From d77b97a4226b83e1c00e2673c11662a8b5422639 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 7 Jul 2014 13:38:07 -0700 Subject: Advanced and remove the deprecated MGF1 sale length code --- cryptography/hazmat/backends/openssl/rsa.py | 5 +- .../hazmat/primitives/asymmetric/padding.py | 40 ++------- cryptography/utils.py | 3 +- docs/hazmat/primitives/asymmetric/padding.rst | 4 +- tests/hazmat/primitives/test_rsa.py | 100 ++++----------------- 5 files changed, 27 insertions(+), 125 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/rsa.py b/cryptography/hazmat/backends/openssl/rsa.py index 6f28c541..21ac1573 100644 --- a/cryptography/hazmat/backends/openssl/rsa.py +++ b/cryptography/hazmat/backends/openssl/rsa.py @@ -30,10 +30,7 @@ from cryptography.hazmat.primitives.interfaces import ( def _get_rsa_pss_salt_length(pss, key_size, digest_size): - if pss._mgf._salt_length is not None: - salt = pss._mgf._salt_length - else: - salt = pss._salt_length + salt = pss._salt_length if salt is MGF1.MAX_LENGTH or salt is PSS.MAX_LENGTH: # bit length - 1 per RFC 3447 diff --git a/cryptography/hazmat/primitives/asymmetric/padding.py b/cryptography/hazmat/primitives/asymmetric/padding.py index d44bbda5..2ed73d1b 100644 --- a/cryptography/hazmat/primitives/asymmetric/padding.py +++ b/cryptography/hazmat/primitives/asymmetric/padding.py 
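Review bot: The `salt is MGF1.MAX_LENGTH` half of the condition directly below the new `salt = pss._salt_length` line can no longer be true. The salt is now read only from the PSS object, and `PSS.__init__` in padding.py (same commit) raises TypeError for any non-integer other than `PSS.MAX_LENGTH`. `MGF1.MAX_LENGTH` is a separate `object()`, which the MGF1 hunk leaves in place as a context line. I would narrow the test to `if salt is PSS.MAX_LENGTH:` and either remove the MGF1 attribute or define it as `MAX_LENGTH = PSS.MAX_LENGTH`, so the maximum-salt path has a single sentinel. The rest of `_get_rsa_pss_salt_length` lies outside the hunk.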
@@ -31,23 +31,15 @@ class PSS(object): MAX_LENGTH = object() name = "EMSA-PSS" - def __init__(self, mgf, salt_length=None): + def __init__(self, mgf, salt_length): self._mgf = mgf - if salt_length is None: - warnings.warn( - "salt_length is deprecated on MGF1 and should be added via the" - " PSS constructor.", - utils.DeprecatedIn04, - stacklevel=2 - ) - else: - if (not isinstance(salt_length, six.integer_types) and - salt_length is not self.MAX_LENGTH): - raise TypeError("salt_length must be an integer.") - - if salt_length is not self.MAX_LENGTH and salt_length < 0: - raise ValueError("salt_length must be zero or greater.") + if (not isinstance(salt_length, six.integer_types) and + salt_length is not self.MAX_LENGTH): + raise TypeError("salt_length must be an integer.") + + if salt_length is not self.MAX_LENGTH and salt_length < 0: + raise ValueError("salt_length must be zero or greater.") if salt_length is None and self._mgf._salt_length is None: raise ValueError("You must supply salt_length.") @@ -71,24 +63,8 @@ class OAEP(object): class MGF1(object): MAX_LENGTH = object() - def __init__(self, algorithm, salt_length=None): + def __init__(self, algorithm): if not isinstance(algorithm, interfaces.HashAlgorithm): raise TypeError("Expected instance of interfaces.HashAlgorithm.") self._algorithm = algorithm - - if salt_length is not None: - warnings.warn( - "salt_length is deprecated on MGF1 and should be passed to " - "the PSS constructor instead.", - utils.DeprecatedIn04, - stacklevel=2 - ) - if (not isinstance(salt_length, six.integer_types) and - salt_length is not self.MAX_LENGTH): - raise TypeError("salt_length must be an integer.") - - if salt_length is not self.MAX_LENGTH and salt_length < 0: - raise ValueError("salt_length must be zero or greater.") - - self._salt_length = salt_length diff --git a/cryptography/utils.py b/cryptography/utils.py index 1db16151..9c574085 100644 --- a/cryptography/utils.py +++ b/cryptography/utils.py 
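Review bot: The TypeError raised in `PSS.__init__` says only "salt_length must be an integer.", although the check just above it also accepts `PSS.MAX_LENGTH`. Now that `salt_length` is a required argument, a caller who moves the old `MGF1.MAX_LENGTH` value over to PSS hits this error with no hint of the accepted sentinel. I would reword it to `raise TypeError("salt_length must be an integer or PSS.MAX_LENGTH.")` and add a short docstring to `__init__` naming the two accepted forms (a non-negative integer, or `PSS.MAX_LENGTH`).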
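Review bot: `MGF1.__init__` now takes only `algorithm`, but the prose kept as a context line in docs/hazmat/primitives/asymmetric/padding.rst still reads "It takes a hash algorithm and a salt length." That sentence should become `It takes a hash algorithm.` in the same commit. If the class documentation below the docs hunk still lists a `salt_length` parameter (not visible here), that entry should be removed as well.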
@@ -16,8 +16,7 @@ from __future__ import absolute_import, division, print_function import sys -DeprecatedIn04 = DeprecationWarning -DeprecatedIn05 = PendingDeprecationWarning +DeprecatedIn05 = DeprecationWarning def register_interface(iface): diff --git a/docs/hazmat/primitives/asymmetric/padding.rst b/docs/hazmat/primitives/asymmetric/padding.rst index 40084799..00c77590 100644 --- a/docs/hazmat/primitives/asymmetric/padding.rst +++ b/docs/hazmat/primitives/asymmetric/padding.rst @@ -63,8 +63,8 @@ Mask generation functions .. versionadded:: 0.3 - .. versionchanged:: 0.4 - Deprecated the ``salt_length`` parameter. + .. versionchanged:: 0.6 + Removed the deprecated ``salt_length`` parameter. MGF1 (Mask Generation Function 1) is used as the mask generation function in :class:`PSS` padding. It takes a hash algorithm and a salt length. diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 04908453..94cc6d3f 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py 
@@ -511,46 +511,6 @@ class TestRSASignature(object): verifier.update(binascii.unhexlify(example["message"])) verifier.verify() - @pytest.mark.supported( - only_if=lambda backend: backend.rsa_padding_supported( - padding.PSS( - mgf=padding.MGF1(hashes.SHA1()), - salt_length=padding.PSS.MAX_LENGTH - ) - ), - skip_message="Does not support PSS." - ) - def test_deprecated_pss_mgf1_salt_length(self, backend): - private_key = RSA_KEY_512.private_key(backend) - signer = private_key.signer( - pytest.deprecated_call( - padding.PSS, - mgf=pytest.deprecated_call( - padding.MGF1, - algorithm=hashes.SHA1(), - salt_length=padding.MGF1.MAX_LENGTH - ) - ), - hashes.SHA1() - ) - signer.update(b"so deprecated") - signature = signer.finalize() - assert len(signature) == math.ceil(private_key.key_size / 8.0) - verifier = private_key.public_key().verifier( - signature, - pytest.deprecated_call( - padding.PSS, - mgf=pytest.deprecated_call( - padding.MGF1, - algorithm=hashes.SHA1(), - salt_length=padding.MGF1.MAX_LENGTH - ) - ), - hashes.SHA1() - ) - verifier.update(b"so deprecated") - verifier.verify() - @pytest.mark.parametrize( "hash_alg", [hashes.SHA224(), hashes.SHA256(), hashes.SHA384(), hashes.SHA512()] @@ -701,7 +661,13 @@ class TestRSASignature(object): def test_unsupported_pss_mgf(self, backend): private_key = RSA_KEY_512.private_key(backend) with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_MGF): - private_key.signer(padding.PSS(mgf=DummyMGF()), hashes.SHA1()) + private_key.signer( + padding.PSS( + mgf=DummyMGF(), + salt_length=padding.PSS.MAX_LENGTH + ), + hashes.SHA1() + ) @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( 
@@ -1014,8 +980,14 @@ class TestRSAVerification(object): private_key = RSA_KEY_512.private_key(backend) public_key = private_key.public_key() with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_MGF): - public_key.verifier(b"sig", padding.PSS(mgf=DummyMGF()), - hashes.SHA1()) + public_key.verifier( + b"sig", + padding.PSS( + mgf=DummyMGF(), + salt_length=padding.PSS.MAX_LENGTH + ), + hashes.SHA1() + ) @pytest.mark.supported( only_if=lambda backend: backend.rsa_padding_supported( @@ -1307,12 +1279,6 @@ class TestRSAPKCS1Verification(object): class TestPSS(object): - def test_deprecation_warning(self): - pytest.deprecated_call( - padding.PSS, - mgf=padding.MGF1(hashes.SHA1(), 20) - ) - def test_invalid_salt_length_not_integer(self): with pytest.raises(TypeError): padding.PSS( @@ -1331,10 +1297,6 @@ class TestPSS(object): salt_length=-1 ) - def test_no_salt_length_supplied_pss_or_mgf1(self): - with pytest.raises(ValueError): - padding.PSS(mgf=padding.MGF1(hashes.SHA1())) - def test_valid_pss_parameters(self): algorithm = hashes.SHA1() salt_length = algorithm.digest_size 
@@ -1351,38 +1313,6 @@ class TestPSS(object): assert pss._salt_length == padding.PSS.MAX_LENGTH -class TestMGF1(object): - def test_deprecation_warning(self): - pytest.deprecated_call( - padding.MGF1, algorithm=hashes.SHA1(), salt_length=20 - ) - - def test_invalid_hash_algorithm(self): - with pytest.raises(TypeError): - padding.MGF1(b"not_a_hash", 0) - - def test_invalid_salt_length_not_integer(self): - with pytest.raises(TypeError): - padding.MGF1(hashes.SHA1(), b"not_a_length") - - def test_invalid_salt_length_negative_integer(self): - with pytest.raises(ValueError): - padding.MGF1(hashes.SHA1(), -1) - - def test_valid_mgf1_parameters(self): - algorithm = hashes.SHA1() - salt_length = algorithm.digest_size - mgf = padding.MGF1(algorithm, salt_length) - assert mgf._algorithm == algorithm - assert mgf._salt_length == salt_length - - def test_valid_mgf1_parameters_maximum(self): - algorithm = hashes.SHA1() - mgf = padding.MGF1(algorithm, padding.MGF1.MAX_LENGTH) - assert mgf._algorithm == algorithm - assert mgf._salt_length == padding.MGF1.MAX_LENGTH - - class TestOAEP(object): def test_invalid_algorithm(self): mgf = padding.MGF1(hashes.SHA1()) -- cgit v1.2.3 From e8845dc7bcf215550599acb6c2851b7fd4b6d098 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 7 Jul 2014 15:47:30 -0700 Subject: Unused import --- cryptography/hazmat/primitives/asymmetric/padding.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/cryptography/hazmat/primitives/asymmetric/padding.py b/cryptography/hazmat/primitives/asymmetric/padding.py index 2ed73d1b..5fceb35f 100644 --- a/cryptography/hazmat/primitives/asymmetric/padding.py +++ b/cryptography/hazmat/primitives/asymmetric/padding.py @@ -13,8 +13,6 @@ from __future__ import absolute_import, division, print_function -import warnings - import six from cryptography import utils -- cgit v1.2.3 From 88d4a141dd25a87aa51fe66e5d048d5a1d14b157 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Mon, 7 Jul 2014 17:48:56 -0700 Subject: This is unused --- cryptography/hazmat/primitives/asymmetric/padding.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/cryptography/hazmat/primitives/asymmetric/padding.py b/cryptography/hazmat/primitives/asymmetric/padding.py index 5fceb35f..3967e065 100644 --- a/cryptography/hazmat/primitives/asymmetric/padding.py +++ b/cryptography/hazmat/primitives/asymmetric/padding.py @@ -39,9 +39,6 @@ class PSS(object): if salt_length is not self.MAX_LENGTH and salt_length < 0: raise ValueError("salt_length must be zero or greater.") - if salt_length is None and self._mgf._salt_length is None: - raise ValueError("You must supply salt_length.") - self._salt_length = salt_length -- cgit v1.2.3 From 7f68ccda2080c427f5e34b4ecc16cba9a030f2c6 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 7 Jul 2014 17:51:18 -0700 Subject: Restore these tests --- tests/hazmat/primitives/test_rsa.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index 94cc6d3f..8e850737 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -1313,6 +1313,17 @@ class TestPSS(object): assert pss._salt_length == padding.PSS.MAX_LENGTH +class TestMGF1(object): + def test_invalid_hash_algorithm(self): + with pytest.raises(TypeError): + padding.MGF1(b"not_a_hash") + + def test_valid_mgf1_parameters(self): + algorithm = hashes.SHA1() + mgf = padding.MGF1(algorithm) + assert mgf._algorithm == algorithm + + class TestOAEP(object): def test_invalid_algorithm(self): mgf = padding.MGF1(hashes.SHA1()) -- cgit v1.2.3 From 1658f948a5641d27a50f09dbd7b1cbf44408c34e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 8 Jul 2014 00:02:37 -0700 Subject: Added a changelog entry --- CHANGELOG.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 055c5abf..d0629c24 100644 --- a/CHANGELOG.rst 
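Review bot: The restored `TestMGF1` class has no test that the removed argument is actually rejected; `test_invalid_hash_algorithm` and `test_valid_mgf1_parameters` both call `padding.MGF1` with a single argument. A regression test such as `with pytest.raises(TypeError): padding.MGF1(hashes.SHA1(), 20)` would pin the removal, so a later signature change cannot silently accept and ignore a salt length on the MGF again. The first commit in this series also deleted `test_no_salt_length_supplied_pss_or_mgf1`, so a matching `with pytest.raises(TypeError): padding.PSS(mgf=padding.MGF1(hashes.SHA1()))` would cover the now-mandatory `salt_length` on PSS.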
+++ b/CHANGELOG.rst @@ -6,6 +6,11 @@ Changelog .. note:: This version is not yet released and is under active development. +* Removed the, deprecated in 0.4, support for the ``salt_length`` argument to + the :class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1` + constructor. The ``salt_length`` should be passed to + :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` instead. + 0.5.1 - 2014-07-07 ~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3