moving to scripts

asq-env/lib/python3.9/site-packages/cryptography/hazmat/primitives/kdf/__init__.py

@@ -0,0 +1,22 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+
+import abc
+
+
+class KeyDerivationFunction(metaclass=abc.ABCMeta):
+    @abc.abstractmethod
+    def derive(self, key_material: bytes) -> bytes:
+        """
+        Deterministically generates and returns a new key based on the existing
+        key material.
+        """
+
+    @abc.abstractmethod
+    def verify(self, key_material: bytes, expected_key: bytes) -> None:
+        """
+        Checks whether the key generated by the key material matches the
+        expected derived key. Raises an exception if they do not match.
+        """

asq-env/lib/python3.9/site-packages/cryptography/hazmat/primitives/kdf/concatkdf.py

@@ -0,0 +1,155 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+
+import struct
+import typing
+
+from cryptography import utils
+from cryptography.exceptions import (
+    AlreadyFinalized,
+    InvalidKey,
+    UnsupportedAlgorithm,
+    _Reasons,
+)
+from cryptography.hazmat.backends import _get_backend
+from cryptography.hazmat.backends.interfaces import (
+    Backend,
+    HMACBackend,
+    HashBackend,
+)
+from cryptography.hazmat.primitives import constant_time, hashes, hmac
+from cryptography.hazmat.primitives.kdf import KeyDerivationFunction
+
+
+def _int_to_u32be(n: int) -> bytes:
+    return struct.pack(">I", n)
+
+
+def _common_args_checks(
+    algorithm: hashes.HashAlgorithm,
+    length: int,
+    otherinfo: typing.Optional[bytes],
+) -> None:
+    max_length = algorithm.digest_size * (2 ** 32 - 1)
+    if length > max_length:
+        raise ValueError(
+            "Cannot derive keys larger than {} bits.".format(max_length)
+        )
+    if otherinfo is not None:
+        utils._check_bytes("otherinfo", otherinfo)
+
+
+def _concatkdf_derive(
+    key_material: bytes,
+    length: int,
+    auxfn: typing.Callable[[], hashes.HashContext],
+    otherinfo: bytes,
+) -> bytes:
+    utils._check_byteslike("key_material", key_material)
+    output = [b""]
+    outlen = 0
+    counter = 1
+
+    while length > outlen:
+        h = auxfn()
+        h.update(_int_to_u32be(counter))
+        h.update(key_material)
+        h.update(otherinfo)
+        output.append(h.finalize())
+        outlen += len(output[-1])
+        counter += 1
+
+    return b"".join(output)[:length]
+
+
+class ConcatKDFHash(KeyDerivationFunction):
+    def __init__(
+        self,
+        algorithm: hashes.HashAlgorithm,
+        length: int,
+        otherinfo: typing.Optional[bytes],
+        backend: typing.Optional[Backend] = None,
+    ):
+        backend = _get_backend(backend)
+
+        _common_args_checks(algorithm, length, otherinfo)
+        self._algorithm = algorithm
+        self._length = length
+        self._otherinfo: bytes = otherinfo if otherinfo is not None else b""
+
+        if not isinstance(backend, HashBackend):
+            raise UnsupportedAlgorithm(
+                "Backend object does not implement HashBackend.",
+                _Reasons.BACKEND_MISSING_INTERFACE,
+            )
+        self._backend = backend
+        self._used = False
+
+    def _hash(self) -> hashes.Hash:
+        return hashes.Hash(self._algorithm, self._backend)
+
+    def derive(self, key_material: bytes) -> bytes:
+        if self._used:
+            raise AlreadyFinalized
+        self._used = True
+        return _concatkdf_derive(
+            key_material, self._length, self._hash, self._otherinfo
+        )
+
+    def verify(self, key_material: bytes, expected_key: bytes) -> None:
+        if not constant_time.bytes_eq(self.derive(key_material), expected_key):
+            raise InvalidKey
+
+
+class ConcatKDFHMAC(KeyDerivationFunction):
+    def __init__(
+        self,
+        algorithm: hashes.HashAlgorithm,
+        length: int,
+        salt: typing.Optional[bytes],
+        otherinfo: typing.Optional[bytes],
+        backend: typing.Optional[Backend] = None,
+    ):
+        backend = _get_backend(backend)
+
+        _common_args_checks(algorithm, length, otherinfo)
+        self._algorithm = algorithm
+        self._length = length
+        self._otherinfo: bytes = otherinfo if otherinfo is not None else b""
+
+        if algorithm.block_size is None:
+            raise TypeError(
+                "{} is unsupported for ConcatKDF".format(algorithm.name)
+            )
+
+        if salt is None:
+            salt = b"\x00" * algorithm.block_size
+        else:
+            utils._check_bytes("salt", salt)
+
+        self._salt = salt
+
+        if not isinstance(backend, HMACBackend):
+            raise UnsupportedAlgorithm(
+                "Backend object does not implement HMACBackend.",
+                _Reasons.BACKEND_MISSING_INTERFACE,
+            )
+        self._backend = backend
+        self._used = False
+
+    def _hmac(self) -> hmac.HMAC:
+        return hmac.HMAC(self._salt, self._algorithm, self._backend)
+
+    def derive(self, key_material: bytes) -> bytes:
+        if self._used:
+            raise AlreadyFinalized
+        self._used = True
+        return _concatkdf_derive(
+            key_material, self._length, self._hmac, self._otherinfo
+        )
+
+    def verify(self, key_material: bytes, expected_key: bytes) -> None:
+        if not constant_time.bytes_eq(self.derive(key_material), expected_key):
+            raise InvalidKey

asq-env/lib/python3.9/site-packages/cryptography/hazmat/primitives/kdf/hkdf.py

@@ -0,0 +1,125 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+
+import typing
+
+from cryptography import utils
+from cryptography.exceptions import (
+    AlreadyFinalized,
+    InvalidKey,
+    UnsupportedAlgorithm,
+    _Reasons,
+)
+from cryptography.hazmat.backends import _get_backend
+from cryptography.hazmat.backends.interfaces import Backend, HMACBackend
+from cryptography.hazmat.primitives import constant_time, hashes, hmac
+from cryptography.hazmat.primitives.kdf import KeyDerivationFunction
+
+
+class HKDF(KeyDerivationFunction):
+    def __init__(
+        self,
+        algorithm: hashes.HashAlgorithm,
+        length: int,
+        salt: typing.Optional[bytes],
+        info: typing.Optional[bytes],
+        backend: typing.Optional[Backend] = None,
+    ):
+        backend = _get_backend(backend)
+        if not isinstance(backend, HMACBackend):
+            raise UnsupportedAlgorithm(
+                "Backend object does not implement HMACBackend.",
+                _Reasons.BACKEND_MISSING_INTERFACE,
+            )
+
+        self._algorithm = algorithm
+
+        if salt is None:
+            salt = b"\x00" * self._algorithm.digest_size
+        else:
+            utils._check_bytes("salt", salt)
+
+        self._salt = salt
+
+        self._backend = backend
+
+        self._hkdf_expand = HKDFExpand(self._algorithm, length, info, backend)
+
+    def _extract(self, key_material: bytes) -> bytes:
+        h = hmac.HMAC(self._salt, self._algorithm, backend=self._backend)
+        h.update(key_material)
+        return h.finalize()
+
+    def derive(self, key_material: bytes) -> bytes:
+        utils._check_byteslike("key_material", key_material)
+        return self._hkdf_expand.derive(self._extract(key_material))
+
+    def verify(self, key_material: bytes, expected_key: bytes) -> None:
+        if not constant_time.bytes_eq(self.derive(key_material), expected_key):
+            raise InvalidKey
+
+
+class HKDFExpand(KeyDerivationFunction):
+    def __init__(
+        self,
+        algorithm: hashes.HashAlgorithm,
+        length: int,
+        info: typing.Optional[bytes],
+        backend: typing.Optional[Backend] = None,
+    ):
+        backend = _get_backend(backend)
+        if not isinstance(backend, HMACBackend):
+            raise UnsupportedAlgorithm(
+                "Backend object does not implement HMACBackend.",
+                _Reasons.BACKEND_MISSING_INTERFACE,
+            )
+
+        self._algorithm = algorithm
+
+        self._backend = backend
+
+        max_length = 255 * algorithm.digest_size
+
+        if length > max_length:
+            raise ValueError(
+                "Cannot derive keys larger than {} octets.".format(max_length)
+            )
+
+        self._length = length
+
+        if info is None:
+            info = b""
+        else:
+            utils._check_bytes("info", info)
+
+        self._info = info
+
+        self._used = False
+
+    def _expand(self, key_material: bytes) -> bytes:
+        output = [b""]
+        counter = 1
+
+        while self._algorithm.digest_size * (len(output) - 1) < self._length:
+            h = hmac.HMAC(key_material, self._algorithm, backend=self._backend)
+            h.update(output[-1])
+            h.update(self._info)
+            h.update(bytes([counter]))
+            output.append(h.finalize())
+            counter += 1
+
+        return b"".join(output)[: self._length]
+
+    def derive(self, key_material: bytes) -> bytes:
+        utils._check_byteslike("key_material", key_material)
+        if self._used:
+            raise AlreadyFinalized
+
+        self._used = True
+        return self._expand(key_material)
+
+    def verify(self, key_material: bytes, expected_key: bytes) -> None:
+        if not constant_time.bytes_eq(self.derive(key_material), expected_key):
+            raise InvalidKey

asq-env/lib/python3.9/site-packages/cryptography/hazmat/primitives/kdf/kbkdf.py

@@ -0,0 +1,272 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+import typing
+
+from cryptography import utils
+from cryptography.exceptions import (
+    AlreadyFinalized,
+    InvalidKey,
+    UnsupportedAlgorithm,
+    _Reasons,
+)
+from cryptography.hazmat.backends import _get_backend
+from cryptography.hazmat.backends.interfaces import (
+    Backend,
+    CMACBackend,
+    HMACBackend,
+)
+from cryptography.hazmat.primitives import (
+    ciphers,
+    cmac,
+    constant_time,
+    hashes,
+    hmac,
+)
+from cryptography.hazmat.primitives.kdf import KeyDerivationFunction
+
+
+class Mode(utils.Enum):
+    CounterMode = "ctr"
+
+
+class CounterLocation(utils.Enum):
+    BeforeFixed = "before_fixed"
+    AfterFixed = "after_fixed"
+
+
+class _KBKDFDeriver:
+    def __init__(
+        self,
+        prf: typing.Callable,
+        mode: Mode,
+        length: int,
+        rlen: int,
+        llen: typing.Optional[int],
+        location: CounterLocation,
+        label: typing.Optional[bytes],
+        context: typing.Optional[bytes],
+        fixed: typing.Optional[bytes],
+    ):
+        assert callable(prf)
+
+        if not isinstance(mode, Mode):
+            raise TypeError("mode must be of type Mode")
+
+        if not isinstance(location, CounterLocation):
+            raise TypeError("location must be of type CounterLocation")
+
+        if (label or context) and fixed:
+            raise ValueError(
+                "When supplying fixed data, " "label and context are ignored."
+            )
+
+        if rlen is None or not self._valid_byte_length(rlen):
+            raise ValueError("rlen must be between 1 and 4")
+
+        if llen is None and fixed is None:
+            raise ValueError("Please specify an llen")
+
+        if llen is not None and not isinstance(llen, int):
+            raise TypeError("llen must be an integer")
+
+        if label is None:
+            label = b""
+
+        if context is None:
+            context = b""
+
+        utils._check_bytes("label", label)
+        utils._check_bytes("context", context)
+        self._prf = prf
+        self._mode = mode
+        self._length = length
+        self._rlen = rlen
+        self._llen = llen
+        self._location = location
+        self._label = label
+        self._context = context
+        self._used = False
+        self._fixed_data = fixed
+
+    @staticmethod
+    def _valid_byte_length(value: int) -> bool:
+        if not isinstance(value, int):
+            raise TypeError("value must be of type int")
+
+        value_bin = utils.int_to_bytes(1, value)
+        if not 1 <= len(value_bin) <= 4:
+            return False
+        return True
+
+    def derive(self, key_material: bytes, prf_output_size: int) -> bytes:
+        if self._used:
+            raise AlreadyFinalized
+
+        utils._check_byteslike("key_material", key_material)
+        self._used = True
+
+        # inverse floor division (equivalent to ceiling)
+        rounds = -(-self._length // prf_output_size)
+
+        output = [b""]
+
+        # For counter mode, the number of iterations shall not be
+        # larger than 2^r-1, where r <= 32 is the binary length of the counter
+        # This ensures that the counter values used as an input to the
+        # PRF will not repeat during a particular call to the KDF function.
+        r_bin = utils.int_to_bytes(1, self._rlen)
+        if rounds > pow(2, len(r_bin) * 8) - 1:
+            raise ValueError("There are too many iterations.")
+
+        for i in range(1, rounds + 1):
+            h = self._prf(key_material)
+
+            counter = utils.int_to_bytes(i, self._rlen)
+            if self._location == CounterLocation.BeforeFixed:
+                h.update(counter)
+
+            h.update(self._generate_fixed_input())
+
+            if self._location == CounterLocation.AfterFixed:
+                h.update(counter)
+
+            output.append(h.finalize())
+
+        return b"".join(output)[: self._length]
+
+    def _generate_fixed_input(self) -> bytes:
+        if self._fixed_data and isinstance(self._fixed_data, bytes):
+            return self._fixed_data
+
+        l_val = utils.int_to_bytes(self._length * 8, self._llen)
+
+        return b"".join([self._label, b"\x00", self._context, l_val])
+
+
+class KBKDFHMAC(KeyDerivationFunction):
+    def __init__(
+        self,
+        algorithm: hashes.HashAlgorithm,
+        mode: Mode,
+        length: int,
+        rlen: int,
+        llen: typing.Optional[int],
+        location: CounterLocation,
+        label: typing.Optional[bytes],
+        context: typing.Optional[bytes],
+        fixed: typing.Optional[bytes],
+        backend: typing.Optional[Backend] = None,
+    ):
+        backend = _get_backend(backend)
+        if not isinstance(backend, HMACBackend):
+            raise UnsupportedAlgorithm(
+                "Backend object does not implement HMACBackend.",
+                _Reasons.BACKEND_MISSING_INTERFACE,
+            )
+
+        if not isinstance(algorithm, hashes.HashAlgorithm):
+            raise UnsupportedAlgorithm(
+                "Algorithm supplied is not a supported hash algorithm.",
+                _Reasons.UNSUPPORTED_HASH,
+            )
+
+        if not backend.hmac_supported(algorithm):
+            raise UnsupportedAlgorithm(
+                "Algorithm supplied is not a supported hmac algorithm.",
+                _Reasons.UNSUPPORTED_HASH,
+            )
+
+        self._algorithm = algorithm
+        self._backend = backend
+
+        self._deriver = _KBKDFDeriver(
+            self._prf,
+            mode,
+            length,
+            rlen,
+            llen,
+            location,
+            label,
+            context,
+            fixed,
+        )
+
+    def _prf(self, key_material: bytes):
+        return hmac.HMAC(key_material, self._algorithm, backend=self._backend)
+
+    def derive(self, key_material) -> bytes:
+        return self._deriver.derive(key_material, self._algorithm.digest_size)
+
+    def verify(self, key_material: bytes, expected_key: bytes) -> None:
+        if not constant_time.bytes_eq(self.derive(key_material), expected_key):
+            raise InvalidKey
+
+
+class KBKDFCMAC(KeyDerivationFunction):
+    def __init__(
+        self,
+        algorithm,
+        mode: Mode,
+        length: int,
+        rlen: int,
+        llen: typing.Optional[int],
+        location: CounterLocation,
+        label: typing.Optional[bytes],
+        context: typing.Optional[bytes],
+        fixed: typing.Optional[bytes],
+        backend: typing.Optional[Backend] = None,
+    ):
+        backend = _get_backend(backend)
+        if not isinstance(backend, CMACBackend):
+            raise UnsupportedAlgorithm(
+                "Backend object does not implement CMACBackend.",
+                _Reasons.BACKEND_MISSING_INTERFACE,
+            )
+
+        if not issubclass(
+            algorithm, ciphers.BlockCipherAlgorithm
+        ) or not issubclass(algorithm, ciphers.CipherAlgorithm):
+            raise UnsupportedAlgorithm(
+                "Algorithm supplied is not a supported cipher algorithm.",
+                _Reasons.UNSUPPORTED_CIPHER,
+            )
+
+        self._algorithm = algorithm
+        self._backend = backend
+        self._cipher: typing.Optional[ciphers.BlockCipherAlgorithm] = None
+
+        self._deriver = _KBKDFDeriver(
+            self._prf,
+            mode,
+            length,
+            rlen,
+            llen,
+            location,
+            label,
+            context,
+            fixed,
+        )
+
+    def _prf(self, _: bytes):
+        assert self._cipher is not None
+
+        return cmac.CMAC(self._cipher, backend=self._backend)
+
+    def derive(self, key_material: bytes) -> bytes:
+        self._cipher = self._algorithm(key_material)
+
+        assert self._cipher is not None
+
+        if not self._backend.cmac_algorithm_supported(self._cipher):
+            raise UnsupportedAlgorithm(
+                "Algorithm supplied is not a supported cipher algorithm.",
+                _Reasons.UNSUPPORTED_CIPHER,
+            )
+
+        return self._deriver.derive(key_material, self._cipher.block_size // 8)
+
+    def verify(self, key_material: bytes, expected_key: bytes) -> None:
+        if not constant_time.bytes_eq(self.derive(key_material), expected_key):
+            raise InvalidKey

asq-env/lib/python3.9/site-packages/cryptography/hazmat/primitives/kdf/pbkdf2.py

@@ -0,0 +1,69 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+
+import typing
+
+from cryptography import utils
+from cryptography.exceptions import (
+    AlreadyFinalized,
+    InvalidKey,
+    UnsupportedAlgorithm,
+    _Reasons,
+)
+from cryptography.hazmat.backends import _get_backend
+from cryptography.hazmat.backends.interfaces import Backend, PBKDF2HMACBackend
+from cryptography.hazmat.primitives import constant_time, hashes
+from cryptography.hazmat.primitives.kdf import KeyDerivationFunction
+
+
+class PBKDF2HMAC(KeyDerivationFunction):
+    def __init__(
+        self,
+        algorithm: hashes.HashAlgorithm,
+        length: int,
+        salt: bytes,
+        iterations: int,
+        backend: typing.Optional[Backend] = None,
+    ):
+        backend = _get_backend(backend)
+        if not isinstance(backend, PBKDF2HMACBackend):
+            raise UnsupportedAlgorithm(
+                "Backend object does not implement PBKDF2HMACBackend.",
+                _Reasons.BACKEND_MISSING_INTERFACE,
+            )
+
+        if not backend.pbkdf2_hmac_supported(algorithm):
+            raise UnsupportedAlgorithm(
+                "{} is not supported for PBKDF2 by this backend.".format(
+                    algorithm.name
+                ),
+                _Reasons.UNSUPPORTED_HASH,
+            )
+        self._used = False
+        self._algorithm = algorithm
+        self._length = length
+        utils._check_bytes("salt", salt)
+        self._salt = salt
+        self._iterations = iterations
+        self._backend = backend
+
+    def derive(self, key_material: bytes) -> bytes:
+        if self._used:
+            raise AlreadyFinalized("PBKDF2 instances can only be used once.")
+        self._used = True
+
+        utils._check_byteslike("key_material", key_material)
+        return self._backend.derive_pbkdf2_hmac(
+            self._algorithm,
+            self._length,
+            self._salt,
+            self._iterations,
+            key_material,
+        )
+
+    def verify(self, key_material: bytes, expected_key: bytes) -> None:
+        derived_key = self.derive(key_material)
+        if not constant_time.bytes_eq(derived_key, expected_key):
+            raise InvalidKey("Keys do not match.")

asq-env/lib/python3.9/site-packages/cryptography/hazmat/primitives/kdf/scrypt.py

@@ -0,0 +1,75 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+
+import sys
+import typing
+
+from cryptography import utils
+from cryptography.exceptions import (
+    AlreadyFinalized,
+    InvalidKey,
+    UnsupportedAlgorithm,
+    _Reasons,
+)
+from cryptography.hazmat.backends import _get_backend
+from cryptography.hazmat.backends.interfaces import Backend, ScryptBackend
+from cryptography.hazmat.primitives import constant_time
+from cryptography.hazmat.primitives.kdf import KeyDerivationFunction
+
+
+# This is used by the scrypt tests to skip tests that require more memory
+# than the MEM_LIMIT
+_MEM_LIMIT = sys.maxsize // 2
+
+
+class Scrypt(KeyDerivationFunction):
+    def __init__(
+        self,
+        salt: bytes,
+        length: int,
+        n: int,
+        r: int,
+        p: int,
+        backend: typing.Optional[Backend] = None,
+    ):
+        backend = _get_backend(backend)
+        if not isinstance(backend, ScryptBackend):
+            raise UnsupportedAlgorithm(
+                "Backend object does not implement ScryptBackend.",
+                _Reasons.BACKEND_MISSING_INTERFACE,
+            )
+
+        self._length = length
+        utils._check_bytes("salt", salt)
+        if n < 2 or (n & (n - 1)) != 0:
+            raise ValueError("n must be greater than 1 and be a power of 2.")
+
+        if r < 1:
+            raise ValueError("r must be greater than or equal to 1.")
+
+        if p < 1:
+            raise ValueError("p must be greater than or equal to 1.")
+
+        self._used = False
+        self._salt = salt
+        self._n = n
+        self._r = r
+        self._p = p
+        self._backend = backend
+
+    def derive(self, key_material: bytes) -> bytes:
+        if self._used:
+            raise AlreadyFinalized("Scrypt instances can only be used once.")
+        self._used = True
+
+        utils._check_byteslike("key_material", key_material)
+        return self._backend.derive_scrypt(
+            key_material, self._salt, self._length, self._n, self._r, self._p
+        )
+
+    def verify(self, key_material: bytes, expected_key: bytes) -> None:
+        derived_key = self.derive(key_material)
+        if not constant_time.bytes_eq(derived_key, expected_key):
+            raise InvalidKey("Keys do not match.")

asq-env/lib/python3.9/site-packages/cryptography/hazmat/primitives/kdf/x963kdf.py

@@ -0,0 +1,79 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+
+import struct
+import typing
+
+from cryptography import utils
+from cryptography.exceptions import (
+    AlreadyFinalized,
+    InvalidKey,
+    UnsupportedAlgorithm,
+    _Reasons,
+)
+from cryptography.hazmat.backends import _get_backend
+from cryptography.hazmat.backends.interfaces import Backend, HashBackend
+from cryptography.hazmat.primitives import constant_time, hashes
+from cryptography.hazmat.primitives.kdf import KeyDerivationFunction
+
+
+def _int_to_u32be(n):
+    return struct.pack(">I", n)
+
+
+class X963KDF(KeyDerivationFunction):
+    def __init__(
+        self,
+        algorithm: hashes.HashAlgorithm,
+        length: int,
+        sharedinfo: typing.Optional[bytes],
+        backend: typing.Optional[Backend] = None,
+    ):
+        backend = _get_backend(backend)
+
+        max_len = algorithm.digest_size * (2 ** 32 - 1)
+        if length > max_len:
+            raise ValueError(
+                "Cannot derive keys larger than {} bits.".format(max_len)
+            )
+        if sharedinfo is not None:
+            utils._check_bytes("sharedinfo", sharedinfo)
+
+        self._algorithm = algorithm
+        self._length = length
+        self._sharedinfo = sharedinfo
+
+        if not isinstance(backend, HashBackend):
+            raise UnsupportedAlgorithm(
+                "Backend object does not implement HashBackend.",
+                _Reasons.BACKEND_MISSING_INTERFACE,
+            )
+        self._backend = backend
+        self._used = False
+
+    def derive(self, key_material: bytes) -> bytes:
+        if self._used:
+            raise AlreadyFinalized
+        self._used = True
+        utils._check_byteslike("key_material", key_material)
+        output = [b""]
+        outlen = 0
+        counter = 1
+
+        while self._length > outlen:
+            h = hashes.Hash(self._algorithm, self._backend)
+            h.update(key_material)
+            h.update(_int_to_u32be(counter))
+            if self._sharedinfo is not None:
+                h.update(self._sharedinfo)
+            output.append(h.finalize())
+            outlen += len(output[-1])
+            counter += 1
+
+        return b"".join(output)[: self._length]
+
+    def verify(self, key_material: bytes, expected_key: bytes) -> None:
+        if not constant_time.bytes_eq(self.derive(key_material), expected_key):
+            raise InvalidKey