test coverage, other changes

author: Paul Kehrer <paul.l.kehrer@gmail.com> 2014-01-28 12:05:51 -0600
committer: Paul Kehrer <paul.l.kehrer@gmail.com> 2014-01-28 12:05:51 -0600
commit: 6f2a04b4cf3cb938cdd58205a4fc7e8ddb6af299 (patch)
tree: 7747afef1e8097b7d73541857984ada6eef92d13
parent: b6d764c3f28837ed8854dfa836029a0b4650246f (diff)
download: cryptography-6f2a04b4cf3cb938cdd58205a4fc7e8ddb6af299.tar.gz
cryptography-6f2a04b4cf3cb938cdd58205a4fc7e8ddb6af299.tar.bz2
cryptography-6f2a04b4cf3cb938cdd58205a4fc7e8ddb6af299.zip
2 files changed, 76 insertions, 4 deletions
diff --git a/cryptography/hazmat/primitives/kdf/pbkdf2.py b/cryptography/hazmat/primitives/kdf/pbkdf2.py
index 014529b0..27f9c7e2 100644
--- a/cryptography/hazmat/primitives/kdf/pbkdf2.py
+++ b/cryptography/hazmat/primitives/kdf/pbkdf2.py
@@ -13,26 +13,34 @@
 
 from __future__ import absolute_import, division, print_function
 
-from cryptography.exceptions import InvalidKey, UnsupportedAlgorithm
-from cryptography.hazmat.primitives import constant_time
+from cryptography import utils
+from cryptography.exceptions import (
+    InvalidKey, UnsupportedAlgorithm, AlreadyFinalized
+)
+from cryptography.hazmat.primitives import constant_time, interfaces
 
 
+@utils.register_interface(interfaces.KeyDerivationFunction)
 class PBKDF2(object):
     def __init__(self, algorithm, length, salt, iterations, backend):
         if not backend.pbkdf2_hash_supported(algorithm):
             raise UnsupportedAlgorithm(
                 "{0} is not supported by this backend".format(algorithm.name)
             )
+        self._called = False
         self.algorithm = algorithm
         if length > 2**31 - 1:
             raise ValueError("Requested length too large.")
         self._length = length
-        # TODO: handle salt
         self._salt = salt
         self.iterations = iterations
         self._backend = backend
 
     def derive(self, key_material):
+        if self._called:
+            raise AlreadyFinalized("PBKDF2 instances can only be called once")
+        else:
+            self._called = True
         return self._backend.derive_pbkdf2(
             self.algorithm,
             self._length,
@@ -42,5 +50,6 @@ class PBKDF2(object):
         )
 
     def verify(self, key_material, expected_key):
-        if not constant_time.bytes_eq(key_material, expected_key):
+        derived_key = self.derive(key_material)
+        if not constant_time.bytes_eq(derived_key, expected_key):
             raise InvalidKey("Keys do not match.")
diff --git a/tests/hazmat/primitives/test_pbkdf2.py b/tests/hazmat/primitives/test_pbkdf2.py
new file mode 100644
index 00000000..6dd10129
--- /dev/null
+++ b/tests/hazmat/primitives/test_pbkdf2.py
@@ -0,0 +1,63 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import absolute_import, division, print_function
+
+import pytest
+
+from cryptography import utils
+from cryptography.exceptions import (
+    InvalidKey, UnsupportedAlgorithm, AlreadyFinalized
+)
+from cryptography.hazmat.primitives import hashes, interfaces
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2
+from cryptography.hazmat.backends import default_backend
+
+
+@utils.register_interface(interfaces.HashAlgorithm)
+class UnsupportedDummyHash(object):
+    name = "unsupported-dummy-hash"
+
+
+class TestPBKDF2(object):
+    def test_already_finalized(self):
+        kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend())
+        kdf.derive(b"password")
+        with pytest.raises(AlreadyFinalized):
+            kdf.derive(b"password2")
+
+        kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend())
+        key = kdf.derive(b"password")
+        with pytest.raises(AlreadyFinalized):
+            kdf.verify(b"password", key)
+
+        kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend())
+        kdf.verify(b"password", key)
+        with pytest.raises(AlreadyFinalized):
+            kdf.verify(b"password", key)
+
+    def test_unsupported_algorithm(self):
+        with pytest.raises(UnsupportedAlgorithm):
+            PBKDF2(UnsupportedDummyHash(), 20, b"salt", 10, default_backend())
+
+    def test_invalid_key(self):
+        kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend())
+        key = kdf.derive(b"password")
+
+        kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend())
+        with pytest.raises(InvalidKey):
+            kdf.verify(b"password2", key)
+
+    def test_salt_too_long(self):
+        with pytest.raises(ValueError):
+            PBKDF2(hashes.SHA1(), 2**31, b"salt", 10, default_backend())
author	Paul Kehrer <paul.l.kehrer@gmail.com>	2014-01-28 12:05:51 -0600
committer	Paul Kehrer <paul.l.kehrer@gmail.com>	2014-01-28 12:05:51 -0600
commit	6f2a04b4cf3cb938cdd58205a4fc7e8ddb6af299 (patch)
tree	7747afef1e8097b7d73541857984ada6eef92d13
parent	b6d764c3f28837ed8854dfa836029a0b4650246f (diff)
download	cryptography-6f2a04b4cf3cb938cdd58205a4fc7e8ddb6af299.tar.gz cryptography-6f2a04b4cf3cb938cdd58205a4fc7e8ddb6af299.tar.bz2 cryptography-6f2a04b4cf3cb938cdd58205a4fc7e8ddb6af299.zip