Danger

This is a “Hazardous Materials” module. You should ONLY use it if you’re 100% absolutely sure that you know what you’re doing because this module is full of land mines, dragons, and dinosaurs with laser guns.

Symmetric Padding

Padding is a way to take data that may or may not be a multiple of the block size for a cipher and extend it out so that it is. This is required for many block cipher modes as they require the data to be encrypted to be an exact multiple of the block size.

class cryptography.hazmat.primitives.padding.PKCS7(block_size)

PKCS7 padding is a generalization of PKCS5 padding (also known as standard padding). PKCS7 padding works by appending N bytes with the value of chr(N), where N is the number of bytes required to make the final block of data the same size as the block size. A simple example of padding is:

>>> from cryptography.hazmat.primitives import padding
>>> padder = padding.PKCS7(128).padder()
>>> padded_data = padder.update(b"11111111111111112222222222")
>>> padded_data
b'1111111111111111'
>>> padded_data += padder.finalize()
>>> padded_data
b'11111111111111112222222222\x06\x06\x06\x06\x06\x06'
>>> unpadder = padding.PKCS7(128).unpadder()
>>> data = unpadder.update(padded_data)
>>> data
b'1111111111111111'
>>> data + unpadder.finalize()
b'11111111111111112222222222'
Parameters:

block_size – The size of the block in bits that the data is being padded to.

Raises:

ValueError – Raised if block size is not a multiple of 8 or is not between 0 and 2040 inclusive.

padder()
Returns:

A padding PaddingContext instance.

unpadder()
Returns:

An unpadding PaddingContext instance.

class cryptography.hazmat.primitives.padding.ANSIX923(block_size)

New in version 1.3.

ANSI X9.23 padding works by appending N-1 bytes with the value of 0 and a last byte with the value of chr(N), where N is the number of bytes required to make the final block of data the same size as the block size. A simple example of padding is:

>>> padder = padding.ANSIX923(128).padder()
>>> padded_data = padder.update(b"11111111111111112222222222")
>>> padded_data
b'1111111111111111'
>>> padded_data += padder.finalize()
>>> padded_data
b'11111111111111112222222222\x00\x00\x00\x00\x00\x06'
>>> unpadder = padding.ANSIX923(128).unpadder()
>>> data = unpadder.update(padded_data)
>>> data
b'1111111111111111'
>>> data + unpadder.finalize()
b'11111111111111112222222222'
Parameters:

block_size – The size of the block in bits that the data is being padded to.

Raises:

ValueError – Raised if block size is not a multiple of 8 or is not between 0 and 2040 inclusive.

padder()
Returns:

A padding PaddingContext instance.

unpadder()
Returns:

An unpadding PaddingContext instance.

class cryptography.hazmat.primitives.padding.PaddingContext

When calling padder() or unpadder() the result will conform to the PaddingContext interface. You can then call update(data) with data until you have fed everything into the context. Once that is done call finalize() to finish the operation and obtain the remainder of the data.

update(data)
Parameters:

data (bytes-like) – The data you wish to pass into the context.

Return bytes:

Returns the data that was padded or unpadded.

Raises:
finalize()

Finalize the current context and return the rest of the data.

After finalize has been called this object can no longer be used; update() and finalize() will raise an AlreadyFinalized exception.

Return bytes:

Returns the remainder of the data.

Raises:

  • TypeError – Raised if data is not bytes.

  • ValueError – When trying to remove padding from incorrectly padded data.