authorErik Trauschke <erik.trauschke@gmail.com>2015-10-20 08:18:00 -0700
committerErik Trauschke <erik.trauschke@gmail.com>2015-10-20 08:18:00 -0700
commitc8ab2ea92fe43d1ff64d7463c61fa9ef34cce7d8 (patch)
treed3ed0f8b77f4f978ee847585e5b1ae1a9994270b /tests
parentc219b962f8f02f85edf2a3452fe4136b1211f807 (diff)
parent018a9659924c5ffe548d716295a4292c6929c341 (diff)
Merge branch 'master' into crl_ossl_backend
Diffstat (limited to 'tests')
-rw-r--r--tests/hazmat/backends/test_multibackend.py19
-rw-r--r--tests/hazmat/backends/test_openssl.py6
-rw-r--r--tests/hazmat/primitives/test_ec.py126
-rw-r--r--tests/test_utils.py4
-rw-r--r--tests/test_x509_ext.py14
-rw-r--r--tests/utils.py2
6 files changed, 163 insertions, 8 deletions
diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
index 618d21b6..81a64ce0 100644
--- a/tests/hazmat/backends/test_multibackend.py
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -152,10 +152,7 @@ class DummyEllipticCurveBackend(object):
):
return (
isinstance(signature_algorithm, ec.ECDSA) and
- any(
- isinstance(curve, curve_type)
- for curve_type in self._curves
- )
+ self.elliptic_curve_supported(curve)
)
def generate_elliptic_curve_private_key(self, curve):
@@ -170,6 +167,12 @@ class DummyEllipticCurveBackend(object):
if not self.elliptic_curve_supported(numbers.curve):
raise UnsupportedAlgorithm(_Reasons.UNSUPPORTED_ELLIPTIC_CURVE)
+ def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve):
+ return (
+ isinstance(algorithm, ec.ECDH) and
+ self.elliptic_curve_supported(curve)
+ )
+
@utils.register_interface(PEMSerializationBackend)
class DummyPEMSerializationBackend(object):
@@ -468,6 +471,14 @@ class TestMultiBackend(object):
)
)
+ assert backend.elliptic_curve_exchange_algorithm_supported(
+ ec.ECDH(), ec.SECT283K1()
+ )
+ backend2 = MultiBackend([DummyEllipticCurveBackend([])])
+ assert not backend2.elliptic_curve_exchange_algorithm_supported(
+ ec.ECDH(), ec.SECT163K1()
+ )
+
def test_pem_serialization_backend(self):
backend = MultiBackend([DummyPEMSerializationBackend()])
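Review bot: The negative assertion added here only exercises the unsupported-curve path (`DummyEllipticCurveBackend([])`), so the `isinstance(algorithm, ec.ECDH)` half of the dummy's check is never seen returning False. Adding `assert not backend.elliptic_curve_exchange_algorithm_supported(None, ec.SECT283K1())` would cover a non-ECDH algorithm on a curve the first backend accepts, assuming `MultiBackend` simply delegates to its backends as the existing assertions suggest. The enclosing test method starts above the hunk.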
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 8fd0d711..85331595 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -551,6 +551,12 @@ class TestOpenSSLEllipticCurve(object):
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_ELLIPTIC_CURVE):
_sn_to_elliptic_curve(backend, b"fake")
+ def test_elliptic_curve_exchange_algorithm_supported(self, monkeypatch):
+ monkeypatch.setattr(backend, "_lib", DummyLibrary())
+ assert not backend.elliptic_curve_exchange_algorithm_supported(
+ ec.ECDH(), ec.SECP256R1()
+ )
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
class TestRSAPEMSerialization(object):
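Review bot: `test_elliptic_curve_exchange_algorithm_supported` asserts only the False result after `backend._lib` is replaced with `DummyLibrary()`, and nothing in the test says which capability the dummy takes away. `DummyLibrary` is defined outside the hunk, so the wording needs checking against it, but a comment along the lines of `# DummyLibrary lacks the EC bindings, so ECDH must be reported as unsupported` would record the intent. A more specific test name, for example one ending in `_without_ec`, would also stop readers from expecting a positive case here.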
diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
index 59bdc525..4c4d5b90 100644
--- a/tests/hazmat/primitives/test_ec.py
+++ b/tests/hazmat/primitives/test_ec.py
@@ -7,6 +7,8 @@ from __future__ import absolute_import, division, print_function
import itertools
import os
+from binascii import hexlify
+
import pytest
from cryptography import exceptions, utils
@@ -21,7 +23,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
from ...utils import (
load_fips_ecdsa_key_pair_vectors, load_fips_ecdsa_signing_vectors,
- load_vectors_from_file, raises_unsupported_algorithm
+ load_kasvs_ecdh_vectors, load_vectors_from_file,
+ raises_unsupported_algorithm
)
_HASH_TYPES = {
@@ -54,6 +57,17 @@ def _skip_curve_unsupported(backend, curve):
)
+def _skip_exchange_algorithm_unsupported(backend, algorithm, curve):
+ if not backend.elliptic_curve_exchange_algorithm_supported(
+ algorithm, curve
+ ):
+ pytest.skip(
+ "Exchange algorithm is not supported by this backend {0}".format(
+ backend
+ )
+ )
+
+
@utils.register_interface(ec.EllipticCurve)
class DummyCurve(object):
name = "dummy-curve"
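Review bot: The skip message in `_skip_exchange_algorithm_unsupported` names only the backend, so a skipped ECDH vector does not show which curve or algorithm was missing. Including them, e.g. `"Exchange algorithm {0} on curve {1} is not supported by backend {2}".format(algorithm, curve.name, backend)`, makes it visible in the test report when a whole curve family is silently not being exercised. The helper also has no docstring; one line stating that it skips the calling test when the backend reports the algorithm/curve pair as unsupported would be enough.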
@@ -76,6 +90,12 @@ def test_skip_curve_unsupported(backend):
_skip_curve_unsupported(backend, DummyCurve())
+@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+def test_skip_exchange_algorithm_unsupported(backend):
+ with pytest.raises(pytest.skip.Exception):
+ _skip_exchange_algorithm_unsupported(backend, ec.ECDH(), DummyCurve())
+
+
def test_ec_numbers():
numbers = ec.EllipticCurvePrivateNumbers(
1,
@@ -285,6 +305,35 @@ class TestECDSAVectors(object):
with pytest.raises(ValueError):
numbers.private_key(backend)
+ def test_load_invalid_public_ec_key_from_numbers(self, backend):
+ _skip_curve_unsupported(backend, ec.SECP521R1())
+
+ # Bad X coordinate
+ numbers = ec.EllipticCurvePublicNumbers(
+ int("000003647356b91f8ace114c7247ecf4f4a622553fc025e04a178f179ef27"
+ "9090c184af678a4c78f635483bdd8aa544851c6ef291c1f0d6a241ebfd145"
+ "77d1d30d9903ce", 16),
+ int("000001499bc7e079322ea0fcfbd6b40103fa6a1536c2257b182db0df4b369"
+ "6ec643adf100eb4f2025d1b873f82e5a475d6e4400ba777090eeb4563a115"
+ "09e4c87319dc26", 16),
+ ec.SECP521R1()
+ )
+ with pytest.raises(ValueError):
+ numbers.public_key(backend)
+
+ # Bad Y coordinate
+ numbers = ec.EllipticCurvePublicNumbers(
+ int("0000019aadc221cc0525118ab6d5aa1f64720603de0be128cbfea0b381ad8"
+ "02a2facc6370bb58cf88b3f0c692bc654ee19d6cad198f10d4b681b396f20"
+ "d2e40603fa945b", 16),
+ int("0000025da392803a320717a08d4cb3dea932039badff363b71bdb8064e726"
+ "6c7f4f4b748d4d425347fc33e3885d34b750fa7fcd5691f4d90c89522ce33"
+ "feff5db10088a5", 16),
+ ec.SECP521R1()
+ )
+ with pytest.raises(ValueError):
+ numbers.public_key(backend)
+
@pytest.mark.parametrize(
"vector",
itertools.chain(
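Review bot: The two cases in `test_load_invalid_public_ec_key_from_numbers` are labelled only `# Bad X coordinate` and `# Bad Y coordinate`, with no indication of where the values come from or why they are invalid. If, as the expected ValueError suggests, these are points that do not satisfy the P-521 curve equation, a comment such as `# (x, y) is not on secp521r1; loading must fail so off-curve points never reach ECDH` would record the property being protected. Because both cases share one test body, a failure in the first hides the second; `@pytest.mark.parametrize` over the two coordinate pairs would report them independently. The hunk ends inside the decorator of the next test, whose body is outside it.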
@@ -720,3 +769,78 @@ class TestECDSAVerification(object):
public_key = key.public_key()
with pytest.raises(TypeError):
public_key.verifier(1234, ec.ECDSA(hashes.SHA256()))
+
+
+@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
+class TestECDHVectors(object):
+ @pytest.mark.parametrize(
+ "vector",
+ load_vectors_from_file(
+ os.path.join(
+ "asymmetric", "ECDH",
+ "KASValidityTest_ECCStaticUnified_NOKC_ZZOnly_init.fax"),
+ load_kasvs_ecdh_vectors
+ )
+ )
+ def test_key_exchange_with_vectors(self, backend, vector):
+ _skip_exchange_algorithm_unsupported(
+ backend, ec.ECDH(), ec._CURVE_TYPES[vector['curve']]
+ )
+
+ key_numbers = vector['IUT']
+ private_numbers = ec.EllipticCurvePrivateNumbers(
+ key_numbers['d'],
+ ec.EllipticCurvePublicNumbers(
+ key_numbers['x'],
+ key_numbers['y'],
+ ec._CURVE_TYPES[vector['curve']]()
+ )
+ )
+ # Errno 5 and 6 indicates a bad public key, this doesn't test the ECDH
+ # code at all
+ if vector['fail'] and vector['errno'] in [5, 6]:
+ with pytest.raises(ValueError):
+ private_numbers.private_key(backend)
+ return
+ else:
+ private_key = private_numbers.private_key(backend)
+
+ peer_numbers = vector['CAVS']
+ public_numbers = ec.EllipticCurvePublicNumbers(
+ peer_numbers['x'],
+ peer_numbers['y'],
+ ec._CURVE_TYPES[vector['curve']]()
+ )
+ # Errno 1 and 2 indicates a bad public key, this doesn't test the ECDH
+ # code at all
+ if vector['fail'] and vector['errno'] in [1, 2]:
+ with pytest.raises(ValueError):
+ public_numbers.public_key(backend)
+ return
+ else:
+ peer_pubkey = public_numbers.public_key(backend)
+
+ z = private_key.exchange(ec.ECDH(), peer_pubkey)
+ z = int(hexlify(z).decode('ascii'), 16)
+ # At this point fail indicates that one of the underlying keys was
+ # changed. This results in a non-matching derived key.
+ if vector['fail']:
+ assert z != vector['Z']
+ else:
+ assert z == vector['Z']
+
+ def test_exchange_unsupported_algorithm(self, backend):
+ _skip_curve_unsupported(backend, ec.SECP256R1())
+
+ key = load_vectors_from_file(
+ os.path.join(
+ "asymmetric", "PKCS8", "ec_private_key.pem"),
+ lambda pemfile: serialization.load_pem_private_key(
+ pemfile.read().encode(), None, backend
+ )
+ )
+
+ with raises_unsupported_algorithm(
+ exceptions._Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
+ ):
+ key.exchange(None, key.public_key())
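Review bot: In `test_key_exchange_with_vectors` the support check is passed the curve class, `ec._CURVE_TYPES[vector['curve']]`, while both `EllipticCurvePublicNumbers` constructions in the same test instantiate it; the skip guard should receive an instance too: `backend, ec.ECDH(), ec._CURVE_TYPES[vector['curve']]()`. A backend that checks the curve with `isinstance`, as the lines removed from tests/hazmat/backends/test_multibackend.py did, would report every curve as unsupported and silently skip all vectors. Separately, comparing `z` as an integer discards leading zero bytes, so a backend returning a shortened shared secret would still pass. Asserting `len(z) == (curve.key_size + 7) // 8`, with `curve` being the instantiated vector curve, before the `hexlify` conversion would pin the fixed-length output.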
diff --git a/tests/test_utils.py b/tests/test_utils.py
index 04182a06..72e20725 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -3363,7 +3363,7 @@ def test_load_kasvs_ecdh_kdf_vectors():
[EB - SHA224]
- COUNT = 0
+ COUNT = 50
dsCAVS = 540904b67b3716823dd621ed72ad3dbc615887b4f56f910b78a57199
QsCAVSx = 28e5f3a72d8f6b8499dd1bcdfceafcecec68a0d715789bcf4b55fe15
QsCAVSy = 8c8006a7da7c1a19f5328d7e865522b0c0dfb9a29b2c46dc96590d2a
@@ -3385,7 +3385,7 @@ ffdfa60dd7
expected = [
{'errno': 12,
'fail': True,
- 'COUNT': 0,
+ 'COUNT': 50,
'CAVS': {
'd': int("540904b67b3716823dd621ed72ad3dbc615887b4f56f910b"
"78a57199", 16),
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 1bc14620..8f469366 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -857,6 +857,20 @@ class TestExtensions(object):
assert ext is not None
assert isinstance(ext.value, x509.BasicConstraints)
+ def test_repr(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "basic_constraints_not_critical.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+ assert repr(cert.extensions) == (
+ "<Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name"
+ "=basicConstraints)>, critical=False, value=<BasicConstraints(ca=F"
+ "alse, path_length=None)>)>])>"
+ )
+
@pytest.mark.requires_backend_interface(interface=RSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
diff --git a/tests/utils.py b/tests/utils.py
index cc3f9fcc..3970109e 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -722,7 +722,7 @@ def load_kasvs_ecdh_vectors(vector_data):
if line.startswith("["):
tag = line.split()[0][1:]
elif line.startswith("COUNT = "):
- data["COUNT"] = int(line.split("=")[1], 16)
+ data["COUNT"] = int(line.split("=")[1])
elif line.startswith("dsCAVS = "):
data["CAVS"]["d"] = int(line.split("=")[1], 16)
elif line.startswith("QsCAVSx = "):