From 0e8cdf1023f6e2045de444b1c7e09f40cccf019e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 13 Dec 2016 21:05:35 -0500 Subject: Drop 1.0.0 (#3312) * delete the 1.0.0 support * drop the version check * drop the AES-CTR stuff * Update the example * openssl truncates for us now * delete unused test * unused imports * Remove a bunch of conditional bindings for NPN * no more 1.0.0 builders * libressl fix * update the docs * remove dead branches * oops * this is a word, damnit * spelling * try removing this * this test is not needed * unused import --- tests/hazmat/backends/test_openssl.py | 152 +--------------------------------- tests/hazmat/bindings/test_openssl.py | 17 ++-- tests/test_x509.py | 12 --- tests/test_x509_crlbuilder.py | 4 - 4 files changed, 8 insertions(+), 177 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 47c46065..6d6f3452 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -4,7 +4,6 @@ from __future__ import absolute_import, division, print_function -import datetime import itertools import os import subprocess @@ -26,11 +25,9 @@ from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.hazmat.primitives.ciphers.algorithms import AES -from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR +from cryptography.hazmat.primitives.ciphers.modes import CBC -from ..primitives.fixtures_dsa import DSA_KEY_2048 from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 -from ..primitives.test_ec import _skip_curve_unsupported from ...doubles import ( DummyAsymmetricPadding, DummyCipherAlgorithm, DummyHashAlgorithm, DummyMode ) 
@@ -77,11 +74,6 @@ class TestOpenSSL(object): def test_supports_cipher(self): assert backend.cipher_supported(None, None) is False - def test_aes_ctr_always_available(self): - # AES CTR should always be available, even in 1.0.0. - assert backend.cipher_supported(AES(b"\x00" * 16), - CTR(b"\x00" * 16)) is True - def test_register_duplicate_cipher_adapter(self): with pytest.raises(ValueError): backend.register_cipher_adapter(AES, CBC, None) @@ -325,35 +317,6 @@ class TestOpenSSLRSA(object): backend.generate_rsa_private_key(public_exponent=65537, key_size=256) - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_non_sha1_pss_mgf1_hash_algorithm_on_old_openssl(self): - private_key = RSA_KEY_512.private_key(backend) - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): - private_key.signer( - padding.PSS( - mgf=padding.MGF1( - algorithm=hashes.SHA256(), - ), - salt_length=padding.PSS.MAX_LENGTH - ), - hashes.SHA1() - ) - public_key = private_key.public_key() - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): - public_key.verifier( - b"sig", - padding.PSS( - mgf=padding.MGF1( - algorithm=hashes.SHA256(), - ), - salt_length=padding.PSS.MAX_LENGTH - ), - hashes.SHA1() - ) - def test_rsa_padding_unsupported_pss_mgf1_hash(self): assert backend.rsa_padding_supported( padding.PSS(mgf=padding.MGF1(DummyHashAlgorithm()), salt_length=0) 
@@ -500,39 +463,12 @@ class TestOpenSSLRSA(object): ) -@pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101, - reason="Requires an OpenSSL version >= 1.0.1" -) class TestOpenSSLCMAC(object): def test_unsupported_cipher(self): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): backend.create_cmac_ctx(DummyCipherAlgorithm()) -class TestOpenSSLCreateX509CSR(object): - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_unsupported_dsa_keys(self): - private_key = DSA_KEY_2048.private_key(backend) - - with pytest.raises(NotImplementedError): - backend.create_x509_csr(object(), private_key, hashes.SHA1()) - - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_unsupported_ec_keys(self): - _skip_curve_unsupported(backend, ec.SECP256R1()) - private_key = ec.generate_private_key(ec.SECP256R1(), backend) - - with pytest.raises(NotImplementedError): - backend.create_x509_csr(object(), private_key, hashes.SHA1()) - - class TestOpenSSLSignX509Certificate(object): def test_requires_certificate_builder(self): private_key = RSA_KEY_2048.private_key(backend) 
@@ -542,55 +478,6 @@ class TestOpenSSLSignX509Certificate(object): object(), private_key, DummyHashAlgorithm() ) - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_sign_with_dsa_private_key_is_unsupported(self): - private_key = DSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder() - builder = builder.subject_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).serial_number( - 1 - ).public_key( - private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2032, 1, 1, 12, 1) - ) - - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA512(), backend) - - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_sign_with_ec_private_key_is_unsupported(self): - _skip_curve_unsupported(backend, ec.SECP256R1()) - private_key = ec.generate_private_key(ec.SECP256R1(), backend) - builder = x509.CertificateBuilder() - builder = builder.subject_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).serial_number( - 1 - ).public_key( - private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2032, 1, 1, 12, 1) - ) - - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA512(), backend) - class TestOpenSSLSignX509CertificateRevocationList(object): def test_invalid_builder(self): 
@@ -599,43 +486,6 @@ class TestOpenSSLSignX509CertificateRevocationList(object): with pytest.raises(TypeError): backend.create_x509_crl(object(), private_key, hashes.SHA256()) - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_sign_with_dsa_private_key_is_unsupported(self): - private_key = DSA_KEY_2048.private_key(backend) - builder = x509.CertificateRevocationListBuilder() - builder = builder.issuer_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).last_update( - datetime.datetime(2002, 1, 1, 12, 1) - ).next_update( - datetime.datetime(2032, 1, 1, 12, 1) - ) - - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA1(), backend) - - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_sign_with_ec_private_key_is_unsupported(self): - _skip_curve_unsupported(backend, ec.SECP256R1()) - private_key = ec.generate_private_key(ec.SECP256R1(), backend) - builder = x509.CertificateRevocationListBuilder() - builder = builder.issuer_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).last_update( - datetime.datetime(2002, 1, 1, 12, 1) - ).next_update( - datetime.datetime(2032, 1, 1, 12, 1) - ) - - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA512(), backend) - class TestOpenSSLCreateRevokedCertificate(object): def test_invalid_builder(self): diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index 3e01717c..85b51725 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py 
@@ -8,7 +8,7 @@ import pytest from cryptography.exceptions import InternalError from cryptography.hazmat.bindings.openssl.binding import ( - Binding, _OpenSSLErrorWithText, _openssl_assert, _verify_openssl_version + Binding, _OpenSSLErrorWithText, _openssl_assert ) @@ -79,11 +79,14 @@ class TestOpenSSL(object): def test_conditional_removal(self): b = Binding() - if b.lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER: - assert b.lib.CMAC_Init + if ( + b.lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and + not b.lib.CRYPTOGRAPHY_IS_LIBRESSL + ): + assert b.lib.TLS_ST_OK else: with pytest.raises(AttributeError): - b.lib.CMAC_Init + b.lib.TLS_ST_OK def test_openssl_assert_error_on_stack(self): b = Binding() @@ -107,9 +110,3 @@ class TestOpenSSL(object): b'ex:data not multiple of block length' ) )] - - def test_verify_openssl_version(self, monkeypatch): - monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_100", raising=False) - with pytest.raises(RuntimeError): - # OpenSSL 1.0.0 - _verify_openssl_version(0x100000F) diff --git a/tests/test_x509.py b/tests/test_x509.py index 966cba6f..1ecf6b6a 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -2082,9 +2082,6 @@ class TestCertificateBuilder(object): @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_cert_with_dsa_private_key(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") - issuer_private_key = DSA_KEY_2048.private_key(backend) subject_private_key = DSA_KEY_2048.private_key(backend) 
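Review bot: In `test_conditional_removal` (the `@@ -79,11 +79,14 @@` hunk of tests/hazmat/bindings/test_openssl.py), `assert b.lib.TLS_ST_OK` checks the truthiness of a constant's value rather than the presence of the name. The old probe, `CMAC_Init`, was a function and therefore always truthy; a constant bound to 0 would fail the positive branch even when the symbol is correctly exposed. The value of `TLS_ST_OK` is not visible in this diff, so `assert hasattr(b.lib, "TLS_ST_OK")` would state the intent without depending on it, and it mirrors the `AttributeError` check in the else branch. A one-line comment such as `# TLS_ST_OK: probe symbol expected only on OpenSSL >= 1.1.0, not LibreSSL` would record why this name was chosen, judging by the condition above it. This test is the only check in the file that the binding layer hides names the linked library does not provide.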
@@ -2130,9 +2127,6 @@ class TestCertificateBuilder(object): @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_cert_with_ec_private_key(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") - _skip_curve_unsupported(backend, ec.SECP256R1()) issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend) subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend) @@ -2734,9 +2728,6 @@ class TestCertificateSigningRequestBuilder(object): @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) def test_build_ca_request_with_ec(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") - _skip_curve_unsupported(backend, ec.SECP256R1()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) @@ -2764,9 +2755,6 @@ class TestCertificateSigningRequestBuilder(object): @pytest.mark.requires_backend_interface(interface=DSABackend) def test_build_ca_request_with_dsa(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") - private_key = DSA_KEY_2048.private_key(backend) request = x509.CertificateSigningRequestBuilder().subject_name( diff --git a/tests/test_x509_crlbuilder.py b/tests/test_x509_crlbuilder.py index 0d29a3ea..f0306ef0 100644 --- a/tests/test_x509_crlbuilder.py +++ b/tests/test_x509_crlbuilder.py 
@@ -347,8 +347,6 @@ class TestCertificateRevocationListBuilder(object): @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_sign_dsa_key(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") private_key = DSA_KEY_2048.private_key(backend) invalidity_date = x509.InvalidityDate( datetime.datetime(2002, 1, 1, 0, 0) @@ -393,8 +391,6 @@ class TestCertificateRevocationListBuilder(object): @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_sign_ec_key_unsupported(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") _skip_curve_unsupported(backend, ec.SECP256R1()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) invalidity_date = x509.InvalidityDate( -- cgit v1.2.3