Merge branch 'master' into bind-pkcs12

Conflicts:
	cryptography/bindings/openssl/api.py

11 files changed, 774 insertions, 2 deletions

diff --git a/cryptography/bindings/openssl/api.py b/cryptography/bindings/openssl/api.py
index d04ca0c0..3502dd5a 100644
--- a/cryptography/bindings/openssl/api.py
+++ b/cryptography/bindings/openssl/api.py
@@ -36,10 +36,13 @@ class API(object):
         "err",
         "evp",
         "opensslv",
+        "pkcs7",
         "pkcs12",
         "rand",
         "rsa",
         "ssl",
+        "x509name",
+        "x509"
     ]
 
     def __init__(self):
@@ -141,5 +144,35 @@ class API(object):
         assert res != 0
         return self.ffi.buffer(buf)[:outlen[0]]
 
+    def supports_hash(self, hash_cls):
+        return (self.ffi.NULL !=
+                self.lib.EVP_get_digestbyname(hash_cls.name.encode("ascii")))
+
+    def create_hash_context(self, hashobject):
+        ctx = self.lib.EVP_MD_CTX_create()
+        ctx = self.ffi.gc(ctx, self.lib.EVP_MD_CTX_destroy)
+        evp_md = self.lib.EVP_get_digestbyname(hashobject.name.encode("ascii"))
+        assert evp_md != self.ffi.NULL
+        res = self.lib.EVP_DigestInit_ex(ctx, evp_md, self.ffi.NULL)
+        assert res != 0
+        return ctx
+
+    def update_hash_context(self, ctx, data):
+        res = self.lib.EVP_DigestUpdate(ctx, data, len(data))
+        assert res != 0
+
+    def finalize_hash_context(self, ctx, digest_size):
+        buf = self.ffi.new("unsigned char[]", digest_size)
+        res = self.lib.EVP_DigestFinal_ex(ctx, buf, self.ffi.NULL)
+        assert res != 0
+        return self.ffi.buffer(buf)[:digest_size]
+
+    def copy_hash_context(self, ctx):
+        copied_ctx = self.lib.EVP_MD_CTX_create()
+        copied_ctx = self.ffi.gc(copied_ctx, self.lib.EVP_MD_CTX_destroy)
+        res = self.lib.EVP_MD_CTX_copy_ex(copied_ctx, ctx)
+        assert res != 0
+        return copied_ctx
+
 
 api = API()
diff --git a/cryptography/bindings/openssl/pkcs7.py b/cryptography/bindings/openssl/pkcs7.py
new file mode 100644
index 00000000..752bfa00
--- /dev/null
+++ b/cryptography/bindings/openssl/pkcs7.py
@@ -0,0 +1,34 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+INCLUDES = """
+#include <openssl/pkcs7.h>
+"""
+
+TYPES = """
+typedef struct {
+    ASN1_OBJECT *type;
+    ...;
+} PKCS7;
+"""
+
+FUNCTIONS = """
+void PKCS7_free(PKCS7 *);
+"""
+
+MACROS = """
+int PKCS7_type_is_signed(PKCS7 *);
+int PKCS7_type_is_enveloped(PKCS7 *);
+int PKCS7_type_is_signedAndEnveloped(PKCS7 *);
+int PKCS7_type_is_data(PKCS7 *);
+"""
diff --git a/cryptography/bindings/openssl/x509.py b/cryptography/bindings/openssl/x509.py
new file mode 100644
index 00000000..9a51a6d0
--- /dev/null
+++ b/cryptography/bindings/openssl/x509.py
@@ -0,0 +1,187 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+INCLUDES = """
+#include <openssl/ssl.h>
+"""
+
+TYPES = """
+typedef struct {
+    ASN1_OBJECT *algorithm;
+    ...;
+} X509_ALGOR;
+
+typedef struct {
+    X509_ALGOR *signature;
+    ...;
+} X509_CINF;
+
+typedef struct {
+    ASN1_OBJECT *object;
+    ASN1_BOOLEAN critical;
+    ASN1_OCTET_STRING *value;
+} X509_EXTENSION;
+
+typedef ... X509_EXTENSIONS;
+
+typedef ... X509_REQ;
+
+typedef ... x509_revoked_st;
+
+typedef struct {
+    ASN1_INTEGER *serialNumber;
+    ASN1_TIME *revocationDate;
+    X509_EXTENSIONS *extensions;
+    int sequence;
+    ...;
+} X509_REVOKED;
+
+typedef struct {
+    struct x509_revoked_st *revoked;
+    ...;
+} X509_CRL_INFO;
+
+typedef struct {
+    X509_CRL_INFO *crl;
+    ...;
+} X509_CRL;
+
+typedef struct {
+    X509_CINF *cert_info;
+    ...;
+} X509;
+
+typedef ... X509_STORE;
+typedef ... NETSCAPE_SPKI;
+"""
+
+FUNCTIONS = """
+X509 *X509_new();
+void X509_free(X509 *);
+X509 *X509_dup(X509 *);
+
+int X509_print_ex(BIO *, X509 *, unsigned long, unsigned long);
+
+int X509_set_version(X509 *, long);
+
+EVP_PKEY *X509_get_pubkey(X509 *);
+int X509_set_pubkey(X509 *, EVP_PKEY *);
+
+unsigned char *X509_alias_get0(X509 *, int *);
+int X509_sign(X509 *, EVP_PKEY *, const EVP_MD *);
+
+int X509_digest(const X509 *, const EVP_MD *, unsigned char *, unsigned int *);
+
+ASN1_TIME *X509_gmtime_adj(ASN1_TIME *, long);
+
+unsigned long X509_subject_name_hash(X509 *);
+
+X509_NAME *X509_get_subject_name(X509 *);
+int X509_set_subject_name(X509 *, X509_NAME *);
+
+X509_NAME *X509_get_issuer_name(X509 *);
+int X509_set_issuer_name(X509 *, X509_NAME *);
+
+int X509_get_ext_count(X509 *);
+int X509_add_ext(X509 *, X509_EXTENSION *, int);
+X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *);
+X509_EXTENSION *X509_get_ext(X509 *, int);
+int X509_EXTENSION_get_critical(X509_EXTENSION *);
+ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *);
+void X509_EXTENSION_free(X509_EXTENSION *);
+
+int X509_REQ_set_version(X509_REQ *, long);
+X509_REQ *X509_REQ_new();
+void X509_REQ_free(X509_REQ *);
+int X509_REQ_set_pubkey(X509_REQ *, EVP_PKEY *);
+int X509_REQ_sign(X509_REQ *, EVP_PKEY *, const EVP_MD *);
+int X509_REQ_verify(X509_REQ *, EVP_PKEY *);
+EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *);
+int X509_REQ_add_extensions(X509_REQ *, X509_EXTENSIONS *);
+int X509_REQ_print_ex(BIO *, X509_REQ *, unsigned long, unsigned long);
+
+int X509V3_EXT_print(BIO *, X509_EXTENSION *, unsigned long, int);
+ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *);
+
+X509_REVOKED *X509_REVOKED_new();
+void X509_REVOKED_free(X509_REVOKED *);
+
+int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *);
+
+int X509_REVOKED_add1_ext_i2d(X509_REVOKED *, int, void *, int, unsigned long);
+
+X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **);
+X509_CRL *X509_CRL_new();
+void X509_CRL_free(X509_CRL *);
+int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *);
+int i2d_X509_CRL_bio(BIO *, X509_CRL *);
+int X509_CRL_print(BIO *, X509_CRL *);
+int X509_CRL_set_issuer_name(X509_CRL *, X509_NAME *);
+int X509_CRL_sign(X509_CRL *, EVP_PKEY *, const EVP_MD *);
+
+int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *, EVP_PKEY *);
+int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *);
+char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *);
+EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *);
+int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *, EVP_PKEY *);
+NETSCAPE_SPKI *NETSCAPE_SPKI_new();
+void NETSCAPE_SPKI_free(NETSCAPE_SPKI *);
+
+/*  ASN1 serialization */
+int i2d_X509_bio(BIO *, X509 *);
+X509 *d2i_X509_bio(BIO *, X509 **);
+
+int i2d_X509_REQ_bio(BIO *, X509_REQ *);
+X509_REQ *d2i_X509_REQ_bio(BIO *, X509_REQ **);
+
+int i2d_PrivateKey_bio(BIO *, EVP_PKEY *);
+EVP_PKEY *d2i_PrivateKey_bio(BIO *, EVP_PKEY **);
+
+ASN1_INTEGER *X509_get_serialNumber(X509 *);
+int X509_set_serialNumber(X509 *, ASN1_INTEGER *);
+
+/*  X509_STORE */
+X509_STORE *X509_STORE_new();
+void X509_STORE_free(X509_STORE *);
+int X509_STORE_add_cert(X509_STORE *, X509 *);
+"""
+
+MACROS = """
+long X509_get_version(X509 *);
+
+ASN1_TIME *X509_get_notBefore(X509 *);
+ASN1_TIME *X509_get_notAfter(X509 *);
+
+long X509_REQ_get_version(X509_REQ *);
+X509_NAME *X509_REQ_get_subject_name(X509_REQ *);
+
+struct stack_st_X509 *sk_X509_new_null();
+void sk_X509_free(struct stack_st_X509 *);
+int sk_X509_num(struct stack_st_X509 *);
+int sk_X509_push(struct stack_st_X509 *, X509 *);
+X509 *sk_X509_value(struct stack_st_X509 *, int);
+
+X509_EXTENSIONS *sk_X509_EXTENSION_new_null();
+int sk_X509_EXTENSION_num(X509_EXTENSIONS *);
+X509_EXTENSION *sk_X509_EXTENSION_value(X509_EXTENSIONS *, int);
+int sk_X509_EXTENSION_push(X509_EXTENSIONS *, X509_EXTENSION *);
+void sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int);
+void sk_X509_EXTENSION_free(X509_EXTENSIONS *);
+
+int sk_X509_REVOKED_num(struct x509_revoked_st *);
+X509_REVOKED *sk_X509_REVOKED_value(struct x509_revoked_st *, int);
+
+/* These aren't macros these arguments are all const X on openssl > 1.0.x */
+int X509_CRL_set_lastUpdate(X509_CRL *, const ASN1_TIME *);
+int X509_CRL_set_nextUpdate(X509_CRL *, const ASN1_TIME *);
+"""
diff --git a/cryptography/bindings/openssl/x509name.py b/cryptography/bindings/openssl/x509name.py
new file mode 100644
index 00000000..bd7abe2d
--- /dev/null
+++ b/cryptography/bindings/openssl/x509name.py
@@ -0,0 +1,48 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+INCLUDES = """
+#include <openssl/x509.h>
+"""
+
+TYPES = """
+typedef ... X509_NAME;
+typedef ... X509_NAME_ENTRY;
+"""
+
+FUNCTIONS = """
+int X509_NAME_entry_count(X509_NAME *);
+X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *, int);
+ASN1_OBJECT *X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *);
+ASN1_STRING *X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *);
+unsigned long X509_NAME_hash(X509_NAME *);
+
+int i2d_X509_NAME(X509_NAME *, unsigned char **);
+int X509_NAME_add_entry_by_NID(X509_NAME *, int, int, unsigned char *,
+                               int, int, int);
+X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *, int);
+void X509_NAME_ENTRY_free(X509_NAME_ENTRY *);
+int X509_NAME_get_index_by_NID(X509_NAME *, int, int);
+int X509_NAME_cmp(const X509_NAME *, const X509_NAME *);
+char *X509_NAME_oneline(X509_NAME *, char *, int);
+X509_NAME *X509_NAME_dup(X509_NAME *);
+void X509_NAME_free(X509_NAME *);
+"""
+
+MACROS = """
+struct stack_st_X509_NAME *sk_X509_NAME_new_null();
+int sk_X509_NAME_num(struct stack_st_X509_NAME *);
+int sk_X509_NAME_push(struct stack_st_X509_NAME *, X509_NAME *);
+X509_NAME *sk_X509_NAME_value(struct stack_st_X509_NAME *, int);
+void sk_X509_NAME_free(struct stack_st_X509_NAME *);
+"""
diff --git a/cryptography/primitives/hashes.py b/cryptography/primitives/hashes.py
new file mode 100644
index 00000000..affca564
--- /dev/null
+++ b/cryptography/primitives/hashes.py
@@ -0,0 +1,78 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import, division, print_function
+
+import binascii
+
+from cryptography.bindings import _default_api
+
+
+class BaseHash(object):
+    def __init__(self, api=None, ctx=None):
+        if api is None:
+            api = _default_api
+        self._api = api
+        self._ctx = self._api.create_hash_context(self) if ctx is None else ctx
+
+    def update(self, string):
+        self._api.update_hash_context(self._ctx, string)
+
+    def copy(self):
+        return self.__class__(ctx=self._copy_ctx())
+
+    def digest(self):
+        return self._api.finalize_hash_context(self._copy_ctx(),
+                                               self.digest_size)
+
+    def hexdigest(self):
+        return binascii.hexlify(self.digest()).decode("ascii")
+
+    def _copy_ctx(self):
+        return self._api.copy_hash_context(self._ctx)
+
+
+class SHA1(BaseHash):
+    name = "sha1"
+    digest_size = 20
+    block_size = 64
+
+
+class SHA224(BaseHash):
+    name = "sha224"
+    digest_size = 28
+    block_size = 64
+
+
+class SHA256(BaseHash):
+    name = "sha256"
+    digest_size = 32
+    block_size = 64
+
+
+class SHA384(BaseHash):
+    name = "sha384"
+    digest_size = 48
+    block_size = 128
+
+
+class SHA512(BaseHash):
+    name = "sha512"
+    digest_size = 64
+    block_size = 128
+
+
+class RIPEMD160(BaseHash):
+    name = "ripemd160"
+    digest_size = 20
+    block_size = 64
diff --git a/tests/primitives/test_hash_vectors.py b/tests/primitives/test_hash_vectors.py
new file mode 100644
index 00000000..51c4b85d
--- /dev/null
+++ b/tests/primitives/test_hash_vectors.py
@@ -0,0 +1,111 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import, division, print_function
+
+import os
+
+from cryptography.primitives import hashes
+
+from .utils import generate_hash_test, generate_long_string_hash_test
+from ..utils import load_hash_vectors_from_file
+
+
+class TestSHA1(object):
+    test_SHA1 = generate_hash_test(
+        load_hash_vectors_from_file,
+        os.path.join("NIST", "SHABYTE"),
+        [
+            "SHA1LongMsg.rsp",
+            "SHA1ShortMsg.rsp",
+        ],
+        hashes.SHA1,
+        only_if=lambda api: api.supports_hash(hashes.SHA1),
+        skip_message="Does not support SHA1",
+    )
+
+
+class TestSHA224(object):
+    test_SHA224 = generate_hash_test(
+        load_hash_vectors_from_file,
+        os.path.join("NIST", "SHABYTE"),
+        [
+            "SHA224LongMsg.rsp",
+            "SHA224ShortMsg.rsp",
+        ],
+        hashes.SHA224,
+        only_if=lambda api: api.supports_hash(hashes.SHA224),
+        skip_message="Does not support SHA224",
+    )
+
+
+class TestSHA256(object):
+    test_SHA256 = generate_hash_test(
+        load_hash_vectors_from_file,
+        os.path.join("NIST", "SHABYTE"),
+        [
+            "SHA256LongMsg.rsp",
+            "SHA256ShortMsg.rsp",
+        ],
+        hashes.SHA256,
+        only_if=lambda api: api.supports_hash(hashes.SHA256),
+        skip_message="Does not support SHA256",
+    )
+
+
+class TestSHA384(object):
+    test_SHA384 = generate_hash_test(
+        load_hash_vectors_from_file,
+        os.path.join("NIST", "SHABYTE"),
+        [
+            "SHA384LongMsg.rsp",
+            "SHA384ShortMsg.rsp",
+        ],
+        hashes.SHA384,
+        only_if=lambda api: api.supports_hash(hashes.SHA384),
+        skip_message="Does not support SHA384",
+    )
+
+
+class TestSHA512(object):
+    test_SHA512 = generate_hash_test(
+        load_hash_vectors_from_file,
+        os.path.join("NIST", "SHABYTE"),
+        [
+            "SHA512LongMsg.rsp",
+            "SHA512ShortMsg.rsp",
+        ],
+        hashes.SHA512,
+        only_if=lambda api: api.supports_hash(hashes.SHA512),
+        skip_message="Does not support SHA512",
+    )
+
+
+class TestRIPEMD160(object):
+    test_RIPEMD160 = generate_hash_test(
+        load_hash_vectors_from_file,
+        os.path.join("ISO", "ripemd160"),
+        [
+            "ripevectors.txt",
+        ],
+        hashes.RIPEMD160,
+        only_if=lambda api: api.supports_hash(hashes.RIPEMD160),
+        skip_message="Does not support RIPEMD160",
+    )
+
+    test_RIPEMD160_long_string = generate_long_string_hash_test(
+        hashes.RIPEMD160,
+        "52783243c1697bdbe16d37f97f68f08325dc1528",
+        only_if=lambda api: api.supports_hash(hashes.RIPEMD160),
+        skip_message="Does not support RIPEMD160",
+    )
diff --git a/tests/primitives/test_hashes.py b/tests/primitives/test_hashes.py
new file mode 100644
index 00000000..bfb45037
--- /dev/null
+++ b/tests/primitives/test_hashes.py
@@ -0,0 +1,78 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import, division, print_function
+
+from cryptography.primitives import hashes
+
+from .utils import generate_base_hash_test
+
+
+class TestSHA1(object):
+    test_SHA1 = generate_base_hash_test(
+        hashes.SHA1,
+        digest_size=20,
+        block_size=64,
+        only_if=lambda api: api.supports_hash(hashes.SHA1),
+        skip_message="Does not support SHA1",
+    )
+
+
+class TestSHA224(object):
+    test_SHA224 = generate_base_hash_test(
+        hashes.SHA224,
+        digest_size=28,
+        block_size=64,
+        only_if=lambda api: api.supports_hash(hashes.SHA224),
+        skip_message="Does not support SHA224",
+    )
+
+
+class TestSHA256(object):
+    test_SHA256 = generate_base_hash_test(
+        hashes.SHA256,
+        digest_size=32,
+        block_size=64,
+        only_if=lambda api: api.supports_hash(hashes.SHA256),
+        skip_message="Does not support SHA256",
+    )
+
+
+class TestSHA384(object):
+    test_SHA384 = generate_base_hash_test(
+        hashes.SHA384,
+        digest_size=48,
+        block_size=128,
+        only_if=lambda api: api.supports_hash(hashes.SHA384),
+        skip_message="Does not support SHA384",
+    )
+
+
+class TestSHA512(object):
+    test_SHA512 = generate_base_hash_test(
+        hashes.SHA512,
+        digest_size=64,
+        block_size=128,
+        only_if=lambda api: api.supports_hash(hashes.SHA512),
+        skip_message="Does not support SHA512",
+    )
+
+
+class TestRIPEMD160(object):
+    test_RIPEMD160 = generate_base_hash_test(
+        hashes.RIPEMD160,
+        digest_size=20,
+        block_size=64,
+        only_if=lambda api: api.supports_hash(hashes.RIPEMD160),
+        skip_message="Does not support RIPEMD160",
+    )
diff --git a/tests/primitives/test_utils.py b/tests/primitives/test_utils.py
index 4666ece7..9888309e 100644
--- a/tests/primitives/test_utils.py
+++ b/tests/primitives/test_utils.py
@@ -1,6 +1,7 @@
 import pytest
 
-from .utils import encrypt_test
+from .utils import (base_hash_test, encrypt_test, hash_test,
+    long_string_hash_test)
 
 
 class TestEncryptTest(object):
@@ -12,3 +13,36 @@ class TestEncryptTest(object):
                 skip_message="message!"
             )
         assert exc_info.value.args[0] == "message!"
+
+
+class TestHashTest(object):
+    def test_skips_if_only_if_returns_false(self):
+        with pytest.raises(pytest.skip.Exception) as exc_info:
+            hash_test(
+                None, None, None,
+                only_if=lambda api: False,
+                skip_message="message!"
+            )
+        assert exc_info.value.args[0] == "message!"
+
+
+class TestBaseHashTest(object):
+    def test_skips_if_only_if_returns_false(self):
+        with pytest.raises(pytest.skip.Exception) as exc_info:
+            base_hash_test(
+                None, None, None, None,
+                only_if=lambda api: False,
+                skip_message="message!"
+            )
+        assert exc_info.value.args[0] == "message!"
+
+
+class TestLongHashTest(object):
+    def test_skips_if_only_if_returns_false(self):
+        with pytest.raises(pytest.skip.Exception) as exc_info:
+            long_string_hash_test(
+                None, None, None,
+                only_if=lambda api: False,
+                skip_message="message!"
+            )
+        assert exc_info.value.args[0] == "message!"
diff --git a/tests/primitives/utils.py b/tests/primitives/utils.py
index 3cf08c28..8b32700b 100644
--- a/tests/primitives/utils.py
+++ b/tests/primitives/utils.py
@@ -40,3 +40,81 @@ def encrypt_test(api, cipher_factory, mode_factory, params, only_if,
     actual_ciphertext = cipher.encrypt(binascii.unhexlify(plaintext))
     actual_ciphertext += cipher.finalize()
     assert actual_ciphertext == binascii.unhexlify(ciphertext)
+
+
+def generate_hash_test(param_loader, path, file_names, hash_cls,
+                       only_if=lambda api: True, skip_message=None):
+    def test_hash(self):
+        for api in _ALL_APIS:
+            for file_name in file_names:
+                for params in param_loader(os.path.join(path, file_name)):
+                    yield (
+                        hash_test,
+                        api,
+                        hash_cls,
+                        params,
+                        only_if,
+                        skip_message
+                    )
+    return test_hash
+
+
+def hash_test(api, hash_cls, params, only_if, skip_message):
+    if not only_if(api):
+        pytest.skip(skip_message)
+    msg = params[0]
+    md = params[1]
+    m = hash_cls(api=api)
+    m.update(binascii.unhexlify(msg))
+    assert m.hexdigest() == md.replace(" ", "").lower()
+
+
+def generate_base_hash_test(hash_cls, digest_size, block_size,
+                            only_if=lambda api: True, skip_message=None):
+    def test_base_hash(self):
+        for api in _ALL_APIS:
+            yield (
+                base_hash_test,
+                api,
+                hash_cls,
+                digest_size,
+                block_size,
+                only_if,
+                skip_message,
+            )
+    return test_base_hash
+
+
+def base_hash_test(api, hash_cls, digest_size, block_size, only_if,
+                   skip_message):
+    if not only_if(api):
+        pytest.skip(skip_message)
+    m = hash_cls(api=api)
+    assert m.digest_size == digest_size
+    assert m.block_size == block_size
+    m_copy = m.copy()
+    assert m != m_copy
+    assert m._ctx != m_copy._ctx
+
+
+def generate_long_string_hash_test(hash_factory, md, only_if=lambda api: True,
+                                   skip_message=None):
+    def test_long_string_hash(self):
+        for api in _ALL_APIS:
+            yield(
+                long_string_hash_test,
+                api,
+                hash_factory,
+                md,
+                only_if,
+                skip_message
+            )
+    return test_long_string_hash
+
+
+def long_string_hash_test(api, hash_factory, md, only_if, skip_message):
+    if not only_if(api):
+        pytest.skip(skip_message)
+    m = hash_factory(api)
+    m.update(b"a" * 1000000)
+    assert m.hexdigest() == md.lower()
diff --git a/tests/test_utils.py b/tests/test_utils.py
index 28e7407b..a9bb6a87 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -13,9 +13,12 @@
 
 import textwrap
 
+import pytest
+
 from .utils import (load_nist_vectors, load_nist_vectors_from_file,
     load_cryptrec_vectors, load_cryptrec_vectors_from_file,
-    load_openssl_vectors, load_openssl_vectors_from_file)
+    load_openssl_vectors, load_openssl_vectors_from_file, load_hash_vectors,
+    load_hash_vectors_from_file)
 
 
 def test_load_nist_vectors_encrypt():
@@ -360,3 +363,56 @@ def test_load_openssl_vectors_from_file():
             "ciphertext": b"D776379BE0E50825E681DA1A4C980E8E",
         },
     ]
+
+
+def test_load_hash_vectors():
+    vector_data = textwrap.dedent("""
+
+        # http://tools.ietf.org/html/rfc1321
+        [irrelevant]
+
+        Len = 0
+        Msg = 00
+        MD = d41d8cd98f00b204e9800998ecf8427e
+
+        Len = 8
+        Msg = 61
+        MD = 0cc175b9c0f1b6a831c399e269772661
+
+        Len = 24
+        Msg = 616263
+        MD = 900150983cd24fb0d6963f7d28e17f72
+
+        Len = 112
+        Msg = 6d65737361676520646967657374
+        MD = f96b697d7cb7938d525a2f31aaf161d0
+    """).splitlines()
+    assert load_hash_vectors(vector_data) == [
+        (b"", "d41d8cd98f00b204e9800998ecf8427e"),
+        (b"61", "0cc175b9c0f1b6a831c399e269772661"),
+        (b"616263", "900150983cd24fb0d6963f7d28e17f72"),
+        (b"6d65737361676520646967657374", "f96b697d7cb7938d525a2f31aaf161d0"),
+    ]
+
+
+def test_load_hash_vectors_bad_data():
+    vector_data = textwrap.dedent("""
+        # http://tools.ietf.org/html/rfc1321
+
+        Len = 0
+        Msg = 00
+        UNKNOWN=Hello World
+    """).splitlines()
+    with pytest.raises(ValueError):
+        load_hash_vectors(vector_data)
+
+
+def test_load_hash_vectors_from_file():
+    test_list = load_hash_vectors_from_file("RFC/MD5/rfc-1321.txt")
+    assert len(test_list) == 7
+    assert test_list[:4] == [
+        (b"", "d41d8cd98f00b204e9800998ecf8427e"),
+        (b"61", "0cc175b9c0f1b6a831c399e269772661"),
+        (b"616263", "900150983cd24fb0d6963f7d28e17f72"),
+        (b"6d65737361676520646967657374", "f96b697d7cb7938d525a2f31aaf161d0"),
+    ]
diff --git a/tests/utils.py b/tests/utils.py
index 6b1cfd79..03b780f8 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -119,3 +119,38 @@ def load_openssl_vectors(vector_data):
             "ciphertext": vector[4].encode("ascii"),
         })
     return vectors
+
+
+def load_hash_vectors(vector_data):
+    vectors = []
+
+    for line in vector_data:
+        line = line.strip()
+
+        if not line or line.startswith("#") or line.startswith("["):
+            continue
+
+        if line.startswith("Len"):
+            length = int(line.split(" = ")[1])
+        elif line.startswith("Msg"):
+            """
+            In the NIST vectors they have chosen to represent an empty
+            string as hex 00, which is of course not actually an empty
+            string. So we parse the provided length and catch this edge case.
+            """
+            msg = line.split(" = ")[1].encode("ascii") if length > 0 else b""
+        elif line.startswith("MD"):
+            md = line.split(" = ")[1]
+            # after MD is found the Msg+MD tuple is complete
+            vectors.append((msg, md))
+        else:
+            raise ValueError("Unknown line in hash vector")
+    return vectors
+
+
+def load_hash_vectors_from_file(filename):
+    base = os.path.join(
+        os.path.dirname(__file__), "primitives", "vectors"
+    )
+    with open(os.path.join(base, filename), "r") as vector_file:
+        return load_hash_vectors(vector_file)