diff options
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2014-01-07 19:21:49 -0600 |
|---|---|---|
| committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2014-01-07 19:21:49 -0600 |
| commit | af0b9f56e761353593a0b33b1f4797169a716dec (patch) | |
| tree | cec97dc0352001912a7fc913964efb385527d45c /docs/hazmat | |
| parent | 75832bc3f661f9867878f16244c0f810bacb736d (diff) | |
| download | cryptography-af0b9f56e761353593a0b33b1f4797169a716dec.tar.gz cryptography-af0b9f56e761353593a0b33b1f4797169a716dec.tar.bz2 cryptography-af0b9f56e761353593a0b33b1f4797169a716dec.zip | |
GCM does not require padding (removing from docs example)
Diffstat (limited to 'docs/hazmat')
| -rw-r--r-- | docs/hazmat/primitives/symmetric-encryption.rst | 20 |
1 files changed, 5 insertions, 15 deletions
diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index a683bb98..86267a25 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -364,8 +364,6 @@ Modes Cipher, algorithms, modes ) - from cryptography.hazmat.primitives.padding import PKCS7 - def encrypt(key, plaintext, associated_data): # Generate a random 96-bit IV. iv = os.urandom(12) @@ -378,17 +376,13 @@ Modes backend=default_backend() ).encryptor() - # We have to pad our plaintext because it may not be a - # multiple of the block size. - padder = PKCS7(algorithms.AES.block_size).padder() - padded_plaintext = padder.update(plaintext) + padder.finalize() - # associated_data will be authenticated but not encrypted, # it must also be passed in on decryption. encryptor.authenticate_additional_data(associated_data) # Encrypt the plaintext and get the associated ciphertext. - ciphertext = encryptor.update(padded_plaintext) + encryptor.finalize() + # GCM does not require padding. + ciphertext = encryptor.update(plaintext) + encryptor.finalize() return (iv, ciphertext, encryptor.tag) @@ -401,17 +395,13 @@ Modes backend=default_backend() ).decryptor() - # We will need to unpad the plaintext. - unpadder = PKCS7(algorithms.AES.block_size).unpadder() - # We put associated_data back in or the tag will fail to verify # when we finalize the decryptor. decryptor.authenticate_additional_data(associated_data) - # Decryption gets us the authenticated padded plaintext. - padded_plaintext = decryptor.update(ciphertext) + decryptor.finalize() - - return unpadder.update(padded_plaintext) + unpadder.finalize() + # Decryption gets us the authenticated plaintext. + # If the tag does not match an InvalidTag exception will be raised. + return decryptor.update(ciphertext) + decryptor.finalize() iv, ciphertext, tag = encrypt( key, |