From 66c9cd928601725e27aa64255e56b3a7e481a08d Mon Sep 17 00:00:00 2001
From: David Reid
Date: Mon, 20 Jan 2014 16:05:53 -0800
Subject: Refactor HKDF support and provide vectors for tests.
---
 tests/hazmat/primitives/utils.py | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
(limited to 'tests/hazmat/primitives/utils.py')
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
index 6b1d055d..e546fa79 100644
--- a/tests/hazmat/primitives/utils.py
+++ b/tests/hazmat/primitives/utils.py
@@ -6,6 +6,8 @@ import pytest
 from cryptography.hazmat.primitives import hashes, hmac
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 from cryptography.hazmat.primitives.ciphers import Cipher
+from cryptography.hazmat.primitives.kdf.hkdf import hkdf_derive
+
 from cryptography.exceptions import (
 AlreadyFinalized, NotYetFinalized, AlreadyUpdated, InvalidTag,
 )
@@ -297,3 +299,32 @@ def aead_tag_exception_test(backend, cipher_factory, mode_factory):
 )
 with pytest.raises(ValueError):
 cipher.encryptor()
+
+
+def hkdf_test(backend, algorithm, params):
+ ikm = params[0]
+ salt = params[1]
+ info = params[2]
+ length = params[3]
+ expected_okm = params[4]
+
+ okm = hkdf_derive(
+ binascii.unhexlify(ikm),
+ length,
+ binascii.unhexlify(salt),
+ binascii.unhexlify(info),
+ algorithm,
+ backend=backend
+ )
+
+ assert binascii.hexlify(okm) == expected_okm
+
+
+def generate_hkdf_test(param_loader, path, file_names, algorithm):
+ all_params = _load_all_params(path, file_names, param_loader)
+
+ @pytest.mark.parametrize("params", all_params)
+ def test_hkdf(self, backend, params):
+ hkdf_test(backend, algorithm, params)
+
+ return test_hkdf
-- cgit v1.2.3
From 5443e9d949a1b720642ac25c2a2eb712515e77b0 Mon Sep 17 00:00:00 2001
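Review bot: In `hkdf_test` (added by 66c9cd9), the final assert compares `binascii.hexlify(okm)` with the vector field as loaded, so the check is made on hex text rather than on the derived key bytes. A correct derivation would then fail if a vector file uses upper-case hex, and on Python 3 the left side is bytes while the right side is whatever type the loader returns; decoding the expected value avoids both, `assert okm == binascii.unhexlify(expected_okm)`. `length` is likewise forwarded to `hkdf_derive` exactly as loaded, so an explicit `int(length)` is presumably needed if the loader yields text. The same assert is still present as a context line of `hkdf_derive_test` in the `@@ -320,11 +320,43 @@` hunk of 5443e9d.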
From: David Reid
Date: Wed, 22 Jan 2014 17:18:49 -0800
Subject: Break up hkdf_derive into hkdf_extract and hkdf_expand. Testing each individually against all the vectors and actually asserting about the intermediate state. hkdf_derive is now just a helper function which copes with the default arguments.
---
 tests/hazmat/primitives/utils.py | 50 ++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 41 insertions(+), 9 deletions(-)
(limited to 'tests/hazmat/primitives/utils.py')
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
index e546fa79..963838eb 100644
--- a/tests/hazmat/primitives/utils.py
+++ b/tests/hazmat/primitives/utils.py
@@ -1,12 +1,16 @@
 import binascii
 import os
+import itertools
+
 import pytest
 from cryptography.hazmat.primitives import hashes, hmac
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 from cryptography.hazmat.primitives.ciphers import Cipher
-from cryptography.hazmat.primitives.kdf.hkdf import hkdf_derive
+from cryptography.hazmat.primitives.kdf.hkdf import (
+ hkdf_derive, hkdf_extract, hkdf_expand
+)
 from cryptography.exceptions import (
 AlreadyFinalized, NotYetFinalized, AlreadyUpdated, InvalidTag,
@@ -301,12 +305,8 @@ def aead_tag_exception_test(backend, cipher_factory, mode_factory):
 cipher.encryptor()
-def hkdf_test(backend, algorithm, params):
- ikm = params[0]
- salt = params[1]
- info = params[2]
- length = params[3]
- expected_okm = params[4]
+def hkdf_derive_test(backend, algorithm, params):
+ ikm, salt, info, length, prk, expected_okm = params
 okm = hkdf_derive(
 binascii.unhexlify(ikm),
@@ -320,11 +320,43 @@ def hkdf_test(backend, algorithm, params):
 assert binascii.hexlify(okm) == expected_okm
+def hkdf_extract_test(backend, algorithm, params):
+ ikm, salt, info, length, expected_prk, okm = params
+
+ prk = hkdf_extract(
+ algorithm,
+ binascii.unhexlify(ikm),
+ binascii.unhexlify(salt),
+ backend=backend
+ )
+
+ assert prk == binascii.unhexlify(expected_prk)
+
+
+def hkdf_expand_test(backend, algorithm, params):
+ ikm, salt, info, length, prk, expected_okm = params
+
+ okm = hkdf_expand(
+ algorithm,
+ binascii.unhexlify(prk),
+ binascii.unhexlify(info),
+ length,
+ backend=backend
+ )
+
+ assert okm == binascii.unhexlify(expected_okm)
+
+
 def generate_hkdf_test(param_loader, path, file_names, algorithm):
 all_params = _load_all_params(path, file_names, param_loader)
- @pytest.mark.parametrize("params", all_params)
- def test_hkdf(self, backend, params):
+ all_tests = [hkdf_extract_test, hkdf_expand_test, hkdf_derive_test]
+
+ @pytest.mark.parametrize(
+ ("params", "hkdf_test"),
+ itertools.product(all_params, all_tests)
+ )
+ def test_hkdf(self, backend, params, hkdf_test):
 hkdf_test(backend, algorithm, params)
 return test_hkdf
-- cgit v1.2.3
From 14367303f16bc271f4a8f11f09b02342f44c3a7e Mon Sep 17 00:00:00 2001
From: David Reid
Date: Mon, 27 Jan 2014 16:33:31 -0800
Subject: Use the nist vector loader.
---
 tests/hazmat/primitives/utils.py | 30 ++++++++++++------------------
 1 file changed, 12 insertions(+), 18 deletions(-)
(limited to 'tests/hazmat/primitives/utils.py')
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
index 963838eb..9e9088a3 100644
--- a/tests/hazmat/primitives/utils.py
+++ b/tests/hazmat/primitives/utils.py
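Review bot: In the `@@ -320,11 +320,43 @@` hunk of 5443e9d, `hkdf_extract_test`, `hkdf_expand_test` and `hkdf_derive_test` all unpack the same six-field tuple by position, and nothing in the file states that layout; `hkdf_extract_test` also binds `info`, `length` and `okm` without using them. Because every field except `length` goes straight into `binascii.unhexlify`, a loader that emits the fields in another order would probably surface only as a mismatched digest rather than as a clear error. I would put a comment above `generate_hkdf_test`, `# params: (ikm, salt, info, length, prk, okm); all but length are hex text`, or have the loader return named fields.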
@@ -306,45 +306,39 @@ def aead_tag_exception_test(backend, cipher_factory, mode_factory):
 def hkdf_derive_test(backend, algorithm, params):
- ikm, salt, info, length, prk, expected_okm = params
-
 okm = hkdf_derive(
- binascii.unhexlify(ikm),
- length,
- binascii.unhexlify(salt),
- binascii.unhexlify(info),
+ binascii.unhexlify(params["ikm"]),
+ int(params["l"]),
+ binascii.unhexlify(params["salt"]),
+ binascii.unhexlify(params["info"]),
 algorithm,
 backend=backend
 )
- assert binascii.hexlify(okm) == expected_okm
+ assert okm == binascii.unhexlify(params["okm"])
 def hkdf_extract_test(backend, algorithm, params):
- ikm, salt, info, length, expected_prk, okm = params
-
 prk = hkdf_extract(
 algorithm,
- binascii.unhexlify(ikm),
- binascii.unhexlify(salt),
+ binascii.unhexlify(params["ikm"]),
+ binascii.unhexlify(params["salt"]),
 backend=backend
 )
- assert prk == binascii.unhexlify(expected_prk)
+ assert prk == binascii.unhexlify(params["prk"])
 def hkdf_expand_test(backend, algorithm, params):
- ikm, salt, info, length, prk, expected_okm = params
-
 okm = hkdf_expand(
 algorithm,
- binascii.unhexlify(prk),
- binascii.unhexlify(info),
- length,
+ binascii.unhexlify(params["prk"]),
+ binascii.unhexlify(params["info"]),
+ int(params["l"]),
 backend=backend
 )
- assert okm == binascii.unhexlify(expected_okm)
+ assert okm == binascii.unhexlify(params["okm"])
 def generate_hkdf_test(param_loader, path, file_names, algorithm):
-- cgit v1.2.3
From 0d492db1be3e287b5f49a5ce408196401bdd0a2b Mon Sep 17 00:00:00 2001
From: David Reid
Date: Mon, 27 Jan 2014 17:05:49 -0800
Subject: Closer to proposed interface in #513.
---
 tests/hazmat/primitives/utils.py | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)
(limited to 'tests/hazmat/primitives/utils.py')
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
index 9e9088a3..2584272a 100644
--- a/tests/hazmat/primitives/utils.py
+++ b/tests/hazmat/primitives/utils.py
@@ -8,9 +8,7 @@ import pytest
 from cryptography.hazmat.primitives import hashes, hmac
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 from cryptography.hazmat.primitives.ciphers import Cipher
-from cryptography.hazmat.primitives.kdf.hkdf import (
- hkdf_derive, hkdf_extract, hkdf_expand
-)
+from cryptography.hazmat.primitives.kdf.hkdf import HKDF
 from cryptography.exceptions import (
 AlreadyFinalized, NotYetFinalized, AlreadyUpdated, InvalidTag,
@@ -306,38 +304,44 @@ def aead_tag_exception_test(backend, cipher_factory, mode_factory):
 def hkdf_derive_test(backend, algorithm, params):
- okm = hkdf_derive(
- binascii.unhexlify(params["ikm"]),
- int(params["l"]),
- binascii.unhexlify(params["salt"]),
- binascii.unhexlify(params["info"]),
+ hkdf = HKDF(
 algorithm,
+ int(params["l"]),
+ salt=binascii.unhexlify(params["salt"]) or None,
+ info=binascii.unhexlify(params["info"]) or None,
 backend=backend
 )
+ okm = hkdf.derive(binascii.unhexlify(params["ikm"]))
+
 assert okm == binascii.unhexlify(params["okm"])
 def hkdf_extract_test(backend, algorithm, params):
- prk = hkdf_extract(
+ hkdf = HKDF(
 algorithm,
- binascii.unhexlify(params["ikm"]),
- binascii.unhexlify(params["salt"]),
+ int(params["l"]),
+ salt=binascii.unhexlify(params["salt"]) or None,
+ info=binascii.unhexlify(params["info"]) or None,
 backend=backend
 )
+ prk = hkdf.extract(binascii.unhexlify(params["ikm"]))
+
 assert prk == binascii.unhexlify(params["prk"])
 def hkdf_expand_test(backend, algorithm, params):
- okm = hkdf_expand(
+ hkdf = HKDF(
 algorithm,
- binascii.unhexlify(params["prk"]),
- binascii.unhexlify(params["info"]),
 int(params["l"]),
+ salt=binascii.unhexlify(params["salt"]) or None,
+ info=binascii.unhexlify(params["info"]) or None,
 backend=backend
 )
+ okm = hkdf.expand(binascii.unhexlify(params["prk"]))
+
 assert okm == binascii.unhexlify(params["okm"])
-- cgit v1.2.3
From 15fd6433ea357fc6d06052db85c0d0140a9c1d13 Mon Sep 17 00:00:00 2001
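Review bot: In the `@@ -306,38 +304,44 @@` hunk of 0d492db, all three helpers build `HKDF` with `salt=binascii.unhexlify(params["salt"]) or None` and the same expression for `info`, so a vector whose salt or info is zero-length reaches the constructor as `None` and never as `b""`. RFC 5869 treats an absent salt as HashLen zero octets and allows a zero-length info, so both spellings should derive the same key, but after this change only the `None` default is exercised. I would pass the decoded value unchanged in at least one helper, `salt=binascii.unhexlify(params["salt"]),`, or add a case asserting that `b""` and `None` give equal output. Whether the constructor accepts `b""` is not visible in this diff.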
From: David Reid
Date: Thu, 30 Jan 2014 15:28:09 -0800
Subject: Don't expose extract and expand on this class yet because we don't know how best to expose verify functionality, continue testing the stages using the private methods.
---
 tests/hazmat/primitives/utils.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'tests/hazmat/primitives/utils.py')
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
index 2584272a..5a8dc3ab 100644
--- a/tests/hazmat/primitives/utils.py
+++ b/tests/hazmat/primitives/utils.py
@@ -326,7 +326,7 @@ def hkdf_extract_test(backend, algorithm, params):
 backend=backend
 )
- prk = hkdf.extract(binascii.unhexlify(params["ikm"]))
+ prk = hkdf._extract(binascii.unhexlify(params["ikm"]))
 assert prk == binascii.unhexlify(params["prk"])
@@ -340,7 +340,7 @@ def hkdf_expand_test(backend, algorithm, params):
 backend=backend
 )
- okm = hkdf.expand(binascii.unhexlify(params["prk"]))
+ okm = hkdf._expand(binascii.unhexlify(params["prk"]))
 assert okm == binascii.unhexlify(params["okm"])
-- cgit v1.2.3
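Review bot: The calls changed to `hkdf._extract` and `hkdf._expand` in `hkdf_extract_test` and `hkdf_expand_test` (both hunks of 15fd643) tie the vector tests to private methods, and the reason is recorded only in the commit message. A short comment at each call would keep a later refactor from treating the underscore access as accidental, for example `# private until the verify API is decided; called directly to check each stage against the vectors`. Both functions begin above their hunks, so the `HKDF(...)` construction they depend on is only partly visible here.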