diff options
38 files changed, 749 insertions, 86 deletions
diff --git a/.travis.yml b/.travis.yml index b7fa090e..7d5663d8 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,11 +16,13 @@ env: - TOX_ENV=py27 - TOX_ENV=py32 - TOX_ENV=py33 + - TOX_ENV=py34 - TOX_ENV=pypy - TOX_ENV=py26 OPENSSL=0.9.8 - TOX_ENV=py27 OPENSSL=0.9.8 - TOX_ENV=py32 OPENSSL=0.9.8 - TOX_ENV=py33 OPENSSL=0.9.8 + - TOX_ENV=py34 OPENSSL=0.9.8 - TOX_ENV=pypy OPENSSL=0.9.8 - TOX_ENV=docs - TOX_ENV=pep8 @@ -60,6 +62,9 @@ matrix: env: TOX_ENV=py33 compiler: gcc - os: osx + env: TOX_ENV=py34 + compiler: gcc + - os: osx env: TOX_ENV=pypy compiler: gcc - os: osx @@ -75,6 +80,9 @@ matrix: env: TOX_ENV=py33 OPENSSL=0.9.8 compiler: gcc - os: osx + env: TOX_ENV=py34 OPENSSL=0.9.8 + compiler: gcc + - os: osx env: TOX_ENV=pypy OPENSSL=0.9.8 compiler: gcc - os: osx diff --git a/.travis/install.sh b/.travis/install.sh index 7e77fc87..58d7404d 100755 --- a/.travis/install.sh +++ b/.travis/install.sh @@ -52,8 +52,13 @@ if [[ "$(uname -s)" == "Darwin" ]]; then pip install virtualenv ;; py33) - pyenv install 3.3.2 - pyenv global 3.3.2 + pyenv install 3.3.5 + pyenv global 3.3.5 + pip install virtualenv + ;; + py34) + pyenv install 3.4.0 + pyenv global 3.4.0 pip install virtualenv ;; docs) @@ -78,6 +83,9 @@ else py33) sudo apt-get install python3.3 python3.3-dev ;; + py34) + sudo apt-get install python3.4 python3.4-dev + ;; py3pep8) sudo apt-get install python3.3 python3.3-dev ;; diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index a68bc089..7c058f58 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -16,10 +16,12 @@ from __future__ import absolute_import, division, print_function import collections import itertools +import six + from cryptography import utils from cryptography.exceptions import ( InvalidTag, InternalError, AlreadyFinalized, UnsupportedCipher, - UnsupportedHash, UnsupportedPadding, InvalidSignature + UnsupportedAlgorithm, UnsupportedHash, UnsupportedPadding, InvalidSignature ) from cryptography.hazmat.backends.interfaces import ( CipherBackend, HashBackend, HMACBackend, PBKDF2HMACBackend, RSABackend @@ -27,6 +29,9 @@ from cryptography.hazmat.backends.interfaces import ( from cryptography.hazmat.bindings.openssl.binding import Binding from cryptography.hazmat.primitives import interfaces, hashes from cryptography.hazmat.primitives.asymmetric import rsa +from cryptography.hazmat.primitives.asymmetric.padding import ( + PKCS1v15, PSS, MGF1 +) from cryptography.hazmat.primitives.ciphers.algorithms import ( AES, Blowfish, Camellia, CAST5, TripleDES, ARC4, IDEA ) @@ -259,11 +264,24 @@ class Backend(object): ) def _bn_to_int(self, bn): - hex_cdata = self._lib.BN_bn2hex(bn) - assert hex_cdata != self._ffi.NULL - hex_str = self._ffi.string(hex_cdata) - self._lib.OPENSSL_free(hex_cdata) - return int(hex_str, 16) + if six.PY3: + # Python 3 has constant time from_bytes, so use that. + + bn_num_bytes = (self._lib.BN_num_bits(bn) + 7) // 8 + bin_ptr = self._ffi.new("unsigned char[]", bn_num_bytes) + bin_len = self._lib.BN_bn2bin(bn, bin_ptr) + assert bin_len > 0 + assert bin_ptr != self._ffi.NULL + return int.from_bytes(self._ffi.buffer(bin_ptr)[:bin_len], "big") + + else: + # Under Python 2 the best we can do is hex() + + hex_cdata = self._lib.BN_bn2hex(bn) + assert hex_cdata != self._ffi.NULL + hex_str = self._ffi.string(hex_cdata) + self._lib.OPENSSL_free(hex_cdata) + return int(hex_str, 16) def _int_to_bn(self, num): """ @@ -272,12 +290,24 @@ class Backend(object): ownership of the object). Be sure to register it for GC if it will be discarded after use. """ - hex_num = hex(num).rstrip("L").lstrip("0x").encode("ascii") or b"0" - bn_ptr = self._ffi.new("BIGNUM **") - res = self._lib.BN_hex2bn(bn_ptr, hex_num) - assert res != 0 - assert bn_ptr[0] != self._ffi.NULL - return bn_ptr[0] + + if six.PY3: + # Python 3 has constant time to_bytes, so use that. + + binary = num.to_bytes(int(num.bit_length() / 8.0 + 1), "big") + bn_ptr = self._lib.BN_bin2bn(binary, len(binary), self._ffi.NULL) + assert bn_ptr != self._ffi.NULL + return bn_ptr + + else: + # Under Python 2 the best we can do is hex() + + hex_num = hex(num).rstrip("L").lstrip("0x").encode("ascii") or b"0" + bn_ptr = self._ffi.new("BIGNUM **") + res = self._lib.BN_hex2bn(bn_ptr, hex_num) + assert res != 0 + assert bn_ptr[0] != self._ffi.NULL + return bn_ptr[0] def generate_rsa_private_key(self, public_exponent, key_size): if public_exponent < 3: @@ -377,6 +407,12 @@ class Backend(object): return _RSAVerificationContext(self, public_key, signature, padding, algorithm) + def mgf1_hash_supported(self, algorithm): + if self._lib.Cryptography_HAS_MGF1_MD: + return self.hash_supported(algorithm) + else: + return isinstance(algorithm, hashes.SHA1) + class GetCipherByName(object): def __init__(self, fmt): @@ -760,12 +796,29 @@ class _RSAVerificationContext(object): raise TypeError( "Expected provider of interfaces.AsymmetricPadding") - if padding.name == "EMSA-PKCS1-v1_5": + if isinstance(padding, PKCS1v15): if self._backend._lib.Cryptography_HAS_PKEY_CTX: self._verify_method = self._verify_pkey_ctx self._padding_enum = self._backend._lib.RSA_PKCS1_PADDING else: self._verify_method = self._verify_pkcs1 + elif isinstance(padding, PSS): + if not isinstance(padding._mgf, MGF1): + raise UnsupportedAlgorithm( + "Only MGF1 is supported by this backend" + ) + + if not self._backend.mgf1_hash_supported(padding._mgf._algorithm): + raise UnsupportedHash( + "When OpenSSL is older than 1.0.1 then only SHA1 is " + "supported with MGF1." + ) + + if self._backend._lib.Cryptography_HAS_PKEY_CTX: + self._verify_method = self._verify_pkey_ctx + self._padding_enum = self._backend._lib.RSA_PKCS1_PSS_PADDING + else: + self._verify_method = self._verify_pss else: raise UnsupportedPadding @@ -806,6 +859,20 @@ class _RSAVerificationContext(object): res = self._backend._lib.EVP_PKEY_CTX_set_rsa_padding( pkey_ctx, self._padding_enum) assert res > 0 + if isinstance(self._padding, PSS): + res = self._backend._lib.EVP_PKEY_CTX_set_rsa_pss_saltlen( + pkey_ctx, self._get_salt_length()) + assert res > 0 + if self._backend._lib.Cryptography_HAS_MGF1_MD: + # MGF1 MD is configurable in OpenSSL 1.0.1+ + mgf1_md = self._backend._lib.EVP_get_digestbyname( + self._padding._mgf._algorithm.name.encode("ascii")) + assert mgf1_md != self._backend._ffi.NULL + res = self._backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( + pkey_ctx, mgf1_md + ) + assert res > 0 + data_to_verify = self._hash_ctx.finalize() self._hash_ctx = None res = self._backend._lib.EVP_PKEY_verify( @@ -842,5 +909,45 @@ class _RSAVerificationContext(object): assert errors raise InvalidSignature + def _verify_pss(self, evp_pkey, evp_md): + pkey_size = self._backend._lib.EVP_PKEY_size(evp_pkey) + assert pkey_size > 0 + rsa_cdata = self._backend._lib.EVP_PKEY_get1_RSA(evp_pkey) + assert rsa_cdata != self._backend._ffi.NULL + rsa_cdata = self._backend._ffi.gc(rsa_cdata, + self._backend._lib.RSA_free) + buf = self._backend._ffi.new("unsigned char[]", pkey_size) + res = self._backend._lib.RSA_public_decrypt( + len(self._signature), + self._signature, + buf, + rsa_cdata, + self._backend._lib.RSA_NO_PADDING + ) + if res != pkey_size: + errors = self._backend._consume_errors() + assert errors + raise InvalidSignature + + data_to_verify = self._hash_ctx.finalize() + self._hash_ctx = None + res = self._backend._lib.RSA_verify_PKCS1_PSS( + rsa_cdata, + data_to_verify, + evp_md, + buf, + self._get_salt_length() + ) + if res != 1: + errors = self._backend._consume_errors() + assert errors + raise InvalidSignature + + def _get_salt_length(self): + if self._padding._mgf._salt_length is MGF1.MAX_LENGTH: + return -2 + else: + return self._padding._mgf._salt_length + backend = Backend() diff --git a/cryptography/hazmat/bindings/utils.py b/cryptography/hazmat/bindings/utils.py index b8253483..318b82bb 100644 --- a/cryptography/hazmat/bindings/utils.py +++ b/cryptography/hazmat/bindings/utils.py @@ -13,6 +13,8 @@ from __future__ import absolute_import, division, print_function +import binascii + import sys import cffi @@ -50,7 +52,8 @@ def build_ffi(module_prefix, modules, pre_include, post_include, libraries): includes.append(module.INCLUDES) customizations.append(module.CUSTOMIZATIONS) - ffi.cdef("\n".join(types + functions + macros)) + cdef_sources = types + functions + macros + ffi.cdef("\n".join(cdef_sources)) # We include functions here so that if we got any of their definitions # wrong, the underlying C compiler will explode. In C you are allowed @@ -60,14 +63,16 @@ def build_ffi(module_prefix, modules, pre_include, post_include, libraries): # is legal, but the following will fail to compile: # int foo(int); # int foo(short); + source = "\n".join( + [pre_include] + + includes + + [post_include] + + functions + + customizations + ) lib = ffi.verify( - source="\n".join( - [pre_include] + - includes + - [post_include] + - functions + - customizations - ), + source=source, + modulename=_create_modulename(cdef_sources, source, sys.version), libraries=libraries, ext_package="cryptography", ) @@ -81,3 +86,20 @@ def build_ffi(module_prefix, modules, pre_include, post_include, libraries): delattr(lib, name) return ffi, lib + + +def _create_modulename(cdef_sources, source, sys_version): + """ + cffi creates a modulename internally that incorporates the cffi version. + This will cause cryptography's wheels to break when the version of cffi + the user has does not match what was used when building the wheel. To + resolve this we build our own modulename that uses most of the same code + from cffi but elides the version key. + """ + key = '\x00'.join([sys_version[:3], source] + cdef_sources) + key = key.encode('utf-8') + k1 = hex(binascii.crc32(key[0::2]) & 0xffffffff) + k1 = k1.lstrip('0x').rstrip('L') + k2 = hex(binascii.crc32(key[1::2]) & 0xffffffff) + k2 = k2.lstrip('0').rstrip('L') + return '_Cryptography_cffi_{0}{1}'.format(k1, k2) diff --git a/cryptography/hazmat/primitives/asymmetric/padding.py b/cryptography/hazmat/primitives/asymmetric/padding.py index 46e00b8e..02aff280 100644 --- a/cryptography/hazmat/primitives/asymmetric/padding.py +++ b/cryptography/hazmat/primitives/asymmetric/padding.py @@ -24,6 +24,14 @@ class PKCS1v15(object): name = "EMSA-PKCS1-v1_5" +@utils.register_interface(interfaces.AsymmetricPadding) +class PSS(object): + name = "EMSA-PSS" + + def __init__(self, mgf): + self._mgf = mgf + + class MGF1(object): MAX_LENGTH = object() diff --git a/docs/api-stability.rst b/docs/api-stability.rst index 6a2e60e2..53669b0f 100644 --- a/docs/api-stability.rst +++ b/docs/api-stability.rst @@ -1,4 +1,4 @@ -API Stability +API stability ============= From its first release, ``cryptography`` will have a strong API stability diff --git a/docs/development/custom-vectors/cast5.rst b/docs/development/custom-vectors/cast5.rst index f5400270..98c5ba75 100644 --- a/docs/development/custom-vectors/cast5.rst +++ b/docs/development/custom-vectors/cast5.rst @@ -1,4 +1,4 @@ -CAST5 Vector Creation +CAST5 vector creation ===================== This page documents the code that was used to generate the CAST5 CBC, CFB, OFB, diff --git a/docs/development/custom-vectors/idea.rst b/docs/development/custom-vectors/idea.rst index 68c00b85..e0db58d9 100644 --- a/docs/development/custom-vectors/idea.rst +++ b/docs/development/custom-vectors/idea.rst @@ -1,4 +1,4 @@ -IDEA Vector Creation +IDEA vector creation ===================== This page documents the code that was used to generate the IDEA CBC, CFB, and diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst index 412f0545..3d9012eb 100644 --- a/docs/development/getting-started.rst +++ b/docs/development/getting-started.rst @@ -1,4 +1,4 @@ -Getting Started +Getting started =============== Working on ``cryptography`` requires the installation of a small number of @@ -14,7 +14,7 @@ dependencies, install ``cryptography`` in ``editable`` mode. For example: You are now ready to run the tests and build the documentation. -Running Tests +Running tests ~~~~~~~~~~~~~ ``cryptography`` unit tests are found in the ``tests/`` directory and are @@ -49,7 +49,7 @@ You may not have all the required Python versions installed, in which case you will see one or more ``InterpreterNotFound`` errors. -Explicit Backend Selection +Explicit backend selection ~~~~~~~~~~~~~~~~~~~~~~~~~~ While testing you may want to run tests against a subset of the backends that @@ -63,7 +63,7 @@ delimited list of backend names. $ tox -- --backend=openssl $ py.test --backend=openssl,commoncrypto -Building Documentation +Building documentation ~~~~~~~~~~~~~~~~~~~~~~ ``cryptography`` documentation is stored in the ``docs/`` directory. It is diff --git a/docs/development/reviewing-patches.rst b/docs/development/reviewing-patches.rst index 302c998e..9147a731 100644 --- a/docs/development/reviewing-patches.rst +++ b/docs/development/reviewing-patches.rst @@ -1,4 +1,4 @@ -Reviewing/Merging Patches +Reviewing/merging patches ========================= Everyone is encouraged to review open pull requests. When reviewing a patch try @@ -32,7 +32,7 @@ These are small things that are not caught by the automated style checkers. * Does a variable need a better name? * Should this be a keyword argument? -Merge Requirements +Merge requirements ------------------ Because cryptography is so complex, and the implications of getting it wrong so diff --git a/docs/development/submitting-patches.rst b/docs/development/submitting-patches.rst index 1797b9c1..f1bf954b 100644 --- a/docs/development/submitting-patches.rst +++ b/docs/development/submitting-patches.rst @@ -1,4 +1,4 @@ -Submitting Patches +Submitting patches ================== * Always make a new branch for your work. @@ -29,7 +29,7 @@ Additionally, every Python code file must contain from __future__ import absolute_import, division, print_function -API Considerations +API considerations ~~~~~~~~~~~~~~~~~~ Most projects' APIs are designed with a philosophy of "make easy things easy, diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 1d768179..164d0abd 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -1,4 +1,4 @@ -Test Vectors +Test vectors ============ Testing the correctness of the primitives implemented in each ``cryptography`` @@ -10,7 +10,7 @@ vector file as input to verify consistency between implemented backends. Sources ------- -Asymmetric Ciphers +Asymmetric ciphers ~~~~~~~~~~~~~~~~~~ * RSA PKCS #1 from the RSA FTP site (ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/ @@ -43,7 +43,7 @@ HMAC * HMAC-RIPEMD160 from :rfc:`2286`. * HMAC-SHA2 (224, 256, 384, 512) from :rfc:`4231`. -Key Derivation Functions +Key derivation functions ~~~~~~~~~~~~~~~~~~~~~~~~ * HKDF (SHA1, SHA256) from :rfc:`5869`. @@ -55,7 +55,7 @@ Recipes * Fernet from its `specification repository`_. -Symmetric Ciphers +Symmetric ciphers ~~~~~~~~~~~~~~~~~ * AES (CBC, CFB, ECB, GCM, OFB) from `NIST CAVP`_. @@ -72,14 +72,14 @@ Symmetric Ciphers * IDEA (CBC, CFB, OFB) generated by this project. See: :doc:`/development/custom-vectors/idea` -Two Factor Authentication +Two factor authentication ~~~~~~~~~~~~~~~~~~~~~~~~~ * HOTP from :rfc:`4226` * TOTP from :rfc:`6238` (Note that an `errata`_ for the test vectors in RFC 6238 exists) -Creating Test Vectors +Creating test vectors --------------------- When official vectors are unavailable ``cryptography`` may choose to build diff --git a/docs/doing-a-release.rst b/docs/doing-a-release.rst index 15583afb..8b37df78 100644 --- a/docs/doing-a-release.rst +++ b/docs/doing-a-release.rst @@ -1,4 +1,4 @@ -Doing a Release +Doing a release =============== Doing a release of ``cryptography`` is a two part process. diff --git a/docs/faq.rst b/docs/faq.rst index cbbb74ad..0b7bdce4 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -1,4 +1,4 @@ -Frequently Asked Questions +Frequently asked questions ========================== How does ``cryptography`` compare to NaCl (Networking and Cryptography Library)? diff --git a/docs/fernet.rst b/docs/fernet.rst index 40f1a3c8..f55a2d60 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst @@ -1,4 +1,4 @@ -Fernet (Symmetric encryption) +Fernet (symmetric encryption) ============================= .. currentmodule:: cryptography.fernet diff --git a/docs/hazmat/backends/commoncrypto.rst b/docs/hazmat/backends/commoncrypto.rst index d31391d7..77d6612c 100644 --- a/docs/hazmat/backends/commoncrypto.rst +++ b/docs/hazmat/backends/commoncrypto.rst @@ -1,6 +1,6 @@ .. hazmat:: -CommonCrypto Backend +CommonCrypto backend ==================== The `CommonCrypto`_ C library provided by Apple on OS X and iOS. The CommonCrypto diff --git a/docs/hazmat/backends/index.rst b/docs/hazmat/backends/index.rst index 983a44e9..aec7a1e0 100644 --- a/docs/hazmat/backends/index.rst +++ b/docs/hazmat/backends/index.rst @@ -3,7 +3,7 @@ Backends ======== -Getting a Backend +Getting a backend ----------------- .. currentmodule:: cryptography.hazmat.backends @@ -24,7 +24,7 @@ the libraries we use in those backends changes. :class:`~interfaces.CipherBackend`, :class:`~interfaces.HashBackend`, and :class:`~interfaces.HMACBackend`. -Individual Backends +Individual backends ------------------- .. toctree:: diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst index c3ea164a..c38f818f 100644 --- a/docs/hazmat/backends/interfaces.rst +++ b/docs/hazmat/backends/interfaces.rst @@ -1,6 +1,6 @@ .. hazmat:: -Backend Interfaces +Backend interfaces ================== .. currentmodule:: cryptography.hazmat.backends.interfaces diff --git a/docs/hazmat/backends/openssl.rst b/docs/hazmat/backends/openssl.rst index 547fe769..fdfadf0b 100644 --- a/docs/hazmat/backends/openssl.rst +++ b/docs/hazmat/backends/openssl.rst @@ -1,6 +1,6 @@ .. hazmat:: -OpenSSL Backend +OpenSSL backend =============== The `OpenSSL`_ C library. Cryptography supports version ``0.9.8e`` (present in @@ -34,7 +34,7 @@ Red Hat Enterprise Linux 5) and greater. Earlier versions may work but are This will activate the default OpenSSL CSPRNG. -OS Random Engine +OS random engine ---------------- OpenSSL uses a user-space CSPRNG that is seeded from system random ( @@ -58,7 +58,7 @@ When importing only the binding it is added to the engine list but **not activated**. -OS Random Sources +OS random sources ----------------- On OS X and FreeBSD ``/dev/urandom`` is an alias for ``/dev/random`` and diff --git a/docs/hazmat/bindings/commoncrypto.rst b/docs/hazmat/bindings/commoncrypto.rst index e5a673b3..9484cfa1 100644 --- a/docs/hazmat/bindings/commoncrypto.rst +++ b/docs/hazmat/bindings/commoncrypto.rst @@ -1,6 +1,6 @@ .. hazmat:: -CommonCrypto Binding +CommonCrypto binding ==================== .. currentmodule:: cryptography.hazmat.bindings.commoncrypto.binding diff --git a/docs/hazmat/bindings/index.rst b/docs/hazmat/bindings/index.rst index caab8d6a..ccd36e3e 100644 --- a/docs/hazmat/bindings/index.rst +++ b/docs/hazmat/bindings/index.rst @@ -13,7 +13,7 @@ Using these functions directly is likely to require you to be careful in managing memory allocation, locking and other resources. -Individual Bindings +Individual bindings ------------------- .. toctree:: diff --git a/docs/hazmat/bindings/openssl.rst b/docs/hazmat/bindings/openssl.rst index 9fce8f77..a6d1c484 100644 --- a/docs/hazmat/bindings/openssl.rst +++ b/docs/hazmat/bindings/openssl.rst @@ -1,6 +1,6 @@ .. hazmat:: -OpenSSL Binding +OpenSSL binding =============== .. currentmodule:: cryptography.hazmat.bindings.openssl.binding diff --git a/docs/hazmat/primitives/asymmetric/index.rst b/docs/hazmat/primitives/asymmetric/index.rst index 10319fad..7ec1c5f2 100644 --- a/docs/hazmat/primitives/asymmetric/index.rst +++ b/docs/hazmat/primitives/asymmetric/index.rst @@ -1,6 +1,6 @@ .. hazmat:: -Asymmetric Algorithms +Asymmetric algorithms ===================== .. toctree:: diff --git a/docs/hazmat/primitives/asymmetric/padding.rst b/docs/hazmat/primitives/asymmetric/padding.rst index 8a034329..2a5de3c7 100644 --- a/docs/hazmat/primitives/asymmetric/padding.rst +++ b/docs/hazmat/primitives/asymmetric/padding.rst @@ -10,6 +10,17 @@ Padding correct padding signatures can be forged, messages decrypted, and private keys compromised. +.. class:: PSS(mgf) + + .. versionadded:: 0.3 + + PSS (Probabilistic Signature Scheme) is a signature scheme defined in + :rfc:`3447`. It is more complex than PKCS1 but possesses a `security proof`_. + This is the `recommended padding algorithm`_ for RSA signatures. + + :param mgf: A mask generation function object. At this time the only + supported MGF is :class:`MGF1`. + .. class:: PKCS1v15() .. versionadded:: 0.3 @@ -17,7 +28,7 @@ Padding PKCS1 v1.5 (also known as simply PKCS1) is a simple padding scheme developed for use with RSA keys. It is defined in :rfc:`3447`. -Mask Generation Functions +Mask generation functions ~~~~~~~~~~~~~~~~~~~~~~~~~ .. class:: MGF1(algorithm, salt_length) @@ -41,3 +52,5 @@ Mask Generation Functions .. _`Padding is critical`: http://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/ +.. _`security proof`: http://eprint.iacr.org/2001/062.pdf +.. _`recommended padding algorithm`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html diff --git a/docs/hazmat/primitives/cryptographic-hashes.rst b/docs/hazmat/primitives/cryptographic-hashes.rst index b7eee2f5..c318feeb 100644 --- a/docs/hazmat/primitives/cryptographic-hashes.rst +++ b/docs/hazmat/primitives/cryptographic-hashes.rst @@ -1,6 +1,6 @@ .. hazmat:: -Message Digests +Message digests =============== .. currentmodule:: cryptography.hazmat.primitives.hashes @@ -90,7 +90,7 @@ SHA-1 SHA-1 is a cryptographic hash function standardized by NIST. It produces an 160-bit message digest. -SHA-2 Family +SHA-2 family ~~~~~~~~~~~~ .. class:: SHA224() diff --git a/docs/hazmat/primitives/hmac.rst b/docs/hazmat/primitives/hmac.rst index ce4e8803..5d511bc4 100644 --- a/docs/hazmat/primitives/hmac.rst +++ b/docs/hazmat/primitives/hmac.rst @@ -1,6 +1,6 @@ .. hazmat:: -Hash-based Message Authentication Codes +Hash-based message authentication codes ======================================= .. currentmodule:: cryptography.hazmat.primitives.hmac diff --git a/docs/hazmat/primitives/interfaces.rst b/docs/hazmat/primitives/interfaces.rst index cefd81ac..9a1f3307 100644 --- a/docs/hazmat/primitives/interfaces.rst +++ b/docs/hazmat/primitives/interfaces.rst @@ -12,7 +12,7 @@ to document argument and return types. .. _`Abstract Base Classes`: http://docs.python.org/3.2/library/abc.html -Symmetric Ciphers +Symmetric ciphers ~~~~~~~~~~~~~~~~~ .. currentmodule:: cryptography.hazmat.primitives.interfaces @@ -47,7 +47,7 @@ Symmetric Ciphers The number of bits in a block. -Cipher Modes +Cipher modes ------------ Interfaces used by the symmetric cipher modes described in @@ -103,7 +103,7 @@ Interfaces used by the symmetric cipher modes described in Exact requirements of the nonce are described by the documentation of individual modes. -Asymmetric Interfaces +Asymmetric interfaces ~~~~~~~~~~~~~~~~~~~~~ .. class:: RSAPrivateKey @@ -377,7 +377,7 @@ Asymmetric Interfaces .. attribute:: name -Hash Algorithms +Hash algorithms ~~~~~~~~~~~~~~~ .. class:: HashAlgorithm @@ -402,7 +402,7 @@ Hash Algorithms The internal block size of the hash algorithm in bytes. -Key Derivation Functions +Key derivation functions ~~~~~~~~~~~~~~~~~~~~~~~~ .. class:: KeyDerivationFunction diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index 174b68d2..6196d951 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst @@ -1,6 +1,6 @@ .. hazmat:: -Key Derivation Functions +Key derivation functions ======================== .. currentmodule:: cryptography.hazmat.primitives.kdf diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 71a1064e..f7e8d5b7 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -1,7 +1,7 @@ .. hazmat:: /fernet -Symmetric Encryption +Symmetric encryption ==================== .. currentmodule:: cryptography.hazmat.primitives.ciphers @@ -130,7 +130,7 @@ Algorithms :param bytes key: The secret key, This must be kept secret. 40 to 128 bits in length in increments of 8 bits. -Weak Ciphers +Weak ciphers ------------ .. warning:: @@ -372,7 +372,7 @@ Modes a secret message! -Insecure Modes +Insecure modes -------------- .. warning:: diff --git a/docs/hazmat/primitives/twofactor.rst b/docs/hazmat/primitives/twofactor.rst index 124d0ef5..e9f5c7ff 100644 --- a/docs/hazmat/primitives/twofactor.rst +++ b/docs/hazmat/primitives/twofactor.rst @@ -1,6 +1,6 @@ .. hazmat:: -Two-factor Authentication +Two-factor authentication ========================= .. currentmodule:: cryptography.hazmat.primitives.twofactor @@ -79,7 +79,7 @@ locks out the account for a period of time after a number of failed attempts. The number of allowed attempts should be as low as possible while still ensuring that usability is not significantly impacted. -Re-synchronization of the Counter +Re-synchronization of the counter ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The server's counter value should only be incremented on a successful HOTP @@ -119,6 +119,7 @@ setup( "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.2", "Programming Language :: Python :: 3.3", + "Programming Language :: Python :: 3.4", "Programming Language :: Python :: Implementation :: CPython", "Programming Language :: Python :: Implementation :: PyPy", "Topic :: Security :: Cryptography", diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 599d1531..c5d0a013 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -21,6 +21,7 @@ from cryptography.exceptions import ( ) from cryptography.hazmat.backends.openssl.backend import backend, Backend from cryptography.hazmat.primitives import interfaces, hashes +from cryptography.hazmat.primitives.asymmetric import rsa, padding from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.hazmat.primitives.ciphers.algorithms import AES from cryptography.hazmat.primitives.ciphers.modes import CBC @@ -137,6 +138,30 @@ class TestOpenSSL(object): with pytest.raises(UnsupportedHash): backend.derive_pbkdf2_hmac(hashes.SHA256(), 10, b"", 1000, b"") + @pytest.mark.skipif( + backend._lib.OPENSSL_VERSION_NUMBER >= 0x1000100f, + reason="Requires an older OpenSSL. Must be < 1.0.1" + ) + def test_non_sha1_pss_mgf1_hash_algorithm_on_old_openssl(self): + private_key = rsa.RSAPrivateKey.generate( + public_exponent=65537, + key_size=512, + backend=backend + ) + public_key = private_key.public_key() + with pytest.raises(UnsupportedHash): + public_key.verifier( + b"sig", + padding.PSS( + mgf=padding.MGF1( + algorithm=hashes.SHA256(), + salt_length=padding.MGF1.MAX_LENGTH + ) + ), + hashes.SHA1(), + backend + ) + # This test is not in the next class because to check if it's really # default we don't want to run the setup_method before it def test_osrandom_engine_is_default(self): diff --git a/tests/hazmat/bindings/test_utils.py b/tests/hazmat/bindings/test_utils.py new file mode 100644 index 00000000..0d5b34de --- /dev/null +++ b/tests/hazmat/bindings/test_utils.py @@ -0,0 +1,25 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import absolute_import, division, print_function + +from cryptography.hazmat.bindings import utils + + +def test_create_modulename(): + cdef_sources = ["cdef sources go here"] + source = "source code" + name = utils._create_modulename(cdef_sources, source, "2.7") + assert name == "_Cryptography_cffi_bcba7f4bx4a14b588" + name = utils._create_modulename(cdef_sources, source, "3.2") + assert name == "_Cryptography_cffi_a7462526x4a14b588" diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 0e88bb7f..955e69c9 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -21,11 +21,16 @@ import os import pytest from cryptography import exceptions, utils -from cryptography.exceptions import UnsupportedInterface +from cryptography.exceptions import ( + UnsupportedAlgorithm, UnsupportedInterface +) from cryptography.hazmat.primitives import hashes, interfaces from cryptography.hazmat.primitives.asymmetric import rsa, padding -from ...utils import load_pkcs1_vectors, load_vectors_from_file +from .utils import generate_rsa_pss_test +from ...utils import ( + load_pkcs1_vectors, load_vectors_from_file, load_rsa_nist_vectors +) @utils.register_interface(interfaces.AsymmetricPadding) @@ -33,6 +38,10 @@ class DummyPadding(object): name = "UNSUPPORTED-PADDING" +class DummyMGF(object): + pass + + def _modinv(e, m): """ Modular Multiplicative Inverse. Returns x such that: (x*e) mod m == 1 @@ -530,6 +539,122 @@ class TestRSAVerification(object): with pytest.raises(exceptions.InvalidSignature): verifier.verify() + @pytest.mark.parametrize( + "pkcs1_example", + _flatten_pkcs1_examples(load_vectors_from_file( + os.path.join( + "asymmetric", "RSA", "pkcs-1v2-1d2-vec", "pss-vect.txt"), + load_pkcs1_vectors + )) + ) + def test_pss_verification(self, pkcs1_example, backend): + private, public, example = pkcs1_example + public_key = rsa.RSAPublicKey( + public_exponent=public["public_exponent"], + modulus=public["modulus"] + ) + verifier = public_key.verifier( + binascii.unhexlify(example["signature"]), + padding.PSS( + mgf=padding.MGF1( + algorithm=hashes.SHA1(), + salt_length=padding.MGF1.MAX_LENGTH + ) + ), + hashes.SHA1(), + backend + ) + verifier.update(binascii.unhexlify(example["message"])) + verifier.verify() + + def test_invalid_pss_signature_wrong_data(self, backend): + public_key = rsa.RSAPublicKey( + modulus=int( + b"dffc2137d5e810cde9e4b4612f5796447218bab913b3fa98bdf7982e4fa6" + b"ec4d6653ef2b29fb1642b095befcbea6decc178fb4bed243d3c3592c6854" + b"6af2d3f3", 16 + ), + public_exponent=65537 + ) + signature = binascii.unhexlify( + b"0e68c3649df91c5bc3665f96e157efa75b71934aaa514d91e94ca8418d100f45" + b"6f05288e58525f99666bab052adcffdf7186eb40f583bd38d98c97d3d524808b" + ) + verifier = public_key.verifier( + signature, + padding.PSS( + mgf=padding.MGF1( + algorithm=hashes.SHA1(), + salt_length=padding.MGF1.MAX_LENGTH + ) + ), + hashes.SHA1(), + backend + ) + verifier.update(b"incorrect data") + with pytest.raises(exceptions.InvalidSignature): + verifier.verify() + + def test_invalid_pss_signature_wrong_key(self, backend): + signature = binascii.unhexlify( + b"3a1880165014ba6eb53cc1449d13e5132ebcc0cfd9ade6d7a2494a0503bd0826" + b"f8a46c431e0d7be0ca3e453f8b2b009e2733764da7927cc6dbe7a021437a242e" + ) + public_key = rsa.RSAPublicKey( + modulus=int( + b"381201f4905d67dfeb3dec131a0fbea773489227ec7a1448c3109189ac68" + b"5a95441be90866a14c4d2e139cd16db540ec6c7abab13ffff91443fd46a8" + b"960cbb7658ded26a5c95c86f6e40384e1c1239c63e541ba221191c4dd303" + b"231b42e33c6dbddf5ec9a746f09bf0c25d0f8d27f93ee0ae5c0d723348f4" + b"030d3581e13522e1", 16 + ), + public_exponent=65537 + ) + verifier = public_key.verifier( + signature, + padding.PSS( + mgf=padding.MGF1( + algorithm=hashes.SHA1(), + salt_length=padding.MGF1.MAX_LENGTH + ) + ), + hashes.SHA1(), + backend + ) + verifier.update(b"sign me") + with pytest.raises(exceptions.InvalidSignature): + verifier.verify() + + def test_invalid_pss_signature_data_too_large_for_modulus(self, backend): + signature = binascii.unhexlify( + b"cb43bde4f7ab89eb4a79c6e8dd67e0d1af60715da64429d90c716a490b799c29" + b"194cf8046509c6ed851052367a74e2e92d9b38947ed74332acb115a03fcc0222" + ) + public_key = rsa.RSAPublicKey( + modulus=int( + b"381201f4905d67dfeb3dec131a0fbea773489227ec7a1448c3109189ac68" + b"5a95441be90866a14c4d2e139cd16db540ec6c7abab13ffff91443fd46a8" + b"960cbb7658ded26a5c95c86f6e40384e1c1239c63e541ba221191c4dd303" + b"231b42e33c6dbddf5ec9a746f09bf0c25d0f8d27f93ee0ae5c0d723348f4" + b"030d3581e13522", 16 + ), + public_exponent=65537 + ) + verifier = public_key.verifier( + signature, + padding.PSS( + mgf=padding.MGF1( + algorithm=hashes.SHA1(), + salt_length=padding.MGF1.MAX_LENGTH + ) + ), + hashes.SHA1(), + backend + ) + verifier.update(b"sign me") + with pytest.raises(exceptions.InvalidSignature): + verifier.verify() + def test_use_after_finalize(self, backend): private_key = rsa.RSAPrivateKey.generate( public_exponent=65537, @@ -583,6 +708,130 @@ class TestRSAVerification(object): public_key.verifier( b"foo", padding.PKCS1v15(), hashes.SHA256(), pretend_backend) + def test_unsupported_pss_mgf(self, backend): + private_key = rsa.RSAPrivateKey.generate( + public_exponent=65537, + key_size=512, + backend=backend + ) + public_key = private_key.public_key() + with pytest.raises(UnsupportedAlgorithm): + public_key.verifier(b"sig", padding.PSS(mgf=DummyMGF()), + hashes.SHA1(), backend) + + def test_pss_verify_salt_length_too_long(self, backend): + signature = binascii.unhexlify( + b"8b9a3ae9fb3b64158f3476dd8d8a1f1425444e98940e0926378baa9944d219d8" + b"534c050ef6b19b1bdc6eb4da422e89161106a6f5b5cc16135b11eb6439b646bd" + ) + public_key = rsa.RSAPublicKey( + modulus=int( + b"d309e4612809437548b747d7f9eb9cd3340f54fe42bb3f84a36933b0839c" + b"11b0c8b7f67e11f7252370161e31159c49c784d4bc41c42a78ce0f0b40a3" + b"ca8ffb91", 16 + ), + public_exponent=65537 + ) + verifier = public_key.verifier( + signature, + padding.PSS( + mgf=padding.MGF1( + algorithm=hashes.SHA1(), + salt_length=1000000 + ) + ), + hashes.SHA1(), + backend + ) + verifier.update(b"sign me") + with pytest.raises(exceptions.InvalidSignature): + verifier.verify() + + +@pytest.mark.supported( + only_if=lambda backend: backend.mgf1_hash_supported(hashes.SHA1()), + skip_message="Does not support SHA1 with MGF1." +) +@pytest.mark.rsa +class TestRSAPSSMGF1VerificationSHA1(object): + test_rsa_pss_mgf1_sha1 = generate_rsa_pss_test( + load_rsa_nist_vectors, + os.path.join("asymmetric", "RSA", "FIPS_186-2"), + [ + "SigGenPSS_186-2.rsp", + "SigGenPSS_186-3.rsp", + ], + hashes.SHA1() + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.mgf1_hash_supported(hashes.SHA224()), + skip_message="Does not support SHA224 with MGF1." +) +@pytest.mark.rsa +class TestRSAPSSMGF1VerificationSHA224(object): + test_rsa_pss_mgf1_sha224 = generate_rsa_pss_test( + load_rsa_nist_vectors, + os.path.join("asymmetric", "RSA", "FIPS_186-2"), + [ + "SigGenPSS_186-2.rsp", + "SigGenPSS_186-3.rsp", + ], + hashes.SHA224() + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.mgf1_hash_supported(hashes.SHA256()), + skip_message="Does not support SHA256 with MGF1." +) +@pytest.mark.rsa +class TestRSAPSSMGF1VerificationSHA256(object): + test_rsa_pss_mgf1_sha256 = generate_rsa_pss_test( + load_rsa_nist_vectors, + os.path.join("asymmetric", "RSA", "FIPS_186-2"), + [ + "SigGenPSS_186-2.rsp", + "SigGenPSS_186-3.rsp", + ], + hashes.SHA256() + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.mgf1_hash_supported(hashes.SHA384()), + skip_message="Does not support SHA384 with MGF1." +) +@pytest.mark.rsa +class TestRSAPSSMGF1VerificationSHA384(object): + test_rsa_pss_mgf1_sha384 = generate_rsa_pss_test( + load_rsa_nist_vectors, + os.path.join("asymmetric", "RSA", "FIPS_186-2"), + [ + "SigGenPSS_186-2.rsp", + "SigGenPSS_186-3.rsp", + ], + hashes.SHA384() + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.mgf1_hash_supported(hashes.SHA512()), + skip_message="Does not support SHA512 with MGF1." +) +@pytest.mark.rsa +class TestRSAPSSMGF1VerificationSHA512(object): + test_rsa_pss_mgf1_sha512 = generate_rsa_pss_test( + load_rsa_nist_vectors, + os.path.join("asymmetric", "RSA", "FIPS_186-2"), + [ + "SigGenPSS_186-2.rsp", + "SigGenPSS_186-3.rsp", + ], + hashes.SHA512() + ) + class TestMGF1(object): def test_invalid_hash_algorithm(self): diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index f0a00319..31491023 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -21,6 +21,7 @@ import itertools import pytest from cryptography.hazmat.primitives import hashes, hmac +from cryptography.hazmat.primitives.asymmetric import rsa, padding from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.hazmat.primitives.kdf.hkdf import HKDF @@ -373,3 +374,35 @@ def generate_hkdf_test(param_loader, path, file_names, algorithm): hkdf_test(backend, algorithm, params) return test_hkdf + + +def generate_rsa_pss_test(param_loader, path, file_names, hash_alg): + all_params = _load_all_params(path, file_names, param_loader) + all_params = [i for i in all_params + if i["algorithm"] == hash_alg.name.upper()] + + @pytest.mark.parametrize("params", all_params) + def test_rsa_pss(self, backend, params): + rsa_pss_test(backend, params, hash_alg) + + return test_rsa_pss + + +def rsa_pss_test(backend, params, hash_alg): + public_key = rsa.RSAPublicKey( + public_exponent=params["public_exponent"], + modulus=params["modulus"] + ) + verifier = public_key.verifier( + binascii.unhexlify(params["s"]), + padding.PSS( + mgf=padding.MGF1( + algorithm=hash_alg, + salt_length=params["salt_length"] + ) + ), + hash_alg, + backend + ) + verifier.update(binascii.unhexlify(params["msg"])) + verifier.verify() diff --git a/tests/test_utils.py b/tests/test_utils.py index 433dab04..1003d61d 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -1042,6 +1042,9 @@ def test_load_totp_vectors(): def test_load_rsa_nist_vectors(): vector_data = textwrap.dedent(""" + # CAVS 11.4 + # "SigGen PKCS#1 RSASSA-PSS" information + # Mod sizes selected: 1024 1536 2048 3072 4096 # SHA Algorithm selected:SHA1 SHA224 SHA256 SHA384 SHA512 # Salt len: 20 @@ -1075,31 +1078,170 @@ def test_load_rsa_nist_vectors(): "modulus": int("bcb47b2e0dafcba81ff2a2b5cb115ca7e757184c9d72bcdcda" "707a146b3b4e29989d", 16), "public_exponent": 65537, - "algorithm": b"SHA1", + "algorithm": "SHA1", "salt_length": 20, "msg": b"1248f62a4389f42f7b4bb131053d6c88a994db2075b912ccbe3ea7dc6" b"11714f14e", "s": b"682cf53c1145d22a50caa9eb1a9ba70670c5915e0fdfde6457a765de2a8" - b"fe12de97" + b"fe12de97", + "fail": False }, { "modulus": int("bcb47b2e0dafcba81ff2a2b5cb115ca7e757184c9d72bcdcda" "707a146b3b4e29989d", 16), "public_exponent": 65537, - "algorithm": b"SHA384", + "algorithm": "SHA384", "salt_length": 20, "msg": b"e511903c2f1bfba245467295ac95413ac4746c984c3750a728c388aa6" b"28b0ebf", "s": b"9c748702bbcc1f9468864cd360c8c39d007b2d8aaee833606c70f7593cf" - b"0d1519" + b"0d1519", + "fail": False }, { "modulus": 78187493520, "public_exponent": 65537, - "algorithm": b"SHA512", + "algorithm": "SHA512", "salt_length": 20, "msg": b"3456781293fab829", - "s": b"deadbeef0000" + "s": b"deadbeef0000", + "fail": False + }, + ] + + +def test_load_rsa_nist_pkcs1v15_verification_vectors(): + vector_data = textwrap.dedent(""" + # CAVS 11.0 + # "SigVer PKCS#1 Ver 1.5" information + # Mod sizes selected: 1024 1536 2048 3072 4096 + # SHA Algorithm selected:SHA1 SHA224 SHA256 SHA384 SHA512 + # Generated on Wed Mar 02 00:13:02 2011 + + [mod = 1024] + + n = be499b5e7f06c83fa0293e31465c8eb6b58af920bae52a7b5b9bfeb7aa72db126411 + + p = e7a80c5d211c06acb900939495f26d365fc2b4825b75e356f89003eaa5931e6be5c3 + q = d248aa248000f720258742da67b711940c8f76e1ecd52b67a6ffe1e49354d66ff84f + + SHAAlg = SHA1 + e = 00000000000000000000000000000000000000000000000000000000000000000011 + d = 0d0f17362bdad181db4e1fe03e8de1a3208989914e14bf269558826bfa20faf4b68d + Msg = 6b9cfac0ba1c7890b13e381ce752195cc1375237db2afcf6a9dcd1f95ec733a80c + S = 562d87b5781c01d166fef3972669a0495c145b898a17df4743fbefb0a1582bd6ba9d + SaltVal = 11223344555432167890 + Result = F (3 - Signature changed ) + + SHAAlg = SHA1 + e = 0000000000003 + d = bfa20faf4b68d + Msg = 2a67c70ff14f9b34ddb42e6f89d5971057a0da980fc9ae70c81a84da0c0ac42737 + S = 2b91c6ae2b3c46ff18d5b7abe239634cb752d0acb53eea0ccd8ea8483036a50e8faf + SaltVal = 11223344555432167890 + Result = P + """).splitlines() + + vectors = load_rsa_nist_vectors(vector_data) + assert vectors == [ + { + "modulus": int("be499b5e7f06c83fa0293e31465c8eb6b58af920bae52a7b5b" + "9bfeb7aa72db126411", 16), + "p": int("e7a80c5d211c06acb900939495f26d365fc2b4825b75e356f89003ea" + "a5931e6be5c3", 16), + "q": int("d248aa248000f720258742da67b711940c8f76e1ecd52b67a6ffe1e4" + "9354d66ff84f", 16), + "public_exponent": 17, + "algorithm": "SHA1", + "private_exponent": int("0d0f17362bdad181db4e1fe03e8de1a3208989914" + "e14bf269558826bfa20faf4b68d", 16), + "msg": b"6b9cfac0ba1c7890b13e381ce752195cc1375237db2afcf6a9dcd1f95" + b"ec733a80c", + "s": b"562d87b5781c01d166fef3972669a0495c145b898a17df4743fbefb0a15" + b"82bd6ba9d", + "saltval": b"11223344555432167890", + "fail": True + }, + { + "modulus": int("be499b5e7f06c83fa0293e31465c8eb6b58af920bae52a7b5b" + "9bfeb7aa72db126411", 16), + "p": int("e7a80c5d211c06acb900939495f26d365fc2b4825b75e356f89003ea" + "a5931e6be5c3", 16), + "q": int("d248aa248000f720258742da67b711940c8f76e1ecd52b67a6ffe1e4" + "9354d66ff84f", 16), + "public_exponent": 3, + "algorithm": "SHA1", + "private_exponent": int("bfa20faf4b68d", 16), + "msg": b"2a67c70ff14f9b34ddb42e6f89d5971057a0da980fc9ae70c81a84da0" + b"c0ac42737", + "s": b"2b91c6ae2b3c46ff18d5b7abe239634cb752d0acb53eea0ccd8ea848303" + b"6a50e8faf", + "saltval": b"11223344555432167890", + "fail": False + }, + ] + + +def test_load_rsa_nist_pss_verification_vectors(): + vector_data = textwrap.dedent(""" + # CAVS 11.0 + # "SigVer PKCS#1 RSASSA-PSS" information + # Mod sizes selected: 1024 1536 2048 3072 4096 + # SHA Algorithm selected:SHA1 SHA224 SHA256 SHA384 SHA512 + # Salt len: 10 + # Generated on Wed Mar 02 00:25:22 2011 + + [mod = 1024] + + n = be499b5e7f06c83fa0293e31465c8eb6b5 + + p = e7a80c5d211c06acb900939495f26d365f + q = d248aa248000f720258742da67b711940c + + SHAAlg = SHA1 + e = 00000000000000011 + d = c8e26a88239672cf49b3422a07c4d834ba + Msg = 6b9cfac0ba1c7890b13e381ce752195c + S = 562d87b5781c01d166fef3972669a0495c + SaltVal = 11223344555432167890 + Result = F (3 - Signature changed ) + + SHAAlg = SHA384 + e = 000003 + d = 0d0f17362bdad181db4e1fe03e8de1a320 + Msg = 2a67c70ff14f9b34ddb42e6f89d59710 + S = 2b91c6ae2b3c46ff18d5b7abe239634cb7 + SaltVal = 11223344555432167890 + Result = P + """).splitlines() + + vectors = load_rsa_nist_vectors(vector_data) + assert vectors == [ + { + "modulus": int("be499b5e7f06c83fa0293e31465c8eb6b5", 16), + "p": int("e7a80c5d211c06acb900939495f26d365f", 16), + "q": int("d248aa248000f720258742da67b711940c", 16), + "public_exponent": 17, + "algorithm": "SHA1", + "private_exponent": int("c8e26a88239672cf49b3422a07c4d834ba", 16), + "msg": b"6b9cfac0ba1c7890b13e381ce752195c", + "s": b"562d87b5781c01d166fef3972669a0495c", + "saltval": b"11223344555432167890", + "salt_length": 10, + "fail": True + }, + { + "modulus": int("be499b5e7f06c83fa0293e31465c8eb6b5", 16), + "p": int("e7a80c5d211c06acb900939495f26d365f", 16), + "q": int("d248aa248000f720258742da67b711940c", 16), + "public_exponent": 3, + "algorithm": "SHA384", + "private_exponent": int("0d0f17362bdad181db4e1fe03e8de1a320", 16), + "msg": b"2a67c70ff14f9b34ddb42e6f89d59710", + "s": b"2b91c6ae2b3c46ff18d5b7abe239634cb7", + "saltval": b"11223344555432167890", + "salt_length": 10, + "fail": False }, ] diff --git a/tests/utils.py b/tests/utils.py index 720a9054..4d6882c2 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -302,6 +302,8 @@ def load_pkcs1_vectors(vector_data): def load_rsa_nist_vectors(vector_data): test_data = None + p = None + salt_length = None data = [] for line in vector_data: @@ -322,17 +324,37 @@ def load_rsa_nist_vectors(vector_data): if name == "n": n = int(value, 16) - elif name == "e": + elif name == "e" and p is None: e = int(value, 16) + elif name == "p": + p = int(value, 16) + elif name == "q": + q = int(value, 16) elif name == "SHAAlg": - test_data = { - "modulus": n, - "public_exponent": e, - "salt_length": salt_length, - "algorithm": value.encode("ascii") - } + if p is None: + test_data = { + "modulus": n, + "public_exponent": e, + "salt_length": salt_length, + "algorithm": value, + "fail": False + } + else: + test_data = { + "modulus": n, + "p": p, + "q": q, + "algorithm": value + } + if salt_length is not None: + test_data["salt_length"] = salt_length data.append(test_data) - continue + elif name == "e" and p is not None: + test_data["public_exponent"] = int(value, 16) + elif name == "d": + test_data["private_exponent"] = int(value, 16) + elif name == "Result": + test_data["fail"] = value.startswith("F") # For all other tokens we simply want the name, value stored in # the dictionary else: @@ -1,5 +1,5 @@ [tox] -envlist = py26,py27,pypy,py32,py33,docs,pep8,py3pep8 +envlist = py26,py27,pypy,py32,py33,py34,docs,pep8,py3pep8 [testenv] deps = |