diff options
Diffstat (limited to 'tests')
26 files changed, 498 insertions, 194 deletions
diff --git a/tests/doubles.py b/tests/doubles.py new file mode 100644 index 00000000..2ff1942f --- /dev/null +++ b/tests/doubles.py @@ -0,0 +1,43 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import absolute_import, division, print_function + +from cryptography import utils +from cryptography.hazmat.primitives import hashes, serialization +from cryptography.hazmat.primitives.asymmetric import padding +from cryptography.hazmat.primitives.ciphers import CipherAlgorithm +from cryptography.hazmat.primitives.ciphers.modes import Mode + + +@utils.register_interface(CipherAlgorithm) +class DummyCipherAlgorithm(object): + name = "dummy-cipher" + block_size = 128 + key_size = None + + +@utils.register_interface(Mode) +class DummyMode(object): + name = "dummy-mode" + + def validate_for_algorithm(self, algorithm): + pass + + +@utils.register_interface(hashes.HashAlgorithm) +class DummyHashAlgorithm(object): + name = "dummy-hash" + block_size = None + digest_size = None + + +@utils.register_interface(serialization.KeySerializationEncryption) +class DummyKeySerializationEncryption(object): + pass + + +@utils.register_interface(padding.AsymmetricPadding) +class DummyAsymmetricPadding(object): + name = "dummy-padding" diff --git a/tests/hazmat/backends/test_commoncrypto.py b/tests/hazmat/backends/test_commoncrypto.py index f7200016..2b730e93 100644 --- a/tests/hazmat/backends/test_commoncrypto.py +++ b/tests/hazmat/backends/test_commoncrypto.py @@ -6,23 +6,16 @@ from __future__ import absolute_import, division, print_function import pytest -from cryptography import utils from cryptography.exceptions import InternalError, _Reasons from cryptography.hazmat.backends import _available_backends -from cryptography.hazmat.primitives.ciphers import Cipher, CipherAlgorithm +from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.hazmat.primitives.ciphers.algorithms import AES from cryptography.hazmat.primitives.ciphers.modes import CBC, GCM +from ...doubles import DummyCipherAlgorithm from ...utils import raises_unsupported_algorithm -@utils.register_interface(CipherAlgorithm) -class DummyCipher(object): - name = "dummy-cipher" - block_size = None - key_size = None - - @pytest.mark.skipif("commoncrypto" not in [i.name for i in _available_backends()], reason="CommonCrypto not available") @@ -55,7 +48,7 @@ class TestCommonCrypto(object): from cryptography.hazmat.backends.commoncrypto.backend import Backend b = Backend() cipher = Cipher( - DummyCipher(), GCM(b"fake_iv_here"), backend=b, + DummyCipherAlgorithm(), GCM(b"fake_iv_here"), backend=b, ) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): cipher.encryptor() diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py index 74835716..bf54d5ce 100644 --- a/tests/hazmat/backends/test_multibackend.py +++ b/tests/hazmat/backends/test_multibackend.py @@ -4,6 +4,8 @@ from __future__ import absolute_import, division, print_function +import pytest + from cryptography import utils from cryptography.exceptions import ( UnsupportedAlgorithm, _Reasons @@ -21,6 +23,10 @@ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from ...utils import raises_unsupported_algorithm +class DummyBackend(object): + pass + + @utils.register_interface(CipherBackend) class DummyCipherBackend(object): def __init__(self, supported_ciphers): @@ -226,6 +232,10 @@ class DummyX509Backend(object): class TestMultiBackend(object): + def test_raises_error_with_empty_list(self): + with pytest.raises(ValueError): + MultiBackend([]) + def test_ciphers(self): backend = MultiBackend([ DummyHashBackend([]), @@ -310,7 +320,7 @@ class TestMultiBackend(object): backend.load_rsa_public_numbers("public_numbers") - backend = MultiBackend([]) + backend = MultiBackend([DummyBackend()]) with raises_unsupported_algorithm( _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM ): @@ -353,7 +363,7 @@ class TestMultiBackend(object): backend.load_dsa_public_numbers("numbers") backend.load_dsa_parameter_numbers("numbers") - backend = MultiBackend([]) + backend = MultiBackend([DummyBackend()]) with raises_unsupported_algorithm( _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM ): @@ -491,7 +501,7 @@ class TestMultiBackend(object): backend.load_pem_private_key(b"keydata", None) backend.load_pem_public_key(b"keydata") - backend = MultiBackend([]) + backend = MultiBackend([DummyBackend()]) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION): backend.load_pem_private_key(b"keydata", None) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION): @@ -503,7 +513,7 @@ class TestMultiBackend(object): backend.load_der_private_key(b"keydata", None) backend.load_der_public_key(b"keydata") - backend = MultiBackend([]) + backend = MultiBackend([DummyBackend()]) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION): backend.load_der_private_key(b"keydata", None) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_SERIALIZATION): @@ -523,7 +533,7 @@ class TestMultiBackend(object): backend.create_x509_crl(object(), b"privatekey", hashes.SHA1()) backend.create_x509_revoked_certificate(object()) - backend = MultiBackend([]) + backend = MultiBackend([DummyBackend()]) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509): backend.load_pem_x509_certificate(b"certdata") with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_X509): diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 0b55a485..52bee7b3 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -21,15 +21,17 @@ from cryptography.hazmat.backends.openssl.backend import ( from cryptography.hazmat.backends.openssl.ec import _sn_to_elliptic_curve from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding -from cryptography.hazmat.primitives.ciphers import ( - BlockCipherAlgorithm, Cipher, CipherAlgorithm -) +from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.hazmat.primitives.ciphers.algorithms import AES -from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR, Mode +from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR from ..primitives.fixtures_dsa import DSA_KEY_2048 from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 from ..primitives.test_ec import _skip_curve_unsupported +from ...doubles import ( + DummyAsymmetricPadding, DummyCipherAlgorithm, DummyHashAlgorithm, DummyMode +) +from ...test_x509 import _load_cert from ...utils import load_vectors_from_file, raises_unsupported_algorithm @@ -47,32 +49,6 @@ class TestLibreSkip(object): skip_if_libre_ssl(u"LibreSSL 2.1.6") -@utils.register_interface(Mode) -class DummyMode(object): - name = "dummy-mode" - - def validate_for_algorithm(self, algorithm): - pass - - -@utils.register_interface(CipherAlgorithm) -class DummyCipher(object): - name = "dummy-cipher" - key_size = None - - -@utils.register_interface(padding.AsymmetricPadding) -class DummyPadding(object): - name = "dummy-cipher" - - -@utils.register_interface(hashes.HashAlgorithm) -class DummyHash(object): - name = "dummy-hash" - block_size = None - digest_size = None - - class DummyMGF(object): _salt_length = 0 @@ -111,12 +87,12 @@ class TestOpenSSL(object): def test_nonexistent_cipher(self, mode): b = Backend() b.register_cipher_adapter( - DummyCipher, + DummyCipherAlgorithm, type(mode), lambda backend, cipher, mode: backend._ffi.NULL ) cipher = Cipher( - DummyCipher(), mode, backend=b, + DummyCipherAlgorithm(), mode, backend=b, ) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): cipher.encryptor() @@ -268,7 +244,8 @@ class TestOpenSSLRandomEngine(object): subprocess.check_call( [sys.executable, "-c", engine_printer], env=env, - stdout=out + stdout=out, + stderr=subprocess.PIPE, ) osrandom_engine_name = backend._ffi.string( @@ -382,11 +359,11 @@ class TestOpenSSLRSA(object): def test_rsa_padding_unsupported_pss_mgf1_hash(self): assert backend.rsa_padding_supported( - padding.PSS(mgf=padding.MGF1(DummyHash()), salt_length=0) + padding.PSS(mgf=padding.MGF1(DummyHashAlgorithm()), salt_length=0) ) is False def test_rsa_padding_unsupported(self): - assert backend.rsa_padding_supported(DummyPadding()) is False + assert backend.rsa_padding_supported(DummyAsymmetricPadding()) is False def test_rsa_padding_supported_pkcs1v15(self): assert backend.rsa_padding_supported(padding.PKCS1v15()) is True @@ -461,12 +438,8 @@ class TestOpenSSLRSA(object): ) class TestOpenSSLCMAC(object): def test_unsupported_cipher(self): - @utils.register_interface(BlockCipherAlgorithm) - class FakeAlgorithm(object): - block_size = 64 - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): - backend.create_cmac_ctx(FakeAlgorithm()) + backend.create_cmac_ctx(DummyCipherAlgorithm()) class TestOpenSSLCreateX509CSR(object): @@ -497,7 +470,9 @@ class TestOpenSSLSignX509Certificate(object): private_key = RSA_KEY_2048.private_key(backend) with pytest.raises(TypeError): - backend.create_x509_certificate(object(), private_key, DummyHash()) + backend.create_x509_certificate( + object(), private_key, DummyHashAlgorithm() + ) @pytest.mark.skipif( backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000, @@ -682,3 +657,23 @@ class TestRSAPEMSerialization(object): serialization.PrivateFormat.PKCS8, serialization.BestAvailableEncryption(password) ) + + +class TestGOSTCertificate(object): + @pytest.mark.skipif( + backend._lib.OPENSSL_VERSION_NUMBER < 0x1000000f, + reason="Requires a newer OpenSSL. Must be >= 1.0.0" + ) + def test_numeric_string_x509_name_entry(self): + cert = _load_cert( + os.path.join("x509", "e-trust.ru.der"), + x509.load_der_x509_certificate, + backend + ) + with pytest.raises(ValueError) as exc: + cert.subject + + # We assert on the message in this case because if the certificate + # fails to load it will also raise a ValueError and this test could + # erroneously pass. + assert str(exc.value) == "Unsupported ASN1 string type. Type: 18" diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index 76a9218b..457799d3 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -6,7 +6,10 @@ from __future__ import absolute_import, division, print_function import pytest -from cryptography.hazmat.bindings.openssl.binding import Binding +from cryptography.exceptions import InternalError +from cryptography.hazmat.bindings.openssl.binding import ( + Binding, _OpenSSLErrorWithText, _openssl_assert +) class TestOpenSSL(object): @@ -149,3 +152,26 @@ class TestOpenSSL(object): else: with pytest.raises(AttributeError): b.lib.CMAC_Init + + def test_openssl_assert_error_on_stack(self): + b = Binding() + b.lib.ERR_put_error( + b.lib.ERR_LIB_EVP, + b.lib.EVP_F_EVP_ENCRYPTFINAL_EX, + b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, + b"", + -1 + ) + with pytest.raises(InternalError) as exc_info: + _openssl_assert(b.lib, False) + + assert exc_info.value.err_code == [_OpenSSLErrorWithText( + code=101183626, + lib=b.lib.ERR_LIB_EVP, + func=b.lib.EVP_F_EVP_ENCRYPTFINAL_EX, + reason=b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, + reason_text=( + b'error:0607F08A:digital envelope routines:EVP_EncryptFinal_' + b'ex:data not multiple of block length' + ) + )] diff --git a/tests/hazmat/primitives/fixtures_rsa.py b/tests/hazmat/primitives/fixtures_rsa.py index f93361de..a531783e 100644 --- a/tests/hazmat/primitives/fixtures_rsa.py +++ b/tests/hazmat/primitives/fixtures_rsa.py @@ -529,3 +529,75 @@ RSA_KEY_2048 = RSAPrivateNumbers( "de04fd053846ca10a223b10cc841cc80fdebee44f3114c13e886af583", 16), ) ) + +RSA_KEY_2048_ALT = RSAPrivateNumbers( + d=int( + "7522768467449591813737881904131688860626637897199391200040629" + "8641018746450502628484395471408986929218353894683769457466923" + "3079369551423094451013669595729568593462009746342148367797495" + "5529909313614750246672441810743580455199636293179539903480635" + "3091286716112931976896334411287175213124504134181121011488550" + "5290054443979198998564749640800633368957384058700741073997703" + "8877364695937023906368630297588990131009278072614118207348356" + "4640244134189285070202534488517371577359510236833464698189075" + "5160693085297816063285814039518178249628112908466649245545732" + "5791532385553960363601827996980725025898649392004494256400884" + "092073" + ), + dmp1=int( + "5847872614112935747739644055317429405973942336206460017493394" + "9737607778799766591021036792892472774720417920838206576785118" + "8889624058962939702950175807073343659386156232294197300491647" + "1029508414050591959344812347424476498076532682798598325230069" + "0925827594762920534235575029199380552228825468180187156871965" + "973" + ), + dmq1=int( + "2949536259161239302081155875068405238857801001054083407704879" + "8210876832264504685327766351157044892283801611558399025326793" + "4131638001934454489864437565651739832511702151461257267169691" + "6611992398459006200708626815153304591390855807749769768978152" + "9854112656599931724820610358669306523835327459478374630794532" + "167" + ), + iqmp=int( + "7331180989818931535458916053540252830484856703208982675535284" + "4613815808798190559315018094080936347757336989616401164752221" + "8101156529898067044923499386460167055405998646366011838018441" + "3678947694258190172377716154009305082091341215866326061721180" + "3836418654472188816187630316821692982783286322262994892003058" + "782" + ), + p=int( + "1460007723851883695617573533155574746587863843382715314919865" + "2434108956187429726002840717317310431378483921058946835896252" + "7109559207437158778332364464259678946305487699031865937075508" + "8616612925453842458055546540240601585731206561647892336916583" + "0023641764106581040198845259766246869529221084602380669333021" + "0819" + ), + q=int( + "1433897765867889178402883410610177836503402597775250087462018" + "4617952933433119527945447840336616357136736935069377619782227" + "2822380830300262175671282877680573202309319960687756231128996" + "9764855320953993690199846269451095044922353809602378616938811" + "7513900906279873343591486841303392490561500301994171338761080" + "4439" + ), + public_numbers=RSAPublicNumbers( + e=65537, + n=int( + "209350181338107812610165420955871971489973659392253291327" + "839812910252466502190690572476688311285621239204212139711" + "207388949164851984253143698667018532039612470954223918242" + "145976986600705122576087630525229796950722166468064721258" + "490916138706756006902066136471049807637157890128560592039" + "941717275079733754782848729566190631725183735944031456237" + "089928120178187552521649483240599003240074352860189285952" + "078970127554801074176375499583703254849309993132931268013" + "715070507278514207864914944621214574162116786377990456375" + "964817771730371110612100247262908550409785456157505694419" + "00451152778245269283276012328748538414051025541" + ) + ) +) diff --git a/tests/hazmat/primitives/test_3des.py b/tests/hazmat/primitives/test_3des.py index 0197353e..586afb47 100644 --- a/tests/hazmat/primitives/test_3des.py +++ b/tests/hazmat/primitives/test_3des.py @@ -22,7 +22,7 @@ from ...utils import load_nist_vectors @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.TripleDES("\x00" * 8), modes.CBC("\x00" * 8) + algorithms.TripleDES(b"\x00" * 8), modes.CBC(b"\x00" * 8) ), skip_message="Does not support TripleDES CBC", ) @@ -59,7 +59,7 @@ class TestTripleDESModeCBC(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.TripleDES("\x00" * 8), modes.OFB("\x00" * 8) + algorithms.TripleDES(b"\x00" * 8), modes.OFB(b"\x00" * 8) ), skip_message="Does not support TripleDES OFB", ) @@ -96,7 +96,7 @@ class TestTripleDESModeOFB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.TripleDES("\x00" * 8), modes.CFB("\x00" * 8) + algorithms.TripleDES(b"\x00" * 8), modes.CFB(b"\x00" * 8) ), skip_message="Does not support TripleDES CFB", ) @@ -133,7 +133,7 @@ class TestTripleDESModeCFB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.TripleDES("\x00" * 8), modes.CFB8("\x00" * 8) + algorithms.TripleDES(b"\x00" * 8), modes.CFB8(b"\x00" * 8) ), skip_message="Does not support TripleDES CFB8", ) diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index 2c3e5f90..8826aae8 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -18,7 +18,7 @@ from ...utils import load_nist_vectors @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.CBC("\x00" * 16) + algorithms.AES(b"\x00" * 16), modes.CBC(b"\x00" * 16) ), skip_message="Does not support AES CBC", ) @@ -84,7 +84,7 @@ class TestAESModeECB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.OFB("\x00" * 16) + algorithms.AES(b"\x00" * 16), modes.OFB(b"\x00" * 16) ), skip_message="Does not support AES OFB", ) @@ -117,7 +117,7 @@ class TestAESModeOFB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.CFB("\x00" * 16) + algorithms.AES(b"\x00" * 16), modes.CFB(b"\x00" * 16) ), skip_message="Does not support AES CFB", ) @@ -150,7 +150,7 @@ class TestAESModeCFB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.CFB8("\x00" * 16) + algorithms.AES(b"\x00" * 16), modes.CFB8(b"\x00" * 16) ), skip_message="Does not support AES CFB8", ) @@ -183,7 +183,7 @@ class TestAESModeCFB8(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.CTR("\x00" * 16) + algorithms.AES(b"\x00" * 16), modes.CTR(b"\x00" * 16) ), skip_message="Does not support AES CTR", ) @@ -200,7 +200,7 @@ class TestAESModeCTR(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) + algorithms.AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) ), skip_message="Does not support AES GCM", ) diff --git a/tests/hazmat/primitives/test_arc4.py b/tests/hazmat/primitives/test_arc4.py index 00fc95b0..1a173444 100644 --- a/tests/hazmat/primitives/test_arc4.py +++ b/tests/hazmat/primitives/test_arc4.py @@ -18,7 +18,7 @@ from ...utils import load_nist_vectors @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.ARC4("\x00" * 16), None + algorithms.ARC4(b"\x00" * 16), None ), skip_message="Does not support ARC4", ) diff --git a/tests/hazmat/primitives/test_block.py b/tests/hazmat/primitives/test_block.py index 1b3fc1cb..eb0a2c3b 100644 --- a/tests/hazmat/primitives/test_block.py +++ b/tests/hazmat/primitives/test_block.py @@ -8,7 +8,6 @@ import binascii import pytest -from cryptography import utils from cryptography.exceptions import ( AlreadyFinalized, _Reasons ) @@ -20,23 +19,10 @@ from cryptography.hazmat.primitives.ciphers import ( from .utils import ( generate_aead_exception_test, generate_aead_tag_exception_test ) +from ...doubles import DummyCipherAlgorithm, DummyMode from ...utils import raises_unsupported_algorithm -@utils.register_interface(modes.Mode) -class DummyMode(object): - name = "dummy-mode" - - def validate_for_algorithm(self, algorithm): - pass - - -@utils.register_interface(base.CipherAlgorithm) -class DummyCipher(object): - name = "dummy-cipher" - key_size = None - - @pytest.mark.requires_backend_interface(interface=CipherBackend) class TestCipher(object): def test_creates_encryptor(self, backend): @@ -107,7 +93,7 @@ class TestCipherContext(object): @pytest.mark.parametrize("mode", [DummyMode(), None]) def test_nonexistent_cipher(self, backend, mode): cipher = Cipher( - DummyCipher(), mode, backend + DummyCipherAlgorithm(), mode, backend ) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): cipher.encryptor() @@ -134,7 +120,7 @@ class TestCipherContext(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) + algorithms.AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) ), skip_message="Does not support AES GCM", ) @@ -191,3 +177,33 @@ class TestModeValidation(object): modes.CTR(b"abc"), backend, ) + + +class TestModesRequireBytes(object): + def test_cbc(self): + with pytest.raises(TypeError): + modes.CBC([1] * 16) + + def test_cfb(self): + with pytest.raises(TypeError): + modes.CFB([1] * 16) + + def test_cfb8(self): + with pytest.raises(TypeError): + modes.CFB8([1] * 16) + + def test_ofb(self): + with pytest.raises(TypeError): + modes.OFB([1] * 16) + + def test_ctr(self): + with pytest.raises(TypeError): + modes.CTR([1] * 16) + + def test_gcm_iv(self): + with pytest.raises(TypeError): + modes.GCM([1] * 16) + + def test_gcm_tag(self): + with pytest.raises(TypeError): + modes.GCM(b"\x00" * 16, [1] * 16) diff --git a/tests/hazmat/primitives/test_blowfish.py b/tests/hazmat/primitives/test_blowfish.py index de49e86d..0c38b981 100644 --- a/tests/hazmat/primitives/test_blowfish.py +++ b/tests/hazmat/primitives/test_blowfish.py @@ -18,7 +18,7 @@ from ...utils import load_nist_vectors @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.ECB() + algorithms.Blowfish(b"\x00" * 56), modes.ECB() ), skip_message="Does not support Blowfish ECB", ) @@ -35,7 +35,7 @@ class TestBlowfishModeECB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.CBC("\x00" * 8) + algorithms.Blowfish(b"\x00" * 56), modes.CBC(b"\x00" * 8) ), skip_message="Does not support Blowfish CBC", ) @@ -52,7 +52,7 @@ class TestBlowfishModeCBC(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.OFB("\x00" * 8) + algorithms.Blowfish(b"\x00" * 56), modes.OFB(b"\x00" * 8) ), skip_message="Does not support Blowfish OFB", ) @@ -69,7 +69,7 @@ class TestBlowfishModeOFB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.CFB("\x00" * 8) + algorithms.Blowfish(b"\x00" * 56), modes.CFB(b"\x00" * 8) ), skip_message="Does not support Blowfish CFB", ) diff --git a/tests/hazmat/primitives/test_camellia.py b/tests/hazmat/primitives/test_camellia.py index 8bdcb309..87fcfe3d 100644 --- a/tests/hazmat/primitives/test_camellia.py +++ b/tests/hazmat/primitives/test_camellia.py @@ -20,7 +20,7 @@ from ...utils import ( @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.ECB() + algorithms.Camellia(b"\x00" * 16), modes.ECB() ), skip_message="Does not support Camellia ECB", ) @@ -41,7 +41,7 @@ class TestCamelliaModeECB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.CBC("\x00" * 16) + algorithms.Camellia(b"\x00" * 16), modes.CBC(b"\x00" * 16) ), skip_message="Does not support Camellia CBC", ) @@ -58,7 +58,7 @@ class TestCamelliaModeCBC(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.OFB("\x00" * 16) + algorithms.Camellia(b"\x00" * 16), modes.OFB(b"\x00" * 16) ), skip_message="Does not support Camellia OFB", ) @@ -75,7 +75,7 @@ class TestCamelliaModeOFB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.CFB("\x00" * 16) + algorithms.Camellia(b"\x00" * 16), modes.CFB(b"\x00" * 16) ), skip_message="Does not support Camellia CFB", ) diff --git a/tests/hazmat/primitives/test_cast5.py b/tests/hazmat/primitives/test_cast5.py index 0e4f879c..59af84f5 100644 --- a/tests/hazmat/primitives/test_cast5.py +++ b/tests/hazmat/primitives/test_cast5.py @@ -18,7 +18,7 @@ from ...utils import load_nist_vectors @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.CAST5("\x00" * 16), modes.ECB() + algorithms.CAST5(b"\x00" * 16), modes.ECB() ), skip_message="Does not support CAST5 ECB", ) @@ -35,7 +35,7 @@ class TestCAST5ModeECB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.CAST5("\x00" * 16), modes.CBC("\x00" * 8) + algorithms.CAST5(b"\x00" * 16), modes.CBC(b"\x00" * 8) ), skip_message="Does not support CAST5 CBC", ) @@ -52,7 +52,7 @@ class TestCAST5ModeCBC(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.CAST5("\x00" * 16), modes.OFB("\x00" * 8) + algorithms.CAST5(b"\x00" * 16), modes.OFB(b"\x00" * 8) ), skip_message="Does not support CAST5 OFB", ) @@ -69,7 +69,7 @@ class TestCAST5ModeOFB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.CAST5("\x00" * 16), modes.CFB("\x00" * 8) + algorithms.CAST5(b"\x00" * 16), modes.CFB(b"\x00" * 8) ), skip_message="Does not support CAST5 CFB", ) @@ -86,7 +86,7 @@ class TestCAST5ModeCFB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.CAST5("\x00" * 16), modes.CTR("\x00" * 8) + algorithms.CAST5(b"\x00" * 16), modes.CTR(b"\x00" * 8) ), skip_message="Does not support CAST5 CTR", ) diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index fcfda614..b02cadc8 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -9,7 +9,6 @@ import os import pytest -from cryptography import utils from cryptography.exceptions import AlreadyFinalized, InvalidSignature from cryptography.hazmat.backends.interfaces import ( DSABackend, PEMSerializationBackend @@ -24,24 +23,13 @@ from cryptography.utils import bit_length from .fixtures_dsa import ( DSA_KEY_1024, DSA_KEY_2048, DSA_KEY_3072 ) +from ...doubles import DummyHashAlgorithm, DummyKeySerializationEncryption from ...utils import ( load_fips_dsa_key_pair_vectors, load_fips_dsa_sig_vectors, load_vectors_from_file, ) -@utils.register_interface(serialization.KeySerializationEncryption) -class DummyKeyEncryption(object): - pass - - -@utils.register_interface(hashes.HashAlgorithm) -class DummyHashAlgorithm(object): - name = "dummy" - digest_size = 32 - block_size = 64 - - def _skip_if_dsa_not_supported(backend, algorithm, p, q, g): if ( not backend.dsa_parameters_supported(p, q, g) or @@ -994,7 +982,7 @@ class TestDSASerialization(object): key.private_bytes( serialization.Encoding.PEM, serialization.PrivateFormat.TraditionalOpenSSL, - DummyKeyEncryption() + DummyKeySerializationEncryption() ) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 600ea27f..08619b48 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -23,6 +23,7 @@ from cryptography.hazmat.primitives.asymmetric.utils import ( ) from .fixtures_ec import EC_KEY_SECP384R1 +from ...doubles import DummyKeySerializationEncryption from ...utils import ( load_fips_ecdsa_key_pair_vectors, load_fips_ecdsa_signing_vectors, load_kasvs_ecdh_vectors, load_vectors_from_file, @@ -81,11 +82,6 @@ class DummySignatureAlgorithm(object): algorithm = None -@utils.register_interface(serialization.KeySerializationEncryption) -class DummyKeyEncryption(object): - pass - - @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) def test_skip_curve_unsupported(backend): with pytest.raises(pytest.skip.Exception): @@ -741,7 +737,7 @@ class TestECSerialization(object): key.private_bytes( serialization.Encoding.PEM, serialization.PrivateFormat.TraditionalOpenSSL, - DummyKeyEncryption() + DummyKeySerializationEncryption() ) def test_public_bytes_from_derived_public_key(self, backend): diff --git a/tests/hazmat/primitives/test_hashes.py b/tests/hazmat/primitives/test_hashes.py index 8f7fdb18..a109c219 100644 --- a/tests/hazmat/primitives/test_hashes.py +++ b/tests/hazmat/primitives/test_hashes.py @@ -8,23 +8,16 @@ import pretend import pytest -from cryptography import utils from cryptography.exceptions import AlreadyFinalized, _Reasons from cryptography.hazmat.backends.interfaces import HashBackend from cryptography.hazmat.primitives import hashes from .utils import generate_base_hash_test from ..backends.test_multibackend import DummyHashBackend +from ...doubles import DummyHashAlgorithm from ...utils import raises_unsupported_algorithm -@utils.register_interface(hashes.HashAlgorithm) -class UnsupportedDummyHash(object): - name = "unsupported-dummy-hash" - block_size = None - digest_size = None - - @pytest.mark.requires_backend_interface(interface=HashBackend) class TestHashContext(object): def test_hash_reject_unicode(self, backend): @@ -59,7 +52,7 @@ class TestHashContext(object): def test_unsupported_hash(self, backend): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): - hashes.Hash(UnsupportedDummyHash(), backend) + hashes.Hash(DummyHashAlgorithm(), backend) @pytest.mark.supported( diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 83b18cbc..82082a2d 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -8,7 +8,6 @@ import pretend import pytest -from cryptography import utils from cryptography.exceptions import ( AlreadyFinalized, InvalidSignature, _Reasons ) @@ -17,16 +16,10 @@ from cryptography.hazmat.primitives import hashes, hmac from .utils import generate_base_hmac_test from ..backends.test_multibackend import DummyHMACBackend +from ...doubles import DummyHashAlgorithm from ...utils import raises_unsupported_algorithm -@utils.register_interface(hashes.HashAlgorithm) -class UnsupportedDummyHash(object): - name = "unsupported-dummy-hash" - block_size = None - digest_size = None - - @pytest.mark.supported( only_if=lambda backend: backend.hmac_supported(hashes.MD5()), skip_message="Does not support MD5", @@ -95,7 +88,7 @@ class TestHMAC(object): def test_unsupported_hash(self, backend): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): - hmac.HMAC(b"key", UnsupportedDummyHash(), backend) + hmac.HMAC(b"key", DummyHashAlgorithm(), backend) def test_invalid_backend(): diff --git a/tests/hazmat/primitives/test_idea.py b/tests/hazmat/primitives/test_idea.py index 1b15ed67..75116dc1 100644 --- a/tests/hazmat/primitives/test_idea.py +++ b/tests/hazmat/primitives/test_idea.py @@ -18,7 +18,7 @@ from ...utils import load_nist_vectors @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.IDEA("\x00" * 16), modes.ECB() + algorithms.IDEA(b"\x00" * 16), modes.ECB() ), skip_message="Does not support IDEA ECB", ) @@ -35,7 +35,7 @@ class TestIDEAModeECB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.IDEA("\x00" * 16), modes.CBC("\x00" * 8) + algorithms.IDEA(b"\x00" * 16), modes.CBC(b"\x00" * 8) ), skip_message="Does not support IDEA CBC", ) @@ -52,7 +52,7 @@ class TestIDEAModeCBC(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.IDEA("\x00" * 16), modes.OFB("\x00" * 8) + algorithms.IDEA(b"\x00" * 16), modes.OFB(b"\x00" * 8) ), skip_message="Does not support IDEA OFB", ) @@ -69,7 +69,7 @@ class TestIDEAModeOFB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.IDEA("\x00" * 16), modes.CFB("\x00" * 8) + algorithms.IDEA(b"\x00" * 16), modes.CFB(b"\x00" * 8) ), skip_message="Does not support IDEA CFB", ) diff --git a/tests/hazmat/primitives/test_keywrap.py b/tests/hazmat/primitives/test_keywrap.py index f1238c9a..f41baedb 100644 --- a/tests/hazmat/primitives/test_keywrap.py +++ b/tests/hazmat/primitives/test_keywrap.py @@ -29,7 +29,7 @@ class TestAESKeyWrap(object): ) @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.ECB() + algorithms.AES(b"\x00" * 16), modes.ECB() ), skip_message="Does not support AES key wrap (RFC 3394) because AES-ECB" " is unsupported", @@ -50,7 +50,7 @@ class TestAESKeyWrap(object): ) @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.ECB() + algorithms.AES(b"\x00" * 16), modes.ECB() ), skip_message="Does not support AES key wrap (RFC 3394) because AES-ECB" " is unsupported", @@ -69,7 +69,7 @@ class TestAESKeyWrap(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.ECB() + algorithms.AES(b"\x00" * 16), modes.ECB() ), skip_message="Does not support AES key wrap (RFC 3394) because AES-ECB" " is unsupported", @@ -81,7 +81,7 @@ class TestAESKeyWrap(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.ECB() + algorithms.AES(b"\x00" * 16), modes.ECB() ), skip_message="Does not support AES key wrap (RFC 3394) because AES-ECB" " is unsupported", @@ -92,7 +92,7 @@ class TestAESKeyWrap(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.ECB() + algorithms.AES(b"\x00" * 16), modes.ECB() ), skip_message="Does not support AES key wrap (RFC 3394) because AES-ECB" " is unsupported", diff --git a/tests/hazmat/primitives/test_pbkdf2hmac.py b/tests/hazmat/primitives/test_pbkdf2hmac.py index 7fb6bbd6..d971ebd0 100644 --- a/tests/hazmat/primitives/test_pbkdf2hmac.py +++ b/tests/hazmat/primitives/test_pbkdf2hmac.py @@ -6,7 +6,6 @@ from __future__ import absolute_import, division, print_function import pytest -from cryptography import utils from cryptography.exceptions import ( AlreadyFinalized, InvalidKey, _Reasons ) @@ -14,16 +13,10 @@ from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +from ...doubles import DummyHashAlgorithm from ...utils import raises_unsupported_algorithm -@utils.register_interface(hashes.HashAlgorithm) -class DummyHash(object): - name = "dummy-hash" - block_size = None - digest_size = None - - class TestPBKDF2HMAC(object): def test_already_finalized(self): kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) @@ -43,7 +36,9 @@ class TestPBKDF2HMAC(object): def test_unsupported_algorithm(self): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): - PBKDF2HMAC(DummyHash(), 20, b"salt", 10, default_backend()) + PBKDF2HMAC( + DummyHashAlgorithm(), 20, b"salt", 10, default_backend() + ) def test_invalid_key(self): kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index c0b8923f..2331a935 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -11,7 +11,6 @@ import os import pytest -from cryptography import utils from cryptography.exceptions import ( AlreadyFinalized, InvalidSignature, _Reasons ) @@ -27,39 +26,25 @@ from cryptography.hazmat.primitives.asymmetric.rsa import ( from .fixtures_rsa import ( RSA_KEY_1024, RSA_KEY_1025, RSA_KEY_1026, RSA_KEY_1027, RSA_KEY_1028, RSA_KEY_1029, RSA_KEY_1030, RSA_KEY_1031, RSA_KEY_1536, RSA_KEY_2048, - RSA_KEY_512, RSA_KEY_512_ALT, RSA_KEY_522, RSA_KEY_599, RSA_KEY_745, - RSA_KEY_768, + RSA_KEY_2048_ALT, RSA_KEY_512, RSA_KEY_512_ALT, RSA_KEY_522, RSA_KEY_599, + RSA_KEY_745, RSA_KEY_768, ) from .utils import ( _check_rsa_private_numbers, generate_rsa_verification_test ) +from ...doubles import ( + DummyAsymmetricPadding, DummyHashAlgorithm, DummyKeySerializationEncryption +) from ...utils import ( load_pkcs1_vectors, load_rsa_nist_vectors, load_vectors_from_file, raises_unsupported_algorithm ) -@utils.register_interface(padding.AsymmetricPadding) -class DummyPadding(object): - name = "UNSUPPORTED-PADDING" - - class DummyMGF(object): _salt_length = 0 -@utils.register_interface(serialization.KeySerializationEncryption) -class DummyKeyEncryption(object): - pass - - -@utils.register_interface(hashes.HashAlgorithm) -class DummyHashAlgorithm(object): - name = "dummy-hash" - digest_size = 32 - block_size = 64 - - def _check_rsa_private_numbers_if_serializable(key): if isinstance(key, rsa.RSAPrivateKeyWithSerialization): _check_rsa_private_numbers(key.private_numbers()) @@ -405,7 +390,7 @@ class TestRSASignature(object): def test_unsupported_padding(self, backend): private_key = RSA_KEY_512.private_key(backend) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): - private_key.signer(DummyPadding(), hashes.SHA1()) + private_key.signer(DummyAsymmetricPadding(), hashes.SHA1()) def test_padding_incorrect_type(self, backend): private_key = RSA_KEY_512.private_key(backend) @@ -703,7 +688,9 @@ class TestRSAVerification(object): private_key = RSA_KEY_512.private_key(backend) public_key = private_key.public_key() with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): - public_key.verifier(b"sig", DummyPadding(), hashes.SHA1()) + public_key.verifier( + b"sig", DummyAsymmetricPadding(), hashes.SHA1() + ) @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( @@ -1130,7 +1117,7 @@ class TestRSADecryption(object): def test_unsupported_padding(self, backend): private_key = RSA_KEY_512.private_key(backend) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): - private_key.decrypt(b"0" * 64, DummyPadding()) + private_key.decrypt(b"0" * 64, DummyAsymmetricPadding()) @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( @@ -1257,6 +1244,44 @@ class TestRSADecryption(object): ) ) + @pytest.mark.supported( + only_if=lambda backend: backend.rsa_padding_supported( + padding.OAEP( + mgf=padding.MGF1(algorithm=hashes.SHA1()), + algorithm=hashes.SHA1(), + label=None + ) + ), + skip_message="Does not support OAEP." + ) + def test_invalid_oaep_decryption_data_to_large_for_modulus(self, backend): + key = RSA_KEY_2048_ALT.private_key(backend) + + ciphertext = ( + b'\xb1ph\xc0\x0b\x1a|\xe6\xda\xea\xb5\xd7%\x94\x07\xf96\xfb\x96' + b'\x11\x9b\xdc4\xea.-\x91\x80\x13S\x94\x04m\xe9\xc5/F\x1b\x9b:\\' + b'\x1d\x04\x16ML\xae\xb32J\x01yuA\xbb\x83\x1c\x8f\xf6\xa5\xdbp\xcd' + b'\nx\xc7\xf6\x15\xb2/\xdcH\xae\xe7\x13\x13by\r4t\x99\x0fc\x1f\xc1' + b'\x1c\xb1\xdd\xc5\x08\xd1\xee\xa1XQ\xb8H@L5v\xc3\xaf\xf2\r\x97' + b'\xed\xaa\xe7\xf1\xd4xai\xd3\x83\xd9\xaa9\xbfx\xe1\x87F \x01\xff' + b'L\xccv}ae\xb3\xfa\xf2B\xb8\xf9\x04H\x94\x85\xcb\x86\xbb\\ghx!W31' + b'\xc7;t\na_E\xc2\x16\xb0;\xa1\x18\t\x1b\xe1\xdb\x80>)\x15\xc6\x12' + b'\xcb\xeeg`\x8b\x9b\x1b\x05y4\xb0\x84M6\xcd\xa1\x827o\xfd\x96\xba' + b'Z#\x8d\xae\x01\xc9\xf2\xb6\xde\x89{8&eQ\x1e8\x03\x01#?\xb66\\' + b'\xad.\xe9\xfa!\x95 c{\xcaz\xe0*\tP\r\x91\x9a)B\xb5\xadN\xf4$\x83' + b'\t\xb5u\xab\x19\x99' + ) + + with pytest.raises(ValueError): + key.decrypt( + ciphertext, + padding.OAEP( + algorithm=hashes.SHA1(), + mgf=padding.MGF1(hashes.SHA1()), + label=None + ) + ) + def test_unsupported_oaep_mgf(self, backend): private_key = RSA_KEY_512.private_key(backend) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_MGF): @@ -1370,7 +1395,7 @@ class TestRSAEncryption(object): public_key = private_key.public_key() with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_PADDING): - public_key.encrypt(b"somedata", DummyPadding()) + public_key.encrypt(b"somedata", DummyAsymmetricPadding()) with pytest.raises(TypeError): public_key.encrypt(b"somedata", padding=object()) @@ -1995,7 +2020,7 @@ class TestRSAPrivateKeySerialization(object): key.private_bytes( serialization.Encoding.PEM, serialization.PrivateFormat.TraditionalOpenSSL, - DummyKeyEncryption() + DummyKeySerializationEncryption() ) diff --git a/tests/hazmat/primitives/test_seed.py b/tests/hazmat/primitives/test_seed.py index 7697bd8b..29cae4fe 100644 --- a/tests/hazmat/primitives/test_seed.py +++ b/tests/hazmat/primitives/test_seed.py @@ -18,7 +18,7 @@ from ...utils import load_nist_vectors @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.SEED("\x00" * 16), modes.ECB() + algorithms.SEED(b"\x00" * 16), modes.ECB() ), skip_message="Does not support SEED ECB", ) @@ -35,7 +35,7 @@ class TestSEEDModeECB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.SEED("\x00" * 16), modes.CBC("\x00" * 16) + algorithms.SEED(b"\x00" * 16), modes.CBC(b"\x00" * 16) ), skip_message="Does not support SEED CBC", ) @@ -52,7 +52,7 @@ class TestSEEDModeCBC(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.SEED("\x00" * 16), modes.OFB("\x00" * 16) + algorithms.SEED(b"\x00" * 16), modes.OFB(b"\x00" * 16) ), skip_message="Does not support SEED OFB", ) @@ -69,7 +69,7 @@ class TestSEEDModeOFB(object): @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.SEED("\x00" * 16), modes.CFB("\x00" * 16) + algorithms.SEED(b"\x00" * 16), modes.CFB(b"\x00" * 16) ), skip_message="Does not support SEED CFB", ) diff --git a/tests/hazmat/primitives/test_x963_vectors.py b/tests/hazmat/primitives/test_x963_vectors.py index 0332e601..b09d1653 100644 --- a/tests/hazmat/primitives/test_x963_vectors.py +++ b/tests/hazmat/primitives/test_x963_vectors.py @@ -9,22 +9,15 @@ import os import pytest -from cryptography import utils from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends.interfaces import HashBackend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.kdf.x963kdf import X963KDF +from ...doubles import DummyHashAlgorithm from ...utils import load_vectors_from_file, load_x963_vectors -@utils.register_interface(hashes.HashAlgorithm) -class UnsupportedDummyHash(object): - name = "unsupported-dummy-hash" - block_size = None - digest_size = None - - def _skip_hashfn_unsupported(backend, hashfn): if not backend.hash_supported(hashfn): pytest.skip( @@ -69,4 +62,4 @@ class TestX963(object): xkdf.verify(key, key_data) def test_unsupported_hash(self, backend): - _skip_hashfn_unsupported(backend, UnsupportedDummyHash()) + _skip_hashfn_unsupported(backend, DummyHashAlgorithm()) diff --git a/tests/test_fernet.py b/tests/test_fernet.py index c272eec0..dbce44fb 100644 --- a/tests/test_fernet.py +++ b/tests/test_fernet.py @@ -45,7 +45,7 @@ def test_default_backend(): @pytest.mark.requires_backend_interface(interface=HMACBackend) @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 32), modes.CBC("\x00" * 16) + algorithms.AES(b"\x00" * 32), modes.CBC(b"\x00" * 16) ), skip_message="Does not support AES CBC", ) @@ -126,7 +126,7 @@ class TestFernet(object): @pytest.mark.requires_backend_interface(interface=HMACBackend) @pytest.mark.supported( only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 32), modes.CBC("\x00" * 16) + algorithms.AES(b"\x00" * 32), modes.CBC(b"\x00" * 16) ), skip_message="Does not support AES CBC", ) diff --git a/tests/test_x509.py b/tests/test_x509.py index 6145edb1..aaeefae9 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1241,6 +1241,22 @@ class TestRSACertificateRequest(object): with pytest.raises(TypeError): request.public_bytes('NotAnEncoding') + def test_signature_invalid(self, backend): + request = _load_cert( + os.path.join("x509", "requests", "invalid_signature.pem"), + x509.load_pem_x509_csr, + backend + ) + assert not request.is_signature_valid + + def test_signature_valid(self, backend): + request = _load_cert( + os.path.join("x509", "requests", "rsa_sha256.pem"), + x509.load_pem_x509_csr, + backend + ) + assert request.is_signature_valid + @pytest.mark.parametrize( ("request_path", "loader_func", "encoding"), [ @@ -2209,6 +2225,54 @@ class TestCertificateBuilder(object): ) assert ext.value == x509.InhibitAnyPolicy(3) + @pytest.mark.parametrize( + "pc", + [ + x509.PolicyConstraints( + require_explicit_policy=None, + inhibit_policy_mapping=1 + ), + x509.PolicyConstraints( + require_explicit_policy=3, + inhibit_policy_mapping=1 + ), + x509.PolicyConstraints( + require_explicit_policy=0, + inhibit_policy_mapping=None + ), + ] + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_policy_constraints(self, backend, pc): + issuer_private_key = RSA_KEY_2048.private_key(backend) + subject_private_key = RSA_KEY_2048.private_key(backend) + + not_valid_before = datetime.datetime(2002, 1, 1, 12, 1) + not_valid_after = datetime.datetime(2030, 12, 31, 8, 30) + + cert = x509.CertificateBuilder().subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).not_valid_before( + not_valid_before + ).not_valid_after( + not_valid_after + ).public_key( + subject_private_key.public_key() + ).serial_number( + 123 + ).add_extension( + pc, critical=False + ).sign(issuer_private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_class( + x509.PolicyConstraints + ) + assert ext.critical is False + assert ext.value == pc + @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_name_constraints(self, backend): @@ -2318,6 +2382,39 @@ class TestCertificateBuilder(object): ) assert basic_constraints.value.path_length is None + @pytest.mark.parametrize( + "unrecognized", [ + x509.UnrecognizedExtension( + x509.ObjectIdentifier("1.2.3.4.5"), + b"abcdef", + ) + ] + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_unrecognized_extension(self, backend, unrecognized): + private_key = RSA_KEY_2048.private_key(backend) + + cert = x509.CertificateBuilder().subject_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US')]) + ).not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ).not_valid_after( + datetime.datetime(2030, 12, 31, 8, 30) + ).public_key( + private_key.public_key() + ).serial_number( + 123 + ).add_extension( + unrecognized, critical=False + ).sign(private_key, hashes.SHA256(), backend) + + ext = cert.extensions.get_extension_for_oid(unrecognized.oid) + + assert ext.value == unrecognized + @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): @@ -3327,6 +3424,20 @@ class TestNameAttribute(object): b'bytes' ) + def test_init_bad_country_code_value(self): + with pytest.raises(ValueError): + x509.NameAttribute( + NameOID.COUNTRY_NAME, + u'United States' + ) + + # unicode string of length 2, but > 2 bytes + with pytest.raises(ValueError): + x509.NameAttribute( + NameOID.COUNTRY_NAME, + u'\U0001F37A\U0001F37A' + ) + def test_eq(self): assert x509.NameAttribute( x509.ObjectIdentifier('2.999.1'), u'value' diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index ceb11dfe..28ddab87 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -2280,6 +2280,39 @@ class TestPolicyConstraints(object): assert pc != object() +@pytest.mark.requires_backend_interface(interface=RSABackend) +@pytest.mark.requires_backend_interface(interface=X509Backend) +class TestPolicyConstraintsExtension(object): + def test_inhibit_policy_mapping(self, backend): + cert = _load_cert( + os.path.join("x509", "department-of-state-root.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.POLICY_CONSTRAINTS, + ) + assert ext.critical is True + + assert ext.value == x509.PolicyConstraints( + require_explicit_policy=None, inhibit_policy_mapping=0, + ) + + def test_require_explicit_policy(self, backend): + cert = _load_cert( + os.path.join("x509", "custom", "policy_constraints_explicit.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.POLICY_CONSTRAINTS + ) + assert ext.critical is True + assert ext.value == x509.PolicyConstraints( + require_explicit_policy=1, inhibit_policy_mapping=None, + ) + + class TestAuthorityInformationAccess(object): def test_invalid_descriptions(self): with pytest.raises(TypeError): @@ -2601,6 +2634,28 @@ class TestAuthorityKeyIdentifierExtension(object): ) assert ext.value == aki + def test_from_issuer_subject_key_identifier(self, backend): + issuer_cert = _load_cert( + os.path.join("x509", "rapidssl_sha256_ca_g3.pem"), + x509.load_pem_x509_certificate, + backend + ) + cert = _load_cert( + os.path.join("x509", "cryptography.io.pem"), + x509.load_pem_x509_certificate, + backend + ) + ext = cert.extensions.get_extension_for_oid( + ExtensionOID.AUTHORITY_KEY_IDENTIFIER + ) + ski = issuer_cert.extensions.get_extension_for_class( + x509.SubjectKeyIdentifier + ) + aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( + ski + ) + assert ext.value == aki + class TestNameConstraints(object): def test_ipaddress_wrong_type(self): |