diff options
29 files changed, 617 insertions, 421 deletions
diff --git a/cryptography/hazmat/backends/interfaces.py b/cryptography/hazmat/backends/interfaces.py index 524e0a5b..e4faf32c 100644 --- a/cryptography/hazmat/backends/interfaces.py +++ b/cryptography/hazmat/backends/interfaces.py @@ -196,6 +196,24 @@ class DSABackend(object): Return True if the parameters are supported by the backend for DSA. """ + @abc.abstractmethod + def load_dsa_private_numbers(self, numbers): + """ + Returns a DSAPrivateKey provider. + """ + + @abc.abstractmethod + def load_dsa_public_numbers(self, numbers): + """ + Returns a DSAPublicKey provider. + """ + + @abc.abstractmethod + def load_dsa_parameter_numbers(self, numbers): + """ + Returns a DSAParameters provider. + """ + @six.add_metaclass(abc.ABCMeta) class TraditionalOpenSSLSerializationBackend(object): diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 53d92be3..2a7e3cc4 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -930,8 +930,28 @@ class Backend(object): if self._lib.Cryptography_HAS_EC != 1: return False - curves = self._supported_curves() - return curve.name.encode("ascii") in curves + try: + curve_nid = self._elliptic_curve_to_nid(curve) + except UnsupportedAlgorithm: + curve_nid = self._lib.NID_undef + + ctx = self._lib.EC_GROUP_new_by_curve_name(curve_nid) + + if ctx == self._ffi.NULL: + errors = self._consume_errors() + assert ( + curve_nid == self._lib.NID_undef or + errors[0][1:] == ( + self._lib.ERR_LIB_EC, + self._lib.EC_F_EC_GROUP_NEW_BY_CURVE_NAME, + self._lib.EC_R_UNKNOWN_GROUP + ) + ) + return False + else: + assert curve_nid != self._lib.NID_undef + self._lib.EC_GROUP_free(ctx) + return True def elliptic_curve_signature_algorithm_supported( self, signature_algorithm, curve @@ -952,30 +972,6 @@ class Backend(object): return self.elliptic_curve_supported(curve) - def _supported_curves(self): - if self._lib.Cryptography_HAS_EC != 1: - return [] - - num_curves = self._lib.EC_get_builtin_curves(self._ffi.NULL, 0) - curve_array = self._ffi.new("EC_builtin_curve[]", num_curves) - num_curves_assigned = self._lib.EC_get_builtin_curves( - curve_array, num_curves) - assert num_curves == num_curves_assigned - - curves = [ - self._ffi.string(self._lib.OBJ_nid2sn(curve.nid)).decode() - for curve in curve_array - ] - - curve_aliases = { - "prime192v1": "secp192r1", - "prime256v1": "secp256r1" - } - return [ - curve_aliases.get(curve, curve) - for curve in curves - ] - def _create_ecdsa_signature_ctx(self, private_key, ecdsa): return _ECDSASignatureContext(self, private_key, ecdsa.algorithm) @@ -2014,7 +2010,7 @@ def _truncate_digest_for_ecdsa(ec_key_cdata, digest, backend): mask = 0xFF >> rshift << rshift # Set the bottom rshift bits to 0 - digest = digest[:-1] + six.int2byte(six.byte2int(digest[-1]) & mask) + digest = digest[:-1] + six.int2byte(six.indexbytes(digest, -1) & mask) return digest diff --git a/cryptography/hazmat/bindings/commoncrypto/common_cryptor.py b/cryptography/hazmat/bindings/commoncrypto/common_cryptor.py index 9bd03a7c..713bc566 100644 --- a/cryptography/hazmat/bindings/commoncrypto/common_cryptor.py +++ b/cryptography/hazmat/bindings/commoncrypto/common_cryptor.py @@ -101,7 +101,7 @@ MACROS = """ """ CUSTOMIZATIONS = """ -// Not defined in the public header +/* Not defined in the public header */ enum { kCCModeGCM = 11 }; diff --git a/cryptography/hazmat/bindings/openssl/aes.py b/cryptography/hazmat/bindings/openssl/aes.py index 58ef0cf1..e4071523 100644 --- a/cryptography/hazmat/bindings/openssl/aes.py +++ b/cryptography/hazmat/bindings/openssl/aes.py @@ -49,7 +49,7 @@ void AES_ctr128_encrypt(const unsigned char *, unsigned char *, """ CUSTOMIZATIONS = """ -// OpenSSL 0.9.8h+ +/* OpenSSL 0.9.8h+ */ #if OPENSSL_VERSION_NUMBER >= 0x0090808fL static const long Cryptography_HAS_AES_WRAP = 1; #else diff --git a/cryptography/hazmat/bindings/openssl/cms.py b/cryptography/hazmat/bindings/openssl/cms.py index a3760f2c..cbf4b283 100644 --- a/cryptography/hazmat/bindings/openssl/cms.py +++ b/cryptography/hazmat/bindings/openssl/cms.py @@ -15,8 +15,8 @@ from __future__ import absolute_import, division, print_function INCLUDES = """ #if !defined(OPENSSL_NO_CMS) && OPENSSL_VERSION_NUMBER >= 0x0090808fL -// The next define should really be in the OpenSSL header, but it is missing. -// Failing to include this on Windows causes compilation failures. +/* The next define should really be in the OpenSSL header, but it is missing. + Failing to include this on Windows causes compilation failures. */ #if defined(OPENSSL_SYS_WINDOWS) #include <windows.h> #endif diff --git a/cryptography/hazmat/bindings/openssl/dh.py b/cryptography/hazmat/bindings/openssl/dh.py index a0f99479..e2e8976e 100644 --- a/cryptography/hazmat/bindings/openssl/dh.py +++ b/cryptography/hazmat/bindings/openssl/dh.py @@ -19,13 +19,13 @@ INCLUDES = """ TYPES = """ typedef struct dh_st { - // prime number (shared) + /* Prime number (shared) */ BIGNUM *p; - // generator of Z_p (shared) + /* Generator of Z_p (shared) */ BIGNUM *g; - // private DH value x + /* Private DH value x */ BIGNUM *priv_key; - // public DH value g^x + /* Public DH value g^x */ BIGNUM *pub_key; ...; } DH; diff --git a/cryptography/hazmat/bindings/openssl/dsa.py b/cryptography/hazmat/bindings/openssl/dsa.py index 7db03326..c9aa8882 100644 --- a/cryptography/hazmat/bindings/openssl/dsa.py +++ b/cryptography/hazmat/bindings/openssl/dsa.py @@ -19,15 +19,15 @@ INCLUDES = """ TYPES = """ typedef struct dsa_st { - // prime number (public) + /* Prime number (public) */ BIGNUM *p; - // 160-bit subprime, q | p-1 (public) + /* Subprime (160-bit, q | p-1, public) */ BIGNUM *q; - // generator of subgroup (public) + /* Generator of subgroup (public) */ BIGNUM *g; - // private key x + /* Private key x */ BIGNUM *priv_key; - // public key y = g^x + /* Public key y = g^x */ BIGNUM *pub_key; ...; } DSA; diff --git a/cryptography/hazmat/bindings/openssl/err.py b/cryptography/hazmat/bindings/openssl/err.py index 8ed97d0b..232060a2 100644 --- a/cryptography/hazmat/bindings/openssl/err.py +++ b/cryptography/hazmat/bindings/openssl/err.py @@ -21,6 +21,7 @@ TYPES = """ static const int Cryptography_HAS_REMOVE_THREAD_STATE; static const int Cryptography_HAS_098H_ERROR_CODES; static const int Cryptography_HAS_098C_CAMELLIA_CODES; +static const int Cryptography_HAS_EC_CODES; struct ERR_string_data_st { unsigned long error; @@ -29,6 +30,7 @@ struct ERR_string_data_st { typedef struct ERR_string_data_st ERR_STRING_DATA; static const int ERR_LIB_EVP; +static const int ERR_LIB_EC; static const int ERR_LIB_PEM; static const int ERR_LIB_ASN1; static const int ERR_LIB_RSA; @@ -172,6 +174,10 @@ static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM; static const int EVP_R_WRONG_FINAL_BLOCK_LENGTH; static const int EVP_R_WRONG_PUBLIC_KEY_TYPE; +static const int EC_F_EC_GROUP_NEW_BY_CURVE_NAME; + +static const int EC_R_UNKNOWN_GROUP; + static const int PEM_F_D2I_PKCS8PRIVATEKEY_BIO; static const int PEM_F_D2I_PKCS8PRIVATEKEY_FP; static const int PEM_F_DO_PK8PKEY; @@ -284,7 +290,7 @@ typedef uint32_t CRYPTO_THREADID; void (*ERR_remove_thread_state)(const CRYPTO_THREADID *) = NULL; #endif -// OpenSSL 0.9.8h+ +/* OpenSSL 0.9.8h+ */ #if OPENSSL_VERSION_NUMBER >= 0x0090808fL static const long Cryptography_HAS_098H_ERROR_CODES = 1; #else @@ -298,7 +304,7 @@ static const int ASN1_R_NO_MULTIPART_BODY_FAILURE = 0; static const int ASN1_R_NO_MULTIPART_BOUNDARY = 0; #endif -// OpenSSL 0.9.8c+ +/* OpenSSL 0.9.8c+ */ #ifdef EVP_F_CAMELLIA_INIT_KEY static const long Cryptography_HAS_098C_CAMELLIA_CODES = 1; #else @@ -306,6 +312,15 @@ static const long Cryptography_HAS_098C_CAMELLIA_CODES = 0; static const int EVP_F_CAMELLIA_INIT_KEY = 0; static const int EVP_R_CAMELLIA_KEY_SETUP_FAILED = 0; #endif + +// OpenSSL without EC. e.g. RHEL +#ifndef OPENSSL_NO_EC +static const long Cryptography_HAS_EC_CODES = 1; +#else +static const long Cryptography_HAS_EC_CODES = 0; +static const int EC_R_UNKNOWN_GROUP = 0; +static const int EC_F_EC_GROUP_NEW_BY_CURVE_NAME = 0; +#endif """ CONDITIONAL_NAMES = { @@ -324,5 +339,9 @@ CONDITIONAL_NAMES = { "Cryptography_HAS_098C_CAMELLIA_CODES": [ "EVP_F_CAMELLIA_INIT_KEY", "EVP_R_CAMELLIA_KEY_SETUP_FAILED" + ], + "Cryptography_HAS_EC_CODES": [ + "EC_R_UNKNOWN_GROUP", + "EC_F_EC_GROUP_NEW_BY_CURVE_NAME" ] } diff --git a/cryptography/hazmat/bindings/openssl/evp.py b/cryptography/hazmat/bindings/openssl/evp.py index b3d958e6..11834509 100644 --- a/cryptography/hazmat/bindings/openssl/evp.py +++ b/cryptography/hazmat/bindings/openssl/evp.py @@ -139,7 +139,8 @@ int PKCS5_PBKDF2_HMAC(const char *, int, const unsigned char *, int, int, int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *, const EVP_MD *); -// not macros but must be in this section since they're not available in 0.9.8 +/* These aren't macros, but must be in this section because they're not + available in 0.9.8. */ EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *, ENGINE *); EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int, ENGINE *); EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *); diff --git a/cryptography/hazmat/bindings/openssl/nid.py b/cryptography/hazmat/bindings/openssl/nid.py index ea6fd4d6..7fa08660 100644 --- a/cryptography/hazmat/bindings/openssl/nid.py +++ b/cryptography/hazmat/bindings/openssl/nid.py @@ -193,7 +193,7 @@ MACROS = """ """ CUSTOMIZATIONS = """ -// OpenSSL 0.9.8g+ +/* OpenSSL 0.9.8g+ */ #if OPENSSL_VERSION_NUMBER >= 0x0090807fL static const long Cryptography_HAS_ECDSA_SHA2_NIDS = 1; #else diff --git a/cryptography/hazmat/bindings/openssl/rsa.py b/cryptography/hazmat/bindings/openssl/rsa.py index c6356101..cb8e701e 100644 --- a/cryptography/hazmat/bindings/openssl/rsa.py +++ b/cryptography/hazmat/bindings/openssl/rsa.py @@ -80,7 +80,7 @@ CUSTOMIZATIONS = """ #if OPENSSL_VERSION_NUMBER >= 0x10000000 static const long Cryptography_HAS_PSS_PADDING = 1; #else -// see evp.py for the definition of Cryptography_HAS_PKEY_CTX +/* see evp.py for the definition of Cryptography_HAS_PKEY_CTX */ static const long Cryptography_HAS_PSS_PADDING = 0; int (*EVP_PKEY_CTX_set_rsa_padding)(EVP_PKEY_CTX *, int) = NULL; int (*EVP_PKEY_CTX_set_rsa_pss_saltlen)(EVP_PKEY_CTX *, int) = NULL; diff --git a/cryptography/hazmat/bindings/openssl/ssl.py b/cryptography/hazmat/bindings/openssl/ssl.py index 018a1413..7d805e78 100644 --- a/cryptography/hazmat/bindings/openssl/ssl.py +++ b/cryptography/hazmat/bindings/openssl/ssl.py @@ -456,7 +456,7 @@ static const long Cryptography_HAS_SSL_OP_NO_TICKET = 0; const long SSL_OP_NO_TICKET = 0; #endif -// OpenSSL 0.9.8f+ +/* OpenSSL 0.9.8f+ */ #if OPENSSL_VERSION_NUMBER >= 0x00908070L static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1; #else @@ -483,7 +483,7 @@ static const long Cryptography_HAS_NETBSD_D1_METH = 1; static const long Cryptography_HAS_NETBSD_D1_METH = 1; #endif -// Workaround for #794 caused by cffi const** bug. +/* Workaround for #794 caused by cffi const** bug. */ const SSL_METHOD* Cryptography_SSL_CTX_get_method(const SSL_CTX* ctx) { return ctx->method; } @@ -519,7 +519,7 @@ void (*SSL_get0_next_proto_negotiated)(const SSL *, static const long Cryptography_HAS_NEXTPROTONEG = 1; #endif -// ALPN was added in OpenSSL 1.0.2. +/* ALPN was added in OpenSSL 1.0.2. */ #if OPENSSL_VERSION_NUMBER < 0x10002001L int (*SSL_CTX_set_alpn_protos)(SSL_CTX *, const unsigned char*, diff --git a/cryptography/hazmat/bindings/openssl/x509.py b/cryptography/hazmat/bindings/openssl/x509.py index cf38df32..b74c118b 100644 --- a/cryptography/hazmat/bindings/openssl/x509.py +++ b/cryptography/hazmat/bindings/openssl/x509.py @@ -245,7 +245,7 @@ int i2d_ECPrivateKey_bio(BIO *, EC_KEY *); """ CUSTOMIZATIONS = """ -// OpenSSL 0.9.8e does not have this definition +/* OpenSSL 0.9.8e does not have this definition. */ #if OPENSSL_VERSION_NUMBER <= 0x0090805fL typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; #endif diff --git a/cryptography/hazmat/bindings/openssl/x509_vfy.py b/cryptography/hazmat/bindings/openssl/x509_vfy.py index ed35b1bc..a53716b0 100644 --- a/cryptography/hazmat/bindings/openssl/x509_vfy.py +++ b/cryptography/hazmat/bindings/openssl/x509_vfy.py @@ -45,7 +45,7 @@ typedef ... X509_VERIFY_PARAM; as longs, just in case they ever grow to large, such as what we saw with OP_ALL. */ -// Verification error codes +/* Verification error codes */ static const int X509_V_OK; static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; static const int X509_V_ERR_UNABLE_TO_GET_CRL; @@ -110,7 +110,7 @@ static const int X509_V_ERR_EMAIL_MISMATCH; static const int X509_V_ERR_IP_ADDRESS_MISMATCH; static const int X509_V_ERR_APPLICATION_VERIFICATION; -// Verification parameters +/* Verification parameters */ static const long X509_V_FLAG_CB_ISSUER_CHECK; static const long X509_V_FLAG_USE_CHECK_TIME; static const long X509_V_FLAG_CRL_CHECK; @@ -136,12 +136,12 @@ static const long X509_V_FLAG_PARTIAL_CHAIN; FUNCTIONS = """ int X509_verify_cert(X509_STORE_CTX *); -// X509_STORE +/* X509_STORE */ X509_STORE *X509_STORE_new(void); void X509_STORE_free(X509_STORE *); int X509_STORE_add_cert(X509_STORE *, X509 *); -// X509_STORE_CTX +/* X509_STORE_CTX */ X509_STORE_CTX *X509_STORE_CTX_new(void); void X509_STORE_CTX_cleanup(X509_STORE_CTX *); void X509_STORE_CTX_free(X509_STORE_CTX *); @@ -165,7 +165,7 @@ X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *); int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *, int, void *); void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *, int); -// X509_VERIFY_PARAM +/* X509_VERIFY_PARAM */ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void); int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *, unsigned long); int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *, unsigned long); @@ -181,11 +181,11 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *); """ MACROS = """ -// X509_STORE_CTX +/* X509_STORE_CTX */ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *, Cryptography_STACK_OF_X509_CRL *); -// X509_VERIFY_PARAM +/* X509_VERIFY_PARAM */ int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const unsigned char *, size_t); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *, unsigned int); @@ -197,7 +197,7 @@ int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *); """ CUSTOMIZATIONS = """ -// OpenSSL 1.0.2+, but only some very new releases +/* OpenSSL 1.0.2+, but only some very new releases */ #ifdef X509_VERIFY_PARAM_set_hostflags static const long Cryptography_HAS_X509_VERIFY_PARAM_SET_HOSTFLAGS = 1; #else @@ -206,7 +206,7 @@ void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *, unsigned int) = NULL; #endif -// OpenSSL 1.0.2+ verification error codes +/* OpenSSL 1.0.2+ verification error codes */ #if OPENSSL_VERSION_NUMBER >= 0x10002000L static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 1; #else @@ -222,12 +222,13 @@ static const long X509_V_ERR_EMAIL_MISMATCH = 0; static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0; #endif -// OpenSSL 1.0.2+ verification parameters +/* OpenSSL 1.0.2+ verification parameters */ #if OPENSSL_VERSION_NUMBER >= 0x10002000L static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1; #else static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0; -// X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2, but added separately below +/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately + below because it shows up in some earlier 3rd party OpenSSL packages. */ static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0; static const long X509_V_FLAG_SUITEB_192_LOS = 0; static const long X509_V_FLAG_SUITEB_128_LOS = 0; @@ -242,7 +243,7 @@ int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *, int (*X509_VERIFY_PARAM_set1_ip_asc)(X509_VERIFY_PARAM *, const char *) = NULL; #endif -// OpenSSL 1.0.2+, *or* Fedora 20's flavor of OpenSSL 1.0.1e... +/* OpenSSL 1.0.2+, *or* Fedora 20's flavor of OpenSSL 1.0.1e... */ #ifdef X509_V_FLAG_TRUSTED_FIRST static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST = 1; #else @@ -250,7 +251,7 @@ static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST = 0; static const long X509_V_FLAG_TRUSTED_FIRST = 0; #endif -// OpenSSL 1.0.0+ verification error codes +/* OpenSSL 1.0.0+ verification error codes */ #if OPENSSL_VERSION_NUMBER >= 0x10000000L static const long Cryptography_HAS_100_VERIFICATION_ERROR_CODES = 1; #else @@ -266,7 +267,7 @@ static const long X509_V_ERR_UNSUPPORTED_NAME_SYNTAX = 0; static const long X509_V_ERR_CRL_PATH_VALIDATION_ERROR = 0; #endif -// OpenSSL 1.0.0+ verification parameters +/* OpenSSL 1.0.0+ verification parameters */ #if OPENSSL_VERSION_NUMBER >= 0x10000000L static const long Cryptography_HAS_100_VERIFICATION_PARAMS = 1; #else @@ -275,7 +276,7 @@ static const long X509_V_FLAG_EXTENDED_CRL_SUPPORT = 0; static const long X509_V_FLAG_USE_DELTAS = 0; #endif -// OpenSSL 0.9.8recent+ +/* OpenSSL 0.9.8recent+ */ #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE static const long Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE = 1; #else diff --git a/cryptography/hazmat/primitives/asymmetric/rsa.py b/cryptography/hazmat/primitives/asymmetric/rsa.py index fc117cd4..15ec52ac 100644 --- a/cryptography/hazmat/primitives/asymmetric/rsa.py +++ b/cryptography/hazmat/primitives/asymmetric/rsa.py @@ -377,6 +377,9 @@ class RSAPrivateNumbers(object): def public_numbers(self): return self._public_numbers + def private_key(self, backend): + return backend.load_rsa_private_numbers(self) + class RSAPublicNumbers(object): def __init__(self, e, n): @@ -396,3 +399,6 @@ class RSAPublicNumbers(object): @property def n(self): return self._n + + def public_key(self, backend): + return backend.load_rsa_public_numbers(self) diff --git a/cryptography/hazmat/primitives/interfaces.py b/cryptography/hazmat/primitives/interfaces.py index 71852562..dd901aae 100644 --- a/cryptography/hazmat/primitives/interfaces.py +++ b/cryptography/hazmat/primitives/interfaces.py @@ -212,6 +212,7 @@ class RSAPrivateKey(object): @six.add_metaclass(abc.ABCMeta) class RSAPrivateKeyWithNumbers(RSAPrivateKey): + @abc.abstractmethod def private_numbers(self): """ Returns an RSAPrivateNumbers. @@ -241,6 +242,7 @@ class RSAPublicKey(object): @six.add_metaclass(abc.ABCMeta) class RSAPublicKeyWithNumbers(RSAPublicKey): + @abc.abstractmethod def public_numbers(self): """ Returns an RSAPublicNumbers diff --git a/cryptography/hazmat/primitives/serialization.py b/cryptography/hazmat/primitives/serialization.py index 056d4a06..ed73c4c4 100644 --- a/cryptography/hazmat/primitives/serialization.py +++ b/cryptography/hazmat/primitives/serialization.py @@ -24,11 +24,3 @@ def load_pem_pkcs8_private_key(data, password, backend): return backend.load_pkcs8_pem_private_key( data, password ) - - -def load_rsa_private_numbers(numbers, backend): - return backend.load_rsa_private_numbers(numbers) - - -def load_rsa_public_numbers(numbers, backend): - return backend.load_rsa_public_numbers(numbers) diff --git a/docs/development/c-bindings.rst b/docs/development/c-bindings.rst new file mode 100644 index 00000000..56963379 --- /dev/null +++ b/docs/development/c-bindings.rst @@ -0,0 +1,192 @@ +C bindings +========== + +C bindings are bindings to C libraries, using cffi_ whenever possible. + +.. _cffi: http://cffi.readthedocs.org + +Bindings live in :py:mod:`cryptography.hazmat.bindings`. + +Style guide +----------- + +Don't name parameters: + +.. code-block:: c + + /* Good */ + long f(long); + /* Bad */ + long f(long x); + +...unless they're inside a struct: + +.. code-block:: c + + struct my_struct { + char *name; + int number; + ...; + }; + +Include ``void`` if the function takes no arguments: + +.. code-block:: c + + /* Good */ + long f(void); + /* Bad */ + long f(); + +Wrap lines at 80 characters like so: + +.. code-block:: c + + /* Pretend this went to 80 characters */ + long f(long, long, + int *) + +Include a space after commas between parameters: + +.. code-block:: c + + /* Good */ + long f(int, char *) + /* Bad */ + long f(int,char *) + +Use C-style ``/* */`` comments instead of C++-style ``//``: + +.. code-block:: c + + // Bad + /* Good */ + +Values set by ``#define`` should be assigned the appropriate type. If you see +this: + +.. code-block:: c + + #define SOME_INTEGER_LITERAL 0x0; + #define SOME_UNSIGNED_INTEGER_LITERAL 0x0001U; + #define SOME_STRING_LITERAL "hello"; + +...it should be added to the bindings like so: + +.. code-block:: c + + static const int SOME_INTEGER_LITERAL; + static const unsigned int SOME_UNSIGNED_INTEGER_LITERAL; + static const char *const SOME_STRING_LITERAL; + +Adding constant, types, functions... +------------------------------------ + +You can create bindings for any name that exists in some version of +the library you're binding against. However, the project also has to +keep supporting older versions of the library. In order to achieve +this, binding modules have ``CUSTOMIZATIONS`` and +``CONDITIONAL_NAMES`` constants. + +Let's say you want to enable quantum transmogrification. The upstream +library implements this as the following API:: + + static const int QM_TRANSMOGRIFICATION_ALIGNMENT_LEFT; + static const int QM_TRANSMOGRIFICATION_ALIGNMENT_RIGHT; + typedef ... QM_TRANSMOGRIFICATION_CTX; + int QM_transmogrify(QM_TRANSMOGRIFICATION_CTX *, int); + +To start, create a new constant that defines if the *actual* library +has the feature you want, and add it to ``TYPES``:: + + static const long Cryptography_HAS_QUANTUM_TRANSMOGRIFICATION; + +This should start with ``Cryptography_``, since we're adding it in +this library. This prevents namespace collisions. + +Then, define the actual features (constants, types, functions...) you +want to expose. If it's a constant, just add it to ``TYPES``:: + + static const int QM_TRANSMOGRIFICATION_ALIGNMENT_LEFT; + static const int QM_TRANSMOGRIFICATION_ALIGNMENT_RIGHT; + +If it's a struct, add it to ``TYPES`` as well. The following is an +opaque struct:: + + typedef ... QM_TRANSMOGRIFICATION_CTX; + +... but you can also make some or all items in the struct accessible:: + + typedef struct { + /* Fundamental constant k for your particular universe */ + BIGNUM *k; + ...; + } QM_TRANSMOGRIFICATION_CTX; + +Confusingly, functions that aren't always available on all supported +versions of the library, should be defined in ``MACROS`` and *not* in +``FUNCTIONS``. Fortunately, you just have to copy the signature:: + + int QM_transmogrify(QM_TRANSMOGRIFICATION_CTX *, int); + +Then, we define the ``CUSTOMIZATIONS`` entry. To do that, we have to +come up with a C preprocessor expression that decides whether or not a +feature exists in the library. For example:: + + #ifdef QM_transmogrify + +Then, we set the flag that signifies the feature exists:: + + static const long Cryptography_HAS_QUANTUM_TRANSMOGRIFICATION = 1; + +Otherwise, we set that flag to 0:: + + #else + static const long Cryptography_HAS_QUANTUM_TRANSMOGRIFICATION = 0; + +Then, in that ``#else`` block, we define the names that aren't +available as dummy values. For an integer constant, use 0:: + + static const int QM_TRANSMOGRIFICATION_ALIGNMENT_LEFT = 0; + static const int QM_TRANSMOGRIFICATION_ALIGNMENT_RIGHT = 0; + +For a function, it's a bit trickier. You have to define a function +pointer of the appropriate type to be NULL:: + + int (*QM_transmogrify)(QM_TRANSMOGRIFICATION_CTX *, int) = NULL; + +(To do that, copy the signature, put a ``*`` in front of the function +name and wrap it in parentheses, and then put ``= NULL`` at the end). + +Note how types don't need to be conditionally defined, as long as all +the necessarily type definitions are in place. + +Finally, add an entry to ``CONDITIONAL_NAMES`` with all of the things +you want to conditionally export:: + + CONDITIONAL_NAMES = { + ... + "Cryptography_HAS_QUANTUM_TRANSMOGRIFICATION": [ + "QM_TRANSMOGRIFICATION_ALIGNMENT_LEFT", + "QM_TRANSMOGRIFICATION_ALIGNMENT_RIGHT", + "QM_transmogrify" + ] + } + +Caveats +~~~~~~~ + +Sometimes, a set of loosely related features are added in the same +version, and it's impractical to create ``#ifdef`` statements for each +one. In that case, it may make sense to either check for a particular +version. For example, to check for OpenSSL 1.0.0 or newer:: + + #if OPENSSL_VERSION_NUMBER >= 0x10000000L + +Sometimes, the version of a library on a particular platform will have +features that you thought it wouldn't, based on its version. +Occasionally, packagers appear to ship arbitrary VCS checkouts. As a +result, sometimes you may have to add separate ``#ifdef`` statements +for particular features. This kind of issue is typically only caught +by running the tests on a wide variety of systems, which is the job of +our continuous integration infrastructure. diff --git a/docs/development/index.rst b/docs/development/index.rst index 50b60900..f9bc9eea 100644 --- a/docs/development/index.rst +++ b/docs/development/index.rst @@ -14,6 +14,7 @@ bug check out `what to put in your bug report`_. submitting-patches reviewing-patches test-vectors + c-bindings .. _`GitHub`: https://github.com/pyca/cryptography .. _`what to put in your bug report`: http://www.contribution-guide.org/#what-to-put-in-your-bug-report diff --git a/docs/development/submitting-patches.rst b/docs/development/submitting-patches.rst index b7f43283..fe2df431 100644 --- a/docs/development/submitting-patches.rst +++ b/docs/development/submitting-patches.rst @@ -75,70 +75,8 @@ specifying a different backend. C bindings ~~~~~~~~~~ -When binding C code with ``cffi`` we have our own style guide, it's pretty -simple. - -Don't name parameters: - -.. code-block:: c - - // Good - long f(long); - // Bad - long f(long x); - -...unless they're inside a struct: - -.. code-block:: c - - struct my_struct { - char *name; - int number; - ...; - }; - -Include ``void`` if the function takes no arguments: - -.. code-block:: c - - // Good - long f(void); - // Bad - long f(); - -Wrap lines at 80 characters like so: - -.. code-block:: c - - // Pretend this went to 80 characters - long f(long, long, - int *) - -Include a space after commas between parameters: - -.. code-block:: c - - // Good - long f(int, char *) - // Bad - long f(int,char *) - -Values set by ``#define`` should be assigned the appropriate type. If you see -this: - -.. code-block:: c - - #define SOME_INTEGER_LITERAL 0x0; - #define SOME_UNSIGNED_INTEGER_LITERAL 0x0001U; - #define SOME_STRING_LITERAL "hello"; - -...it should be added to the bindings like so: - -.. code-block:: c - - static const int SOME_INTEGER_LITERAL; - static const unsigned int SOME_UNSIGNED_INTEGER_LITERAL; - static const char *const SOME_STRING_LITERAL; +More information on C bindings can be found in :doc:`the dedicated +section of the documentation <c-bindings>`. Tests ----- diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst index 9e476f72..5cbd47d1 100644 --- a/docs/hazmat/backends/interfaces.rst +++ b/docs/hazmat/backends/interfaces.rst @@ -470,6 +470,40 @@ A specific ``backend`` may provide one or more of these interfaces. :returns: ``True`` if the given values of ``p``, ``q``, and ``g`` are supported by this backend, otherwise ``False``. + .. method:: load_dsa_parameter_numbers(numbers): + + :param numbers: An instance of + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameterNumbers`. + + :returns: A provider of + :class:`~cryptography.hazmat.primitives.interfaces.DSAParameters`. + + :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when + any backend specific criteria are not met. + + .. method:: load_dsa_private_numbers(numbers): + + :param numbers: An instance of + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateNumbers`. + + :returns: A provider of + :class:`~cryptography.hazmat.primitives.interfaces.DSAPrivateKey`. + + :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when + any backend specific criteria are not met. + + .. method:: load_dsa_public_numbers(numbers): + + :param numbers: An instance of + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicNumbers`. + + :returns: A provider of + :class:`~cryptography.hazmat.primitives.interfaces.DSAPublicKey`. + + :raises cryptography.exceptions.UnsupportedAlgorithm: This raised when + any backend specific criteria are not met. + + .. class:: CMACBackend diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index 71b7cd9c..c3962901 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -385,6 +385,18 @@ RSA The collection of integers that make up an RSA public key. + .. method:: public_key(backend) + + :param backend: A + :class:`~cryptography.hazmat.backends.interfaces.RSABackend` + provider. + + :return: A :class:`~cryptography.hazmat.primitives.interfaces.RSAPublicKey` + provider. + + :raises UnsupportedAlgorithm: If the given backend does not support + loading numbers. + .. attribute:: n :type: int @@ -411,6 +423,18 @@ RSA secret. Revealing them will compromise the security of any cryptographic operations performed with a key loaded from them. + .. method:: private_key(backend) + + :param backend: A + :class:`~cryptography.hazmat.backends.interfaces.RSABackend` + provider. + + :return: A :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey` + provider. + + :raises UnsupportedAlgorithm: If the given backend does not support + loading numbers. + .. attribute:: public_numbers :type: :class:`~cryptography.hazmat.primitives.rsa.RSAPublicNumbers` diff --git a/docs/hazmat/primitives/interfaces.rst b/docs/hazmat/primitives/interfaces.rst index 029c4c1f..7d02839a 100644 --- a/docs/hazmat/primitives/interfaces.rst +++ b/docs/hazmat/primitives/interfaces.rst @@ -13,7 +13,7 @@ to document argument and return types. Symmetric ciphers -~~~~~~~~~~~~~~~~~ +----------------- .. currentmodule:: cryptography.hazmat.primitives.interfaces @@ -48,7 +48,7 @@ Symmetric ciphers Cipher modes ------------- +~~~~~~~~~~~~ Interfaces used by the symmetric cipher modes described in :ref:`Symmetric Encryption Modes <symmetric-encryption-modes>`. @@ -104,7 +104,44 @@ Interfaces used by the symmetric cipher modes described in individual modes. Asymmetric interfaces -~~~~~~~~~~~~~~~~~~~~~ +--------------------- + +.. class:: AsymmetricSignatureContext + + .. versionadded:: 0.2 + + .. method:: update(data) + + :param bytes data: The data you want to sign. + + .. method:: finalize() + + :return bytes signature: The signature. + + +.. class:: AsymmetricVerificationContext + + .. versionadded:: 0.2 + + .. method:: update(data) + + :param bytes data: The data you wish to verify using the signature. + + .. method:: verify() + + :raises cryptography.exceptions.InvalidSignature: If the signature does + not validate. + + +.. class:: AsymmetricPadding + + .. versionadded:: 0.2 + + .. attribute:: name + + +RSA +~~~ .. class:: RSAPrivateKey @@ -236,6 +273,9 @@ Asymmetric interfaces instance. +DSA +~~~ + .. class:: DSAParameters .. versionadded:: 0.3 @@ -407,6 +447,9 @@ Asymmetric interfaces The bit length of the curve's base point. +Elliptic Curve +~~~~~~~~~~~~~~ + .. class:: EllipticCurveSignatureAlgorithm .. versionadded:: 0.5 @@ -475,42 +518,8 @@ Asymmetric interfaces The elliptic curve for this key. -.. class:: AsymmetricSignatureContext - - .. versionadded:: 0.2 - - .. method:: update(data) - - :param bytes data: The data you want to sign. - - .. method:: finalize() - - :return bytes signature: The signature. - - -.. class:: AsymmetricVerificationContext - - .. versionadded:: 0.2 - - .. method:: update(data) - - :param bytes data: The data you wish to verify using the signature. - - .. method:: verify() - - :raises cryptography.exceptions.InvalidSignature: If the signature does - not validate. - - -.. class:: AsymmetricPadding - - .. versionadded:: 0.2 - - .. attribute:: name - - Hash algorithms -~~~~~~~~~~~~~~~ +--------------- .. class:: HashAlgorithm @@ -556,7 +565,7 @@ Hash algorithms Key derivation functions -~~~~~~~~~~~~~~~~~~~~~~~~ +------------------------ .. class:: KeyDerivationFunction @@ -601,7 +610,7 @@ Key derivation functions `CMAC`_ -~~~~~~~ +------- .. class:: CMACContext diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index e7a63f26..dc123493 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -30,8 +30,12 @@ invariants iOS Koblitz metadata +namespace +namespaces pickleable plaintext +preprocessor +preprocessors pseudorandom Schneier scrypt diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 0dd91695..bd99c8f2 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -487,11 +487,6 @@ class TestOpenSSLNoEllipticCurve(object): None, None ) is False - def test_supported_curves(self, monkeypatch): - monkeypatch.setattr(backend._lib, "Cryptography_HAS_EC", 0) - - assert backend._supported_curves() == [] - class TestDeprecatedRSABackendMethods(object): def test_create_rsa_signature_ctx(self): diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 1879f4fc..2690e794 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -70,6 +70,15 @@ def _skip_ecdsa_vector(backend, curve_type, hash_type): ) +def _skip_curve_unsupported(backend, curve): + if not backend.elliptic_curve_supported(curve): + pytest.skip( + "Curve {0} is not supported by this backend {1}".format( + curve.name, backend + ) + ) + + @utils.register_interface(interfaces.EllipticCurve) class DummyCurve(object): name = "dummy-curve" @@ -81,6 +90,12 @@ class DummySignatureAlgorithm(object): pass +@pytest.mark.elliptic +def test_skip_curve_unsupported(backend): + with pytest.raises(pytest.skip.Exception): + _skip_curve_unsupported(backend, DummyCurve()) + + def test_ec_numbers(): numbers = ec.EllipticCurvePrivateNumbers( 1, @@ -176,12 +191,7 @@ class TestECDSAVectors(object): "curve", _CURVE_TYPES.values() ) def test_generate_vector_curves(self, backend, curve): - if not backend.elliptic_curve_supported(curve()): - pytest.skip( - "Curve {0} is not supported by this backend {1}".format( - curve().name, backend - ) - ) + _skip_curve_unsupported(backend, curve()) key = ec.generate_private_key(curve(), backend) assert key @@ -205,12 +215,7 @@ class TestECDSAVectors(object): ) is False def test_unknown_signature_algoritm(self, backend): - if not backend.elliptic_curve_supported(ec.SECP192R1()): - pytest.skip( - "Curve secp192r1 is not supported by this backend {0}".format( - backend - ) - ) + _skip_curve_unsupported(backend, ec.SECP192R1()) key = ec.generate_private_key(ec.SECP192R1(), backend) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 5c5422ee..04908453 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -27,9 +27,6 @@ from cryptography.exceptions import ( ) from cryptography.hazmat.primitives import hashes, interfaces from cryptography.hazmat.primitives.asymmetric import padding, rsa -from cryptography.hazmat.primitives.serialization import ( - load_rsa_private_numbers -) from .fixtures_rsa import ( RSA_KEY_1024, RSA_KEY_1025, RSA_KEY_1026, RSA_KEY_1027, RSA_KEY_1028, @@ -102,6 +99,8 @@ class TestRSA(object): if isinstance(skey, interfaces.RSAPrivateKeyWithNumbers): _check_rsa_private_numbers(skey.private_numbers()) + pkey = skey.public_key() + assert isinstance(pkey.public_numbers(), rsa.RSAPublicNumbers) def test_generate_rsa_key_class_method(self, backend): skey = pytest.deprecated_call( @@ -522,7 +521,7 @@ class TestRSASignature(object): skip_message="Does not support PSS." ) def test_deprecated_pss_mgf1_salt_length(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) signer = private_key.signer( pytest.deprecated_call( padding.PSS, @@ -566,7 +565,7 @@ class TestRSASignature(object): pytest.skip( "Does not support {0} in MGF1 using PSS.".format(hash_alg.name) ) - private_key = load_rsa_private_numbers(RSA_KEY_768, backend) + private_key = RSA_KEY_768.private_key(backend) public_key = private_key.public_key() pss = padding.PSS( mgf=padding.MGF1(hash_alg), @@ -592,7 +591,7 @@ class TestRSASignature(object): skip_message="Does not support SHA512." ) def test_pss_minimum_key_size_for_digest(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_522, backend) + private_key = RSA_KEY_522.private_key(backend) signer = private_key.signer( padding.PSS( mgf=padding.MGF1(hashes.SHA1()), @@ -617,7 +616,7 @@ class TestRSASignature(object): skip_message="Does not support SHA512." ) def test_pss_signing_digest_too_large_for_key_size(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) with pytest.raises(ValueError): private_key.signer( padding.PSS( @@ -637,7 +636,7 @@ class TestRSASignature(object): skip_message="Does not support PSS." ) def test_pss_signing_salt_length_too_long(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) signer = private_key.signer( padding.PSS( mgf=padding.MGF1(hashes.SHA1()), @@ -656,7 +655,7 @@ class TestRSASignature(object): skip_message="Does not support PKCS1v1.5." ) def test_use_after_finalize(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) signer = private_key.signer(padding.PKCS1v15(), hashes.SHA1()) signer.update(b"sign me") signer.finalize() @@ -666,12 +665,12 @@ class TestRSASignature(object): signer.update(b"more data") def test_unsupported_padding(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): private_key.signer(DummyPadding(), hashes.SHA1()) def test_padding_incorrect_type(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) with pytest.raises(TypeError): private_key.signer("notpadding", hashes.SHA1()) @@ -700,7 +699,7 @@ class TestRSASignature(object): skip_message="Does not support PSS." ) def test_unsupported_pss_mgf(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_MGF): private_key.signer(padding.PSS(mgf=DummyMGF()), hashes.SHA1()) @@ -711,7 +710,7 @@ class TestRSASignature(object): skip_message="Does not support PKCS1v1.5." ) def test_pkcs1_digest_too_large_for_key_size(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_599, backend) + private_key = RSA_KEY_599.private_key(backend) signer = private_key.signer( padding.PKCS1v15(), hashes.SHA512() @@ -727,7 +726,7 @@ class TestRSASignature(object): skip_message="Does not support PKCS1v1.5." ) def test_pkcs1_minimum_key_size(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_745, backend) + private_key = RSA_KEY_745.private_key(backend) signer = private_key.signer( padding.PKCS1v15(), hashes.SHA512() @@ -774,7 +773,7 @@ class TestRSAVerification(object): skip_message="Does not support PKCS1v1.5." ) def test_invalid_pkcs1v15_signature_wrong_data(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) public_key = private_key.public_key() signer = private_key.signer(padding.PKCS1v15(), hashes.SHA1()) signer.update(b"sign me") @@ -795,8 +794,8 @@ class TestRSAVerification(object): skip_message="Does not support PKCS1v1.5." ) def test_invalid_pkcs1v15_signature_wrong_key(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) - private_key2 = load_rsa_private_numbers(RSA_KEY_512_ALT, backend) + private_key = RSA_KEY_512.private_key(backend) + private_key2 = RSA_KEY_512_ALT.private_key(backend) public_key = private_key2.public_key() signer = private_key.signer(padding.PKCS1v15(), hashes.SHA1()) signer.update(b"sign me") @@ -961,7 +960,7 @@ class TestRSAVerification(object): skip_message="Does not support PKCS1v1.5." ) def test_use_after_finalize(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) public_key = private_key.public_key() signer = private_key.signer(padding.PKCS1v15(), hashes.SHA1()) signer.update(b"sign me") @@ -980,13 +979,13 @@ class TestRSAVerification(object): verifier.update(b"more data") def test_unsupported_padding(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) public_key = private_key.public_key() with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): public_key.verifier(b"sig", DummyPadding(), hashes.SHA1()) def test_padding_incorrect_type(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) public_key = private_key.public_key() with pytest.raises(TypeError): public_key.verifier(b"sig", "notpadding", hashes.SHA1()) @@ -1012,7 +1011,7 @@ class TestRSAVerification(object): skip_message="Does not support PSS." ) def test_unsupported_pss_mgf(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) public_key = private_key.public_key() with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_MGF): public_key.verifier(b"sig", padding.PSS(mgf=DummyMGF()), @@ -1032,7 +1031,7 @@ class TestRSAVerification(object): skip_message="Does not support SHA512." ) def test_pss_verify_digest_too_large_for_key_size(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) signature = binascii.unhexlify( b"8b9a3ae9fb3b64158f3476dd8d8a1f1425444e98940e0926378baa9944d219d8" b"534c050ef6b19b1bdc6eb4da422e89161106a6f5b5cc16135b11eb6439b646bd" @@ -1433,7 +1432,7 @@ class TestRSADecryption(object): assert message == binascii.unhexlify(example["message"]) def test_unsupported_padding(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): private_key.decrypt(b"0" * 64, DummyPadding()) @@ -1444,7 +1443,7 @@ class TestRSADecryption(object): skip_message="Does not support PKCS1v1.5." ) def test_decrypt_invalid_decrypt(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) with pytest.raises(ValueError): private_key.decrypt( b"\x00" * 64, @@ -1458,7 +1457,7 @@ class TestRSADecryption(object): skip_message="Does not support PKCS1v1.5." ) def test_decrypt_ciphertext_too_large(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) with pytest.raises(ValueError): private_key.decrypt( b"\x00" * 65, @@ -1472,7 +1471,7 @@ class TestRSADecryption(object): skip_message="Does not support PKCS1v1.5." ) def test_decrypt_ciphertext_too_small(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) ct = binascii.unhexlify( b"50b4c14136bd198c2f3c3ed243fce036e168d56517984a263cd66492b80804f1" b"69d210f2b9bdfb48b12f9ea05009c77da257cc600ccefe3a6283789d8ea0" @@ -1539,7 +1538,7 @@ class TestRSADecryption(object): assert message == binascii.unhexlify(example["message"]) def test_unsupported_oaep_mgf(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_MGF): private_key.decrypt( b"0" * 64, @@ -1613,7 +1612,7 @@ class TestRSAEncryption(object): ) ) def test_rsa_encrypt_pkcs1v15(self, key_data, pad, backend): - private_key = load_rsa_private_numbers(key_data, backend) + private_key = key_data.private_key(backend) pt = b"encrypt me!" public_key = private_key.public_key() ct = public_key.encrypt(pt, pad) @@ -1639,7 +1638,7 @@ class TestRSAEncryption(object): ) ) def test_rsa_encrypt_key_too_small(self, key_data, pad, backend): - private_key = load_rsa_private_numbers(key_data, backend) + private_key = key_data.private_key(backend) public_key = private_key.public_key() # Slightly smaller than the key size but not enough for padding. with pytest.raises(ValueError): @@ -1670,14 +1669,14 @@ class TestRSAEncryption(object): ) def test_unsupported_padding(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) public_key = private_key.public_key() with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): public_key.encrypt(b"somedata", DummyPadding()) def test_unsupported_oaep_mgf(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_512, backend) + private_key = RSA_KEY_512.private_key(backend) public_key = private_key.public_key() with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_MGF): @@ -1718,6 +1717,14 @@ class TestRSANumbers(object): assert private_numbers.iqmp == 2 assert private_numbers.public_numbers == public_numbers + def test_rsa_private_numbers_create_key(self, backend): + private_key = RSA_KEY_1024.private_key(backend) + assert private_key + + def test_rsa_public_numbers_create_key(self, backend): + public_key = RSA_KEY_1024.public_numbers.public_key(backend) + assert public_key + def test_public_numbers_invalid_types(self): with pytest.raises(TypeError): rsa.RSAPublicNumbers(e=None, n=15) @@ -1812,19 +1819,19 @@ class TestRSANumbers(object): # Test a modulus < 3. with pytest.raises(ValueError): - backend.load_rsa_public_numbers(rsa.RSAPublicNumbers(e=7, n=2)) + rsa.RSAPublicNumbers(e=7, n=2).public_key(backend) # Test a public_exponent < 3 with pytest.raises(ValueError): - backend.load_rsa_public_numbers(rsa.RSAPublicNumbers(e=1, n=15)) + rsa.RSAPublicNumbers(e=1, n=15).public_key(backend) # Test a public_exponent > modulus with pytest.raises(ValueError): - backend.load_rsa_public_numbers(rsa.RSAPublicNumbers(e=17, n=15)) + rsa.RSAPublicNumbers(e=17, n=15).public_key(backend) # Test a public_exponent that is not odd. with pytest.raises(ValueError): - backend.load_rsa_public_numbers(rsa.RSAPublicNumbers(e=16, n=15)) + rsa.RSAPublicNumbers(e=16, n=15).public_key(backend) def test_invalid_private_numbers_argument_values(self, backend): # Start with p=3, q=11, private_exponent=3, public_exponent=7, @@ -1833,221 +1840,195 @@ class TestRSANumbers(object): # Test a modulus < 3. with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=11, - d=3, - dmp1=1, - dmq1=3, - iqmp=2, - public_numbers=rsa.RSAPublicNumbers( - e=7, - n=2 - ) + rsa.RSAPrivateNumbers( + p=3, + q=11, + d=3, + dmp1=1, + dmq1=3, + iqmp=2, + public_numbers=rsa.RSAPublicNumbers( + e=7, + n=2 ) - ) + ).private_key(backend) # Test a modulus != p * q. with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=11, - d=3, - dmp1=1, - dmq1=3, - iqmp=2, - public_numbers=rsa.RSAPublicNumbers( - e=7, - n=35 - ) + rsa.RSAPrivateNumbers( + p=3, + q=11, + d=3, + dmp1=1, + dmq1=3, + iqmp=2, + public_numbers=rsa.RSAPublicNumbers( + e=7, + n=35 ) - ) + ).private_key(backend) # Test a p > modulus. with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=37, - q=11, - d=3, - dmp1=1, - dmq1=3, - iqmp=2, - public_numbers=rsa.RSAPublicNumbers( - e=7, - n=33 - ) + rsa.RSAPrivateNumbers( + p=37, + q=11, + d=3, + dmp1=1, + dmq1=3, + iqmp=2, + public_numbers=rsa.RSAPublicNumbers( + e=7, + n=33 ) - ) + ).private_key(backend) # Test a q > modulus. with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=37, - d=3, - dmp1=1, - dmq1=3, - iqmp=2, - public_numbers=rsa.RSAPublicNumbers( - e=7, - n=33 - ) + rsa.RSAPrivateNumbers( + p=3, + q=37, + d=3, + dmp1=1, + dmq1=3, + iqmp=2, + public_numbers=rsa.RSAPublicNumbers( + e=7, + n=33 ) - ) + ).private_key(backend) # Test a dmp1 > modulus. with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=11, - d=3, - dmp1=35, - dmq1=3, - iqmp=2, - public_numbers=rsa.RSAPublicNumbers( - e=7, - n=33 - ) + rsa.RSAPrivateNumbers( + p=3, + q=11, + d=3, + dmp1=35, + dmq1=3, + iqmp=2, + public_numbers=rsa.RSAPublicNumbers( + e=7, + n=33 ) - ) + ).private_key(backend) # Test a dmq1 > modulus. with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=11, - d=3, - dmp1=1, - dmq1=35, - iqmp=2, - public_numbers=rsa.RSAPublicNumbers( - e=7, - n=33 - ) + rsa.RSAPrivateNumbers( + p=3, + q=11, + d=3, + dmp1=1, + dmq1=35, + iqmp=2, + public_numbers=rsa.RSAPublicNumbers( + e=7, + n=33 ) - ) + ).private_key(backend) # Test an iqmp > modulus. with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=11, - d=3, - dmp1=1, - dmq1=3, - iqmp=35, - public_numbers=rsa.RSAPublicNumbers( - e=7, - n=33 - ) + rsa.RSAPrivateNumbers( + p=3, + q=11, + d=3, + dmp1=1, + dmq1=3, + iqmp=35, + public_numbers=rsa.RSAPublicNumbers( + e=7, + n=33 ) - ) + ).private_key(backend) # Test a private_exponent > modulus with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=11, - d=37, - dmp1=1, - dmq1=3, - iqmp=2, - public_numbers=rsa.RSAPublicNumbers( - e=7, - n=33 - ) + rsa.RSAPrivateNumbers( + p=3, + q=11, + d=37, + dmp1=1, + dmq1=3, + iqmp=2, + public_numbers=rsa.RSAPublicNumbers( + e=7, + n=33 ) - ) + ).private_key(backend) # Test a public_exponent < 3 with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=11, - d=3, - dmp1=1, - dmq1=3, - iqmp=2, - public_numbers=rsa.RSAPublicNumbers( - e=1, - n=33 - ) + rsa.RSAPrivateNumbers( + p=3, + q=11, + d=3, + dmp1=1, + dmq1=3, + iqmp=2, + public_numbers=rsa.RSAPublicNumbers( + e=1, + n=33 ) - ) + ).private_key(backend) # Test a public_exponent > modulus with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=11, - d=3, - dmp1=1, - dmq1=3, - iqmp=35, - public_numbers=rsa.RSAPublicNumbers( - e=65537, - n=33 - ) + rsa.RSAPrivateNumbers( + p=3, + q=11, + d=3, + dmp1=1, + dmq1=3, + iqmp=35, + public_numbers=rsa.RSAPublicNumbers( + e=65537, + n=33 ) - ) + ).private_key(backend) # Test a public_exponent that is not odd. with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=11, - d=3, - dmp1=1, - dmq1=3, - iqmp=2, - public_numbers=rsa.RSAPublicNumbers( - e=6, - n=33 - ) + rsa.RSAPrivateNumbers( + p=3, + q=11, + d=3, + dmp1=1, + dmq1=3, + iqmp=2, + public_numbers=rsa.RSAPublicNumbers( + e=6, + n=33 ) - ) + ).private_key(backend) # Test a dmp1 that is not odd. with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=11, - d=3, - dmp1=2, - dmq1=3, - iqmp=2, - public_numbers=rsa.RSAPublicNumbers( - e=7, - n=33 - ) + rsa.RSAPrivateNumbers( + p=3, + q=11, + d=3, + dmp1=2, + dmq1=3, + iqmp=2, + public_numbers=rsa.RSAPublicNumbers( + e=7, + n=33 ) - ) + ).private_key(backend) # Test a dmq1 that is not odd. with pytest.raises(ValueError): - backend.load_rsa_private_numbers( - rsa.RSAPrivateNumbers( - p=3, - q=11, - d=3, - dmp1=1, - dmq1=4, - iqmp=2, - public_numbers=rsa.RSAPublicNumbers( - e=7, - n=33 - ) + rsa.RSAPrivateNumbers( + p=3, + q=11, + d=3, + dmp1=1, + dmq1=4, + iqmp=2, + public_numbers=rsa.RSAPublicNumbers( + e=7, + n=33 ) - ) + ).private_key(backend) diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py index ae990b64..8a90b30e 100644 --- a/tests/hazmat/primitives/test_serialization.py +++ b/tests/hazmat/primitives/test_serialization.py @@ -23,13 +23,9 @@ from cryptography.exceptions import _Reasons from cryptography.hazmat.primitives import interfaces from cryptography.hazmat.primitives.asymmetric import dsa from cryptography.hazmat.primitives.serialization import ( - load_pem_pkcs8_private_key, - load_pem_traditional_openssl_private_key, - load_rsa_private_numbers, - load_rsa_public_numbers + load_pem_pkcs8_private_key, load_pem_traditional_openssl_private_key ) -from .fixtures_rsa import RSA_KEY_1024 from .utils import _check_rsa_private_numbers, load_vectors_from_file from ...utils import raises_unsupported_algorithm @@ -553,18 +549,3 @@ class TestPKCS8Serialisation(object): pemfile.read().encode(), password, backend ) ) - - -@pytest.mark.rsa -class TestLoadRSANumbers(object): - def test_load_private_numbers(self, backend): - private_key = load_rsa_private_numbers(RSA_KEY_1024, backend) - assert private_key - assert private_key.private_numbers() - - def test_load_public_numbers(self, backend): - public_key = load_rsa_public_numbers( - RSA_KEY_1024.public_numbers, backend - ) - assert public_key - assert public_key.public_numbers() diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 54659aa9..49b73f01 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -28,9 +28,6 @@ from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.hazmat.primitives.kdf.hkdf import HKDF, HKDFExpand from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC -from cryptography.hazmat.primitives.serialization import ( - load_rsa_public_numbers -) from ...utils import load_vectors_from_file @@ -395,7 +392,7 @@ def rsa_verification_test(backend, params, hash_alg, pad_factory): e=params["public_exponent"], n=params["modulus"] ) - public_key = load_rsa_public_numbers(public_numbers, backend) + public_key = public_numbers.public_key(backend) pad = pad_factory(params, hash_alg) verifier = public_key.verifier( binascii.unhexlify(params["s"]), |