From 763990efa6c158d8a4dec8d71693665d026588a2 Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@davidben.net>
Date: Mon, 14 May 2018 22:49:24 -0400
Subject: Validate the public/private halves of EC keys on import. (#4241)

* Validate the public/private halves of EC keys on import.

OpenSSL's API is a little finicky. If one sets the public key before the
private key, it does not validate that they match. If set in the other
order, it does validate this.

In particular, KASValidityTest_ECCStaticUnified_NOKC_ZZOnly_init.fax
describes error code 7 as:

  Result = F (7 - IUT's Static private key d changed-prikey validity)

Reordering the two operations makes those tests to fail on key import,
which is what CAVP appears to have intended.

* Wrap to 79 rather than 80 columns
---
 tests/hazmat/primitives/test_ec.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'tests/hazmat/primitives/test_ec.py')

diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
index 1b491a10..59e4c995 100644
--- a/tests/hazmat/primitives/test_ec.py
+++ b/tests/hazmat/primitives/test_ec.py
@@ -1068,9 +1068,9 @@ class TestECDH(object):
                 ec._CURVE_TYPES[vector['curve']]()
             )
         )
-        # Errno 5 and 6 indicates a bad public key, this doesn't test the ECDH
-        # code at all
-        if vector['fail'] and vector['errno'] in [5, 6]:
+        # Errno 5-7 indicates a bad public or private key, this doesn't test
+        # the ECDH code at all
+        if vector['fail'] and vector['errno'] in [5, 6, 7]:
             with pytest.raises(ValueError):
                 private_numbers.private_key(backend)
             return
-- 
cgit v1.2.3