bytes = None) -> PrivateKey: ...
def load_pem_public_key(data: bytes) -> PublicKey: ...
def load_ssh_private_key(data: bytes, password: bytes = None) -> PrivateKey: ...
class Encoding:
PEM: Encoding
DER: Encoding
class PrivateFormat:
PKCS8: PrivateFormat
TraditionalOpenSSL: PrivateFormatMessage Authentication
Message authentication codes and digital signatures for ensuring data integrity and authenticity. Includes HMAC, CMAC, and Poly1305.
class HMAC:
def __init__(self, key: bytes, algorithm): ...
def update(self, data: bytes) -> None: ...
def finalize(self) -> bytes: ...
def verify(self, signature: bytes) -> None: ...
class CMAC:
def __init__(self, key: bytes, algorithm): ...
def update(self, data: bytes) -> None: ...
def finalize(self) -> bytes: ...Two-Factor Authentication
Time-based and HMAC-based one-time password (OTP) generation and verification for implementing two-factor authentication systems.
class TOTP:
def __init__(self, key: bytes, length: int, algorithm, time_step: int): ...
def generate(self, time: int) -> bytes: ...
def verify(self, totp: bytes, time: int) -> None: ...
class HOTP:
def __init__(self, key: bytes, length: int, algorithm): ...
def generate(self, counter: int) -> bytes: ...
def verify(self, hotp: bytes, counter: int) -> None: ...Cryptographic Utilities
Additional utilities including constant-time operations and AES key wrapping functionality for secure key storage and timing attack prevention.
def bytes_eq(a: bytes, b: bytes) -> bool: ...
def aes_key_wrap(wrapping_key: bytes, key_to_wrap: bytes) -> bytes: ...
def aes_key_unwrap(wrapping_key: bytes, wrapped_key: bytes) -> bytes: ...
def aes_key_wrap_with_padding(wrapping_key: bytes, key_to_wrap: bytes) -> bytes: ...
def aes_key_unwrap_with_padding(wrapping_key: bytes, wrapped_key: bytes) -> bytes: ...Package Information API
Package-level metadata and version information:
__version__: str # "45.0.7"
__author__: str # "The Python Cryptographic Authority and individual contributors"
__copyright__: str # "Copyright 2013-2025 {__author__}"Exception Handling
Common exceptions thrown by the cryptography library:
# Core exceptions from cryptography.exceptions
class UnsupportedAlgorithm(Exception):
def __init__(self, message: str, reason: _Reasons | None = None): ...
class InvalidSignature(Exception): ...
class InvalidKey(Exception): ...
class InvalidTag(Exception): ...
class AlreadyFinalized(Exception): ...
class AlreadyUpdated(Exception): ...
class NotYetFinalized(Exception): ...
class InternalError(Exception):
def __init__(self, msg: str, err_code: list[rust_openssl.OpenSSLError]): ...
# Fernet-specific exception
class InvalidToken(Exception): ... # from cryptography.fernetMost cryptographic operations can raise InvalidSignature, InvalidKey, or UnsupportedAlgorithm exceptions. Always handle these appropriately in production code.