# Copyright (c) 2016 The Johns Hopkins University/Applied Physics Laboratory # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. import mock import pytest import testtools from cryptography.hazmat import backends from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.asymmetric import padding from cryptography.hazmat.primitives.ciphers import algorithms from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives import serialization from kmip.core import enums from kmip.core import exceptions from kmip.services.server import crypto class TestCryptographyEngine(testtools.TestCase): """ Test suite for the CryptographyEngine. """ def setUp(self): super(TestCryptographyEngine, self).setUp() def tearDown(self): super(TestCryptographyEngine, self).tearDown() def test_init(self): """ Test that a CryptographyEngine can be constructed. """ crypto.CryptographyEngine() def test_create_symmetric_key(self): """ Test that a symmetric key can be created with valid arguments. """ engine = crypto.CryptographyEngine() key = engine.create_symmetric_key( enums.CryptographicAlgorithm.AES, 256 ) self.assertIn('value', key) self.assertIn('format', key) self.assertEqual(enums.KeyFormatType.RAW, key.get('format')) def test_create_symmetric_key_with_invalid_algorithm(self): """ Test that an InvalidField error is raised when creating a symmetric key with an invalid algorithm. """ engine = crypto.CryptographyEngine() args = ['invalid', 256] self.assertRaises( exceptions.InvalidField, engine.create_symmetric_key, *args ) def test_create_symmetric_key_with_invalid_length(self): """ Test that an InvalidField error is raised when creating a symmetric key with an invalid length. """ engine = crypto.CryptographyEngine() args = [enums.CryptographicAlgorithm.AES, 'invalid'] self.assertRaises( exceptions.InvalidField, engine.create_symmetric_key, *args ) def test_create_symmetric_key_with_cryptographic_failure(self): """ Test that a CryptographicFailure error is raised when the symmetric key generation process fails. """ # Create a dummy algorithm that always fails on instantiation. class DummyAlgorithm(object): key_sizes = [0] def __init__(self, key_bytes): raise Exception() engine = crypto.CryptographyEngine() engine._symmetric_key_algorithms.update([( enums.CryptographicAlgorithm.AES, DummyAlgorithm )]) args = [enums.CryptographicAlgorithm.AES, 0] self.assertRaises( exceptions.CryptographicFailure, engine.create_symmetric_key, *args ) def test_create_asymmetric_key(self): """ Test that an asymmetric key pair can be created with valid arguments. """ engine = crypto.CryptographyEngine() public_key, private_key = engine.create_asymmetric_key_pair( enums.CryptographicAlgorithm.RSA, 2048 ) self.assertIn('value', public_key) self.assertIn('format', public_key) self.assertIn('value', private_key) self.assertIn('format', private_key) def test_create_asymmetric_key_with_invalid_algorithm(self): """ Test that an InvalidField error is raised when creating an asymmetric key pair with an invalid algorithm. """ engine = crypto.CryptographyEngine() args = ['invalid', 2048] self.assertRaises( exceptions.InvalidField, engine.create_asymmetric_key_pair, *args ) def test_create_asymmetric_key_with_invalid_length(self): """ Test that an CryptographicFailure error is raised when creating an asymmetric key pair with an invalid length. """ engine = crypto.CryptographyEngine() args = [enums.CryptographicAlgorithm.RSA, 0] self.assertRaises( exceptions.CryptographicFailure, engine.create_asymmetric_key_pair, *args ) def test_mac(self): """ Test that MAC operation can be done with valid arguments. """ key1 = (b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00') key2 = (b'\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00') key3 = (b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00') data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B' b'\x0C\x0D\x0E\x0F') engine = crypto.CryptographyEngine() # test cmac mac_data1 = engine.mac( enums.CryptographicAlgorithm.AES, key1, data ) mac_data2 = engine.mac( enums.CryptographicAlgorithm.AES, key2, data ) mac_data3 = engine.mac( enums.CryptographicAlgorithm.AES, key3, data ) self.assertNotEqual(mac_data1, mac_data2) self.assertEqual(mac_data1, mac_data3) # test hmac mac_data1 = engine.mac( enums.CryptographicAlgorithm.HMAC_SHA256, key1, data ) mac_data2 = engine.mac( enums.CryptographicAlgorithm.HMAC_SHA256, key2, data ) mac_data3 = engine.mac( enums.CryptographicAlgorithm.HMAC_SHA256, key3, data ) self.assertNotEqual(mac_data1, mac_data2) self.assertEqual(mac_data1, mac_data3) def test_mac_with_invalid_algorithm(self): """ Test that an InvalidField error is raised when doing the MAC with an invalid algorithm. """ engine = crypto.CryptographyEngine() key = (b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00') data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B' b'\x0C\x0D\x0E\x0F') args = ['invalid', key, data] self.assertRaises( exceptions.InvalidField, engine.mac, *args ) def test_mac_with_cryptographic_failure(self): """ Test that an CryptographicFailure error is raised when the MAC process fails. """ # Create dummy hash algorithm that always fails on instantiation. class DummyHashAlgorithm(object): def __init__(self): raise Exception() key = (b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00') data = (b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B' b'\x0C\x0D\x0E\x0F') engine = crypto.CryptographyEngine() # IDEA is not block cipher so cmac should raise exception args = [enums.CryptographicAlgorithm.IDEA, key, data] self.assertRaises( exceptions.CryptographicFailure, engine.mac, *args ) engine._hash_algorithms.update([( enums.CryptographicAlgorithm.HMAC_SHA256, DummyHashAlgorithm )]) args = [enums.CryptographicAlgorithm.HMAC_SHA256, key, data] self.assertRaises( exceptions.CryptographicFailure, engine.mac, *args ) def test_encrypt_symmetric_invalid_algorithm(self): """ Test that the right errors are raised when invalid symmetric encryption algorithms are used. """ engine = crypto.CryptographyEngine() args = (None, b'', b'') self.assertRaisesRegexp( exceptions.InvalidField, "Encryption algorithm is required.", engine.encrypt, *args ) args = ('invalid', b'', b'') self.assertRaisesRegexp( exceptions.InvalidField, "Encryption algorithm 'invalid' is not a supported symmetric " "encryption algorithm.", engine.encrypt, *args ) def test_encrypt_symmetric_invalid_algorithm_key(self): """ Test that the right error is raised when an invalid key is used with a symmetric encryption algorithm. """ engine = crypto.CryptographyEngine() args = (enums.CryptographicAlgorithm.AES, b'', b'') self.assertRaisesRegexp( exceptions.CryptographicFailure, "Invalid key bytes for the specified encryption algorithm.", engine.encrypt, *args ) def test_encrypt_symmetric_no_mode_needed(self): """ Test that data can be symmetrically encrypted for certain inputs without a cipher mode. """ engine = crypto.CryptographyEngine() engine.encrypt( enums.CryptographicAlgorithm.RC4, b'\x00\x01\x02\x03\x04\x05\x06\x07', b'\x0F\x0E\x0D\x0C\x0B\x0A\x09\x08' ) def test_encrypt_symmetric_invalid_cipher_mode(self): """ Test that the right errors are raised when invalid cipher modes are used with symmetric encryption. """ engine = crypto.CryptographyEngine() args = ( enums.CryptographicAlgorithm.AES, b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F', b'\x0F\x0E\x0D\x0C\x0B\x0A\x09\x08' b'\x07\x06\x05\x04\x03\x02\x01\x00' ) self.assertRaisesRegexp( exceptions.InvalidField, "Cipher mode is required.", engine.encrypt, *args ) kwargs = {'cipher_mode': 'invalid'} self.assertRaisesRegexp( exceptions.InvalidField, "Cipher mode 'invalid' is not a supported mode.", engine.encrypt, *args, **kwargs ) def test_encrypt_symmetric_generate_iv(self): """ Test that the initialization vector is correctly generated and returned for an appropriate set of symmetric encryption inputs. """ engine = crypto.CryptographyEngine() result = engine.encrypt( enums.CryptographicAlgorithm.AES, b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F', b'\x0F\x0E\x0D\x0C\x0B\x0A\x09\x08' b'\x07\x06\x05\x04\x03\x02\x01\x00', cipher_mode=enums.BlockCipherMode.CBC, padding_method=enums.PaddingMethod.PKCS5 ) self.assertIn('iv_nonce', result.keys()) self.assertIsNotNone(result.get('iv_nonce')) result = engine.encrypt( enums.CryptographicAlgorithm.AES, b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F', b'\x0F\x0E\x0D\x0C\x0B\x0A\x09\x08' b'\x07\x06\x05\x04\x03\x02\x01\x00', cipher_mode=enums.BlockCipherMode.CBC, padding_method=enums.PaddingMethod.PKCS5, iv_nonce=( b'\x00\x10\x20\x30\x40\x50\x60\x70' b'\x80\x90\xA0\xB0\xC0\xD0\xE0\xF0' ) ) self.assertNotIn('iv_nonce', result.keys()) def test_encrypt_asymmetric_invalid_encryption_algorithm(self): """ Test that the right error is raised when an invalid asymmetric encryption algorithm is specified. """ engine = crypto.CryptographyEngine() args = ('invalid', b'', b'', None, None) self.assertRaisesRegexp( exceptions.InvalidField, "The cryptographic algorithm 'invalid' is not supported for " "asymmetric encryption.", engine._encrypt_asymmetric, *args ) def test_encrypt_asymmetric_invalid_hashing_algorithm(self): """ Test that the right error is raised when an invalid hashing algorithm is specified. """ engine = crypto.CryptographyEngine() args = ( enums.CryptographicAlgorithm.RSA, b'', b'' ) kwargs = { 'padding_method': enums.PaddingMethod.OAEP, 'hashing_algorithm': 'invalid' } self.assertRaisesRegexp( exceptions.InvalidField, "The hashing algorithm 'invalid' is not supported for asymmetric " "encryption.", engine.encrypt, *args, **kwargs ) def test_encrypt_asymmetric_invalid_padding_method(self): """ Test that the right error is raised when an invalid padding method is specified. """ engine = crypto.CryptographyEngine() args = ( enums.CryptographicAlgorithm.RSA, b'', b'' ) kwargs = { 'padding_method': 'invalid', 'hashing_algorithm': enums.HashingAlgorithm.SHA_1 } self.assertRaisesRegexp( exceptions.InvalidField, "The padding method 'invalid' is not supported for asymmetric " "encryption.", engine.encrypt, *args, **kwargs ) def test_encrypt_asymmetric_invalid_public_key(self): """ Test that the right error is raised when an invalid public key is specified. """ engine = crypto.CryptographyEngine() args = ( enums.CryptographicAlgorithm.RSA, 'invalid', b'' ) kwargs = { 'padding_method': enums.PaddingMethod.OAEP, 'hashing_algorithm': enums.HashingAlgorithm.SHA_1 } self.assertRaisesRegexp( exceptions.CryptographicFailure, "The public key bytes could not be loaded.", engine.encrypt, *args, **kwargs ) def test_decrypt_asymmetric_invalid_encryption_algorithm(self): """ Test that the right error is raised when an invalid asymmetric decryption algorithm is specified. """ engine = crypto.CryptographyEngine() args = ('invalid', b'', b'', None, None) self.assertRaisesRegexp( exceptions.InvalidField, "The cryptographic algorithm 'invalid' is not supported for " "asymmetric decryption.", engine._decrypt_asymmetric, *args ) def test_decrypt_asymmetric_invalid_hashing_algorithm(self): """ Test that the right error is raised when an invalid hashing algorithm is specified. """ engine = crypto.CryptographyEngine() args = ( enums.CryptographicAlgorithm.RSA, b'', b'' ) kwargs = { 'padding_method': enums.PaddingMethod.OAEP, 'hashing_algorithm': 'invalid' } self.assertRaisesRegexp( exceptions.InvalidField, "The hashing algorithm 'invalid' is not supported for asymmetric " "decryption.", engine.decrypt, *args, **kwargs ) def test_decrypt_asymmetric_invalid_padding_method(self): """ Test that the right error is raised when an invalid padding method is specified. """ engine = crypto.CryptographyEngine() args = ( enums.CryptographicAlgorithm.RSA, b'', b'' ) kwargs = { 'padding_method': 'invalid', 'hashing_algorithm': enums.HashingAlgorithm.SHA_1 } self.assertRaisesRegexp( exceptions.InvalidField, "The padding method 'invalid' is not supported for asymmetric " "decryption.", engine.decrypt, *args, **kwargs ) def test_decrypt_asymmetric_invalid_private_key(self): """ Test that the right error is raised when an invalid private key is specified. """ engine = crypto.CryptographyEngine() args = ( enums.CryptographicAlgorithm.RSA, 'invalid', b'' ) kwargs = { 'padding_method': enums.PaddingMethod.OAEP, 'hashing_algorithm': enums.HashingAlgorithm.SHA_1 } self.assertRaisesRegexp( exceptions.CryptographicFailure, "The private key bytes could not be loaded.", engine.decrypt, *args, **kwargs ) def test_decrypt_symmetric_invalid_algorithm(self): """ Test that the right errors are raised when invalid symmetric decryption algorithms are used. """ engine = crypto.CryptographyEngine() args = (None, b'', b'') self.assertRaisesRegexp( exceptions.InvalidField, "Decryption algorithm is required.", engine.decrypt, *args ) args = ('invalid', b'', b'') self.assertRaisesRegexp( exceptions.InvalidField, "Decryption algorithm 'invalid' is not a supported symmetric " "decryption algorithm.", engine.decrypt, *args ) def test_decrypt_symmetric_invalid_algorithm_key(self): """ Test that the right error is raised when an invalid key is used with a symmetric decryption algorithm. """ engine = crypto.CryptographyEngine() args = (enums.CryptographicAlgorithm.AES, b'', b'') self.assertRaisesRegexp( exceptions.CryptographicFailure, "Invalid key bytes for the specified decryption algorithm.", engine.decrypt, *args ) def test_decrypt_symmetric_invalid_cipher_mode(self): """ Test that the right errors are raised when invalid cipher modes are used with symmetric decryption. """ engine = crypto.CryptographyEngine() args = ( enums.CryptographicAlgorithm.AES, b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F', b'\x0F\x0E\x0D\x0C\x0B\x0A\x09\x08' b'\x07\x06\x05\x04\x03\x02\x01\x00' ) self.assertRaisesRegexp( exceptions.InvalidField, "Cipher mode is required.", engine.decrypt, *args ) kwargs = {'cipher_mode': 'invalid'} self.assertRaisesRegexp( exceptions.InvalidField, "Cipher mode 'invalid' is not a supported mode.", engine.decrypt, *args, **kwargs ) def test_decrypt_symmetric_missing_iv_nonce(self): """ Test that the right error is raised when an IV/nonce is not provided for the symmetric decryption algorithm. """ engine = crypto.CryptographyEngine() args = ( enums.CryptographicAlgorithm.AES, b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F', b'\x0F\x0E\x0D\x0C\x0B\x0A\x09\x08' b'\x07\x06\x05\x04\x03\x02\x01\x00' ) kwargs = { 'cipher_mode': enums.BlockCipherMode.CBC, 'padding_method': enums.PaddingMethod.PKCS5 } self.assertRaisesRegexp( exceptions.InvalidField, "IV/nonce is required.", engine.decrypt, *args, **kwargs ) def test_handle_symmetric_padding_invalid(self): """ Test that the right errors are raised when invalid padding methods are used. """ engine = crypto.CryptographyEngine() args = ( algorithms.AES, b'\x01\x02\x03\x04', None ) self.assertRaisesRegexp( exceptions.InvalidField, "Padding method is required.", engine._handle_symmetric_padding, *args ) args = ( algorithms.AES, b'\x01\x02\x03\x04', 'invalid' ) self.assertRaisesRegexp( exceptions.InvalidField, "Padding method 'invalid' is not supported.", engine._handle_symmetric_padding, *args ) def test_derive_key_missing_hash_algorithm(self): """ Test that the right error is raised when the hash algorithm is not provided for key derivation. """ engine = crypto.CryptographyEngine() args = ( enums.DerivationMethod.HASH, 16 ) self.assertRaisesRegexp( exceptions.InvalidField, "Hash algorithm is required.", engine.derive_key, *args ) def test_derive_key_invalid_hash_algorithm(self): """ Test that the right error is raised when an invalid hash algorithm is provided for key derivation. """ engine = crypto.CryptographyEngine() args = ( enums.DerivationMethod.HASH, 16 ) kwargs = { 'hash_algorithm': 'invalid' } self.assertRaisesRegexp( exceptions.InvalidField, "Hash algorithm 'invalid' is not a supported hashing algorithm.", engine.derive_key, *args, **kwargs ) def test_derive_key_both_derivation_data_and_key_material(self): """ Test that the right error is raised when both derivation data and key material are provided for hash-based key derivation. """ engine = crypto.CryptographyEngine() args = ( enums.DerivationMethod.HASH, 16 ) kwargs = { 'hash_algorithm': enums.HashingAlgorithm.SHA_256, 'derivation_data': b'\x01\x02\x03\x04', 'key_material': b'\x0A\x0B\x0C\x0D' } self.assertRaisesRegexp( exceptions.InvalidField, "For hash-based key derivation, specify only derivation data or " "key material, not both.", engine.derive_key, *args, **kwargs ) def test_derive_key_missing_derivation_data_and_key_material(self): """ Test that the right error is raised when neither derivation data nor key material are provided for hash-based key derivation. """ engine = crypto.CryptographyEngine() args = ( enums.DerivationMethod.HASH, 16 ) kwargs = { 'hash_algorithm': enums.HashingAlgorithm.SHA_256 } self.assertRaisesRegexp( exceptions.InvalidField, "For hash-based key derivation, derivation data or key material " "must be specified.", engine.derive_key, *args, **kwargs ) def test_derive_key_missing_salt(self): """ Test that the right error is raised when the salt is not provided for PBKDF2-based key derivation. """ engine = crypto.CryptographyEngine() args = ( enums.DerivationMethod.PBKDF2, 16 ) kwargs = { 'hash_algorithm': enums.HashingAlgorithm.SHA_256 } self.assertRaisesRegexp( exceptions.InvalidField, "For PBKDF2 key derivation, salt must be specified.", engine.derive_key, *args, **kwargs ) def test_derive_key_missing_iteration_count(self): """ Test that the right error is raised when the iteration count is not provided for PBKDF2-based key derivation. """ engine = crypto.CryptographyEngine() args = ( enums.DerivationMethod.PBKDF2, 16 ) kwargs = { 'hash_algorithm': enums.HashingAlgorithm.SHA_256, 'salt': b'\x11\x22\x33\x44' } self.assertRaisesRegexp( exceptions.InvalidField, "For PBKDF2 key derivation, iteration count must be specified.", engine.derive_key, *args, **kwargs ) def test_derive_key_invalid_derivation_method(self): """ Test that the right error is raised when an invalid derivation method is specified for key derivation. """ engine = crypto.CryptographyEngine() args = ( 'invalid', 16 ) kwargs = { 'hash_algorithm': enums.HashingAlgorithm.SHA_256 } self.assertRaisesRegexp( exceptions.InvalidField, "Derivation method 'invalid' is not a supported key derivation " "method.", engine.derive_key, *args, **kwargs ) def test_wrap_key_invalid_wrapping_method(self): """ Test that the right error is raised when an invalid wrapping method is specified for key wrapping. """ engine = crypto.CryptographyEngine() args = (b'', 'invalid', enums.BlockCipherMode.NIST_KEY_WRAP, b'') self.assertRaisesRegexp( exceptions.InvalidField, "Wrapping method 'invalid' is not a supported key wrapping " "method.", engine.wrap_key, *args ) def test_wrap_key_invalid_encryption_algorithm(self): """ Test that the right error is raised when an invalid encryption algorithm is specified for encryption-based key wrapping. """ engine = crypto.CryptographyEngine() args = (b'', enums.WrappingMethod.ENCRYPT, 'invalid', b'') self.assertRaisesRegexp( exceptions.InvalidField, "Encryption algorithm 'invalid' is not a supported key wrapping " "algorithm.", engine.wrap_key, *args ) def test_wrap_key_cryptographic_error(self): """ Test that the right error is raised when an error occurs during the key wrapping process. """ engine = crypto.CryptographyEngine() args = ( b'', enums.WrappingMethod.ENCRYPT, enums.BlockCipherMode.NIST_KEY_WRAP, b'' ) self.assertRaises( exceptions.CryptographicFailure, engine.wrap_key, *args ) def test_sign_no_alg(self): """ Test that an InvalidField exception is raised when sign is called without sufficient crypto parameters. """ engine = crypto.CryptographyEngine() args = (None, None, None, None, None, None) self.assertRaisesRegexp( exceptions.InvalidField, 'For signing, either a digital signature algorithm or a hash' ' algorithm and a cryptographic algorithm must be specified.', engine.sign, *args ) def test_sign_non_RSA(self): """ Test that an InvalidField exception is raised when sign is called with a crypto algorithm other than RSA. """ engine = crypto.CryptographyEngine() args = ( None, enums.CryptographicAlgorithm.TRIPLE_DES, enums.HashingAlgorithm.MD5, None, None, None ) self.assertRaisesRegexp( exceptions.InvalidField, 'For signing, an RSA key must be used.', engine.sign, *args ) def test_sign_invalid_padding(self): """ Test that an InvalidField exception is raised when sign is called with an unsupported padding algorithm. """ engine = crypto.CryptographyEngine() args = ( None, enums.CryptographicAlgorithm.RSA, enums.HashingAlgorithm.MD5, enums.PaddingMethod.OAEP, DER_RSA_KEY, None ) self.assertRaisesRegexp( exceptions.InvalidField, "Padding method 'PaddingMethod.OAEP' is not a supported" " signature padding method.", engine.sign, *args ) def test_sign_no_padding(self): """ Test that an InvalidField exception is raised when sign is called without a padding algorithm. """ engine = crypto.CryptographyEngine() args = ( None, enums.CryptographicAlgorithm.RSA, enums.HashingAlgorithm.MD5, None, DER_RSA_KEY, None ) self.assertRaisesRegexp( exceptions.InvalidField, 'For signing, a padding method must be specified.', engine.sign, *args ) def test_sign_invalid_key_bytes(self): """ Test that an InvalidField exception is raised when sign is called with invalid key bytes. """ engine = crypto.CryptographyEngine() args = ( None, enums.CryptographicAlgorithm.RSA, enums.HashingAlgorithm.MD5, enums.PaddingMethod.PKCS1v15, 'thisisnotavalidkey', None ) self.assertRaisesRegexp( exceptions.InvalidField, 'Unable to deserialize key ' 'bytes, unknown format.', engine.sign, *args ) def test_verify_signature_mismatching_signing_algorithms(self): """ Test that the right error is raised when both the signing algorithm and the digital signature algorithm are provided and do not match. """ engine = crypto.CryptographyEngine() args = ( b'', b'', b'', enums.PaddingMethod.PSS ) kwargs = { 'signing_algorithm': enums.CryptographicAlgorithm.ECDSA, 'hashing_algorithm': enums.HashingAlgorithm.SHA_1, 'digital_signature_algorithm': enums.DigitalSignatureAlgorithm.SHA1_WITH_RSA_ENCRYPTION } self.assertRaisesRegexp( exceptions.InvalidField, "The signing algorithm does not match the digital signature " "algorithm.", engine.verify_signature, *args, **kwargs ) def test_verify_signature_mismatching_hashing_algorithms(self): """ Test that the right error is raised when both the hashing algorithm and the digital signature algorithm are provided and do not match. """ engine = crypto.CryptographyEngine() args = ( b'', b'', b'', enums.PaddingMethod.PSS ) kwargs = { 'signing_algorithm': enums.CryptographicAlgorithm.RSA, 'hashing_algorithm': enums.HashingAlgorithm.SHA_256, 'digital_signature_algorithm': enums.DigitalSignatureAlgorithm.SHA1_WITH_RSA_ENCRYPTION } self.assertRaisesRegexp( exceptions.InvalidField, "The hashing algorithm does not match the digital signature " "algorithm.", engine.verify_signature, *args, **kwargs ) def test_verify_signature_pss_missing_hashing_algorithm(self): """ Test that the right error is raised when PSS padding is used and no hashing algorithm is provided. """ engine = crypto.CryptographyEngine() args = ( b'', b'', b'', enums.PaddingMethod.PSS ) kwargs = { 'signing_algorithm': enums.CryptographicAlgorithm.RSA, 'hashing_algorithm': None, 'digital_signature_algorithm': None } self.assertRaisesRegexp( exceptions.InvalidField, "A hashing algorithm must be specified for PSS padding.", engine.verify_signature, *args, **kwargs ) def test_verify_signature_invalid_padding_method(self): """ Test that the right error is raised when an invalid padding method is used. """ engine = crypto.CryptographyEngine() args = ( b'', b'', b'', 'invalid' ) kwargs = { 'signing_algorithm': enums.CryptographicAlgorithm.RSA, 'hashing_algorithm': enums.HashingAlgorithm.SHA_1, 'digital_signature_algorithm': None } self.assertRaisesRegexp( exceptions.InvalidField, "The padding method 'invalid' is not supported for signature " "verification.", engine.verify_signature, *args, **kwargs ) def test_verify_signature_invalid_signing_key(self): """ Test that the right error is raised when an invalid signing key is used. """ engine = crypto.CryptographyEngine() args = ( 'invalid', b'', b'', enums.PaddingMethod.PSS ) kwargs = { 'signing_algorithm': enums.CryptographicAlgorithm.RSA, 'hashing_algorithm': enums.HashingAlgorithm.SHA_1, 'digital_signature_algorithm': None } self.assertRaisesRegexp( exceptions.CryptographicFailure, "The signing key bytes could not be loaded.", engine.verify_signature, *args, **kwargs ) def test_verify_signature_invalid_signature(self): """ Test that verifying an invalid signature returns the right value. """ engine = crypto.CryptographyEngine() backend = backends.default_backend() public_key_numbers = rsa.RSAPublicNumbers( int('010001', 16), int( 'ac13d9fdae7b7335b69cd98567e9647d99bf373a9e05ce3435d66465f328' 'b7f7334b792aee7efa044ebc4c7a30b21a5d7a89cdb3a30dfcd9fee9995e' '09415edc0bf9e5b4c3f74ff53fb4d29441bf1b7ed6cbdd4a47f9252269e1' '646f6c1aee0514e93f6cb9df71d06c060a2104b47b7260ac37c106861dc7' '8ca5a25faa9cb2e3', 16) ) public_key = public_key_numbers.public_key(backend) public_bytes = public_key.public_bytes( serialization.Encoding.PEM, serialization.PublicFormat.PKCS1 ) args = ( public_bytes, b'', b'', enums.PaddingMethod.PSS ) kwargs = { 'signing_algorithm': enums.CryptographicAlgorithm.RSA, 'hashing_algorithm': enums.HashingAlgorithm.SHA_1, 'digital_signature_algorithm': None } self.assertFalse( engine.verify_signature(*args, **kwargs) ) def test_verify_signature_unexpected_verification_error(self): """ Test that the right error is raised when an unexpected error occurs during signature verification. """ engine = crypto.CryptographyEngine() backend = backends.default_backend() public_key_numbers = rsa.RSAPublicNumbers( int('010001', 16), int( 'ac13d9fdae7b7335b69cd98567e9647d99bf373a9e05ce3435d66465f328' 'b7f7334b792aee7efa044ebc4c7a30b21a5d7a89cdb3a30dfcd9fee9995e' '09415edc0bf9e5b4c3f74ff53fb4d29441bf1b7ed6cbdd4a47f9252269e1' '646f6c1aee0514e93f6cb9df71d06c060a2104b47b7260ac37c106861dc7' '8ca5a25faa9cb2e3', 16) ) public_key = public_key_numbers.public_key(backend) public_bytes = public_key.public_bytes( serialization.Encoding.PEM, serialization.PublicFormat.PKCS1 ) args = ( public_bytes, b'', b'', enums.PaddingMethod.PKCS1v15 ) kwargs = { 'signing_algorithm': enums.CryptographicAlgorithm.RSA, 'hashing_algorithm': None, 'digital_signature_algorithm': None } self.assertRaisesRegexp( exceptions.CryptographicFailure, "The signature verification process failed.", engine.verify_signature, *args, **kwargs ) def test_verify_signature_invalid_signing_algorithm(self): """ Test that the right error is raised when an invalid signing algorithm is used. """ engine = crypto.CryptographyEngine() args = ( b'', b'', b'', enums.PaddingMethod.PSS ) kwargs = { 'signing_algorithm': 'invalid', 'hashing_algorithm': enums.HashingAlgorithm.SHA_1, 'digital_signature_algorithm': None } self.assertRaisesRegexp( exceptions.InvalidField, "The signing algorithm 'invalid' is not supported for signature " "verification.", engine.verify_signature, *args, **kwargs ) # TODO(peter-hamilton): Replace this with actual fixture files from NIST CAPV. # Most of these test vectors were obtained from the pyca/cryptography test # suite. @pytest.fixture( scope='function', params=[ {'algorithm': enums.CryptographicAlgorithm.TRIPLE_DES, 'cipher_mode': enums.BlockCipherMode.ECB, 'key': ( b'\x01\x01\x01\x01\x01\x01\x01\x01' b'\x01\x01\x01\x01\x01\x01\x01\x01' b'\x01\x01\x01\x01\x01\x01\x01\x01' ), 'plain_text': ( b'\x01\x02\x03\x04\x05\x06\x07\x08' ), 'cipher_text': ( b'\xCE\xAD\x37\x3D\xB8\x0E\xAB\xF8' ), 'iv_nonce': None}, {'algorithm': enums.CryptographicAlgorithm.AES, 'cipher_mode': enums.BlockCipherMode.ECB, 'key': ( b'\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00\x00\x00\x00' ), 'plain_text': ( b'\xf3\x44\x81\xec\x3c\xc6\x27\xba' b'\xcd\x5d\xc3\xfb\x08\xf2\x73\xe6' ), 'cipher_text': ( b'\x03\x36\x76\x3e\x96\x6d\x92\x59' b'\x5a\x56\x7c\xc9\xce\x53\x7f\x5e' ), 'iv_nonce': None}, {'algorithm': enums.CryptographicAlgorithm.AES, 'cipher_mode': enums.BlockCipherMode.CBC, 'key': ( b'\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00\x00\x00\x00' ), 'iv_nonce': ( b'\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00\x00\x00\x00' ), 'plain_text': ( b'\xf3\x44\x81\xec\x3c\xc6\x27\xba' b'\xcd\x5d\xc3\xfb\x08\xf2\x73\xe6' ), 'cipher_text': ( b'\x03\x36\x76\x3e\x96\x6d\x92\x59' b'\x5a\x56\x7c\xc9\xce\x53\x7f\x5e' )}, {'algorithm': enums.CryptographicAlgorithm.AES, 'cipher_mode': enums.BlockCipherMode.CBC, 'key': ( b'\x6e\xd7\x6d\x2d\x97\xc6\x9f\xd1' b'\x33\x95\x89\x52\x39\x31\xf2\xa6' b'\xcf\xf5\x54\xb1\x5f\x73\x8f\x21' b'\xec\x72\xdd\x97\xa7\x33\x09\x07' ), 'iv_nonce': ( b'\x85\x1e\x87\x64\x77\x6e\x67\x96' b'\xaa\xb7\x22\xdb\xb6\x44\xac\xe8' ), 'plain_text': ( b'\x62\x82\xb8\xc0\x5c\x5c\x15\x30' b'\xb9\x7d\x48\x16\xca\x43\x47\x62' ), 'cipher_text': ( b'\x6a\xcc\x04\x14\x2e\x10\x0a\x65' b'\xf5\x1b\x97\xad\xf5\x17\x2c\x41' )}, {'algorithm': enums.CryptographicAlgorithm.BLOWFISH, 'cipher_mode': enums.BlockCipherMode.OFB, 'key': ( b'\x01\x23\x45\x67\x89\xAB\xCD\xEF' b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87' ), 'iv_nonce': b'\xFE\xDC\xBA\x98\x76\x54\x32\x10', 'plain_text': ( b'\x37\x36\x35\x34\x33\x32\x31\x20' b'\x4E\x6F\x77\x20\x69\x73\x20\x74' b'\x68\x65\x20\x74\x69\x6D\x65\x20' b'\x66\x6F\x72\x20\x00' ), 'cipher_text': ( b'\xE7\x32\x14\xA2\x82\x21\x39\xCA' b'\x62\xB3\x43\xCC\x5B\x65\x58\x73' b'\x10\xDD\x90\x8D\x0C\x24\x1B\x22' b'\x63\xC2\xCF\x80\xDA' )}, {'algorithm': enums.CryptographicAlgorithm.CAST5, 'cipher_mode': enums.BlockCipherMode.CFB, 'key': ( b'\xb9\xba\x9f\xa3\x2c\xc4\x91\xd8' b'\xac\x2b\xeb\x5f\x99\x19\x3d\x57' ), 'iv_nonce': b'\x95\x51\x14\x52\xb7\x1e\x53\xe9', 'plain_text': ( b'\xb4\x03\x82\x70\x5a\xae\xea\x41' b'\x09\x7c\x30\x9d\xa6\xcd\x06\x01' b'\x0f\x15\xe0\x9c\x01\x30\xfa\x4b' b'\x3a\xf6\x9c\xc8\xda\x10\x9d\x1f' b'\x0f\x0a\x26\x61\xf1\xa8\xb8\x9b' b'\xab\x7e\x70\x09\xdc\xbb\x8a\x88' b'\x3d\x46\x25\x4a\x83\x0c\x45\xcd' b'\x87\x98\x1e\x0e\xa4\xe4\x90\xfa' ), 'cipher_text': ( b'\x67\x74\xad\xe6\x98\x43\x92\xea' b'\xf6\x70\xdc\x2f\x8c\x23\x97\xe8' b'\x7a\xf5\xc8\x50\x32\x53\x76\xd9' b'\x23\x0c\xf6\x22\xd7\xf0\xa0\xfd' b'\x0a\x4a\x0c\x68\x56\x5c\x9e\xfd' b'\xaf\x58\xc2\xae\xc1\x8e\x35\x2a' b'\x31\x5a\x0f\x9c\xa6\xbe\xeb\x8e' b'\x1b\xf4\xdf\xb6\x73\x76\x8f\x0e' )}, {'algorithm': enums.CryptographicAlgorithm.CAMELLIA, 'cipher_mode': enums.BlockCipherMode.OFB, 'key': ( b'\x2B\x7E\x15\x16\x28\xAE\xD2\xA6' b'\xAB\xF7\x15\x88\x09\xCF\x4F\x3C' ), 'iv_nonce': ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), 'plain_text': ( b'\x6B\xC1\xBE\xE2\x2E\x40\x9F\x96' b'\xE9\x3D\x7E\x11\x73\x93\x17\x2A' ), 'cipher_text': ( b'\x14\xF7\x64\x61\x87\x81\x7E\xB5' b'\x86\x59\x91\x46\xB8\x2B\xD7\x19' )}, {'algorithm': enums.CryptographicAlgorithm.RC4, 'cipher_mode': None, 'key': ( b'\x01\x02\x03\x04\x05\x06\x07\x08' b'\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10' b'\x11\x12\x13\x14\x15\x16\x17\x18' b'\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20' ), 'iv_nonce': None, 'plain_text': ( b'\x00\x00\x00\x00\x00\x00\x00\x00' b'\x00\x00\x00\x00\x00\x00\x00\x00' ), 'cipher_text': ( b'\xea\xa6\xbd\x25\x88\x0b\xf9\x3d' b'\x3f\x5d\x1e\x4c\xa2\x61\x1d\x91' )}, {'algorithm': enums.CryptographicAlgorithm.TRIPLE_DES, 'cipher_mode': enums.BlockCipherMode.ECB, 'key': b'\x01\x01\x01\x01\x01\x01\x01\x01', 'plain_text': b'\x80\x00\x00\x00\x00\x00\x00\x00', 'cipher_text': b'\x95\xF8\xA5\xE5\xDD\x31\xD9\x00', 'iv_nonce': None} ] ) def symmetric_parameters(request): return request.param def test_encrypt_symmetric(symmetric_parameters): """ Test that various encryption algorithms and block cipher modes can be used to correctly symmetrically encrypt data. """ engine = crypto.CryptographyEngine() engine._handle_symmetric_padding = mock.MagicMock( return_value=symmetric_parameters.get('plain_text') ) result = engine.encrypt( symmetric_parameters.get('algorithm'), symmetric_parameters.get('key'), symmetric_parameters.get('plain_text'), cipher_mode=symmetric_parameters.get('cipher_mode'), iv_nonce=symmetric_parameters.get('iv_nonce') ) if engine._handle_symmetric_padding.called: engine._handle_symmetric_padding.assert_called_once_with( engine._symmetric_key_algorithms.get( symmetric_parameters.get('algorithm') ), symmetric_parameters.get('plain_text'), None ) assert symmetric_parameters.get('cipher_text') == result.get('cipher_text') def test_decrypt_symmetric(symmetric_parameters): """ Test that various decryption algorithms and block cipher modes can be used to correctly symmetrically decrypt data. """ engine = crypto.CryptographyEngine() engine._handle_symmetric_padding = mock.MagicMock( return_value=symmetric_parameters.get('plain_text') ) result = engine.decrypt( symmetric_parameters.get('algorithm'), symmetric_parameters.get('key'), symmetric_parameters.get('cipher_text'), cipher_mode=symmetric_parameters.get('cipher_mode'), iv_nonce=symmetric_parameters.get('iv_nonce') ) if engine._handle_symmetric_padding.called: engine._handle_symmetric_padding.assert_called_once_with( engine._symmetric_key_algorithms.get( symmetric_parameters.get('algorithm') ), symmetric_parameters.get('plain_text'), None, undo_padding=True ) assert symmetric_parameters.get('plain_text') == result # Most of these test vectors were obtained from the pyca/cryptography test # suite: # # cryptography_vectors/asymmetric/RSA/pkcs-1v2-1d2-vec/oaep-vect.txt # cryptography_vectors/asymmetric/RSA/pkcs1v15crypt-vectors.txt @pytest.fixture( scope='function', params=[ {'algorithm': enums.CryptographicAlgorithm.RSA, 'padding_method': enums.PaddingMethod.OAEP, 'hashing_algorithm': enums.HashingAlgorithm.SHA_1, 'encoding': serialization.Encoding.DER, 'public_key': { 'n': int( 'a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8ae4811a' '1e0abc4c7e0b082d693a5e7fced675cf4668512772c0cbc64a742c6c630' 'f533c8cc72f62ae833c40bf25842e984bb78bdbf97c0107d55bdb662f5c' '4e0fab9845cb5148ef7392dd3aaff93ae1e6b667bb3d4247616d4f5ba10' 'd4cfd226de88d39f16fb', 16 ), 'e': int('010001', 16) }, 'private_key': { 'd': int( '53339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf119517ef4f5' '2e8fd8e258df93fee180fa0e4ab29693cd83b152a553d4ac4d1812b8b9f' 'a5af0e7f55fe7304df41570926f3311f15c4d65a732c483116ee3d3d2d0' 'af3549ad9bf7cbfb78ad884f84d5beb04724dc7369b31def37d0cf539e9' 'cfcdd3de653729ead5d1', 16 ), 'p': int( 'd32737e7267ffe1341b2d5c0d150a81b586fb3132bed2f8d5262864a9cb' '9f30af38be448598d413a172efb802c21acf1c11c520c2f26a471dcad21' '2eac7ca39d', 16 ), 'q': int( 'cc8853d1d54da630fac004f471f281c7b8982d8224a490edbeb33d3e3d5' 'cc93c4765703d1dd791642f1f116a0dd852be2419b2af72bfe9a030e860' 'b0288b5d77', 16 ), 'dmp1': int( '0e12bf1718e9cef5599ba1c3882fe8046a90874eefce8f2ccc20e4f2741' 'fb0a33a3848aec9c9305fbecbd2d76819967d4671acc6431e4037968db3' '7878e695c1', 16 ), 'dmq1': int( '95297b0f95a2fa67d00707d609dfd4fc05c89dafc2ef6d6ea55bec771ea' '333734d9251e79082ecda866efef13c459e1a631386b7e354c899f5f112' 'ca85d71583', 16 ), 'iqmp': int( '4f456c502493bdc0ed2ab756a3a6ed4d67352a697d4216e93212b127a63' 'd5411ce6fa98d5dbefd73263e3728142743818166ed7dd63687dd2a8ca1' 'd2f4fbd8e1', 16 ) }, 'plain_text': ( b'\x66\x28\x19\x4e\x12\x07\x3d\xb0' b'\x3b\xa9\x4c\xda\x9e\xf9\x53\x23' b'\x97\xd5\x0d\xba\x79\xb9\x87\x00' b'\x4a\xfe\xfe\x34' )}, {'algorithm': enums.CryptographicAlgorithm.RSA, 'padding_method': enums.PaddingMethod.PKCS1v15, 'encoding': serialization.Encoding.PEM, 'public_key': { 'n': int( '98b70582ca808fd1d3509562a0ef305af6d9875443b35bdf24d536353e3' 'f1228dcd12a78568356c6ff323abf72ac1cdbfe712fb49fe594a5a2175d' '48b6732538d8df37cb970be4a5b562c3f298db9ddf75607877918cced1d' '0d1f377338c0d3d3207797e862c65d11439e588177527a7ded91971adcf' '91e2e834e37f05a73655', 16 ), 'e': int('010001', 16) }, 'private_key': { 'd': int( '0614a786052d284cd906a8e413f7622c050f3549c026589ea27750e0bed' '9410e5a7883a1e603f5c517ad36d49faac5bd66bcb8030fa8d309e351dd' 'd782d843df975680ae73eea9aab289b757205dadb8fdfb989ec8db8e709' '5f51f24529f5637aa669331e2569f8b854abecec99aa264c3da7cc6866f' '0c0e1fb8469848581c73', 16 ), 'p': int( 'cb61a88c8c305ad9a8fbec2ba4c86cccc2028024aa1690c29bc8264d2fe' 'be87e4f86e912ef0f5c1853d71cbc9b14baed3c37cef6c7a3598b6fbe06' '4810905b57', 16 ), 'q': int( 'c0399f0b9380faba38ff80d2fff6ede79cfdabf658972077a5e2b295693' 'ea51072268b91746eea9be04ad66100ebed733db4cd0147a18d6de8c0cd' '8fbf249c33', 16 ), 'dmp1': int( '944c3a6579574cf7873362ab14359cb7d50393c2a84f59f0bd3cbd48ed1' '77c6895be8eb6e29ff58c3b9e0ff32ab57bf3be440762848184aa9aa919' 'd574567e73', 16 ), 'dmq1': int( '45ebefd58727308cd2b4e6085a8158d29a418feec114e00385bceb96fbb' 'c84d071a561b95c30087900e2580edb05f6cea7907fcdca5f92917b4bbe' 'ba5e1e140f', 16 ), 'iqmp': int( 'c52468c8fd15e5da2f6c8eba4e97baebe995b67a1a7ad719dd9fff366b1' '84d5ab455075909292044ecb345cf2cdd26228e21f85183255f4a9e69f4' 'c7152ebb0f', 16 ) }, 'plain_text': ( b'\xe9\xa7\x71\xe0\xa6\x5f\x28\x70' b'\x8e\x83\xd5\xe6\xcc\x89\x8a\x41' b'\xd7' )} ] ) def asymmetric_parameters(request): return request.param def test_encrypt_decrypt_asymmetric(asymmetric_parameters): """ Test that various encryption/decryption algorithms can be used to correctly asymmetrically encrypt data. """ # NOTE (peter-hamilton) Randomness included in RSA padding schemes # makes it impossible to unit test just encryption; it's not possible # to predict the cipher text. Instead, we test the encrypt/decrypt # cycle to ensure that they correctly mirror each other. backend = backends.default_backend() public_key_numbers = rsa.RSAPublicNumbers( asymmetric_parameters.get('public_key').get('e'), asymmetric_parameters.get('public_key').get('n') ) public_key = public_key_numbers.public_key(backend) public_bytes = public_key.public_bytes( asymmetric_parameters.get('encoding'), serialization.PublicFormat.PKCS1 ) private_key_numbers = rsa.RSAPrivateNumbers( p=asymmetric_parameters.get('private_key').get('p'), q=asymmetric_parameters.get('private_key').get('q'), d=asymmetric_parameters.get('private_key').get('d'), dmp1=asymmetric_parameters.get('private_key').get('dmp1'), dmq1=asymmetric_parameters.get('private_key').get('dmq1'), iqmp=asymmetric_parameters.get('private_key').get('iqmp'), public_numbers=public_key_numbers ) private_key = private_key_numbers.private_key(backend) private_bytes = private_key.private_bytes( asymmetric_parameters.get('encoding'), serialization.PrivateFormat.PKCS8, serialization.NoEncryption() ) engine = crypto.CryptographyEngine() result = engine.encrypt( asymmetric_parameters.get('algorithm'), public_bytes, asymmetric_parameters.get('plain_text'), padding_method=asymmetric_parameters.get('padding_method'), hashing_algorithm=asymmetric_parameters.get('hashing_algorithm') ) result = engine.decrypt( asymmetric_parameters.get('algorithm'), private_bytes, result.get('cipher_text'), padding_method=asymmetric_parameters.get('padding_method'), hashing_algorithm=asymmetric_parameters.get('hashing_algorithm') ) assert asymmetric_parameters.get('plain_text') == result @pytest.fixture( scope='function', params=[ {'algorithm': algorithms.AES, 'plain_text': b'\x48\x65\x6C\x6C\x6F', 'padding_method': enums.PaddingMethod.PKCS5, 'padded_text': ( b'\x48\x65\x6C\x6C\x6F\x0B\x0B\x0B' b'\x0B\x0B\x0B\x0B\x0B\x0B\x0B\x0B' )}, {'algorithm': algorithms.TripleDES, 'plain_text': b'\x48\x65\x6C\x6C\x6F', 'padding_method': enums.PaddingMethod.ANSI_X923, 'padded_text': b'\x48\x65\x6C\x6C\x6F\x00\x00\x03'} ] ) def symmetric_padding_parameters(request): return request.param def test_handle_symmetric_padding(symmetric_padding_parameters): """ Test that data of various lengths can be padded correctly using different padding schemes. """ engine = crypto.CryptographyEngine() result = engine._handle_symmetric_padding( symmetric_padding_parameters.get('algorithm'), symmetric_padding_parameters.get('plain_text'), symmetric_padding_parameters.get('padding_method') ) assert result == symmetric_padding_parameters.get('padded_text') def test_handle_symmetric_padding_undo(symmetric_padding_parameters): """ Test that data of various lengths can be unpadded correctly using different padding schemes. """ engine = crypto.CryptographyEngine() result = engine._handle_symmetric_padding( symmetric_padding_parameters.get('algorithm'), symmetric_padding_parameters.get('padded_text'), symmetric_padding_parameters.get('padding_method'), undo_padding=True ) assert result == symmetric_padding_parameters.get('plain_text') # PBKDF2 test vectors were obtained from IETF RFC 6070: # # https://www.ietf.org/rfc/rfc6070.txt # # HMAC test vectors were obtained from IETF RFC 5869: # # https://tools.ietf.org/html/rfc5869 # # HASH test vectors for SHA1/SHA224/SHA256/SHA384/SHA512 # were obtained from the NIST CAVP test suite. Test vectors for MD5 were # obtained from NIST NSRL: # # http://csrc.nist.gov/groups/STM/cavp/documents/shs/shabytetestvectors.zip # https://www.nsrl.nist.gov/testdata/ # # NIST 800-108 Counter Mode test vectors were obtained from the NIST CAVP # test suite: # # http://csrc.nist.gov/groups/STM/cavp/documents/KBKDF800-108/kbkdfvs.pdf # http://csrc.nist.gov/groups/STM/cavp/documents/KBKDF800-108/CounterMode.zip @pytest.fixture( scope='function', params=[ {'derivation_method': enums.DerivationMethod.PBKDF2, 'derivation_length': 20, 'key_material': b'password', 'hash_algorithm': enums.HashingAlgorithm.SHA_1, 'salt': b'salt', 'iteration_count': 1, 'derived_data': ( b'\x0c\x60\xc8\x0f\x96\x1f\x0e\x71' b'\xf3\xa9\xb5\x24\xaf\x60\x12\x06' b'\x2f\xe0\x37\xa6' )}, {'derivation_method': enums.DerivationMethod.PBKDF2, 'derivation_length': 20, 'key_material': b'password', 'hash_algorithm': enums.HashingAlgorithm.SHA_1, 'salt': b'salt', 'iteration_count': 4096, 'derived_data': ( b'\x4b\x00\x79\x01\xb7\x65\x48\x9a' b'\xbe\xad\x49\xd9\x26\xf7\x21\xd0' b'\x65\xa4\x29\xc1' )}, {'derivation_method': enums.DerivationMethod.PBKDF2, 'derivation_length': 25, 'key_material': b'passwordPASSWORDpassword', 'hash_algorithm': enums.HashingAlgorithm.SHA_1, 'salt': b'saltSALTsaltSALTsaltSALTsaltSALTsalt', 'iteration_count': 4096, 'derived_data': ( b'\x3d\x2e\xec\x4f\xe4\x1c\x84\x9b' b'\x80\xc8\xd8\x36\x62\xc0\xe4\x4a' b'\x8b\x29\x1a\x96\x4c\xf2\xf0\x70' b'\x38' )}, {'derivation_method': enums.DerivationMethod.PBKDF2, 'derivation_length': 16, 'key_material': b'pass\x00word', 'hash_algorithm': enums.HashingAlgorithm.SHA_1, 'salt': b'sa\x00lt', 'iteration_count': 4096, 'derived_data': ( b'\x56\xfa\x6a\xa7\x55\x48\x09\x9d' b'\xcc\x37\xd7\xf0\x34\x25\xe0\xc3' )}, {'derivation_method': enums.DerivationMethod.HMAC, 'derivation_length': 42, 'derivation_data': ( b'\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7' b'\xf8\xf9' ), 'key_material': ( b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_256, 'salt': ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0a\x0b\x0c' ), 'derived_data': ( b'\x3c\xb2\x5f\x25\xfa\xac\xd5\x7a' b'\x90\x43\x4f\x64\xd0\x36\x2f\x2a' b'\x2d\x2d\x0a\x90\xcf\x1a\x5a\x4c' b'\x5d\xb0\x2d\x56\xec\xc4\xc5\xbf' b'\x34\x00\x72\x08\xd5\xb8\x87\x18' b'\x58\x65' )}, {'derivation_method': enums.DerivationMethod.HMAC, 'derivation_length': 82, 'derivation_data': ( b'\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7' b'\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf' b'\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7' b'\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf' b'\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7' b'\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf' b'\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7' b'\xe8\xe9\xea\xeb\xec\xed\xee\xef' b'\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7' b'\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' ), 'key_material': ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f' b'\x10\x11\x12\x13\x14\x15\x16\x17' b'\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f' b'\x20\x21\x22\x23\x24\x25\x26\x27' b'\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f' b'\x30\x31\x32\x33\x34\x35\x36\x37' b'\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f' b'\x40\x41\x42\x43\x44\x45\x46\x47' b'\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_256, 'salt': ( b'\x60\x61\x62\x63\x64\x65\x66\x67' b'\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f' b'\x70\x71\x72\x73\x74\x75\x76\x77' b'\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f' b'\x80\x81\x82\x83\x84\x85\x86\x87' b'\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f' b'\x90\x91\x92\x93\x94\x95\x96\x97' b'\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f' b'\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7' b'\xa8\xa9\xaa\xab\xac\xad\xae\xaf' ), 'derived_data': ( b'\xb1\x1e\x39\x8d\xc8\x03\x27\xa1' b'\xc8\xe7\xf7\x8c\x59\x6a\x49\x34' b'\x4f\x01\x2e\xda\x2d\x4e\xfa\xd8' b'\xa0\x50\xcc\x4c\x19\xaf\xa9\x7c' b'\x59\x04\x5a\x99\xca\xc7\x82\x72' b'\x71\xcb\x41\xc6\x5e\x59\x0e\x09' b'\xda\x32\x75\x60\x0c\x2f\x09\xb8' b'\x36\x77\x93\xa9\xac\xa3\xdb\x71' b'\xcc\x30\xc5\x81\x79\xec\x3e\x87' b'\xc1\x4c\x01\xd5\xc1\xf3\x43\x4f' b'\x1d\x87' )}, {'derivation_method': enums.DerivationMethod.HMAC, 'derivation_length': 42, 'derivation_data': b'', 'key_material': ( b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_256, 'salt': b'', 'derived_data': ( b'\x8d\xa4\xe7\x75\xa5\x63\xc1\x8f' b'\x71\x5f\x80\x2a\x06\x3c\x5a\x31' b'\xb8\xa1\x1f\x5c\x5e\xe1\x87\x9e' b'\xc3\x45\x4e\x5f\x3c\x73\x8d\x2d' b'\x9d\x20\x13\x95\xfa\xa4\xb6\x1a' b'\x96\xc8' )}, {'derivation_method': enums.DerivationMethod.HMAC, 'derivation_length': 42, 'derivation_data': ( b'\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7' b'\xf8\xf9' ), 'key_material': ( b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_1, 'salt': ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0a\x0b\x0c' ), 'derived_data': ( b'\x08\x5a\x01\xea\x1b\x10\xf3\x69' b'\x33\x06\x8b\x56\xef\xa5\xad\x81' b'\xa4\xf1\x4b\x82\x2f\x5b\x09\x15' b'\x68\xa9\xcd\xd4\xf1\x55\xfd\xa2' b'\xc2\x2e\x42\x24\x78\xd3\x05\xf3' b'\xf8\x96' )}, {'derivation_method': enums.DerivationMethod.HMAC, 'derivation_length': 82, 'derivation_data': ( b'\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7' b'\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf' b'\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7' b'\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf' b'\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7' b'\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf' b'\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7' b'\xe8\xe9\xea\xeb\xec\xed\xee\xef' b'\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7' b'\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' ), 'key_material': ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f' b'\x10\x11\x12\x13\x14\x15\x16\x17' b'\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f' b'\x20\x21\x22\x23\x24\x25\x26\x27' b'\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f' b'\x30\x31\x32\x33\x34\x35\x36\x37' b'\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f' b'\x40\x41\x42\x43\x44\x45\x46\x47' b'\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_1, 'salt': ( b'\x60\x61\x62\x63\x64\x65\x66\x67' b'\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f' b'\x70\x71\x72\x73\x74\x75\x76\x77' b'\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f' b'\x80\x81\x82\x83\x84\x85\x86\x87' b'\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f' b'\x90\x91\x92\x93\x94\x95\x96\x97' b'\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f' b'\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7' b'\xa8\xa9\xaa\xab\xac\xad\xae\xaf' ), 'derived_data': ( b'\x0b\xd7\x70\xa7\x4d\x11\x60\xf7' b'\xc9\xf1\x2c\xd5\x91\x2a\x06\xeb' b'\xff\x6a\xdc\xae\x89\x9d\x92\x19' b'\x1f\xe4\x30\x56\x73\xba\x2f\xfe' b'\x8f\xa3\xf1\xa4\xe5\xad\x79\xf3' b'\xf3\x34\xb3\xb2\x02\xb2\x17\x3c' b'\x48\x6e\xa3\x7c\xe3\xd3\x97\xed' b'\x03\x4c\x7f\x9d\xfe\xb1\x5c\x5e' b'\x92\x73\x36\xd0\x44\x1f\x4c\x43' b'\x00\xe2\xcf\xf0\xd0\x90\x0b\x52' b'\xd3\xb4' )}, {'derivation_method': enums.DerivationMethod.HMAC, 'derivation_length': 42, 'derivation_data': b'', 'key_material': ( b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b' b'\x0b\x0b\x0b\x0b\x0b\x0b' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_1, 'salt': b'', 'derived_data': ( b'\x0a\xc1\xaf\x70\x02\xb3\xd7\x61' b'\xd1\xe5\x52\x98\xda\x9d\x05\x06' b'\xb9\xae\x52\x05\x72\x20\xa3\x06' b'\xe0\x7b\x6b\x87\xe8\xdf\x21\xd0' b'\xea\x00\x03\x3d\xe0\x39\x84\xd3' b'\x49\x18' )}, {'derivation_method': enums.DerivationMethod.HMAC, 'derivation_length': 42, 'derivation_data': b'', 'key_material': ( b'\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c' b'\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c' b'\x0c\x0c\x0c\x0c\x0c\x0c' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_1, 'salt': b'', 'derived_data': ( b'\x2c\x91\x11\x72\x04\xd7\x45\xf3' b'\x50\x0d\x63\x6a\x62\xf6\x4f\x0a' b'\xb3\xba\xe5\x48\xaa\x53\xd4\x23' b'\xb0\xd1\xf2\x7e\xbb\xa6\xf5\xe5' b'\x67\x3a\x08\x1d\x70\xcc\xe7\xac' b'\xfc\x48' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 16, 'derivation_data': ( b'abc' ), 'hash_algorithm': enums.HashingAlgorithm.MD5, 'derived_data': ( b'\x90\x01\x50\x98\x3C\xD2\x4F\xB0' b'\xD6\x96\x3F\x7D\x28\xE1\x7F\x72' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 16, 'derivation_data': ( b'abcdbcdecdefdefgefghfghighijhijk' b'ijkljklmklmnlmnomnopnopq' ), 'hash_algorithm': enums.HashingAlgorithm.MD5, 'derived_data': ( b'\x82\x15\xEF\x07\x96\xA2\x0B\xCA' b'\xAA\xE1\x16\xD3\x87\x6C\x66\x4A' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 20, 'derivation_data': b'', 'hash_algorithm': enums.HashingAlgorithm.SHA_1, 'derived_data': ( b'\xda\x39\xa3\xee\x5e\x6b\x4b\x0d' b'\x32\x55\xbf\xef\x95\x60\x18\x90' b'\xaf\xd8\x07\x09' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 20, 'derivation_data': ( b'\x03\x21\x79\x4b\x73\x94\x18\xc2' b'\x4e\x7c\x2e\x56\x52\x74\x79\x1c' b'\x4b\xe7\x49\x75\x2a\xd2\x34\xed' b'\x56\xcb\x0a\x63\x47\x43\x0c\x6b' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_1, 'derived_data': ( b'\xb8\x99\x62\xc9\x4d\x60\xf6\xa3' b'\x32\xfd\x60\xf6\xf0\x7d\x4f\x03' b'\x2a\x58\x6b\x76' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 28, 'derivation_data': b'', 'hash_algorithm': enums.HashingAlgorithm.SHA_224, 'derived_data': ( b'\xd1\x4a\x02\x8c\x2a\x3a\x2b\xc9' b'\x47\x61\x02\xbb\x28\x82\x34\xc4' b'\x15\xa2\xb0\x1f\x82\x8e\xa6\x2a' b'\xc5\xb3\xe4\x2f' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 28, 'derivation_data': ( b'\xa3\x31\x0b\xa0\x64\xbe\x2e\x14' b'\xad\x32\x27\x6e\x18\xcd\x03\x10' b'\xc9\x33\xa6\xe6\x50\xc3\xc7\x54' b'\xd0\x24\x3c\x6c\x61\x20\x78\x65' b'\xb4\xb6\x52\x48\xf6\x6a\x08\xed' b'\xf6\xe0\x83\x26\x89\xa9\xdc\x3a' b'\x2e\x5d\x20\x95\xee\xea\x50\xbd' b'\x86\x2b\xac\x88\xc8\xbd\x31\x8d' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_224, 'derived_data': ( b'\xb2\xa5\x58\x6d\x9c\xbf\x0b\xaa' b'\x99\x91\x57\xb4\xaf\x06\xd8\x8a' b'\xe0\x8d\x7c\x9f\xaa\xb4\xbc\x1a' b'\x96\x82\x9d\x65' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 32, 'derivation_data': b'', 'hash_algorithm': enums.HashingAlgorithm.SHA_256, 'derived_data': ( b'\xe3\xb0\xc4\x42\x98\xfc\x1c\x14' b'\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24' b'\x27\xae\x41\xe4\x64\x9b\x93\x4c' b'\xa4\x95\x99\x1b\x78\x52\xb8\x55' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 32, 'derivation_data': ( b'\xf4\x99\xcc\x3f\x6e\x3c\xf7\xc3' b'\x12\xff\xdf\xba\x61\xb1\x26\x0c' b'\x37\x12\x9c\x1a\xfb\x39\x10\x47' b'\x19\x33\x67\xb7\xb2\xed\xeb\x57' b'\x92\x53\xe5\x1d\x62\xba\x6d\x91' b'\x1e\x7b\x81\x8c\xca\xe1\x55\x3f' b'\x61\x46\xea\x78\x0f\x78\xe2\x21' b'\x9f\x62\x93\x09' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_256, 'derived_data': ( b'\x0b\x66\xc8\xb4\xfe\xfe\xbc\x8d' b'\xc7\xda\x0b\xbe\xdc\x11\x14\xf2' b'\x28\xaa\x63\xc3\x7d\x5c\x30\xe9' b'\x1a\xb5\x00\xf3\xea\xdf\xce\xc5' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 48, 'derivation_data': b'', 'hash_algorithm': enums.HashingAlgorithm.SHA_384, 'derived_data': ( b'\x38\xb0\x60\xa7\x51\xac\x96\x38' b'\x4c\xd9\x32\x7e\xb1\xb1\xe3\x6a' b'\x21\xfd\xb7\x11\x14\xbe\x07\x43' b'\x4c\x0c\xc7\xbf\x63\xf6\xe1\xda' b'\x27\x4e\xde\xbf\xe7\x6f\x65\xfb' b'\xd5\x1a\xd2\xf1\x48\x98\xb9\x5b' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 48, 'derivation_data': ( b'\x3b\xf5\x2c\xc5\xee\x86\xb9\xa0' b'\x19\x0f\x39\x0a\x5c\x03\x66\xa5' b'\x60\xb5\x57\x00\x0d\xbe\x51\x15' b'\xfd\x9e\xe1\x16\x30\xa6\x27\x69' b'\x01\x15\x75\xf1\x58\x81\x19\x8f' b'\x22\x78\x76\xe8\xfe\x68\x5a\x69' b'\x39\xbc\x8b\x89\xfd\x48\xa3\x4e' b'\xc5\xe7\x1e\x13\x14\x62\xb2\x88' b'\x67\x94\xdf\xfa\x68\xcc\xc6\xd5' b'\x64\x73\x3e\x67\xff\xef\x25\xe6' b'\x27\xc6\xf4\xb5\x46\x07\x96\xe3' b'\xbc\xe6\x7b\xf5\x8c\xa6\xe8\xe5' b'\x55\xbc\x91\x6a\x85\x31\x69\x7a' b'\xc9\x48\xb9\x0d\xc8\x61\x6f\x25' b'\x10\x1d\xb9\x0b\x50\xc3\xd3\xdb' b'\xc9\xe2\x1e\x42\xff\x38\x71\x87' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_384, 'derived_data': ( b'\x12\xb6\xcb\x35\xed\xa9\x2e\xe3' b'\x73\x56\xdd\xee\x77\x78\x1a\x17' b'\xb3\xd9\x0e\x56\x38\x24\xa9\x84' b'\xfa\xff\xc6\xfd\xd1\x69\x3b\xd7' b'\x62\x60\x39\x63\x55\x63\xcf\xc3' b'\xb9\xa2\xb0\x0f\x9c\x65\xee\xfd' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 64, 'key_material': b'', 'hash_algorithm': enums.HashingAlgorithm.SHA_512, 'derived_data': ( b'\xcf\x83\xe1\x35\x7e\xef\xb8\xbd' b'\xf1\x54\x28\x50\xd6\x6d\x80\x07' b'\xd6\x20\xe4\x05\x0b\x57\x15\xdc' b'\x83\xf4\xa9\x21\xd3\x6c\xe9\xce' b'\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0' b'\xff\x83\x18\xd2\x87\x7e\xec\x2f' b'\x63\xb9\x31\xbd\x47\x41\x7a\x81' b'\xa5\x38\x32\x7a\xf9\x27\xda\x3e' )}, {'derivation_method': enums.DerivationMethod.HASH, 'derivation_length': 64, 'derivation_data': ( b'\xa7\x66\xb2\xa7\xef\x91\x67\x21' b'\xf4\x67\x7b\x67\xdb\xc6\x5e\xf9' b'\xb4\xd1\xbd\xa1\xad\x4e\x53\xfc' b'\x85\x4b\x02\x36\x44\x08\x22\x15' b'\x2a\x11\x19\x39\xe5\xab\x2b\xa2' b'\x07\x71\x94\x72\xb6\x3f\xd4\xf4' b'\xa5\x4f\x4b\xde\x44\xa2\x05\xd3' b'\x34\xa2\xd7\x2c\xfe\x05\xab\xf8' b'\x04\xf4\x18\x41\xb8\x6d\x36\x92' b'\x0b\xe6\xb0\xb5\x29\x33\x1a\xc1' b'\x63\xa9\x85\x55\x6c\x84\x51\x1e' b'\xc9\x86\x43\x9f\x83\xe1\xd7\x31' b'\x1f\x57\xd8\x48\xcf\xa0\x2d\xf9' b'\xea\x0c\xf6\xb9\x9a' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_512, 'derived_data': ( b'\xdd\xd6\x0f\x93\xa3\xba\xbc\x78' b'\x29\x9c\xf7\x63\xe7\x91\x9d\x45' b'\xac\x6f\x47\x97\x00\xe1\xad\xb0' b'\x5a\xb1\x37\xac\xdf\x89\xc1\x52' b'\x1e\xcb\x9d\xfe\xac\xd0\x91\xe5' b'\x8c\xa5\x7a\x1d\xb9\x64\xa9\xc3' b'\xcd\x1f\xa3\x91\x92\xcc\x1e\x9f' b'\x73\x4c\xaa\x1c\x5f\xa6\x29\x75' )}, {'derivation_method': enums.DerivationMethod.NIST800_108_C, 'derivation_length': 16, 'derivation_data': ( b'\x8e\x34\x7e\xf5\x5d\x5f\x5e\x99' b'\xea\xb6\xde\x70\x6b\x51\xde\x7c' b'\xe0\x04\xf3\x88\x28\x89\xe2\x59' b'\xff\x4e\x5c\xff\x10\x21\x67\xa5' b'\xa4\xbd\x71\x15\x78\xd4\xce\x17' b'\xdd\x9a\xbe\x56\xe5\x1c\x1f\x2d' b'\xf9\x50\xe2\xfc\x81\x2e\xc1\xb2' b'\x17\xca\x08\xd6' ), 'key_material': ( b'\xf7\x59\x17\x33\xc8\x56\x59\x35' b'\x65\x13\x09\x75\x35\x19\x54\xd0' b'\x15\x5a\xbf\x3c' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_1, 'derived_data': ( b'\x34\xfe\x44\xb0\xd8\xc4\x1b\x93' b'\xf5\xfa\x64\xfb\x96\xf0\x0e\x5b' )}, {'derivation_method': enums.DerivationMethod.NIST800_108_C, 'derivation_length': 16, 'derivation_data': ( b'\x4e\x5a\xc7\x53\x98\x03\xda\x89' b'\x58\x1e\xe0\x88\xc7\xd1\x02\x35' b'\xa1\x05\x36\x36\x00\x54\xb7\x2b' b'\x8e\x9f\x18\xf7\x7c\x25\xaf\x01' b'\x01\x9b\x29\x06\x56\xb6\x04\x28' b'\x02\x4c\xe0\x1f\xcc\xf4\x90\x22' b'\xd8\x31\x94\x14\x07\xe6\xbd\x27' b'\xff\x9e\x2d\x28' ), 'key_material': ( b'\xf5\xcb\x7c\xc6\x20\x7f\x59\x20' b'\xdd\x60\x15\x5d\xdb\x68\xc3\xfb' b'\xbd\xf5\x10\x43\x65\x30\x5d\x2c' b'\x1a\xbc\xd3\x11' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_224, 'derived_data': ( b'\x0a\xdb\xaa\xb4\x3e\xdd\x53\x2b' b'\x56\x0a\x32\x2c\x84\xac\x54\x0e' )}, {'derivation_method': enums.DerivationMethod.NIST800_108_C, 'derivation_length': 16, 'derivation_data': ( b'\x01\x32\x2b\x96\xb3\x0a\xcd\x19' b'\x79\x79\x44\x4e\x46\x8e\x1c\x5c' b'\x68\x59\xbf\x1b\x1c\xf9\x51\xb7' b'\xe7\x25\x30\x3e\x23\x7e\x46\xb8' b'\x64\xa1\x45\xfa\xb2\x5e\x51\x7b' b'\x08\xf8\x68\x3d\x03\x15\xbb\x29' b'\x11\xd8\x0a\x0e\x8a\xba\x17\xf3' b'\xb4\x13\xfa\xac' ), 'key_material': ( b'\xdd\x1d\x91\xb7\xd9\x0b\x2b\xd3' b'\x13\x85\x33\xce\x92\xb2\x72\xfb' b'\xf8\xa3\x69\x31\x6a\xef\xe2\x42' b'\xe6\x59\xcc\x0a\xe2\x38\xaf\xe0' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_256, 'derived_data': ( b'\x10\x62\x13\x42\xbf\xb0\xfd\x40' b'\x04\x6c\x0e\x29\xf2\xcf\xdb\xf0' )}, {'derivation_method': enums.DerivationMethod.NIST800_108_C, 'derivation_length': 16, 'derivation_data': ( b'\x63\x8e\x95\x06\xa2\xc7\xbe\x69' b'\xea\x34\x6b\x84\x62\x9a\x01\x0c' b'\x0e\x22\x5b\x75\x48\xf5\x08\x16' b'\x2c\x89\xf2\x9c\x1d\xdb\xfd\x70' b'\x47\x2c\x2b\x58\xe7\xdc\x8a\xa6' b'\xa5\xb0\x66\x02\xf1\xc8\xed\x49' b'\x48\xcd\xa7\x9c\x62\x70\x82\x18' b'\xe2\x6a\xc0\xe2' ), 'key_material': ( b'\x21\x6e\xd0\x44\x76\x9c\x4c\x39' b'\x08\x18\x8e\xce\x61\x60\x1a\xf8' b'\x81\x9c\x30\xf5\x01\xd1\x29\x95' b'\xdf\x60\x8e\x06\xf5\xe0\xe6\x07' b'\xab\x54\xf5\x42\xee\x2d\xa4\x19' b'\x06\xdf\xdb\x49\x71\xf2\x0f\x9d' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_384, 'derived_data': ( b'\xd4\xb1\x44\xbb\x40\xc7\xca\xbe' b'\xd1\x39\x63\xd7\xd4\x31\x8e\x72' )}, {'derivation_method': enums.DerivationMethod.NIST800_108_C, 'derivation_length': 16, 'derivation_data': ( b'\xb5\x0b\x0c\x96\x3c\x6b\x30\x34' b'\xb8\xcf\x19\xcd\x3f\x5c\x4e\xbe' b'\x4f\x49\x85\xaf\x0c\x03\xe5\x75' b'\xdb\x62\xe6\xfd\xf1\xec\xfe\x4f' b'\x28\xb9\x5d\x7c\xe1\x6d\xf8\x58' b'\x43\x24\x6e\x15\x57\xce\x95\xbb' b'\x26\xcc\x9a\x21\x97\x4b\xbd\x2e' b'\xb6\x9e\x83\x55' ), 'key_material': ( b'\xdd\x5d\xbd\x45\x59\x3e\xe2\xac' b'\x13\x97\x48\xe7\x64\x5b\x45\x0f' b'\x22\x3d\x2f\xf2\x97\xb7\x3f\xd7' b'\x1c\xbc\xeb\xe7\x1d\x41\x65\x3c' b'\x95\x0b\x88\x50\x0d\xe5\x32\x2d' b'\x99\xef\x18\xdf\xdd\x30\x42\x82' b'\x94\xc4\xb3\x09\x4f\x4c\x95\x43' b'\x34\xe5\x93\xbd\x98\x2e\xc6\x14' ), 'hash_algorithm': enums.HashingAlgorithm.SHA_512, 'derived_data': ( b'\xe5\x99\x3b\xf9\xbd\x2a\xa1\xc4' b'\x57\x46\x04\x2e\x12\x59\x81\x55' )}, {'derivation_method': enums.DerivationMethod.ENCRYPT, 'derivation_data': ( b'\x37\x36\x35\x34\x33\x32\x31\x20' b'\x4E\x6F\x77\x20\x69\x73\x20\x74' b'\x68\x65\x20\x74\x69\x6D\x65\x20' b'\x66\x6F\x72\x20\x00' ), 'key_material': ( b'\x01\x23\x45\x67\x89\xAB\xCD\xEF' b'\xF0\xE1\xD2\xC3\xB4\xA5\x96\x87' ), 'encryption_algorithm': enums.CryptographicAlgorithm.BLOWFISH, 'cipher_mode': enums.BlockCipherMode.CBC, 'padding_method': enums.PaddingMethod.PKCS5, 'iv_nonce': b'\xFE\xDC\xBA\x98\x76\x54\x32\x10', 'derived_data': ( b'\x6B\x77\xB4\xD6\x30\x06\xDE\xE6' b'\x05\xB1\x56\xE2\x74\x03\x97\x93' b'\x58\xDE\xB9\xE7\x15\x46\x16\xD9' b'\x74\x9D\xEC\xBE\xC0\x5D\x26\x4B' )} ] ) def derivation_parameters(request): return request.param def test_derive_key(derivation_parameters): """ Test that various derivation methods and settings can be used to correctly derive key data. """ engine = crypto.CryptographyEngine() result = engine.derive_key( derivation_parameters.get('derivation_method'), derivation_parameters.get('derivation_length'), derivation_data=derivation_parameters.get('derivation_data'), key_material=derivation_parameters.get('key_material'), hash_algorithm=derivation_parameters.get('hash_algorithm'), salt=derivation_parameters.get('salt'), iteration_count=derivation_parameters.get('iteration_count'), encryption_algorithm=derivation_parameters.get('encryption_algorithm'), padding_method=derivation_parameters.get('padding_method'), cipher_mode=derivation_parameters.get('cipher_mode'), iv_nonce=derivation_parameters.get('iv_nonce') ) assert derivation_parameters.get('derived_data') == result # AES Key Wrap test vectors were obtained from IETF RFC 3394: # # https://www.ietf.org/rfc/rfc3394.txt @pytest.fixture( scope='function', params=[ {'key_material': ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), 'wrapping_method': enums.WrappingMethod.ENCRYPT, 'key_wrap_algorithm': enums.BlockCipherMode.NIST_KEY_WRAP, 'encryption_key': ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), 'wrapped_data': ( b'\x1F\xA6\x8B\x0A\x81\x12\xB4\x47' b'\xAE\xF3\x4B\xD8\xFB\x5A\x7B\x82' b'\x9D\x3E\x86\x23\x71\xD2\xCF\xE5' )}, {'key_material': ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), 'wrapping_method': enums.WrappingMethod.ENCRYPT, 'key_wrap_algorithm': enums.BlockCipherMode.NIST_KEY_WRAP, 'encryption_key': ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' b'\x10\x11\x12\x13\x14\x15\x16\x17' ), 'wrapped_data': ( b'\x96\x77\x8B\x25\xAE\x6C\xA4\x35' b'\xF9\x2B\x5B\x97\xC0\x50\xAE\xD2' b'\x46\x8A\xB8\xA1\x7A\xD8\x4E\x5D' )}, {'key_material': ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' ), 'wrapping_method': enums.WrappingMethod.ENCRYPT, 'key_wrap_algorithm': enums.BlockCipherMode.NIST_KEY_WRAP, 'encryption_key': ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' b'\x10\x11\x12\x13\x14\x15\x16\x17' b'\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F' ), 'wrapped_data': ( b'\x64\xE8\xC3\xF9\xCE\x0F\x5B\xA2' b'\x63\xE9\x77\x79\x05\x81\x8A\x2A' b'\x93\xC8\x19\x1E\x7D\x6E\x8A\xE7' )}, {'key_material': ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' b'\x00\x01\x02\x03\x04\x05\x06\x07' ), 'wrapping_method': enums.WrappingMethod.ENCRYPT, 'key_wrap_algorithm': enums.BlockCipherMode.NIST_KEY_WRAP, 'encryption_key': ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' b'\x10\x11\x12\x13\x14\x15\x16\x17' ), 'wrapped_data': ( b'\x03\x1D\x33\x26\x4E\x15\xD3\x32' b'\x68\xF2\x4E\xC2\x60\x74\x3E\xDC' b'\xE1\xC6\xC7\xDD\xEE\x72\x5A\x93' b'\x6B\xA8\x14\x91\x5C\x67\x62\xD2' )}, {'key_material': ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' b'\x00\x01\x02\x03\x04\x05\x06\x07' ), 'wrapping_method': enums.WrappingMethod.ENCRYPT, 'key_wrap_algorithm': enums.BlockCipherMode.NIST_KEY_WRAP, 'encryption_key': ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' b'\x10\x11\x12\x13\x14\x15\x16\x17' b'\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F' ), 'wrapped_data': ( b'\xA8\xF9\xBC\x16\x12\xC6\x8B\x3F' b'\xF6\xE6\xF4\xFB\xE3\x0E\x71\xE4' b'\x76\x9C\x8B\x80\xA3\x2C\xB8\x95' b'\x8C\xD5\xD1\x7D\x6B\x25\x4D\xA1' )}, {'key_material': ( b'\x00\x11\x22\x33\x44\x55\x66\x77' b'\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF' b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' ), 'wrapping_method': enums.WrappingMethod.ENCRYPT, 'key_wrap_algorithm': enums.BlockCipherMode.NIST_KEY_WRAP, 'encryption_key': ( b'\x00\x01\x02\x03\x04\x05\x06\x07' b'\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F' b'\x10\x11\x12\x13\x14\x15\x16\x17' b'\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F' ), 'wrapped_data': ( b'\x28\xC9\xF4\x04\xC4\xB8\x10\xF4' b'\xCB\xCC\xB3\x5C\xFB\x87\xF8\x26' b'\x3F\x57\x86\xE2\xD8\x0E\xD3\x26' b'\xCB\xC7\xF0\xE7\x1A\x99\xF4\x3B' b'\xFB\x98\x8B\x9B\x7A\x02\xDD\x21' )} ] ) def wrapping_parameters(request): return request.param def test_wrap_key(wrapping_parameters): """ Test that various wrapping methods and settings can be used to correctly wrap key data. """ engine = crypto.CryptographyEngine() result = engine.wrap_key( wrapping_parameters.get('key_material'), wrapping_parameters.get('wrapping_method'), wrapping_parameters.get('key_wrap_algorithm'), wrapping_parameters.get('encryption_key') ) assert wrapping_parameters.get('wrapped_data') == result # Test vectors obtained from pyca/cryptography # https://cryptography.io/en/latest/ DER_RSA_KEY = ( b'\x30\x82\x02\x5e\x02\x01\x00\x02\x81\x81\x00\xae\xba\xc1\xb9\xa1\x74\x31' b'\x5d\x27\xcc\x3c\x20\x1e\x21\x57\x89\x43\x72\xd6\x45\x0d\x4c\xf8\x0c\xe0' b'\xeb\xcf\x51\x69\x51\x9b\x9e\x85\x50\x03\x6f\x4a\xbe\x0f\xe4\xf9\x4f\xbf' b'\x9c\xca\x60\x6f\x39\x74\x33\x65\x49\x96\x11\xba\x3f\x25\xa9\xa4\x71\x58' b'\xba\x05\x21\x4b\x65\x5f\x42\x58\xa4\xc2\x95\x16\xbe\xca\xa5\x83\xf2\xd2' b'\x66\x50\x69\x6a\xd6\xfc\x03\xd5\xb4\x7d\x3a\xba\x9c\x54\x79\xfd\xb0\x47' b'\x7d\x29\x51\x33\x99\xcb\x19\x28\x3c\xcd\xc2\x8d\xbb\x23\xb7\xc7\xee\xe4' b'\xb3\x5d\xc9\x40\xda\xca\x00\x55\xdc\xd2\x8f\x50\x3b\x02\x03\x01\x00\x01' b'\x02\x81\x81\x00\x92\x89\x09\x42\xd6\xc6\x8d\x47\xa4\xc2\xc1\x81\xe6\x02' b'\xec\x58\xaf\x7a\x35\x7c\x7f\xa5\x17\x3a\x25\xbf\x5d\x84\xd7\x20\x9b\xb4' b'\x1b\xf5\x78\x8b\xf3\x50\xe6\x1f\x8f\x7e\x74\x21\xd8\x0f\x7b\xf7\xe1\x1d' b'\xe1\x4a\x0f\x53\x1a\xb1\x2e\xb2\xd0\xb8\x46\x42\xeb\x5d\x18\x11\x70\xc2' b'\xc5\x8a\xab\xbd\x67\x54\x84\x2f\xaf\xee\x57\xfe\xf2\xf5\x45\xd0\x9f\xdc' b'\x66\x49\x02\xe5\x5b\xac\xed\x5a\x3c\x6d\x26\xf3\x46\x58\x59\xd3\x3a\x33' b'\xa5\x55\x53\x7d\xaf\x22\x63\xaa\xef\x28\x35\x4c\x8b\x53\x51\x31\x45\xa7' b'\xe2\x28\x82\x4d\xab\xb1\x02\x41\x00\xd3\xaa\x23\x7e\x89\x42\xb9\x3d\x56' b'\xa6\x81\x25\x4c\x27\xbe\x1f\x4a\x49\x6c\xa4\xa8\x7f\xc0\x60\x4b\x0c\xff' b'\x8f\x98\x0e\x74\x2d\x2b\xbb\x91\xb8\x8a\x24\x7b\x6e\xbb\xed\x01\x45\x8c' b'\x4a\xfd\xb6\x8c\x0f\x8c\x6d\x4a\x37\xe0\x28\xc5\xfc\xb3\xa6\xa3\x9c\xa6' b'\x4f\x02\x41\x00\xd3\x54\x16\x8c\x61\x9c\x83\x6e\x85\x97\xfe\xf5\x01\x93' b'\xa6\xf4\x26\x07\x95\x2a\x1c\x87\xeb\xae\x91\xdb\x50\x43\xb8\x85\x50\x72' b'\xb4\xe9\x2a\xf5\xdc\xed\xb2\x14\x87\x73\xdf\xbd\x21\x7b\xaf\xc8\xdc\x9d' b'\xa8\xae\x8e\x75\x7e\x72\x48\xc1\xe5\x13\xa1\x44\x68\x55\x02\x41\x00\x90' b'\xfd\xa2\x14\xc2\xb7\xb7\x26\x82\x5d\xca\x67\x9f\x34\x36\x33\x3e\xf2\xee' b'\xfe\x18\x02\x72\xe8\x43\x60\xe3\x0b\x1d\x11\x01\x9a\x13\xb4\x08\x0d\x0e' b'\x6c\x11\x35\x78\x7b\xd0\x7c\x30\xaf\x09\xfe\xeb\x10\x97\x94\x21\xdc\x06' b'\xac\x47\x7b\x64\x20\xc9\x40\xbc\x57\x02\x40\x16\x4d\xe8\xb7\x56\x52\x13' b'\x99\x25\xa6\x7e\x35\x53\xbe\x46\xbf\xbc\x07\xce\xd9\x8b\xfb\x58\x87\xab' b'\x43\x4f\x7c\x66\x4c\x43\xca\x67\x87\xb8\x8e\x0c\x8c\x55\xe0\x4e\xcf\x8f' b'\x0c\xc2\x2c\xf0\xc7\xad\x69\x42\x75\x71\xf9\xba\xa7\xcb\x40\x13\xb2\x77' b'\xb1\xe5\xa5\x02\x41\x00\xca\xe1\x50\xf5\xfa\x55\x9b\x2e\x2c\x39\x44\x4e' b'\x0f\x5c\x65\x10\x34\x09\x2a\xc9\x7b\xac\x10\xd5\x28\xdd\x15\xdf\xda\x25' b'\x4c\xb0\x6b\xef\x41\xe3\x98\x81\xf7\xe7\x49\x69\x10\xb4\x65\x56\x59\xdc' b'\x84\x2d\x30\xb9\xae\x27\x59\xf3\xc2\xcd\x41\xc7\x9a\x36\x84\xec' ) PEM_RSA_KEY = ( b'\x2d\x2d\x2d\x2d\x2d\x42\x45\x47\x49\x4e\x20\x50\x52\x49\x56\x41\x54\x45' b'\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a\x4d\x49\x49\x43\x64\x67\x49\x42' b'\x41\x44\x41\x4e\x42\x67\x6b\x71\x68\x6b\x69\x47\x39\x77\x30\x42\x41\x51' b'\x45\x46\x41\x41\x53\x43\x41\x6d\x41\x77\x67\x67\x4a\x63\x41\x67\x45\x41' b'\x41\x6f\x47\x42\x41\x4e\x37\x66\x45\x45\x4f\x66\x4a\x2f\x2b\x4e\x65\x6a' b'\x50\x58\x0a\x6e\x79\x4f\x46\x44\x61\x37\x42\x33\x65\x63\x71\x4c\x4f\x4f' b'\x39\x2f\x6c\x58\x62\x53\x31\x6c\x65\x2b\x70\x5a\x30\x6b\x6d\x38\x33\x39' b'\x4c\x48\x59\x31\x2f\x42\x70\x56\x6a\x45\x5a\x2f\x45\x4d\x4a\x4f\x76\x59' b'\x52\x61\x34\x36\x67\x54\x32\x37\x55\x49\x37\x76\x41\x0a\x30\x55\x73\x57' b'\x67\x77\x63\x4c\x36\x42\x67\x41\x58\x50\x46\x79\x67\x42\x41\x4a\x39\x69' b'\x35\x76\x2b\x5a\x31\x44\x30\x38\x58\x4c\x5a\x67\x79\x37\x46\x39\x32\x4d' b'\x33\x35\x52\x53\x69\x63\x43\x68\x65\x58\x56\x4b\x43\x35\x78\x71\x6a\x5a' b'\x5a\x39\x34\x46\x56\x57\x0a\x5a\x57\x57\x4e\x69\x6e\x31\x33\x77\x46\x71' b'\x4c\x63\x64\x33\x34\x43\x47\x61\x6d\x45\x79\x39\x48\x38\x33\x55\x5a\x41' b'\x67\x4d\x42\x41\x41\x45\x43\x67\x59\x45\x41\x30\x41\x77\x32\x36\x49\x6b' b'\x59\x45\x34\x30\x45\x4f\x49\x54\x64\x2f\x35\x42\x6a\x46\x33\x48\x4f\x0a' b'\x4c\x63\x37\x48\x48\x4d\x6e\x74\x4e\x45\x53\x44\x38\x43\x65\x6a\x6b\x50' b'\x4f\x39\x42\x71\x6d\x62\x65\x4c\x48\x4e\x30\x70\x54\x69\x61\x75\x2b\x77' b'\x39\x76\x73\x55\x32\x55\x4f\x6c\x76\x66\x79\x55\x61\x67\x63\x4b\x58\x47' b'\x68\x41\x64\x2f\x48\x4a\x32\x50\x6f\x4b\x0a\x37\x50\x62\x73\x53\x68\x34' b'\x33\x75\x63\x4f\x49\x64\x50\x68\x6a\x6e\x50\x34\x63\x47\x79\x44\x43\x75' b'\x69\x38\x78\x51\x6f\x30\x58\x6e\x69\x54\x43\x71\x34\x59\x43\x77\x4f\x6b' b'\x45\x42\x44\x61\x42\x78\x55\x54\x56\x4c\x68\x4d\x4a\x41\x2b\x68\x32\x66' b'\x46\x56\x4a\x0a\x4a\x4b\x36\x5a\x75\x44\x43\x75\x53\x54\x32\x48\x37\x56' b'\x61\x6a\x4f\x79\x45\x43\x51\x51\x44\x30\x46\x46\x50\x41\x62\x6c\x37\x47' b'\x32\x35\x39\x63\x43\x77\x56\x52\x34\x63\x49\x44\x71\x49\x78\x45\x53\x4e' b'\x47\x6d\x34\x39\x4a\x46\x59\x7a\x57\x74\x4f\x66\x61\x39\x0a\x4d\x53\x43' b'\x69\x62\x6b\x32\x66\x46\x30\x38\x62\x39\x6a\x64\x67\x4f\x62\x63\x42\x49' b'\x56\x61\x42\x38\x50\x6c\x45\x6f\x47\x53\x6e\x4a\x58\x38\x34\x75\x56\x4d' b'\x54\x73\x2f\x58\x74\x41\x6b\x45\x41\x36\x63\x47\x54\x6c\x61\x4a\x43\x68' b'\x4b\x73\x67\x69\x45\x67\x39\x0a\x48\x39\x54\x64\x63\x63\x72\x6b\x59\x4c' b'\x4e\x7a\x5a\x50\x64\x34\x58\x41\x35\x67\x2f\x4d\x78\x4c\x47\x30\x68\x58' b'\x38\x2f\x36\x69\x5a\x69\x76\x38\x36\x37\x65\x4b\x43\x2b\x38\x54\x36\x6f' b'\x2b\x44\x4d\x42\x47\x72\x7a\x2b\x30\x66\x4d\x44\x51\x4d\x35\x57\x49\x4d' b'\x0a\x77\x42\x76\x57\x58\x51\x4a\x41\x47\x78\x6b\x57\x6f\x30\x71\x64\x6f' b'\x78\x35\x47\x39\x77\x55\x53\x4e\x69\x45\x47\x56\x54\x6d\x6c\x4f\x50\x2b' b'\x4d\x70\x79\x61\x72\x39\x61\x41\x71\x47\x57\x31\x53\x41\x33\x63\x73\x31' b'\x46\x76\x43\x71\x6d\x4d\x41\x47\x57\x36\x67\x0a\x66\x30\x4a\x70\x47\x75' b'\x73\x45\x6d\x37\x43\x52\x50\x42\x6c\x43\x6b\x33\x77\x4b\x50\x39\x58\x7a' b'\x62\x30\x43\x50\x6b\x51\x4a\x41\x50\x34\x52\x71\x4a\x65\x37\x42\x52\x47' b'\x74\x37\x6d\x34\x79\x46\x6a\x33\x43\x33\x2b\x34\x4f\x32\x4b\x74\x43\x59' b'\x4f\x6f\x64\x45\x0a\x48\x54\x2b\x4b\x2b\x79\x5a\x49\x41\x6c\x48\x57\x46' b'\x47\x62\x4d\x6d\x68\x61\x35\x30\x78\x4d\x38\x58\x36\x48\x48\x4e\x36\x56' b'\x6e\x63\x46\x68\x63\x35\x31\x4c\x33\x64\x70\x47\x75\x4c\x32\x5a\x46\x4d' b'\x4b\x35\x66\x77\x51\x4a\x41\x50\x6c\x6c\x42\x5a\x43\x5a\x37\x0a\x67\x33' b'\x74\x78\x52\x56\x4b\x57\x53\x6b\x76\x38\x4b\x6b\x43\x2f\x33\x7a\x79\x6e' b'\x56\x32\x56\x6d\x73\x43\x33\x35\x36\x34\x5a\x43\x57\x6b\x5a\x37\x79\x68' b'\x4a\x49\x39\x4e\x79\x6e\x62\x76\x7a\x4d\x67\x6c\x41\x44\x67\x69\x2b\x4f' b'\x6e\x53\x6f\x7a\x46\x68\x73\x45\x0a\x38\x32\x55\x74\x38\x58\x64\x42\x68' b'\x30\x30\x76\x75\x51\x3d\x3d\x0a\x2d\x2d\x2d\x2d\x2d\x45\x4e\x44\x20\x50' b'\x52\x49\x56\x41\x54\x45\x20\x4b\x45\x59\x2d\x2d\x2d\x2d\x2d\x0a' ) SIGN_TEST_DATA = (b'\x01\x02\x03\x04\x05\x06\x07\x08' b'\x09\x10\x11\x12\x13\x14\x15\x16') @pytest.fixture( scope='function', params=[ {'digital_signature_algorithm': enums.DigitalSignatureAlgorithm.MD5_WITH_RSA_ENCRYPTION, 'crypto_alg': None, 'hash_algorithm': None, 'padding': enums.PaddingMethod.PSS, 'key': DER_RSA_KEY, 'verify_args': (padding.PSS( mgf=padding.MGF1(hashes.MD5()), salt_length=padding.PSS.MAX_LENGTH ), hashes.MD5())}, {'digital_signature_algorithm': enums.DigitalSignatureAlgorithm.SHA1_WITH_RSA_ENCRYPTION, 'crypto_alg': None, 'hash_algorithm': None, 'padding': enums.PaddingMethod.PKCS1v15, 'key': PEM_RSA_KEY, 'verify_args': (padding.PKCS1v15(), hashes.SHA1())}, {'digital_signature_algorithm': enums.DigitalSignatureAlgorithm.SHA224_WITH_RSA_ENCRYPTION, 'crypto_alg': None, 'hash_algorithm': None, 'padding': enums.PaddingMethod.PSS, 'key': DER_RSA_KEY, 'verify_args': (padding.PSS( mgf=padding.MGF1(hashes.SHA224()), salt_length=padding.PSS.MAX_LENGTH ), hashes.SHA224())}, {'digital_signature_algorithm': enums.DigitalSignatureAlgorithm.SHA256_WITH_RSA_ENCRYPTION, 'crypto_alg': None, 'hash_algorithm': None, 'padding': enums.PaddingMethod.PKCS1v15, 'key': PEM_RSA_KEY, 'verify_args': (padding.PKCS1v15(), hashes.SHA256())}, {'digital_signature_algorithm': enums.DigitalSignatureAlgorithm.SHA384_WITH_RSA_ENCRYPTION, 'crypto_alg': None, 'hash_algorithm': None, 'padding': enums.PaddingMethod.PSS, 'key': DER_RSA_KEY, 'verify_args': (padding.PSS( mgf=padding.MGF1(hashes.SHA384()), salt_length=padding.PSS.MAX_LENGTH ), hashes.SHA384())}, {'digital_signature_algorithm': None, 'crypto_alg': enums.CryptographicAlgorithm.RSA, 'hash_algorithm': enums.HashingAlgorithm.SHA_512, 'padding': enums.PaddingMethod.PKCS1v15, 'key': PEM_RSA_KEY, 'verify_args': (padding.PKCS1v15(), hashes.SHA512())} ] ) def signing_parameters(request): return request.param def load_private_key(key): try: return serialization.load_der_private_key( key, password=None, backend=default_backend() ) except Exception: return serialization.load_pem_private_key( key, password=None, backend=default_backend() ) def test_sign(signing_parameters): engine = crypto.CryptographyEngine() result = engine.sign( signing_parameters.get('digital_signature_algorithm'), signing_parameters.get('crypto_alg'), signing_parameters.get('hash_algorithm'), signing_parameters.get('padding'), signing_parameters.get('key'), SIGN_TEST_DATA ) private_key = load_private_key(signing_parameters.get('key')) public_key = private_key.public_key() public_key.verify( result, SIGN_TEST_DATA, signing_parameters.get('verify_args')[0], signing_parameters.get('verify_args')[1] ) # RSA signing test vectors were obtained from pyca/cryptography: # # https://github.com/pyca/cryptography/blob/master/vectors/ # cryptography_vectors/asymmetric/RSA/pkcs1v15sign-vectors.txt @pytest.fixture( scope='function', params=[ {'signing_algorithm': enums.CryptographicAlgorithm.RSA, 'padding_method': enums.PaddingMethod.PKCS1v15, 'hashing_algorithm': enums.HashingAlgorithm.SHA_1, 'digital_signature_algorithm': None, 'encoding': serialization.Encoding.DER, 'public_key': { 'n': int( 'a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7' 'ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ce' 'abfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e' '2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d' '0ce8cffb2249bd9a2137', 16 ), 'e': int('010001', 16) }, 'message': ( b'\xcd\xc8\x7d\xa2\x23\xd7\x86\xdf' b'\x3b\x45\xe0\xbb\xbc\x72\x13\x26' b'\xd1\xee\x2a\xf8\x06\xcc\x31\x54' b'\x75\xcc\x6f\x0d\x9c\x66\xe1\xb6' b'\x23\x71\xd4\x5c\xe2\x39\x2e\x1a' b'\xc9\x28\x44\xc3\x10\x10\x2f\x15' b'\x6a\x0d\x8d\x52\xc1\xf4\xc4\x0b' b'\xa3\xaa\x65\x09\x57\x86\xcb\x76' b'\x97\x57\xa6\x56\x3b\xa9\x58\xfe' b'\xd0\xbc\xc9\x84\xe8\xb5\x17\xa3' b'\xd5\xf5\x15\xb2\x3b\x8a\x41\xe7' b'\x4a\xa8\x67\x69\x3f\x90\xdf\xb0' b'\x61\xa6\xe8\x6d\xfa\xae\xe6\x44' b'\x72\xc0\x0e\x5f\x20\x94\x57\x29' b'\xcb\xeb\xe7\x7f\x06\xce\x78\xe0' b'\x8f\x40\x98\xfb\xa4\x1f\x9d\x61' b'\x93\xc0\x31\x7e\x8b\x60\xd4\xb6' b'\x08\x4a\xcb\x42\xd2\x9e\x38\x08' b'\xa3\xbc\x37\x2d\x85\xe3\x31\x17' b'\x0f\xcb\xf7\xcc\x72\xd0\xb7\x1c' b'\x29\x66\x48\xb3\xa4\xd1\x0f\x41' b'\x62\x95\xd0\x80\x7a\xa6\x25\xca' b'\xb2\x74\x4f\xd9\xea\x8f\xd2\x23' b'\xc4\x25\x37\x02\x98\x28\xbd\x16' b'\xbe\x02\x54\x6f\x13\x0f\xd2\xe3' b'\x3b\x93\x6d\x26\x76\xe0\x8a\xed' b'\x1b\x73\x31\x8b\x75\x0a\x01\x67' b'\xd0' ), 'signature': ( b'\x6b\xc3\xa0\x66\x56\x84\x29\x30' b'\xa2\x47\xe3\x0d\x58\x64\xb4\xd8' b'\x19\x23\x6b\xa7\xc6\x89\x65\x86' b'\x2a\xd7\xdb\xc4\xe2\x4a\xf2\x8e' b'\x86\xbb\x53\x1f\x03\x35\x8b\xe5' b'\xfb\x74\x77\x7c\x60\x86\xf8\x50' b'\xca\xef\x89\x3f\x0d\x6f\xcc\x2d' b'\x0c\x91\xec\x01\x36\x93\xb4\xea' b'\x00\xb8\x0c\xd4\x9a\xac\x4e\xcb' b'\x5f\x89\x11\xaf\xe5\x39\xad\xa4' b'\xa8\xf3\x82\x3d\x1d\x13\xe4\x72' b'\xd1\x49\x05\x47\xc6\x59\xc7\x61' b'\x7f\x3d\x24\x08\x7d\xdb\x6f\x2b' b'\x72\x09\x61\x67\xfc\x09\x7c\xab' b'\x18\xe9\xa4\x58\xfc\xb6\x34\xcd' b'\xce\x8e\xe3\x58\x94\xc4\x84\xd7' )}, {'signing_algorithm': None, 'padding_method': enums.PaddingMethod.PSS, 'hashing_algorithm': None, 'digital_signature_algorithm': enums.DigitalSignatureAlgorithm.SHA1_WITH_RSA_ENCRYPTION, 'encoding': serialization.Encoding.PEM, 'public_key': { 'n': int( 'ac13d9fdae7b7335b69cd98567e9647d99bf373a9e05ce3435d66465f32' '8b7f7334b792aee7efa044ebc4c7a30b21a5d7a89cdb3a30dfcd9fee999' '5e09415edc0bf9e5b4c3f74ff53fb4d29441bf1b7ed6cbdd4a47f925226' '9e1646f6c1aee0514e93f6cb9df71d06c060a2104b47b7260ac37c10686' '1dc78ca5a25faa9cb2e3', 16 ), 'e': int('010001', 16) }, 'message': ( b'\xe1\xc0\xf9\x8d\x53\xf8\xf8\xb1' b'\x41\x90\x57\xd5\xb9\xb1\x0b\x07' b'\xfe\xea\xec\x32\xc0\x46\x3a\x4d' b'\x68\x38\x2f\x53\x1b\xa1\xd6\xcf' b'\xe4\xed\x38\xa2\x69\x4a\x34\xb9' b'\xc8\x05\xad\xf0\x72\xff\xbc\xeb' b'\xe2\x1d\x8d\x4b\x5c\x0e\x8c\x33' b'\x45\x2d\xd8\xf9\xc9\xbf\x45\xd1' b'\xe6\x33\x75\x11\x33\x58\x82\x29' b'\xd2\x93\xc6\x49\x6b\x7c\x98\x3c' b'\x2c\x72\xbd\x21\xd3\x39\x27\x2d' b'\x78\x28\xb0\xd0\x9d\x01\x0b\xba' b'\xd3\x18\xd9\x98\xf7\x04\x79\x67' b'\x33\x8a\xce\xfd\x01\xe8\x74\xac' b'\xe5\xf8\x6d\x2a\x60\xf3\xb3\xca' b'\xe1\x3f\xc5\xc6\x65\x08\xcf\xb7' b'\x23\x78\xfd\xd6\xc8\xde\x24\x97' b'\x65\x10\x3c\xe8\xfe\x7c\xd3\x3a' b'\xd0\xef\x16\x86\xfe\xb2\x5e\x6a' b'\x35\xfb\x64\xe0\x96\xa4' ), 'signature': ( b'\x01\xf6\xe5\xff\x04\x22\x1a\xdc' b'\x6c\x2f\x22\xa7\x61\x05\x3b\xc4' b'\x73\x27\x65\xdd\xdc\x3f\x76\x56' b'\xd0\xd1\x22\xad\x3b\x8a\x4e\x4f' b'\x8f\xe5\x5b\xd0\xc0\x9e\xb1\x07' b'\x80\xa1\x39\xcd\xa9\x32\x34\xef' b'\x98\x8f\xe2\x50\x20\x1e\xb2\xfe' b'\xbd\x08\xb6\xee\x85\xd7\x0d\x16' b'\x05\xa5\xba\x56\x85\x21\x52\x99' b'\xf0\x74\xc8\x0b\xaf\xf8\x1e\x2c' b'\xa3\x10\x7d\xa9\x17\x5c\x2f\x5a' b'\x7c\x6b\x60\xea\xa2\x8a\x75\x8c' b'\xa9\x34\xf2\xff\x16\x98\x8f\xe8' b'\x5f\xf8\x41\x57\xd9\x51\x44\x8a' b'\x85\xec\x1e\xd1\x71\xf9\xef\x8b' b'\xb8\xa1\x0c\xfa\x14\x7b\x7e\xf8' )} ] ) def signature_parameters(request): return request.param def test_verify_signature(signature_parameters): """ Test that various signature verification methods and settings can be used to correctly verify signatures. """ engine = crypto.CryptographyEngine() backend = backends.default_backend() public_key_numbers = rsa.RSAPublicNumbers( signature_parameters.get('public_key').get('e'), signature_parameters.get('public_key').get('n') ) public_key = public_key_numbers.public_key(backend) public_bytes = public_key.public_bytes( signature_parameters.get('encoding'), serialization.PublicFormat.PKCS1 ) result = engine.verify_signature( signing_key=public_bytes, message=signature_parameters.get('message'), signature=signature_parameters.get('signature'), padding_method=signature_parameters.get('padding_method'), signing_algorithm=signature_parameters.get('signing_algorithm'), hashing_algorithm=signature_parameters.get('hashing_algorithm'), digital_signature_algorithm=signature_parameters.get( 'digital_signature_algorithm' ) ) assert result