From 643b314ede639c2fa100a5b20740c8827952299b Mon Sep 17 00:00:00 2001 From: Mohammed Attia Date: Fri, 25 Apr 2014 13:31:32 +0200 Subject: Add verification tests --- tests/hazmat/primitives/test_dsa.py | 104 ++++++++++++++++++++++++++++++++++-- 1 file changed, 99 insertions(+), 5 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index bc3b1db6..3e37fdf4 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -18,13 +18,15 @@ import os import pytest -from cryptography.exceptions import _Reasons +from cryptography.exceptions import ( + AlreadyFinalized, InvalidSignature, _Reasons) +from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import dsa from cryptography.utils import bit_length from ...utils import ( - load_fips_dsa_key_pair_vectors, load_vectors_from_file, - raises_unsupported_algorithm + load_fips_dsa_key_pair_vectors, load_fips_dsa_sig_vectors, + load_vectors_from_file, raises_unsupported_algorithm ) @@ -720,12 +722,104 @@ class TestDSA(object): ) +@pytest.mark.dsa +class TestDSAVerification(object): + @pytest.mark.parametrize( + "vector", + load_vectors_from_file( + os.path.join( + "asymmetric", "DSA", "FIPS_186-3", "SigVer.rsp"), + load_fips_dsa_sig_vectors + ) + ) + def test_dsa_verification(self, vector, backend): + public_key = dsa.DSAPublicKey(vector['p'], vector['q'], vector['g'], + vector['y']) + + digest_algorithm = vector['digest_algorithm'].replace("-", "") + algorithms_dict = { + 'SHA1': hashes.SHA1, + 'SHA224': hashes.SHA224, + 'SHA256': hashes.SHA256, + 'SHA384': hashes.SHA384, + 'SHA512': hashes.SHA512} + + algorithm = algorithms_dict[digest_algorithm] + + if ( + backend.dsa_parameters_supported(vector['p'], vector['q']) + and backend.dsa_hash_supported(algorithm) + ): + sig_buf = backend.dsa_signature_from_components( + vector['r'], vector['s']) + + verifier = public_key.verifier( + sig_buf, algorithm(), backend) + + verifier.update(vector['msg']) + + if vector['result'] == "F": + with pytest.raises(InvalidSignature): + verifier.verify() + else: + verifier.verify() + with pytest.raises(AlreadyFinalized): + verifier.verify() + with pytest.raises(AlreadyFinalized): + verifier.update(b"more data") + + @pytest.mark.parametrize( + "vector", + load_vectors_from_file( + os.path.join( + "asymmetric", "DSA", "FIPS_186-3", "SigVer.rsp"), + load_fips_dsa_sig_vectors + ) + ) + def test_dsa_verifier_invalid_digest_algorithm(self, vector, backend): + public_key = dsa.DSAPublicKey(vector['p'], vector['q'], vector['g'], + vector['y']) + + digest_algorithm = vector['digest_algorithm'].replace("-", "") + algorithms_dict = { + 'SHA1': hashes.SHA1, + 'SHA224': hashes.SHA224, + 'SHA256': hashes.SHA256, + 'SHA384': hashes.SHA384, + 'SHA512': hashes.SHA512} + + algorithm = algorithms_dict[digest_algorithm] + + if ( + backend.dsa_parameters_supported(vector['p'], vector['q']) + and backend.dsa_hash_supported(algorithm) + ): + sig_buf = backend.dsa_signature_from_components( + vector['r'], vector['s']) + + with raises_unsupported_algorithm( + _Reasons.UNSUPPORTED_HASH): + public_key.verifier(sig_buf, hashes.MD5(), backend) + + def test_dsa_verifier_invalid_backend(self, backend): + pretend_backend = object() + params = dsa.DSAParameters.generate(1024, backend) + private_key = dsa.DSAPrivateKey.generate(params, backend) + public_key = private_key.public_key() + + with raises_unsupported_algorithm( + _Reasons.BACKEND_MISSING_INTERFACE): + public_key.verifier(b"sig", hashes.SHA1(), pretend_backend) + + def test_dsa_generate_invalid_backend(): pretend_backend = object() - with raises_unsupported_algorithm(_Reasons.BACKEND_MISSING_INTERFACE): + with raises_unsupported_algorithm( + _Reasons.BACKEND_MISSING_INTERFACE): dsa.DSAParameters.generate(1024, pretend_backend) pretend_parameters = object() - with raises_unsupported_algorithm(_Reasons.BACKEND_MISSING_INTERFACE): + with raises_unsupported_algorithm( + _Reasons.BACKEND_MISSING_INTERFACE): dsa.DSAPrivateKey.generate(pretend_parameters, pretend_backend) -- cgit v1.2.3 From 244d5fdada17fdc189fbe5f5e213842e27cfa2e3 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 30 Apr 2014 16:00:06 -0500 Subject: fix pep8 violation --- tests/hazmat/primitives/test_dsa.py | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index 3e37fdf4..5a3c232c 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -746,10 +746,8 @@ class TestDSAVerification(object): algorithm = algorithms_dict[digest_algorithm] - if ( - backend.dsa_parameters_supported(vector['p'], vector['q']) - and backend.dsa_hash_supported(algorithm) - ): + if (backend.dsa_parameters_supported(vector['p'], vector['q']) + and backend.dsa_hash_supported(algorithm)): sig_buf = backend.dsa_signature_from_components( vector['r'], vector['s']) @@ -790,10 +788,8 @@ class TestDSAVerification(object): algorithm = algorithms_dict[digest_algorithm] - if ( - backend.dsa_parameters_supported(vector['p'], vector['q']) - and backend.dsa_hash_supported(algorithm) - ): + if (backend.dsa_parameters_supported(vector['p'], vector['q']) + and backend.dsa_hash_supported(algorithm)): sig_buf = backend.dsa_signature_from_components( vector['r'], vector['s']) -- cgit v1.2.3 From ddc2221de491c16a75a197089b1b35822fe63ef8 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 30 Apr 2014 16:20:46 -0500 Subject: restructure some tests, add skip, use der_encode_dsa_signature --- tests/hazmat/primitives/test_dsa.py | 96 +++++++++++++++++-------------------- 1 file changed, 45 insertions(+), 51 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index 5a3c232c..e9c9ca24 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -25,8 +25,9 @@ from cryptography.hazmat.primitives.asymmetric import dsa from cryptography.utils import bit_length from ...utils import ( - load_fips_dsa_key_pair_vectors, load_fips_dsa_sig_vectors, - load_vectors_from_file, raises_unsupported_algorithm + der_encode_dsa_signature, load_fips_dsa_key_pair_vectors, + load_fips_dsa_sig_vectors, load_vectors_from_file, + raises_unsupported_algorithm ) @@ -724,6 +725,14 @@ class TestDSA(object): @pytest.mark.dsa class TestDSAVerification(object): + _algorithms_dict = { + 'SHA1': hashes.SHA1, + 'SHA224': hashes.SHA224, + 'SHA256': hashes.SHA256, + 'SHA384': hashes.SHA384, + 'SHA512': hashes.SHA512 + } + @pytest.mark.parametrize( "vector", load_vectors_from_file( @@ -733,38 +742,29 @@ class TestDSAVerification(object): ) ) def test_dsa_verification(self, vector, backend): - public_key = dsa.DSAPublicKey(vector['p'], vector['q'], vector['g'], - vector['y']) - digest_algorithm = vector['digest_algorithm'].replace("-", "") - algorithms_dict = { - 'SHA1': hashes.SHA1, - 'SHA224': hashes.SHA224, - 'SHA256': hashes.SHA256, - 'SHA384': hashes.SHA384, - 'SHA512': hashes.SHA512} - - algorithm = algorithms_dict[digest_algorithm] - - if (backend.dsa_parameters_supported(vector['p'], vector['q']) - and backend.dsa_hash_supported(algorithm)): - sig_buf = backend.dsa_signature_from_components( - vector['r'], vector['s']) - - verifier = public_key.verifier( - sig_buf, algorithm(), backend) - - verifier.update(vector['msg']) + algorithm = self._algorithms_dict[digest_algorithm] + if (not backend.dsa_parameters_supported(vector['p'], vector['q']) + or not backend.dsa_hash_supported(algorithm)): + pytest.skip( + "{0} does not support the provided parameters".format(backend) + ) - if vector['result'] == "F": - with pytest.raises(InvalidSignature): - verifier.verify() - else: + public_key = dsa.DSAPublicKey( + vector['p'], vector['q'], vector['g'], vector['y'] + ) + sig = der_encode_dsa_signature(vector['r'], vector['s']) + verifier = public_key.verifier(sig, algorithm(), backend) + verifier.update(vector['msg']) + if vector['result'] == "F": + with pytest.raises(InvalidSignature): + verifier.verify() + else: + verifier.verify() + with pytest.raises(AlreadyFinalized): verifier.verify() - with pytest.raises(AlreadyFinalized): - verifier.verify() - with pytest.raises(AlreadyFinalized): - verifier.update(b"more data") + with pytest.raises(AlreadyFinalized): + verifier.update(b"more data") @pytest.mark.parametrize( "vector", @@ -775,27 +775,21 @@ class TestDSAVerification(object): ) ) def test_dsa_verifier_invalid_digest_algorithm(self, vector, backend): - public_key = dsa.DSAPublicKey(vector['p'], vector['q'], vector['g'], - vector['y']) - digest_algorithm = vector['digest_algorithm'].replace("-", "") - algorithms_dict = { - 'SHA1': hashes.SHA1, - 'SHA224': hashes.SHA224, - 'SHA256': hashes.SHA256, - 'SHA384': hashes.SHA384, - 'SHA512': hashes.SHA512} - - algorithm = algorithms_dict[digest_algorithm] - - if (backend.dsa_parameters_supported(vector['p'], vector['q']) - and backend.dsa_hash_supported(algorithm)): - sig_buf = backend.dsa_signature_from_components( - vector['r'], vector['s']) - - with raises_unsupported_algorithm( - _Reasons.UNSUPPORTED_HASH): - public_key.verifier(sig_buf, hashes.MD5(), backend) + algorithm = self._algorithms_dict[digest_algorithm] + if (not backend.dsa_parameters_supported(vector['p'], vector['q']) + or not backend.dsa_hash_supported(algorithm)): + pytest.skip( + "{0} does not support the provided parameters".format(backend) + ) + + public_key = dsa.DSAPublicKey( + vector['p'], vector['q'], vector['g'], vector['y'] + ) + sig = der_encode_dsa_signature(vector['r'], vector['s']) + with raises_unsupported_algorithm( + _Reasons.UNSUPPORTED_HASH): + public_key.verifier(sig, hashes.MD5(), backend) def test_dsa_verifier_invalid_backend(self, backend): pretend_backend = object() -- cgit v1.2.3 From 3cbe11a45195a4dcf6f3c385eac2965d1ab1fb72 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 30 Apr 2014 16:28:08 -0500 Subject: remove hash check in verifier as this isn't a proper restriction --- tests/hazmat/primitives/test_dsa.py | 25 ------------------------- 1 file changed, 25 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index e9c9ca24..3f65fd5a 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -766,31 +766,6 @@ class TestDSAVerification(object): with pytest.raises(AlreadyFinalized): verifier.update(b"more data") - @pytest.mark.parametrize( - "vector", - load_vectors_from_file( - os.path.join( - "asymmetric", "DSA", "FIPS_186-3", "SigVer.rsp"), - load_fips_dsa_sig_vectors - ) - ) - def test_dsa_verifier_invalid_digest_algorithm(self, vector, backend): - digest_algorithm = vector['digest_algorithm'].replace("-", "") - algorithm = self._algorithms_dict[digest_algorithm] - if (not backend.dsa_parameters_supported(vector['p'], vector['q']) - or not backend.dsa_hash_supported(algorithm)): - pytest.skip( - "{0} does not support the provided parameters".format(backend) - ) - - public_key = dsa.DSAPublicKey( - vector['p'], vector['q'], vector['g'], vector['y'] - ) - sig = der_encode_dsa_signature(vector['r'], vector['s']) - with raises_unsupported_algorithm( - _Reasons.UNSUPPORTED_HASH): - public_key.verifier(sig, hashes.MD5(), backend) - def test_dsa_verifier_invalid_backend(self, backend): pretend_backend = object() params = dsa.DSAParameters.generate(1024, backend) -- cgit v1.2.3 From 7c5f131417049120c968fc047ef63cb25d245d2d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 1 May 2014 08:27:28 -0500 Subject: move use after finalize to its own test --- tests/hazmat/primitives/test_dsa.py | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index 3f65fd5a..67f90295 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -761,10 +761,19 @@ class TestDSAVerification(object): verifier.verify() else: verifier.verify() - with pytest.raises(AlreadyFinalized): - verifier.verify() - with pytest.raises(AlreadyFinalized): - verifier.update(b"more data") + + def test_use_after_finalize(self, backend): + parameters = dsa.DSAParameters.generate(1024, backend) + private_key = dsa.DSAPrivateKey.generate(parameters, backend) + public_key = private_key.public_key() + verifier = public_key.verifier(b'fakesig', hashes.SHA1(), backend) + verifier.update(b'irrelevant') + with pytest.raises(InvalidSignature): + verifier.verify() + with pytest.raises(AlreadyFinalized): + verifier.verify() + with pytest.raises(AlreadyFinalized): + verifier.update(b"more data") def test_dsa_verifier_invalid_backend(self, backend): pretend_backend = object() -- cgit v1.2.3 From 21babbb5001cd98ed9dfbc458cbf376223ab6588 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 1 May 2014 11:33:22 -0500 Subject: updates for review feedback --- tests/hazmat/primitives/test_dsa.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index 67f90295..c6642e07 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -744,8 +744,11 @@ class TestDSAVerification(object): def test_dsa_verification(self, vector, backend): digest_algorithm = vector['digest_algorithm'].replace("-", "") algorithm = self._algorithms_dict[digest_algorithm] - if (not backend.dsa_parameters_supported(vector['p'], vector['q']) - or not backend.dsa_hash_supported(algorithm)): + if ( + not backend.dsa_parameters_supported( + vector['p'], vector['q'], vector['g'] + ) or not backend.dsa_hash_supported(algorithm) + ): pytest.skip( "{0} does not support the provided parameters".format(backend) ) -- cgit v1.2.3 From f58d1ab6cf5d90ae06a593fca52ab388d75da068 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 1 May 2014 12:58:16 -0500 Subject: add check to ensure only invalid ASN1 gives InvalidSignature in DSA --- tests/hazmat/primitives/test_dsa.py | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py index c6642e07..4c3cd58a 100644 --- a/tests/hazmat/primitives/test_dsa.py +++ b/tests/hazmat/primitives/test_dsa.py @@ -765,6 +765,15 @@ class TestDSAVerification(object): else: verifier.verify() + def test_dsa_verify_invalid_asn1(self, backend): + parameters = dsa.DSAParameters.generate(1024, backend) + private_key = dsa.DSAPrivateKey.generate(parameters, backend) + public_key = private_key.public_key() + verifier = public_key.verifier(b'fakesig', hashes.SHA1(), backend) + verifier.update(b'fakesig') + with pytest.raises(InvalidSignature): + verifier.verify() + def test_use_after_finalize(self, backend): parameters = dsa.DSAParameters.generate(1024, backend) private_key = dsa.DSAPrivateKey.generate(parameters, backend) -- cgit v1.2.3