From 00f94097219d14036d7172994e54dc6a6d2fa8f3 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Sat, 10 Oct 2015 15:42:17 -0400 Subject: Catch Invalid X or Y points and raise a ValueError Signed-off-by: Simo Sorce --- tests/hazmat/primitives/test_ec.py | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 59bdc525..5467464a 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -285,6 +285,35 @@ class TestECDSAVectors(object): with pytest.raises(ValueError): numbers.private_key(backend) + def test_load_invalid_public_ec_key_from_numbers(self, backend): + _skip_curve_unsupported(backend, ec.SECP521R1()) + + # Bad X coordinate + numbers = ec.EllipticCurvePublicNumbers( + int("000003647356b91f8ace114c7247ecf4f4a622553fc025e04a178f179ef27" + "9090c184af678a4c78f635483bdd8aa544851c6ef291c1f0d6a241ebfd145" + "77d1d30d9903ce", 16), + int("000001499bc7e079322ea0fcfbd6b40103fa6a1536c2257b182db0df4b369" + "6ec643adf100eb4f2025d1b873f82e5a475d6e4400ba777090eeb4563a115" + "09e4c87319dc26", 16), + ec.SECP521R1() + ) + with pytest.raises(ValueError): + numbers.public_key(backend) + + # Bad Y coordinate + numbers = ec.EllipticCurvePublicNumbers( + int("0000019aadc221cc0525118ab6d5aa1f64720603de0be128cbfea0b381ad8" + "02a2facc6370bb58cf88b3f0c692bc654ee19d6cad198f10d4b681b396f20" + "d2e40603fa945b", 16), + int("0000025da392803a320717a08d4cb3dea932039badff363b71bdb8064e726" + "6c7f4f4b748d4d425347fc33e3885d34b750fa7fcd5691f4d90c89522ce33" + "feff5db10088a5", 16), + ec.SECP521R1() + ) + with pytest.raises(ValueError): + numbers.public_key(backend) + @pytest.mark.parametrize( "vector", itertools.chain( -- cgit v1.2.3 From 6e3b155bb684bb036fba277756a0ca47ce551443 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 13 Oct 2015 14:45:21 -0400 Subject: Fix load_kasvs_ecdh_vectors() COUNT sourcing COUNT is a decimal number in test files, but was erroneously read and converted as if the source was a hexadecimal number. Fix the loader and test the fix. Signed-off-by: Simo Sorce --- tests/test_utils.py | 4 ++-- tests/utils.py | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'tests') diff --git a/tests/test_utils.py b/tests/test_utils.py index 04182a06..72e20725 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -3363,7 +3363,7 @@ def test_load_kasvs_ecdh_kdf_vectors(): [EB - SHA224] - COUNT = 0 + COUNT = 50 dsCAVS = 540904b67b3716823dd621ed72ad3dbc615887b4f56f910b78a57199 QsCAVSx = 28e5f3a72d8f6b8499dd1bcdfceafcecec68a0d715789bcf4b55fe15 QsCAVSy = 8c8006a7da7c1a19f5328d7e865522b0c0dfb9a29b2c46dc96590d2a @@ -3385,7 +3385,7 @@ ffdfa60dd7 expected = [ {'errno': 12, 'fail': True, - 'COUNT': 0, + 'COUNT': 50, 'CAVS': { 'd': int("540904b67b3716823dd621ed72ad3dbc615887b4f56f910b" "78a57199", 16), diff --git a/tests/utils.py b/tests/utils.py index cc3f9fcc..3970109e 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -722,7 +722,7 @@ def load_kasvs_ecdh_vectors(vector_data): if line.startswith("["): tag = line.split()[0][1:] elif line.startswith("COUNT = "): - data["COUNT"] = int(line.split("=")[1], 16) + data["COUNT"] = int(line.split("=")[1]) elif line.startswith("dsCAVS = "): data["CAVS"]["d"] = int(line.split("=")[1], 16) elif line.startswith("QsCAVSx = "): -- cgit v1.2.3 From 9aaeee0dc62189204f38097c815a0913fabe006c Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Thu, 30 Apr 2015 14:06:47 -0400 Subject: Add an Elliptic Curve Key Exchange Algorithm(ECDH) The ECDH Key Exchange algorithm as standardized in NIST publication 800-56A Revision 2 Includes tests with vectors from NIST. Signed-off-by: Simo Sorce --- tests/hazmat/backends/test_multibackend.py | 12 +++- tests/hazmat/backends/test_openssl.py | 14 +++++ tests/hazmat/primitives/test_ec.py | 94 +++++++++++++++++++++++++++++- 3 files changed, 117 insertions(+), 3 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py index 4d17cdb0..57aa7f44 100644 --- a/tests/hazmat/backends/test_multibackend.py +++ b/tests/hazmat/backends/test_multibackend.py @@ -138,8 +138,9 @@ class DummyCMACBackend(object): @utils.register_interface(EllipticCurveBackend) class DummyEllipticCurveBackend(object): - def __init__(self, supported_curves): + def __init__(self, supported_curves, exchange_supported): self._curves = supported_curves + self.exchange_supported = exchange_supported def elliptic_curve_supported(self, curve): return any( @@ -170,6 +171,9 @@ class DummyEllipticCurveBackend(object): if not self.elliptic_curve_supported(numbers.curve): raise UnsupportedAlgorithm(_Reasons.UNSUPPORTED_ELLIPTIC_CURVE) + def elliptic_curve_exchange_algorithm_supported(self): + return self.exchange_supported + @utils.register_interface(PEMSerializationBackend) class DummyPEMSerializationBackend(object): @@ -400,7 +404,7 @@ class TestMultiBackend(object): backend = MultiBackend([ DummyEllipticCurveBackend([ ec.SECT283K1 - ]) + ], True) ]) assert backend.elliptic_curve_supported(ec.SECT283K1()) is True @@ -462,6 +466,10 @@ class TestMultiBackend(object): ) ) + assert backend.elliptic_curve_exchange_algorithm_supported() is True + backend2 = MultiBackend([DummyEllipticCurveBackend([], False)]) + assert backend2.elliptic_curve_exchange_algorithm_supported() is False + def test_pem_serialization_backend(self): backend = MultiBackend([DummyPEMSerializationBackend()]) diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 8fd0d711..13162046 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -534,6 +534,11 @@ class DummyLibrary(object): Cryptography_HAS_EC = 0 +class DummyLibraryECDH(object): + Cryptography_HAS_EC = 1 + Cryptography_HAS_ECDH = 0 + + class TestOpenSSLEllipticCurve(object): def test_elliptic_curve_supported(self, monkeypatch): monkeypatch.setattr(backend, "_lib", DummyLibrary()) @@ -551,6 +556,15 @@ class TestOpenSSLEllipticCurve(object): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_ELLIPTIC_CURVE): _sn_to_elliptic_curve(backend, b"fake") + def test_elliptic_curve_exchange_algorithm_supported(self, monkeypatch): + monkeypatch.setattr(backend, "_lib", DummyLibrary()) + + assert backend.elliptic_curve_exchange_algorithm_supported() is False + + monkeypatch.setattr(backend, "_lib", DummyLibraryECDH()) + + assert backend.elliptic_curve_exchange_algorithm_supported() is False + @pytest.mark.requires_backend_interface(interface=RSABackend) class TestRSAPEMSerialization(object): diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 5467464a..c3a99e5d 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -7,6 +7,8 @@ from __future__ import absolute_import, division, print_function import itertools import os +from binascii import hexlify + import pytest from cryptography import exceptions, utils @@ -21,7 +23,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import ( from ...utils import ( load_fips_ecdsa_key_pair_vectors, load_fips_ecdsa_signing_vectors, - load_vectors_from_file, raises_unsupported_algorithm + load_kasvs_ecdh_vectors, load_vectors_from_file, + raises_unsupported_algorithm ) _HASH_TYPES = { @@ -54,6 +57,15 @@ def _skip_curve_unsupported(backend, curve): ) +def _skip_exchange_algorithm_unsupported(backend): + if not backend.elliptic_curve_exchange_algorithm_supported(): + pytest.skip( + "Exchange algorithm is not supported by this backend {0}".format( + backend + ) + ) + + @utils.register_interface(ec.EllipticCurve) class DummyCurve(object): name = "dummy-curve" @@ -749,3 +761,83 @@ class TestECDSAVerification(object): public_key = key.public_key() with pytest.raises(TypeError): public_key.verifier(1234, ec.ECDSA(hashes.SHA256())) + + +class DummyECDHBackend(object): + @classmethod + def elliptic_curve_exchange_algorithm_supported(cls): + return False + + +@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) +class TestECDHVectors(object): + + def test_unsupported_ecdh_arguments(self, backend): + with pytest.raises(TypeError): + ec.ECDH(None) + curve = ec.SECP521R1 + _skip_curve_unsupported(backend, curve) + prikey = ec.generate_private_key(curve, backend) + ecdh = ec.ECDH(prikey) + ecdh.compute_key(ecdh.public_key()) + with pytest.raises(TypeError): + ecdh.compute_key(None) + with pytest.raises(exceptions.UnsupportedAlgorithm): + prikey._backend = DummyECDHBackend() + ecdh = ec.ECDH(prikey) + _skip_exchange_algorithm_unsupported(DummyECDHBackend()) + + def key_exchange(self, backend, vector): + key_numbers = vector['IUT'] + peer_numbers = vector['CAVS'] + + prikey = ec.EllipticCurvePrivateNumbers( + key_numbers['d'], + ec.EllipticCurvePublicNumbers( + key_numbers['x'], + key_numbers['y'], + ec._CURVE_TYPES[vector['curve']]() + ) + ).private_key(backend) + + peerkey = ec.EllipticCurvePrivateNumbers( + peer_numbers['d'], + ec.EllipticCurvePublicNumbers( + peer_numbers['x'], + peer_numbers['y'], + ec._CURVE_TYPES[vector['curve']]() + ) + ).private_key(backend) + peerpubkey = peerkey.public_key() + + ecdh = ec.ECDH(prikey) + z = ecdh.compute_key(peerpubkey) + + return int(hexlify(z).decode('ascii'), 16) + + @pytest.mark.parametrize( + "vector", + load_vectors_from_file( + os.path.join( + "asymmetric", "ECDH", + "KASValidityTest_ECCStaticUnified_NOKC_ZZOnly_init.fax"), + load_kasvs_ecdh_vectors + ) + ) + def test_key_exchange_with_vectors(self, backend, vector): + _skip_curve_unsupported(backend, ec._CURVE_TYPES[vector['curve']]) + _skip_exchange_algorithm_unsupported(backend) + + try: + z = self.key_exchange(backend, vector) + except ValueError: + assert vector['fail'] is True + + if vector['fail']: + # Errno 7 denotes a changed private key. Errno 8 denotes a changed + # shared key. Both these errors will not cause a failure in the + # exchange but should lead to a non-matching derived shared key. + if vector['errno'] in [7, 8]: + assert z != vector['Z'] + else: + assert z == vector['Z'] -- cgit v1.2.3 From 5cdfba5c8d06ed10510310de03e1df0265a89bcc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Oct 2015 16:33:04 -0400 Subject: a refactor to the API --- tests/hazmat/backends/test_multibackend.py | 27 +++++---- tests/hazmat/backends/test_openssl.py | 14 +---- tests/hazmat/primitives/test_ec.py | 94 +++++++++++++----------------- 3 files changed, 59 insertions(+), 76 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py index 57aa7f44..2a533750 100644 --- a/tests/hazmat/backends/test_multibackend.py +++ b/tests/hazmat/backends/test_multibackend.py @@ -138,9 +138,8 @@ class DummyCMACBackend(object): @utils.register_interface(EllipticCurveBackend) class DummyEllipticCurveBackend(object): - def __init__(self, supported_curves, exchange_supported): + def __init__(self, supported_curves): self._curves = supported_curves - self.exchange_supported = exchange_supported def elliptic_curve_supported(self, curve): return any( @@ -153,10 +152,7 @@ class DummyEllipticCurveBackend(object): ): return ( isinstance(signature_algorithm, ec.ECDSA) and - any( - isinstance(curve, curve_type) - for curve_type in self._curves - ) + self.elliptic_curve_supported(curve) ) def generate_elliptic_curve_private_key(self, curve): @@ -171,8 +167,11 @@ class DummyEllipticCurveBackend(object): if not self.elliptic_curve_supported(numbers.curve): raise UnsupportedAlgorithm(_Reasons.UNSUPPORTED_ELLIPTIC_CURVE) - def elliptic_curve_exchange_algorithm_supported(self): - return self.exchange_supported + def elliptic_curve_exchange_algorithm_supported(self, algorithm, curve): + return ( + isinstance(algorithm, ec.ECDH) and + self.elliptic_curve_supported(curve) + ) @utils.register_interface(PEMSerializationBackend) @@ -404,7 +403,7 @@ class TestMultiBackend(object): backend = MultiBackend([ DummyEllipticCurveBackend([ ec.SECT283K1 - ], True) + ]) ]) assert backend.elliptic_curve_supported(ec.SECT283K1()) is True @@ -466,9 +465,13 @@ class TestMultiBackend(object): ) ) - assert backend.elliptic_curve_exchange_algorithm_supported() is True - backend2 = MultiBackend([DummyEllipticCurveBackend([], False)]) - assert backend2.elliptic_curve_exchange_algorithm_supported() is False + assert backend.elliptic_curve_exchange_algorithm_supported( + ec.ECDH(), ec.SECT283K1() + ) + backend2 = MultiBackend([DummyEllipticCurveBackend([])]) + assert not backend2.elliptic_curve_exchange_algorithm_supported( + ec.ECDH(), ec.SECT163K1() + ) def test_pem_serialization_backend(self): backend = MultiBackend([DummyPEMSerializationBackend()]) diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 13162046..85331595 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -534,11 +534,6 @@ class DummyLibrary(object): Cryptography_HAS_EC = 0 -class DummyLibraryECDH(object): - Cryptography_HAS_EC = 1 - Cryptography_HAS_ECDH = 0 - - class TestOpenSSLEllipticCurve(object): def test_elliptic_curve_supported(self, monkeypatch): monkeypatch.setattr(backend, "_lib", DummyLibrary()) @@ -558,12 +553,9 @@ class TestOpenSSLEllipticCurve(object): def test_elliptic_curve_exchange_algorithm_supported(self, monkeypatch): monkeypatch.setattr(backend, "_lib", DummyLibrary()) - - assert backend.elliptic_curve_exchange_algorithm_supported() is False - - monkeypatch.setattr(backend, "_lib", DummyLibraryECDH()) - - assert backend.elliptic_curve_exchange_algorithm_supported() is False + assert not backend.elliptic_curve_exchange_algorithm_supported( + ec.ECDH(), ec.SECP256R1() + ) @pytest.mark.requires_backend_interface(interface=RSABackend) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index c3a99e5d..2594d5db 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -57,8 +57,10 @@ def _skip_curve_unsupported(backend, curve): ) -def _skip_exchange_algorithm_unsupported(backend): - if not backend.elliptic_curve_exchange_algorithm_supported(): +def _skip_exchange_algorithm_unsupported(backend, algorithm, curve): + if not backend.elliptic_curve_exchange_algorithm_supported( + algorithm, curve + ): pytest.skip( "Exchange algorithm is not supported by this backend {0}".format( backend @@ -771,50 +773,6 @@ class DummyECDHBackend(object): @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) class TestECDHVectors(object): - - def test_unsupported_ecdh_arguments(self, backend): - with pytest.raises(TypeError): - ec.ECDH(None) - curve = ec.SECP521R1 - _skip_curve_unsupported(backend, curve) - prikey = ec.generate_private_key(curve, backend) - ecdh = ec.ECDH(prikey) - ecdh.compute_key(ecdh.public_key()) - with pytest.raises(TypeError): - ecdh.compute_key(None) - with pytest.raises(exceptions.UnsupportedAlgorithm): - prikey._backend = DummyECDHBackend() - ecdh = ec.ECDH(prikey) - _skip_exchange_algorithm_unsupported(DummyECDHBackend()) - - def key_exchange(self, backend, vector): - key_numbers = vector['IUT'] - peer_numbers = vector['CAVS'] - - prikey = ec.EllipticCurvePrivateNumbers( - key_numbers['d'], - ec.EllipticCurvePublicNumbers( - key_numbers['x'], - key_numbers['y'], - ec._CURVE_TYPES[vector['curve']]() - ) - ).private_key(backend) - - peerkey = ec.EllipticCurvePrivateNumbers( - peer_numbers['d'], - ec.EllipticCurvePublicNumbers( - peer_numbers['x'], - peer_numbers['y'], - ec._CURVE_TYPES[vector['curve']]() - ) - ).private_key(backend) - peerpubkey = peerkey.public_key() - - ecdh = ec.ECDH(prikey) - z = ecdh.compute_key(peerpubkey) - - return int(hexlify(z).decode('ascii'), 16) - @pytest.mark.parametrize( "vector", load_vectors_from_file( @@ -825,19 +783,49 @@ class TestECDHVectors(object): ) ) def test_key_exchange_with_vectors(self, backend, vector): - _skip_curve_unsupported(backend, ec._CURVE_TYPES[vector['curve']]) - _skip_exchange_algorithm_unsupported(backend) + _skip_exchange_algorithm_unsupported( + backend, ec.ECDH(), ec._CURVE_TYPES[vector['curve']] + ) + key_numbers = vector['IUT'] try: - z = self.key_exchange(backend, vector) + private_key = ec.EllipticCurvePrivateNumbers( + key_numbers['d'], + ec.EllipticCurvePublicNumbers( + key_numbers['x'], + key_numbers['y'], + ec._CURVE_TYPES[vector['curve']]() + ) + ).private_key(backend) except ValueError: - assert vector['fail'] is True + # Errno 5 and 6 indicates a bad public key, this doesn't test the + # ECDH code at all + assert vector['fail'] and vector['errno'] in [5, 6] + return - if vector['fail']: + peer_numbers = vector['CAVS'] + try: + peer_pubkey = ec.EllipticCurvePublicNumbers( + peer_numbers['x'], + peer_numbers['y'], + ec._CURVE_TYPES[vector['curve']]() + ).public_key(backend) + except ValueError: + # Errno 1 and 2 indicates a bad public key, this doesn't test the + # ECDH code at all + assert vector['fail'] and vector['errno'] in [1, 2] + return + + if vector['fail'] and vector['errno'] not in [7, 8]: + with pytest.raises(ValueError): + private_key.exchange(ec.ECDH(), peer_pubkey) + else: + z = private_key.exchange(ec.ECDH(), peer_pubkey) + z = int(hexlify(z).decode('ascii'), 16) # Errno 7 denotes a changed private key. Errno 8 denotes a changed # shared key. Both these errors will not cause a failure in the # exchange but should lead to a non-matching derived shared key. if vector['errno'] in [7, 8]: assert z != vector['Z'] - else: - assert z == vector['Z'] + else: + assert z == vector['Z'] -- cgit v1.2.3 From 4c081ad1fb54dae846a1ade2b15fe15e9ff31b0d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 17 Oct 2015 16:34:33 -0400 Subject: unused --- tests/hazmat/primitives/test_ec.py | 6 ------ 1 file changed, 6 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 2594d5db..13bc11c9 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -765,12 +765,6 @@ class TestECDSAVerification(object): public_key.verifier(1234, ec.ECDSA(hashes.SHA256())) -class DummyECDHBackend(object): - @classmethod - def elliptic_curve_exchange_algorithm_supported(cls): - return False - - @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) class TestECDHVectors(object): @pytest.mark.parametrize( -- cgit v1.2.3 From 799b33f69a8bfd1aaf7f90a81b6ee3fdebc777a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 18 Oct 2015 16:59:08 -0400 Subject: be more pro-active in handling invalid keys --- tests/hazmat/primitives/test_ec.py | 50 ++++++++++++++++++++------------------ 1 file changed, 27 insertions(+), 23 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 13bc11c9..a634afe8 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -782,33 +782,37 @@ class TestECDHVectors(object): ) key_numbers = vector['IUT'] - try: - private_key = ec.EllipticCurvePrivateNumbers( - key_numbers['d'], - ec.EllipticCurvePublicNumbers( - key_numbers['x'], - key_numbers['y'], - ec._CURVE_TYPES[vector['curve']]() - ) - ).private_key(backend) - except ValueError: - # Errno 5 and 6 indicates a bad public key, this doesn't test the - # ECDH code at all - assert vector['fail'] and vector['errno'] in [5, 6] + private_numbers = ec.EllipticCurvePrivateNumbers( + key_numbers['d'], + ec.EllipticCurvePublicNumbers( + key_numbers['x'], + key_numbers['y'], + ec._CURVE_TYPES[vector['curve']]() + ) + ) + # Errno 5 and 6 indicates a bad public key, this doesn't test the ECDH + # code at all + if vector['fail'] and vector['errno'] in [5, 6]: + with pytest.raises(ValueError): + private_numbers.private_key(backend) return + else: + private_key = private_numbers.private_key(backend) peer_numbers = vector['CAVS'] - try: - peer_pubkey = ec.EllipticCurvePublicNumbers( - peer_numbers['x'], - peer_numbers['y'], - ec._CURVE_TYPES[vector['curve']]() - ).public_key(backend) - except ValueError: - # Errno 1 and 2 indicates a bad public key, this doesn't test the - # ECDH code at all - assert vector['fail'] and vector['errno'] in [1, 2] + public_numbers = ec.EllipticCurvePublicNumbers( + peer_numbers['x'], + peer_numbers['y'], + ec._CURVE_TYPES[vector['curve']]() + ) + # Errno 1 and 2 indicates a bad public key, this doesn't test the ECDH + # code at all + if vector['fail'] and vector['errno'] in [1, 2]: + with pytest.raises(ValueError): + public_numbers.public_key(backend) return + else: + peer_pubkey = public_numbers.public_key(backend) if vector['fail'] and vector['errno'] not in [7, 8]: with pytest.raises(ValueError): -- cgit v1.2.3 From 7c60ffc621320349f88cf36b12cd087d8bd9b6a3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Oct 2015 08:04:17 -0400 Subject: removed unused code, and added a test --- tests/hazmat/primitives/test_ec.py | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index a634afe8..6c184522 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -90,6 +90,12 @@ def test_skip_curve_unsupported(backend): _skip_curve_unsupported(backend, DummyCurve()) +@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) +def test_skip_exchange_algorithm_unsupported(backend): + with pytest.raises(pytest.skip.Exception): + _skip_exchange_algorithm_unsupported(backend, ec.ECDH(), DummyCurve()) + + def test_ec_numbers(): numbers = ec.EllipticCurvePrivateNumbers( 1, @@ -814,16 +820,11 @@ class TestECDHVectors(object): else: peer_pubkey = public_numbers.public_key(backend) - if vector['fail'] and vector['errno'] not in [7, 8]: - with pytest.raises(ValueError): - private_key.exchange(ec.ECDH(), peer_pubkey) + z = private_key.exchange(ec.ECDH(), peer_pubkey) + z = int(hexlify(z).decode('ascii'), 16) + # At this point fail indicates that one of the underlying keys was + # changed. This results in a non-matching derived key. + if vector['fail']: + assert z != vector['Z'] else: - z = private_key.exchange(ec.ECDH(), peer_pubkey) - z = int(hexlify(z).decode('ascii'), 16) - # Errno 7 denotes a changed private key. Errno 8 denotes a changed - # shared key. Both these errors will not cause a failure in the - # exchange but should lead to a non-matching derived shared key. - if vector['errno'] in [7, 8]: - assert z != vector['Z'] - else: - assert z == vector['Z'] + assert z == vector['Z'] -- cgit v1.2.3 From aaf4e8bccd9cac827b5f740371feaa7faeebcb93 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Oct 2015 08:07:43 -0400 Subject: another test --- tests/hazmat/backends/test_openssl.py | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'tests') diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 85331595..3ccc54c8 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -557,6 +557,13 @@ class TestOpenSSLEllipticCurve(object): ec.ECDH(), ec.SECP256R1() ) + def test_elliptic_curve_exchange_unsupported_algorithm(self): + key = ec.generate_private_key(ec.SECP256R1(), backend=backend) + with raises_unsupported_algorithm( + _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM + ): + key.exchange(None, key.public_key()) + @pytest.mark.requires_backend_interface(interface=RSABackend) class TestRSAPEMSerialization(object): -- cgit v1.2.3 From 7a40209a64c800be1b964a0eded2ab1f40accf50 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 19 Oct 2015 08:26:27 -0400 Subject: better place for this test --- tests/hazmat/backends/test_openssl.py | 7 ------- tests/hazmat/primitives/test_ec.py | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 7 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 3ccc54c8..85331595 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -557,13 +557,6 @@ class TestOpenSSLEllipticCurve(object): ec.ECDH(), ec.SECP256R1() ) - def test_elliptic_curve_exchange_unsupported_algorithm(self): - key = ec.generate_private_key(ec.SECP256R1(), backend=backend) - with raises_unsupported_algorithm( - _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM - ): - key.exchange(None, key.public_key()) - @pytest.mark.requires_backend_interface(interface=RSABackend) class TestRSAPEMSerialization(object): diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 6c184522..4c4d5b90 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -828,3 +828,19 @@ class TestECDHVectors(object): assert z != vector['Z'] else: assert z == vector['Z'] + + def test_exchange_unsupported_algorithm(self, backend): + _skip_curve_unsupported(backend, ec.SECP256R1()) + + key = load_vectors_from_file( + os.path.join( + "asymmetric", "PKCS8", "ec_private_key.pem"), + lambda pemfile: serialization.load_pem_private_key( + pemfile.read().encode(), None, backend + ) + ) + + with raises_unsupported_algorithm( + exceptions._Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM + ): + key.exchange(None, key.public_key()) -- cgit v1.2.3 From afbe75bf4fb6c288a7e25b2c58a72ec7049f3f64 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 20 Oct 2015 08:08:43 -0500 Subject: add __repr__ to x509.Extensions fix #2434 --- tests/test_x509_ext.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'tests') diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py index 1bc14620..8f469366 100644 --- a/tests/test_x509_ext.py +++ b/tests/test_x509_ext.py @@ -857,6 +857,20 @@ class TestExtensions(object): assert ext is not None assert isinstance(ext.value, x509.BasicConstraints) + def test_repr(self, backend): + cert = _load_cert( + os.path.join( + "x509", "custom", "basic_constraints_not_critical.pem" + ), + x509.load_pem_x509_certificate, + backend + ) + assert repr(cert.extensions) == ( + ", critical=False, value=)>])>" + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) -- cgit v1.2.3