add wycheproof tests for AES CMAC (#4344)

* add wycheproof tests for AES CMAC

* review feedback

1 files changed, 36 insertions, 0 deletions

diff --git a/tests/wycheproof/test_cmac.py b/tests/wycheproof/test_cmac.py
new file mode 100644
index 00000000..bef85839
--- /dev/null
+++ b/tests/wycheproof/test_cmac.py
@@ -0,0 +1,36 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import binascii
+
+import pytest
+
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.backends.interfaces import CMACBackend
+from cryptography.hazmat.primitives.ciphers.algorithms import AES
+from cryptography.hazmat.primitives.cmac import CMAC
+
+
+@pytest.mark.requires_backend_interface(interface=CMACBackend)
+@pytest.mark.wycheproof_tests("aes_cmac_test.json")
+def test_aes_cmac(backend, wycheproof):
+    key = binascii.unhexlify(wycheproof.testcase["key"])
+    msg = binascii.unhexlify(wycheproof.testcase["msg"])
+    tag = binascii.unhexlify(wycheproof.testcase["tag"])
+
+    # skip truncated tags, which we don't support in the API
+    if wycheproof.valid and len(tag) == 16:
+        ctx = CMAC(AES(key), backend)
+        ctx.update(msg)
+        ctx.verify(tag)
+    elif len(key) not in [16, 24, 32]:
+        with pytest.raises(ValueError):
+            CMAC(AES(key), backend)
+    else:
+        ctx = CMAC(AES(key), backend)
+        ctx.update(msg)
+        with pytest.raises(InvalidSignature):
+            ctx.verify(tag)