From b5b6bd13a22ee48eec55817867a2c8737addeee0 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sat, 7 Sep 2019 11:22:51 +0800
Subject: fix coverage by adding two artificial DSA public keys (#4984)

* fix coverage by adding two artificial DSA public keys

One key removes the optional parameters from the structure to cover a
branch conditional, and the other key has its BITSTRING padding value
set to a non-zero value.

* lexicographic? never heard of it
---
 docs/development/test-vectors.rst                  |   5 ++++
 tests/x509/test_x509_ext.py                        |  32 +++++++++++++++++++++
 .../dsa_public_key_invalid_bit_string.der          | Bin 0 -> 830 bytes
 .../DER_Serialization/dsa_public_key_no_params.der | Bin 0 -> 280 bytes
 4 files changed, 37 insertions(+)
 create mode 100644 vectors/cryptography_vectors/asymmetric/DER_Serialization/dsa_public_key_invalid_bit_string.der
 create mode 100644 vectors/cryptography_vectors/asymmetric/DER_Serialization/dsa_public_key_no_params.der

diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index f4387215..7584881a 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -86,6 +86,11 @@ Custom asymmetric vectors
 * ``asymmetric/PEM_Serialization/dsa_public_key.pem`` and
   ``asymmetric/DER_Serialization/dsa_public_key.der`` - Contains a DSA 2048 bit
   key generated using OpenSSL from ``dsa_private_key.pem``.
+* ``asymmetric/DER_Serialization/dsa_public_key_no_params.der`` - Contains a
+  DSA public key with the optional parameters removed.
+* ``asymmetric/DER_Serialization/dsa_public_key_invalid_bit_string.der`` -
+  Contains a DSA public key with the bit string padding value set to 2 rather
+  than the required 0.
 * ``asymmetric/PKCS8/unenc-dsa-pkcs8.pem`` and
   ``asymmetric/DER_Serialization/unenc-dsa-pkcs8.der`` - Contains a DSA 1024
   bit key generated using OpenSSL.
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 11e35207..cf757abd 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -9,6 +9,8 @@ import datetime
 import ipaddress
 import os
 
+import pretend
+
 import pytest
 
 import six
@@ -20,6 +22,7 @@ from cryptography.hazmat.backends.interfaces import (
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.x509 import DNSName, NameConstraints, SubjectAlternativeName
+from cryptography.x509.extensions import _key_identifier_from_public_key
 from cryptography.x509.general_name import _lazy_import_idna
 from cryptography.x509.oid import (
     AuthorityInformationAccessOID, ExtendedKeyUsageOID, ExtensionOID,
@@ -29,6 +32,7 @@ from cryptography.x509.oid import (
 from .test_x509 import _load_cert
 from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048
 from ..hazmat.primitives.test_ec import _skip_curve_unsupported
+from ..utils import load_vectors_from_file
 
 
 def _make_certbuilder(private_key):
@@ -1591,6 +1595,34 @@ class TestSubjectKeyIdentifierExtension(object):
         )
         assert ext.value == ski
 
+    @pytest.mark.requires_backend_interface(interface=DSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_invalid_bit_string_padding_from_public_key(self, backend):
+        data = load_vectors_from_file(
+            filename=os.path.join(
+                "asymmetric", "DER_Serialization",
+                "dsa_public_key_invalid_bit_string.der"
+            ), loader=lambda data: data.read(), mode="rb"
+        )
+        pretend_key = pretend.stub(public_bytes=lambda x, y: data)
+        with pytest.raises(ValueError):
+            _key_identifier_from_public_key(pretend_key)
+
+    @pytest.mark.requires_backend_interface(interface=DSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_no_optional_params_allowed_from_public_key(self, backend):
+        data = load_vectors_from_file(
+            filename=os.path.join(
+                "asymmetric", "DER_Serialization",
+                "dsa_public_key_no_params.der"
+            ), loader=lambda data: data.read(), mode="rb"
+        )
+        pretend_key = pretend.stub(public_bytes=lambda x, y: data)
+        key_identifier = _key_identifier_from_public_key(pretend_key)
+        assert key_identifier == binascii.unhexlify(
+            b"24c0133a6a492f2c48a18c7648e515db5ac76749"
+        )
+
     @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
     @pytest.mark.requires_backend_interface(interface=X509Backend)
     def test_from_ec_public_key(self, backend):
diff --git a/vectors/cryptography_vectors/asymmetric/DER_Serialization/dsa_public_key_invalid_bit_string.der b/vectors/cryptography_vectors/asymmetric/DER_Serialization/dsa_public_key_invalid_bit_string.der
new file mode 100644
index 00000000..7358bc1d
Binary files /dev/null and b/vectors/cryptography_vectors/asymmetric/DER_Serialization/dsa_public_key_invalid_bit_string.der differ
diff --git a/vectors/cryptography_vectors/asymmetric/DER_Serialization/dsa_public_key_no_params.der b/vectors/cryptography_vectors/asymmetric/DER_Serialization/dsa_public_key_no_params.der
new file mode 100644
index 00000000..0270ac15
Binary files /dev/null and b/vectors/cryptography_vectors/asymmetric/DER_Serialization/dsa_public_key_no_params.der differ
-- 
cgit v1.2.3