diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2014-02-03 14:14:15 -0800 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2014-02-03 14:14:15 -0800 |
| commit | fe5d54ac8d4df056d53efda6c141b054a57bf249 (patch) | |
| tree | c886d921511930197df6a50ffb44c3ba0cbbae3b /tests | |
| parent | 4b12c35982c206b7cba2036d00edc36c19d02ad7 (diff) | |
| parent | 134f1f4acf423c3546b9552a169d10d40dd5fc84 (diff) | |
| download | cryptography-fe5d54ac8d4df056d53efda6c141b054a57bf249.tar.gz cryptography-fe5d54ac8d4df056d53efda6c141b054a57bf249.tar.bz2 cryptography-fe5d54ac8d4df056d53efda6c141b054a57bf249.zip | |
Merge pull request #490 from dreid/hkdf
HKDF - RFC5869 implementation.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/hazmat/primitives/test_hkdf.py | 147 | ||||
| -rw-r--r-- | tests/hazmat/primitives/test_hkdf_vectors.py | 51 | ||||
| -rw-r--r-- | tests/hazmat/primitives/utils.py | 61 |
3 files changed, 259 insertions, 0 deletions
diff --git a/tests/hazmat/primitives/test_hkdf.py b/tests/hazmat/primitives/test_hkdf.py new file mode 100644 index 00000000..e3e2a9df --- /dev/null +++ b/tests/hazmat/primitives/test_hkdf.py @@ -0,0 +1,147 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import absolute_import, division, print_function + +import six + +import pytest + +from cryptography.exceptions import AlreadyFinalized, InvalidKey +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.kdf.hkdf import HKDF + + +@pytest.mark.hmac +class TestHKDF(object): + def test_length_limit(self, backend): + big_length = 255 * (hashes.SHA256().digest_size // 8) + 1 + + with pytest.raises(ValueError): + HKDF( + hashes.SHA256(), + big_length, + salt=None, + info=None, + backend=backend + ) + + def test_already_finalized(self, backend): + hkdf = HKDF( + hashes.SHA256(), + 16, + salt=None, + info=None, + backend=backend + ) + + hkdf.derive(b"\x01" * 16) + + with pytest.raises(AlreadyFinalized): + hkdf.derive(b"\x02" * 16) + + hkdf = HKDF( + hashes.SHA256(), + 16, + salt=None, + info=None, + backend=backend + ) + + hkdf.verify(b"\x01" * 16, b"gJ\xfb{\xb1Oi\xc5sMC\xb7\xe4@\xf7u") + + with pytest.raises(AlreadyFinalized): + hkdf.verify(b"\x02" * 16, b"gJ\xfb{\xb1Oi\xc5sMC\xb7\xe4@\xf7u") + + hkdf = HKDF( + hashes.SHA256(), + 16, + salt=None, + info=None, + backend=backend + ) + + def test_verify(self, backend): + hkdf = HKDF( + hashes.SHA256(), + 16, + salt=None, + info=None, + backend=backend + ) + + hkdf.verify(b"\x01" * 16, b"gJ\xfb{\xb1Oi\xc5sMC\xb7\xe4@\xf7u") + + def test_verify_invalid(self, backend): + hkdf = HKDF( + hashes.SHA256(), + 16, + salt=None, + info=None, + backend=backend + ) + + with pytest.raises(InvalidKey): + hkdf.verify(b"\x02" * 16, b"gJ\xfb{\xb1Oi\xc5sMC\xb7\xe4@\xf7u") + + def test_unicode_typeerror(self, backend): + with pytest.raises(TypeError): + HKDF( + hashes.SHA256(), + 16, + salt=six.u("foo"), + info=None, + backend=backend + ) + + with pytest.raises(TypeError): + HKDF( + hashes.SHA256(), + 16, + salt=None, + info=six.u("foo"), + backend=backend + ) + + with pytest.raises(TypeError): + hkdf = HKDF( + hashes.SHA256(), + 16, + salt=None, + info=None, + backend=backend + ) + + hkdf.derive(six.u("foo")) + + with pytest.raises(TypeError): + hkdf = HKDF( + hashes.SHA256(), + 16, + salt=None, + info=None, + backend=backend + ) + + hkdf.verify(six.u("foo"), b"bar") + + with pytest.raises(TypeError): + hkdf = HKDF( + hashes.SHA256(), + 16, + salt=None, + info=None, + backend=backend + ) + + hkdf.verify(b"foo", six.u("bar")) diff --git a/tests/hazmat/primitives/test_hkdf_vectors.py b/tests/hazmat/primitives/test_hkdf_vectors.py new file mode 100644 index 00000000..1e67234f --- /dev/null +++ b/tests/hazmat/primitives/test_hkdf_vectors.py @@ -0,0 +1,51 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import absolute_import, division, print_function + +import os + +import pytest + +from cryptography.hazmat.primitives import hashes + +from .utils import generate_hkdf_test +from ...utils import load_nist_vectors + + +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA1()), + skip_message="Does not support SHA1." +) +@pytest.mark.hmac +class TestHKDFSHA1(object): + test_HKDFSHA1 = generate_hkdf_test( + load_nist_vectors, + os.path.join("KDF"), + ["rfc-5869-HKDF-SHA1.txt"], + hashes.SHA1() + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA256()), + skip_message="Does not support SHA256." +) +@pytest.mark.hmac +class TestHKDFSHA256(object): + test_HKDFSHA1 = generate_hkdf_test( + load_nist_vectors, + os.path.join("KDF"), + ["rfc-5869-HKDF-SHA256.txt"], + hashes.SHA256() + ) diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 6b1d055d..5a8dc3ab 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -1,11 +1,15 @@ import binascii import os +import itertools + import pytest from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC from cryptography.hazmat.primitives.ciphers import Cipher +from cryptography.hazmat.primitives.kdf.hkdf import HKDF + from cryptography.exceptions import ( AlreadyFinalized, NotYetFinalized, AlreadyUpdated, InvalidTag, ) @@ -297,3 +301,60 @@ def aead_tag_exception_test(backend, cipher_factory, mode_factory): ) with pytest.raises(ValueError): cipher.encryptor() + + +def hkdf_derive_test(backend, algorithm, params): + hkdf = HKDF( + algorithm, + int(params["l"]), + salt=binascii.unhexlify(params["salt"]) or None, + info=binascii.unhexlify(params["info"]) or None, + backend=backend + ) + + okm = hkdf.derive(binascii.unhexlify(params["ikm"])) + + assert okm == binascii.unhexlify(params["okm"]) + + +def hkdf_extract_test(backend, algorithm, params): + hkdf = HKDF( + algorithm, + int(params["l"]), + salt=binascii.unhexlify(params["salt"]) or None, + info=binascii.unhexlify(params["info"]) or None, + backend=backend + ) + + prk = hkdf._extract(binascii.unhexlify(params["ikm"])) + + assert prk == binascii.unhexlify(params["prk"]) + + +def hkdf_expand_test(backend, algorithm, params): + hkdf = HKDF( + algorithm, + int(params["l"]), + salt=binascii.unhexlify(params["salt"]) or None, + info=binascii.unhexlify(params["info"]) or None, + backend=backend + ) + + okm = hkdf._expand(binascii.unhexlify(params["prk"])) + + assert okm == binascii.unhexlify(params["okm"]) + + +def generate_hkdf_test(param_loader, path, file_names, algorithm): + all_params = _load_all_params(path, file_names, param_loader) + + all_tests = [hkdf_extract_test, hkdf_expand_test, hkdf_derive_test] + + @pytest.mark.parametrize( + ("params", "hkdf_test"), + itertools.product(all_params, all_tests) + ) + def test_hkdf(self, backend, params, hkdf_test): + hkdf_test(backend, algorithm, params) + + return test_hkdf |