authorPaul Kehrer <paul.l.kehrer@gmail.com>2015-02-21 18:34:00 -0600
committerPaul Kehrer <paul.l.kehrer@gmail.com>2015-02-25 07:49:52 -0600
commitf83e25c81bb186ed8a96d4a569d5068546a24349 (patch)
treea34d97e993351ac1396e8d7481457cee21118171 /tests/hazmat
parent36394237388d19eacd3a80e79bf8c459cb234700 (diff)
Support for traditional OpenSSL and PKCS8 RSA private key serialization
Diffstat (limited to 'tests/hazmat')
-rw-r--r--tests/hazmat/backends/test_openssl.py29
-rw-r--r--tests/hazmat/primitives/test_rsa.py99
-rw-r--r--tests/hazmat/primitives/test_serialization.py29
3 files changed, 151 insertions, 6 deletions
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 0e4d75ed..35b7c5c3 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -15,11 +15,12 @@ import pytest
from cryptography import utils
from cryptography.exceptions import InternalError, _Reasons
+from cryptography.hazmat.backends.interfaces import RSABackend
from cryptography.hazmat.backends.openssl.backend import (
Backend, backend
)
from cryptography.hazmat.backends.openssl.ec import _sn_to_elliptic_curve
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dsa, padding
from cryptography.hazmat.primitives.ciphers import (
BlockCipherAlgorithm, Cipher, CipherAlgorithm
@@ -27,7 +28,7 @@ from cryptography.hazmat.primitives.ciphers import (
from cryptography.hazmat.primitives.ciphers.algorithms import AES
from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR, Mode
-from ..primitives.fixtures_rsa import RSA_KEY_512
+from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
from ...utils import load_vectors_from_file, raises_unsupported_algorithm
@@ -493,3 +494,27 @@ class TestOpenSSLEllipticCurve(object):
def test_sn_to_elliptic_curve_not_supported(self):
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_ELLIPTIC_CURVE):
_sn_to_elliptic_curve(backend, b"fake")
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+class TestRSAPEMSerialization(object):
+ def test_password_length_limit(self):
+ password = b"x" * 1024
+ key = RSA_KEY_2048.private_key(backend)
+ with pytest.raises(ValueError):
+ key.dump(
+ serialization.PKCS8(
+ serialization.Encoding.PEM
+ ),
+ serialization.BestAvailable(password)
+ )
+
+ def test_unsupported_key_encoding(self):
+ key = RSA_KEY_2048.private_key(backend)
+ with pytest.raises(ValueError):
+ key.dump(
+ serialization.PKCS8(
+ serialization.Encoding.DER
+ ),
+ serialization.NoEncryption()
+ )
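Review bot: `test_password_length_limit` shows only that a 1024-byte password is rejected, so the boundary between accepted and rejected lengths is not pinned; the longest accepted case visible in this commit is the 1000-byte password in tests/hazmat/primitives/test_rsa.py. The limit presumably exists so that an over-long passphrase is refused rather than silently truncated before the key is encrypted, which is worth stating in a comment such as `# over-long passwords must be rejected, never truncated`. A companion case at the largest accepted length that round-trips would fix the boundary. Both tests in this class use a bare `pytest.raises(ValueError)`, which also passes on an unrelated ValueError, so capturing `excinfo` and checking the message would make each failure specific.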
diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
index 74183010..72bc08ad 100644
--- a/tests/hazmat/primitives/test_rsa.py
+++ b/tests/hazmat/primitives/test_rsa.py
@@ -15,8 +15,10 @@ from cryptography import utils
from cryptography.exceptions import (
AlreadyFinalized, InvalidSignature, _Reasons
)
-from cryptography.hazmat.backends.interfaces import RSABackend
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.backends.interfaces import (
+ PEMSerializationBackend, RSABackend
+)
+from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.asymmetric.rsa import (
RSAPrivateNumbers, RSAPublicNumbers
@@ -46,6 +48,11 @@ class DummyMGF(object):
_salt_length = 0
+@utils.register_interface(serialization.KeySerializationEncryption)
+class DummyKeyEncryption(object):
+ pass
+
+
def _flatten_pkcs1_examples(vectors):
flattened_vectors = []
for vector in vectors:
@@ -78,6 +85,18 @@ def test_modular_inverse():
)
+def _skip_if_no_serialization(key, backend):
+ if not isinstance(key, rsa.RSAPrivateKeyWithSerialization):
+ pytest.skip(
+ "{0} does not support RSA key serialization".format(backend)
+ )
+
+
+def test_skip_if_no_serialization():
+ with pytest.raises(pytest.skip.Exception):
+ _skip_if_no_serialization("notakeywithserialization", "backend")
+
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
class TestRSA(object):
@pytest.mark.parametrize(
@@ -1725,3 +1744,79 @@ class TestRSAPrimeFactorRecovery(object):
def test_invalid_recover_prime_factors(self):
with pytest.raises(ValueError):
rsa.rsa_recover_prime_factors(34, 3, 7)
+
+
+@pytest.mark.requires_backend_interface(interface=RSABackend)
+@pytest.mark.requires_backend_interface(interface=PEMSerializationBackend)
+class TestRSAPEMWriter(object):
+ @pytest.mark.parametrize(
+ ("serializer", "password"),
+ itertools.product(
+ [serialization.TraditionalOpenSSL, serialization.PKCS8],
+ [
+ b"s",
+ b"longerpassword",
+ b"!*$&(@#$*&($T@%_somesymbols",
+ b"\x01" * 1000,
+ ]
+ )
+ )
+ def test_dump_encrypted_pem(self, backend, serializer, password):
+ key = RSA_KEY_2048.private_key(backend)
+ _skip_if_no_serialization(key, backend)
+ serialized = key.dump(
+ serializer(serialization.Encoding.PEM),
+ serialization.BestAvailable(password)
+ )
+ loaded_key = serialization.load_pem_private_key(
+ serialized, password, backend
+ )
+ loaded_priv_num = loaded_key.private_numbers()
+ priv_num = key.private_numbers()
+ assert loaded_priv_num == priv_num
+
+ @pytest.mark.parametrize(
+ "serializer",
+ (serialization.TraditionalOpenSSL, serialization.PKCS8),
+ )
+ def test_dump_unencrypted_pem(self, backend, serializer):
+ key = RSA_KEY_2048.private_key(backend)
+ _skip_if_no_serialization(key, backend)
+ serialized = key.dump(
+ serializer(serialization.Encoding.PEM),
+ serialization.NoEncryption()
+ )
+ loaded_key = serialization.load_pem_private_key(
+ serialized, None, backend
+ )
+ loaded_priv_num = loaded_key.private_numbers()
+ priv_num = key.private_numbers()
+ assert loaded_priv_num == priv_num
+
+ def test_dump_invalid_serializer(self, backend):
+ key = RSA_KEY_2048.private_key(backend)
+ _skip_if_no_serialization(key, backend)
+ with pytest.raises(TypeError):
+ key.dump("notaserializer", serialization.NoEncryption())
+
+ def test_dump_invalid_encryption_algorithm(self, backend):
+ key = RSA_KEY_2048.private_key(backend)
+ _skip_if_no_serialization(key, backend)
+ with pytest.raises(TypeError):
+ key.dump(
+ serialization.TraditionalOpenSSL(
+ serialization.Encoding.PEM
+ ),
+ "notanencalg"
+ )
+
+ def test_dump_unsupported_encryption_type(self, backend):
+ key = RSA_KEY_2048.private_key(backend)
+ _skip_if_no_serialization(key, backend)
+ with pytest.raises(ValueError):
+ key.dump(
+ serialization.TraditionalOpenSSL(
+ serialization.Encoding.PEM
+ ),
+ DummyKeyEncryption()
+ )
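Review bot: `test_dump_encrypted_pem` round-trips with the correct password but never asserts that the serialized PEM is actually protected, so whether it catches `BestAvailable` emitting a plaintext key depends on how the loader treats a password supplied for an unencrypted key. An explicit negative load after the round trip would make that independent of the loader, e.g. `with pytest.raises(TypeError): serialization.load_pem_private_key(serialized, None, backend)`. The exception type there is taken from the loader's documented behaviour and should be confirmed against this revision. A second assertion that a wrong password fails to load would also cover the decryption path. Separately, `test_dump_unsupported_encryption_type` and `test_dump_invalid_encryption_algorithm` exercise only `TraditionalOpenSSL`; parametrizing them over both serializers, as the first two tests do, would keep the class consistent.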
diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py
index a17aac4b..2a5fb21d 100644
--- a/tests/hazmat/primitives/test_serialization.py
+++ b/tests/hazmat/primitives/test_serialization.py
@@ -18,8 +18,9 @@ from cryptography.hazmat.backends.interfaces import (
)
from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa
from cryptography.hazmat.primitives.serialization import (
- load_der_private_key, load_der_public_key, load_pem_private_key,
- load_pem_public_key, load_ssh_public_key
+ BestAvailable, Encoding, PKCS8, TraditionalOpenSSL, load_der_private_key,
+ load_der_public_key, load_pem_private_key, load_pem_public_key,
+ load_ssh_public_key
)
@@ -1159,3 +1160,27 @@ class TestECDSASSHSerialization(object):
)
with pytest.raises(ValueError):
load_ssh_public_key(ssh_key, backend)
+
+
+@pytest.mark.parametrize(
+ "serializer",
+ [PKCS8, TraditionalOpenSSL]
+)
+class TestSerializers(object):
+ def test_invalid_encoding(self, serializer):
+ with pytest.raises(TypeError):
+ serializer("thing")
+
+ def test_valid_params(self, serializer):
+ fmt = serializer(Encoding.PEM)
+ assert isinstance(fmt, (PKCS8, TraditionalOpenSSL))
+
+
+class TestKeySerializationEncryptionTypes(object):
+ def test_non_bytes_password(self):
+ with pytest.raises(ValueError):
+ BestAvailable(object())
+
+ def test_encryption_with_zero_length_password(self):
+ with pytest.raises(ValueError):
+ BestAvailable(b"")
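Review bot: `test_valid_params` asserts `isinstance(fmt, (PKCS8, TraditionalOpenSSL))`, which is looser than needed because it accepts either class for either parameter; `assert isinstance(fmt, serializer)` checks the parametrized class itself. In `test_non_bytes_password`, `object()` covers the non-bytes case, but a text string is the realistic caller mistake, so a second case such as `BestAvailable(u"password")` would be worth adding. This test pins `ValueError` for a wrong-typed argument while `test_invalid_encoding` in the same hunk expects `TypeError` for a wrong-typed argument; if the difference is intentional, a one-line comment saying so would help.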