author | Alex Gaynor <alex.gaynor@gmail.com> | 2017-05-10 23:11:30 -0400 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2017-05-10 22:11:30 -0500 |
commit | 5ca9946a5ae87ceedc4b6f2744b9300e957c8a98 (patch) | |
tree | 578edda39ca9d7a6b290f376ebb21f4961a199a6 | |
parent | 92f570eabe713653e5fe2dc9ba666493df047ccb (diff) | |
Fixes #3538 -- Make our OpenSSL EC verifier's implementation match the API (#3539)
* Document our real API for EC verification, not an accident
* formatting consistency
* fix the code itself
* fixed class name
* fixed a test too
-rw-r--r-- | CHANGELOG.rst | 6 | ||||
-rw-r--r-- | docs/hazmat/primitives/asymmetric/ec.rst | 33 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/ec.py | 5 | ||||
-rw-r--r-- | tests/hazmat/primitives/test_ec.py | 2 |
4 files changed, 28 insertions, 18 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5223fea0..8935285c 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -9,6 +9,12 @@ Changelog
 * Add support for providing ``tag`` during
 :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` finalization via
 :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`.
+* **BACKWARDS INCOMPATIBLE:** Elliptic Curve signature verification no long
+ returns ``True`` on success. This brings it in line with the interface's
+ documentation, and our intent. The correct way to use
+ :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.verify`
+ has always been to check whether or not
+ :class:`~cryptography.exceptions.InvalidSignature` was raised.
 1.8.1 - 2017-03-10
diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst
index 56e2e0ec..3c595fac 100644
--- a/docs/hazmat/primitives/asymmetric/ec.rst
+++ b/docs/hazmat/primitives/asymmetric/ec.rst
@@ -78,20 +78,24 @@ Elliptic Curve Signature Algorithms
 :func:`~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature`.
- Verification requires the public key, the signature itself, the signed data, and knowledge of the hashing algorithm that was used when producing the signature:
+ Verification requires the public key, the signature itself, the signed
+ data, and knowledge of the hashing algorithm that was used when producing
+ the signature:
 >>> public_key = private_key.public_key()
 >>> verifier = public_key.verifier(signature, ec.ECDSA(hashes.SHA256()))
 >>> verifier.update(b"this is some data I'd like")
 >>> verifier.update(b" to sign")
 >>> verifier.verify()
- True
- The last call will either return ``True`` or raise an :class:`~cryptography.exceptions.InvalidSignature` exception.
+ If the signature is not valid, an
+ :class:`~cryptography.exceptions.InvalidSignature` exception will be raised.
 .. note::
- Although in this case the public key was derived from the private one, in a typical setting you will not possess the private key. The `Key loading`_ section explains how to load the public key from other sources.
-
+ Although in this case the public key was derived from the private one,
+ in a typical setting you will not possess the private key. The
+ `Key loading`_ section explains how to load the public key from other
+ sources.
 .. class:: EllipticCurvePrivateNumbers(private_value, public_numbers)
@@ -589,7 +593,7 @@ This sample demonstrates how to generate a private key and serialize it.
 ... encoding=serialization.Encoding.PEM,
 ... format=serialization.PrivateFormat.PKCS8,
 ... encryption_algorithm=serialization.BestAvailableEncryption(b'testpassword')
- ... )
+ ... )
 >>> serialized_private.splitlines()[0]
 '-----BEGIN ENCRYPTED PRIVATE KEY-----'
@@ -605,7 +609,7 @@ The public key is serialized as follows:
 >>> serialized_public = public_key.public_bytes(
 ... encoding=serialization.Encoding.PEM,
 ... format=serialization.PublicFormat.SubjectPublicKeyInfo
- ... )
+ ... )
 >>> serialized_public.splitlines()[0]
 '-----BEGIN PUBLIC KEY-----'
@@ -622,15 +626,16 @@ in PEM format.
 .. doctest::
 >>> loaded_public_key = serialization.load_pem_public_key(
- ... serialized_public,
- ... backend=default_backend()
- ... )
+ ... serialized_public,
+ ... backend=default_backend()
+ ... )
 >>> loaded_private_key = serialization.load_pem_private_key(
- ... serialized_private,
- ... password=b'testpassword', # or password=None, if in plain text
- ... backend=default_backend()
- ... )
+ ... serialized_private,
+ ... # or password=None, if in plain text
+ ... password=b'testpassword',
+ ... backend=default_backend()
+ ... )
 .. _`FIPS 186-3`: http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py
index cecd25e1..68a35b21 100644
--- a/src/cryptography/hazmat/backends/openssl/ec.py
+++ b/src/cryptography/hazmat/backends/openssl/ec.py
@@ -86,7 +86,6 @@ def _ecdsa_sig_verify(backend, public_key, signature, data):
 if res != 1:
 backend._consume_errors()
 raise InvalidSignature
- return True
 @utils.register_interface(AsymmetricSignatureContext)
@@ -118,7 +117,7 @@ class _ECDSAVerificationContext(object):
 def verify(self):
 digest = self._digest.finalize()
- return _ecdsa_sig_verify(
+ _ecdsa_sig_verify(
 self._backend, self._public_key, self._signature, digest
 )
@@ -283,4 +282,4 @@ class _EllipticCurvePublicKey(object):
 data, algorithm = _calculate_digest_and_algorithm(
 self._backend, data, signature_algorithm._algorithm
 )
- return _ecdsa_sig_verify(self._backend, self, signature, data)
+ _ecdsa_sig_verify(self._backend, self, signature, data)
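Review bot: The new no-return contract of `_ecdsa_sig_verify` is undocumented in the code: after the `-86` hunk the function falls off the end on success and signals failure only through `raise InvalidSignature`, yet nothing at the definition says so. A caller that still branches on the result (`if verifier.verify():`) will now see `None` and treat every valid signature as a failure; that fails closed, but silently. I would add a docstring to `_ecdsa_sig_verify` such as `"""Return None if the signature is valid; raise InvalidSignature for any result other than 1."""`, and a short comment `# Returns None; raises InvalidSignature on failure.` above the calls in the `-118` and `-283` hunks, which share the same gap. All three function bodies start outside their hunks.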
diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
index 7127071f..ad4bbc51 100644
--- a/tests/hazmat/primitives/test_ec.py
+++ b/tests/hazmat/primitives/test_ec.py
@@ -508,7 +508,7 @@ class TestECDSAVectors(object):
 ec.ECDSA(hash_type())
 )
 verifier.update(vector['message'])
- assert verifier.verify()
+ verifier.verify()
 @pytest.mark.parametrize(
 "vector", |
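Review bot: With the `assert` dropped, this test no longer checks anything about the return value of `verifier.verify()`, so a later change that makes it return a truthy value again would pass unnoticed. Since the commit's stated intent is that success is signalled only by the absence of `InvalidSignature`, I would pin that with `assert verifier.verify() is None`. The hunks shown also do not touch a test for the one-shot path changed at `-283` in ec.py, so it is worth confirming that one exists and makes the same check. The test function starts outside the hunk.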