6 files changed, 269 insertions, 7 deletions

diff --git a/cryptography/hazmat/backends/__init__.py b/cryptography/hazmat/backends/__init__.py
index cb1fee90..41d260a8 100644
--- a/cryptography/hazmat/backends/__init__.py
+++ b/cryptography/hazmat/backends/__init__.py
@@ -12,16 +12,20 @@
 # limitations under the License.
 
 from cryptography.hazmat.backends import openssl
+from cryptography.hazmat.backends.multibackend import MultiBackend
 from cryptography.hazmat.bindings.commoncrypto.binding import (
-    Binding as CCBinding
+    Binding as CommonCryptoBinding
 )
 
 _ALL_BACKENDS = [openssl.backend]
 
-if CCBinding.is_available():
+if CommonCryptoBinding.is_available():
     from cryptography.hazmat.backends import commoncrypto
     _ALL_BACKENDS.append(commoncrypto.backend)
 
 
+_default_backend = MultiBackend(_ALL_BACKENDS)
+
+
 def default_backend():
-    return openssl.backend
+    return _default_backend
diff --git a/cryptography/hazmat/backends/multibackend.py b/cryptography/hazmat/backends/multibackend.py
new file mode 100644
index 00000000..49a4014d
--- /dev/null
+++ b/cryptography/hazmat/backends/multibackend.py
@@ -0,0 +1,103 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography import utils
+from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.hazmat.backends.interfaces import (
+    CipherBackend, HashBackend, HMACBackend, PBKDF2HMACBackend
+)
+
+
+@utils.register_interface(CipherBackend)
+@utils.register_interface(HashBackend)
+@utils.register_interface(HMACBackend)
+@utils.register_interface(PBKDF2HMACBackend)
+class MultiBackend(object):
+    name = "multibackend"
+
+    def __init__(self, backends):
+        self._backends = backends
+
+    def _filtered_backends(self, interface):
+        for b in self._backends:
+            if isinstance(b, interface):
+                yield b
+
+    def cipher_supported(self, algorithm, mode):
+        return any(
+            b.cipher_supported(algorithm, mode)
+            for b in self._filtered_backends(CipherBackend)
+        )
+
+    def create_symmetric_encryption_ctx(self, algorithm, mode):
+        for b in self._filtered_backends(CipherBackend):
+            try:
+                return b.create_symmetric_encryption_ctx(algorithm, mode)
+            except UnsupportedAlgorithm:
+                pass
+        raise UnsupportedAlgorithm
+
+    def create_symmetric_decryption_ctx(self, algorithm, mode):
+        for b in self._filtered_backends(CipherBackend):
+            try:
+                return b.create_symmetric_decryption_ctx(algorithm, mode)
+            except UnsupportedAlgorithm:
+                pass
+        raise UnsupportedAlgorithm
+
+    def hash_supported(self, algorithm):
+        return any(
+            b.hash_supported(algorithm)
+            for b in self._filtered_backends(HashBackend)
+        )
+
+    def create_hash_ctx(self, algorithm):
+        for b in self._filtered_backends(HashBackend):
+            try:
+                return b.create_hash_ctx(algorithm)
+            except UnsupportedAlgorithm:
+                pass
+        raise UnsupportedAlgorithm
+
+    def hmac_supported(self, algorithm):
+        return any(
+            b.hmac_supported(algorithm)
+            for b in self._filtered_backends(HMACBackend)
+        )
+
+    def create_hmac_ctx(self, key, algorithm):
+        for b in self._filtered_backends(HMACBackend):
+            try:
+                return b.create_hmac_ctx(key, algorithm)
+            except UnsupportedAlgorithm:
+                pass
+        raise UnsupportedAlgorithm
+
+    def pbkdf2_hmac_supported(self, algorithm):
+        return any(
+            b.pbkdf2_hmac_supported(algorithm)
+            for b in self._filtered_backends(PBKDF2HMACBackend)
+        )
+
+    def derive_pbkdf2_hmac(self, algorithm, length, salt, iterations,
+                           key_material):
+        for b in self._filtered_backends(PBKDF2HMACBackend):
+            try:
+                return b.derive_pbkdf2_hmac(
+                    algorithm, length, salt, iterations, key_material
+                )
+            except UnsupportedAlgorithm:
+                pass
+        raise UnsupportedAlgorithm
diff --git a/docs/hazmat/backends/index.rst b/docs/hazmat/backends/index.rst
index dbc0724e..983a44e9 100644
--- a/docs/hazmat/backends/index.rst
+++ b/docs/hazmat/backends/index.rst
@@ -32,4 +32,5 @@ Individual Backends
 
     openssl
     commoncrypto
+    multibackend
     interfaces
diff --git a/docs/hazmat/backends/multibackend.rst b/docs/hazmat/backends/multibackend.rst
new file mode 100644
index 00000000..971c7671
--- /dev/null
+++ b/docs/hazmat/backends/multibackend.rst
@@ -0,0 +1,14 @@
+.. hazmat::
+
+MultiBackend
+============
+
+.. currentmodule:: cryptography.hazmat.backends.multibackend
+
+.. class:: MultiBackend(backends)
+
+    This class allows you to combine multiple backends into a single backend
+    which offers the combined features of all of its constituents.
+
+    :param backends: A ``list`` of backend objects. Backends are checked for
+                     feature support in the order they appear in this list.
diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
new file mode 100644
index 00000000..ca21c9fc
--- /dev/null
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -0,0 +1,144 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import pytest
+
+from cryptography import utils
+from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.hazmat.backends.interfaces import (
+    CipherBackend, HashBackend, HMACBackend, PBKDF2HMACBackend
+)
+from cryptography.hazmat.backends.multibackend import MultiBackend
+from cryptography.hazmat.primitives import hashes, hmac
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+
+
+@utils.register_interface(CipherBackend)
+class DummyCipherBackend(object):
+    def __init__(self, supported_ciphers):
+        self._ciphers = supported_ciphers
+
+    def cipher_supported(self, algorithm, mode):
+        return (type(algorithm), type(mode)) in self._ciphers
+
+    def create_symmetric_encryption_ctx(self, algorithm, mode):
+        if not self.cipher_supported(algorithm, mode):
+            raise UnsupportedAlgorithm
+
+    def create_symmetric_decryption_ctx(self, algorithm, mode):
+        if not self.cipher_supported(algorithm, mode):
+            raise UnsupportedAlgorithm
+
+
+@utils.register_interface(HashBackend)
+class DummyHashBackend(object):
+    def __init__(self, supported_algorithms):
+        self._algorithms = supported_algorithms
+
+    def hash_supported(self, algorithm):
+        return type(algorithm) in self._algorithms
+
+    def create_hash_ctx(self, algorithm):
+        if not self.hash_supported(algorithm):
+            raise UnsupportedAlgorithm
+
+
+@utils.register_interface(HMACBackend)
+class DummyHMACBackend(object):
+    def __init__(self, supported_algorithms):
+        self._algorithms = supported_algorithms
+
+    def hmac_supported(self, algorithm):
+        return type(algorithm) in self._algorithms
+
+    def create_hmac_ctx(self, key, algorithm):
+        if not self.hmac_supported(algorithm):
+            raise UnsupportedAlgorithm
+
+
+@utils.register_interface(PBKDF2HMACBackend)
+class DummyPBKDF2HMAC(object):
+    def __init__(self, supported_algorithms):
+        self._algorithms = supported_algorithms
+
+    def pbkdf2_hmac_supported(self, algorithm):
+        return type(algorithm) in self._algorithms
+
+    def derive_pbkdf2_hmac(self, algorithm, length, salt, iterations,
+                           key_material):
+        if not self.pbkdf2_hmac_supported(algorithm):
+            raise UnsupportedAlgorithm
+
+
+class TestMultiBackend(object):
+    def test_ciphers(self):
+        backend = MultiBackend([
+            DummyHashBackend([]),
+            DummyCipherBackend([
+                (algorithms.AES, modes.CBC),
+            ])
+        ])
+        assert backend.cipher_supported(
+            algorithms.AES(b"\x00" * 16), modes.CBC(b"\x00" * 16)
+        )
+
+        cipher = Cipher(
+            algorithms.AES(b"\x00" * 16),
+            modes.CBC(b"\x00" * 16),
+            backend=backend
+        )
+        cipher.encryptor()
+        cipher.decryptor()
+
+        cipher = Cipher(
+            algorithms.Camellia(b"\x00" * 16),
+            modes.CBC(b"\x00" * 16),
+            backend=backend
+        )
+        with pytest.raises(UnsupportedAlgorithm):
+            cipher.encryptor()
+        with pytest.raises(UnsupportedAlgorithm):
+            cipher.decryptor()
+
+    def test_hashes(self):
+        backend = MultiBackend([
+            DummyHashBackend([hashes.MD5])
+        ])
+        assert backend.hash_supported(hashes.MD5())
+
+        hashes.Hash(hashes.MD5(), backend=backend)
+
+        with pytest.raises(UnsupportedAlgorithm):
+            hashes.Hash(hashes.SHA1(), backend=backend)
+
+    def test_hmac(self):
+        backend = MultiBackend([
+            DummyHMACBackend([hashes.MD5])
+        ])
+        assert backend.hmac_supported(hashes.MD5())
+
+        hmac.HMAC(b"", hashes.MD5(), backend=backend)
+
+        with pytest.raises(UnsupportedAlgorithm):
+            hmac.HMAC(b"", hashes.SHA1(), backend=backend)
+
+    def test_pbkdf2(self):
+        backend = MultiBackend([
+            DummyPBKDF2HMAC([hashes.MD5])
+        ])
+        assert backend.pbkdf2_hmac_supported(hashes.MD5())
+
+        backend.derive_pbkdf2_hmac(hashes.MD5(), 10, b"", 10, b"")
+
+        with pytest.raises(UnsupportedAlgorithm):
+            backend.derive_pbkdf2_hmac(hashes.SHA1(), 10, b"", 10, b"")
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 1e35322a..9f00364f 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -15,7 +15,6 @@ import pytest
 
 from cryptography import utils
 from cryptography.exceptions import UnsupportedAlgorithm, InternalError
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.backends.openssl.backend import backend, Backend
 from cryptography.hazmat.primitives import interfaces
 from cryptography.hazmat.primitives.ciphers import Cipher
@@ -40,9 +39,6 @@ class TestOpenSSL(object):
     def test_backend_exists(self):
         assert backend
 
-    def test_is_default(self):
-        assert backend == default_backend()
-
     def test_openssl_version_text(self):
         """
         This test checks the value of OPENSSL_VERSION_TEXT.