From 8da0d92f44787d41f498efb47b08bd3cb9b1763c Mon Sep 17 00:00:00 2001 From: Vladimir Diaz Date: Wed, 16 Nov 2016 11:08:22 -0500 Subject: [PATCH] Update ssl_crypto submodule and propogate changes to TUF --- tests/test_keys.py | 38 +++++--- tests/test_pyca_crypto_keys.py | 161 ++++++++----------------------- tests/test_pycrypto_keys.py | 168 ++++++++++++++++----------------- tuf/repository_lib.py | 7 +- tuf/ssl_crypto | 2 +- 5 files changed, 150 insertions(+), 226 deletions(-) diff --git a/tests/test_keys.py b/tests/test_keys.py index 54e77487..1d835c93 100755 --- a/tests/test_keys.py +++ b/tests/test_keys.py @@ -65,10 +65,12 @@ def test_generate_rsa_key(self): # Passing a bit value that is <2048 to generate() - should raise # 'tuf.ssl_commons.exceptions.FormatError'. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, KEYS.generate_rsa_key, 555) + self.assertRaises(tuf.ssl_commons.exceptions.FormatError, + KEYS.generate_rsa_key, 555) # Passing a string instead of integer for a bit value. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, KEYS.generate_rsa_key, 'bits') + self.assertRaises(tuf.ssl_commons.exceptions.FormatError, + KEYS.generate_rsa_key, 'bits') # NOTE if random bit value >=2048 (not 4096) is passed generate(bits) # does not raise any errors and returns a valid key. @@ -97,20 +99,23 @@ def test_format_keyval_to_metadata(self): FORMAT_ERROR_MSG) # Supplying a 'bad' keyvalue. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, KEYS.format_keyval_to_metadata, + self.assertRaises(tuf.ssl_commons.exceptions.FormatError, + KEYS.format_keyval_to_metadata, 'bad_keytype', keyvalue) # Test for missing 'public' entry. public = keyvalue['public'] del keyvalue['public'] - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, KEYS.format_keyval_to_metadata, + self.assertRaises(tuf.ssl_commons.exceptions.FormatError, + KEYS.format_keyval_to_metadata, keytype, keyvalue) keyvalue['public'] = public # Test for missing 'private' entry. private = keyvalue['private'] del keyvalue['private'] - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, KEYS.format_keyval_to_metadata, + self.assertRaises(tuf.ssl_commons.exceptions.FormatError, + KEYS.format_keyval_to_metadata, keytype, keyvalue, private=True) keyvalue['private'] = private @@ -128,7 +133,8 @@ def test_format_rsakey_from_pem(self): self.assertEqual(rsa_key, KEYS.format_rsakey_from_pem(pem + '\n')) # Supplying a 'bad_pem' argument. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, KEYS.format_rsakey_from_pem, 'bad_pem') + self.assertRaises(tuf.ssl_commons.exceptions.FormatError, + KEYS.format_rsakey_from_pem, 'bad_pem') # Supplying an improperly formatted PEM. # Strip the PEM header and footer. @@ -236,7 +242,8 @@ def test_verify_signature(self): self.assertTrue(verified, "Incorrect signature.") # Verifying the 'ed25519_signature' of 'DATA'. - verified = KEYS.verify_signature(self.ed25519key_dict, ed25519_signature, DATA) + verified = KEYS.verify_signature(self.ed25519key_dict, ed25519_signature, + DATA) self.assertTrue(verified, "Incorrect signature.") # Testing an invalid 'rsa_signature'. Same 'rsa_signature' is passed, with @@ -256,7 +263,8 @@ def test_verify_signature(self): rsa_signature['method'] = 'Biff' args = (self.rsakey_dict, rsa_signature, DATA) - self.assertRaises(tuf.ssl_commons.exceptions.UnknownMethodError, KEYS.verify_signature, *args) + self.assertRaises(tuf.ssl_commons.exceptions.UnknownMethodError, + KEYS.verify_signature, *args) # Passing incorrect number of arguments. self.assertRaises(TypeError, KEYS.verify_signature) @@ -288,19 +296,22 @@ def test_create_rsa_encrypted_pem(self): self.assertTrue(tuf.ssl_crypto.formats.PEMRSA_SCHEMA.matches(encrypted_pem)) # Try to import the encryped PEM file. - rsakey = KEYS.import_rsakey_from_encrypted_pem(encrypted_pem, passphrase) + rsakey = KEYS.import_rsakey_from_pem(encrypted_pem, passphrase) self.assertTrue(tuf.ssl_crypto.formats.RSAKEY_SCHEMA.matches(rsakey)) # Test improperly formatted arguments. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, KEYS.create_rsa_encrypted_pem, + self.assertRaises(tuf.ssl_commons.exceptions.FormatError, + KEYS.create_rsa_encrypted_pem, 8, passphrase) - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, KEYS.create_rsa_encrypted_pem, + self.assertRaises(tuf.ssl_commons.exceptions.FormatError, + KEYS.create_rsa_encrypted_pem, private, 8) # Test for missing required library. KEYS._RSA_CRYPTO_LIBRARY = 'invalid' - self.assertRaises(tuf.ssl_commons.exceptions.UnsupportedLibraryError, KEYS.create_rsa_encrypted_pem, + self.assertRaises(tuf.ssl_commons.exceptions.UnsupportedLibraryError, + KEYS.create_rsa_encrypted_pem, private, passphrase) KEYS._RSA_CRYPTO_LIBRARY = 'pycrypto' @@ -329,7 +340,8 @@ def test_decrypt_key(self): # Test for missing required library. KEYS._GENERAL_CRYPTO_LIBRARY = 'invalid' - self.assertRaises(tuf.ssl_commons.exceptions.UnsupportedLibraryError, KEYS.decrypt_key, + self.assertRaises(tuf.ssl_commons.exceptions.UnsupportedLibraryError, + KEYS.decrypt_key, encrypted_key, passphrase) KEYS._GENERAL_CRYPTO_LIBRARY = 'pycrypto' diff --git a/tests/test_pyca_crypto_keys.py b/tests/test_pyca_crypto_keys.py index 57521357..c0244f84 100755 --- a/tests/test_pyca_crypto_keys.py +++ b/tests/test_pyca_crypto_keys.py @@ -28,16 +28,14 @@ import unittest import logging -import tuf -import tuf.log -import tuf.ssl_crypto.formats -import tuf.ssl_crypto.pyca_crypto_keys as crypto_keys +import tuf.ssl_commons.exceptions as ssl_commons_exceptions +import tuf.ssl_crypto.formats as ssl_crypto_formats +import tuf.ssl_crypto.pyca_crypto_keys as ssl_crypto_pyca_crypto_keys -logger = logging.getLogger('tuf.test_pyca_crypto_keys') +logger = logging.getLogger('ssl_crypto_test_pyca_crypto_keys') -public_rsa, private_rsa = crypto_keys.generate_rsa_public_and_private() -FORMAT_ERROR_MSG = 'tuf.ssl_commons.exceptions.FormatError raised.' + \ - ' Check object\'s format.' +public_rsa, private_rsa = ssl_crypto_pyca_crypto_keys.generate_rsa_public_and_private() +FORMAT_ERROR_MSG = 'ssl_commons_exceptions.FormatError raised. Check object\'s format.' class TestPyca_crypto_keys(unittest.TestCase): @@ -46,20 +44,20 @@ def setUp(self): def test_generate_rsa_public_and_private(self): - pub, priv = crypto_keys.generate_rsa_public_and_private() + pub, priv = ssl_crypto_pyca_crypto_keys.generate_rsa_public_and_private() # Check format of 'pub' and 'priv'. - self.assertEqual(None, tuf.ssl_crypto.formats.PEMRSA_SCHEMA.check_match(pub), + self.assertEqual(None, ssl_crypto_formats.PEMRSA_SCHEMA.check_match(pub), FORMAT_ERROR_MSG) - self.assertEqual(None, tuf.ssl_crypto.formats.PEMRSA_SCHEMA.check_match(priv), + self.assertEqual(None, ssl_crypto_formats.PEMRSA_SCHEMA.check_match(priv), FORMAT_ERROR_MSG) # Check for an invalid "bits" argument. bits >= 2048. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - crypto_keys.generate_rsa_public_and_private, 1024) + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pyca_crypto_keys.generate_rsa_public_and_private, 1024) - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - crypto_keys.generate_rsa_public_and_private, '2048') + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pyca_crypto_keys.generate_rsa_public_and_private, '2048') @@ -67,31 +65,31 @@ def test_create_rsa_signature(self): global private_rsa global public_rsa data = 'The quick brown fox jumps over the lazy dog'.encode('utf-8') - signature, method = crypto_keys.create_rsa_signature(private_rsa, data) + signature, method = ssl_crypto_pyca_crypto_keys.create_rsa_signature(private_rsa, data) # Verify format of returned values. self.assertNotEqual(None, signature) - self.assertEqual(None, tuf.ssl_crypto.formats.NAME_SCHEMA.check_match(method), + self.assertEqual(None, ssl_crypto_formats.NAME_SCHEMA.check_match(method), FORMAT_ERROR_MSG) self.assertEqual('RSASSA-PSS', method) # Check for improperly formatted arguments. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - crypto_keys.create_rsa_signature, 123, data) + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pyca_crypto_keys.create_rsa_signature, 123, data) self.assertRaises(ValueError, - crypto_keys.create_rsa_signature, '', data) + ssl_crypto_pyca_crypto_keys.create_rsa_signature, '', data) # Check for invalid 'data'. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - crypto_keys.create_rsa_signature, private_rsa, '') + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pyca_crypto_keys.create_rsa_signature, private_rsa, '') - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - crypto_keys.create_rsa_signature, private_rsa, 123) + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pyca_crypto_keys.create_rsa_signature, private_rsa, 123) # Check for missing private key. - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, - crypto_keys.create_rsa_signature, public_rsa, data) + self.assertRaises(ssl_commons_exceptions.CryptoError, + ssl_crypto_pyca_crypto_keys.create_rsa_signature, public_rsa, data) @@ -99,119 +97,42 @@ def test_verify_rsa_signature(self): global public_rsa global private_rsa data = 'The quick brown fox jumps over the lazy dog'.encode('utf-8') - signature, method = crypto_keys.create_rsa_signature(private_rsa, data) + signature, method = ssl_crypto_pyca_crypto_keys.create_rsa_signature(private_rsa, data) - valid_signature = crypto_keys.verify_rsa_signature(signature, method, public_rsa, + valid_signature = ssl_crypto_pyca_crypto_keys.verify_rsa_signature(signature, method, public_rsa, data) self.assertEqual(True, valid_signature) # Check for improperly formatted arguments. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, crypto_keys.verify_rsa_signature, 123, method, - public_rsa, data) - - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, crypto_keys.verify_rsa_signature, signature, + self.assertRaises(ssl_commons_exceptions.FormatError, ssl_crypto_pyca_crypto_keys.verify_rsa_signature, signature, 123, public_rsa, data) - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, crypto_keys.verify_rsa_signature, signature, + self.assertRaises(ssl_commons_exceptions.FormatError, ssl_crypto_pyca_crypto_keys.verify_rsa_signature, signature, method, 123, data) + self.assertRaises(ssl_commons_exceptions.FormatError, ssl_crypto_pyca_crypto_keys.verify_rsa_signature, 123, method, + public_rsa, data) - self.assertRaises(tuf.ssl_commons.exceptions.UnknownMethodError, crypto_keys.verify_rsa_signature, - signature, - 'invalid_method', - public_rsa, data) + self.assertRaises(ssl_commons_exceptions.UnknownMethodError, + ssl_crypto_pyca_crypto_keys.verify_rsa_signature, + signature, + 'invalid_method', + public_rsa, data) - # Check for invalid 'signature', 'public_key', and 'data' arguments. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, crypto_keys.verify_rsa_signature, + # Check for invalid 'signature' and 'data' arguments. + self.assertRaises(ssl_commons_exceptions.FormatError, ssl_crypto_pyca_crypto_keys.verify_rsa_signature, signature, method, public_rsa, 123) - - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, crypto_keys.verify_rsa_signature, - signature, method, 'bad_key', data) - - self.assertEqual(False, crypto_keys.verify_rsa_signature(signature, method, + + self.assertEqual(False, ssl_crypto_pyca_crypto_keys.verify_rsa_signature(signature, method, public_rsa, b'mismatched data')) - mismatched_signature, method = crypto_keys.create_rsa_signature(private_rsa, + mismatched_signature, method = ssl_crypto_pyca_crypto_keys.create_rsa_signature(private_rsa, b'mismatched data') - self.assertEqual(False, crypto_keys.verify_rsa_signature(mismatched_signature, + self.assertEqual(False, ssl_crypto_pyca_crypto_keys.verify_rsa_signature(mismatched_signature, method, public_rsa, data)) - - def test__decrypt(self): - # Verify that invalid encrypted file is detected. - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, crypto_keys._decrypt, - 'bad encrypted file', 'password') - - - - def test_encrypt_key(self): - # Normal case. - ed25519_key = {'keytype': 'ed25519', - 'keyid': 'd62247f817883f593cf6c66a5a55292488d457bcf638ae03207dbbba9dbe457d', - 'keyval': {'public': '74addb5ad544a4306b34741bc1175a3613a8d7dc69ff64724243efdec0e301ad', - 'private': '1f26964cc8d4f7ee5f3c5da2fbb7ab35811169573ac367b860a537e47789f8c4'}} - - crypto_keys.encrypt_key(ed25519_key, 'password') - - # Verify that a key with a missing 'private' key is rejected. - del ed25519_key['keyval']['private'] - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, crypto_keys.encrypt_key, - ed25519_key, 'password') - - - - def test__decrypt_key(self): - ed25519_key = {'keytype': 'ed25519', - 'keyid': 'd62247f817883f593cf6c66a5a55292488d457bcf638ae03207dbbba9dbe457d', - 'keyval': {'public': '74addb5ad544a4306b34741bc1175a3613a8d7dc69ff64724243efdec0e301ad', - 'private': '1f26964cc8d4f7ee5f3c5da2fbb7ab35811169573ac367b860a537e47789f8c4'}} - - encrypted_key = crypto_keys.encrypt_key(ed25519_key, 'password') - crypto_keys.encrypt_key(ed25519_key, 'password') - - salt, iterations, hmac, iv, ciphertext = \ - encrypted_key.split(crypto_keys._ENCRYPTION_DELIMITER) - - encrypted_key_invalid_hmac = encrypted_key.replace(hmac, '123abc') - - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, crypto_keys._decrypt, - encrypted_key_invalid_hmac, 'password') - - - - def test_create_rsa_public_and_private_from_encrypted_pem(self): - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, - crypto_keys.create_rsa_public_and_private_from_encrypted_pem, - 'bad_encrypted_key', 'password') - - - - def test_create_rsa_encrypted_pem(self): - global private_rsa - passphrase = 'password' - - # Verify normal case. - encrypted_pem = crypto_keys.create_rsa_encrypted_pem(private_rsa, passphrase) - - self.assertTrue(tuf.ssl_crypto.formats.PEMRSA_SCHEMA.matches(encrypted_pem)) - - # Test for invalid arguments. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, crypto_keys.create_rsa_encrypted_pem, - 1, passphrase) - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, crypto_keys.create_rsa_encrypted_pem, - private_rsa, 2) - - self.assertRaises(TypeError, crypto_keys.create_rsa_encrypted_pem, - '', passphrase) - - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, crypto_keys.create_rsa_encrypted_pem, - 'bad_private_pem', passphrase) - - - - # Run the unit tests. if __name__ == '__main__': unittest.main() diff --git a/tests/test_pycrypto_keys.py b/tests/test_pycrypto_keys.py index 6b571d57..6683320a 100755 --- a/tests/test_pycrypto_keys.py +++ b/tests/test_pycrypto_keys.py @@ -28,15 +28,14 @@ import unittest import logging -import tuf -import tuf.log -import tuf.ssl_crypto.formats -import tuf.ssl_crypto.pycrypto_keys as pycrypto +import tuf.ssl_commons.exceptions as ssl_commons_exceptions +import tuf.ssl_crypto.formats as ssl_crypto_formats +import tuf.ssl_crypto.pycrypto_keys as ssl_crypto_pycrypto_keys -logger = logging.getLogger('tuf.test_pycrypto_keys') +logger = logging.getLogger('ssl_crypto_test_pycrypto_keys') -public_rsa, private_rsa = pycrypto.generate_rsa_public_and_private() -FORMAT_ERROR_MSG = 'tuf.ssl_commons.exceptions.FormatError raised. Check object\'s format.' +public_rsa, private_rsa = ssl_crypto_pycrypto_keys.generate_rsa_public_and_private() +FORMAT_ERROR_MSG = 'ssl_commons_exceptions.FormatError raised. Check object\'s format.' class TestPycrypto_keys(unittest.TestCase): @@ -45,104 +44,95 @@ def setUp(self): def test_generate_rsa_public_and_private(self): - pub, priv = pycrypto.generate_rsa_public_and_private() + pub, priv = ssl_crypto_pycrypto_keys.generate_rsa_public_and_private() # Check format of 'pub' and 'priv'. - self.assertEqual(None, tuf.ssl_crypto.formats.PEMRSA_SCHEMA.check_match(pub), + self.assertEqual(None, ssl_crypto_formats.PEMRSA_SCHEMA.check_match(pub), FORMAT_ERROR_MSG) - self.assertEqual(None, tuf.ssl_crypto.formats.PEMRSA_SCHEMA.check_match(priv), + self.assertEqual(None, ssl_crypto_formats.PEMRSA_SCHEMA.check_match(priv), FORMAT_ERROR_MSG) # Check for invalid bits argument. bit >= 2048 and a multiple of 256. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - pycrypto.generate_rsa_public_and_private, 1024) + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pycrypto_keys.generate_rsa_public_and_private, 1024) self.assertRaises(ValueError, - pycrypto.generate_rsa_public_and_private, 2049) + ssl_crypto_pycrypto_keys.generate_rsa_public_and_private, 2049) - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - pycrypto.generate_rsa_public_and_private, '2048') + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pycrypto_keys.generate_rsa_public_and_private, '2048') def test_create_rsa_signature(self): global private_rsa global public_rsa - data = 'The quick brown fox jumps over the lazy dog'.encode('utf-8') - signature, method = pycrypto.create_rsa_signature(private_rsa, data) + signature, method = ssl_crypto_pycrypto_keys.create_rsa_signature(private_rsa, data) # Verify format of returned values. self.assertNotEqual(None, signature) - self.assertEqual(None, tuf.ssl_crypto.formats.NAME_SCHEMA.check_match(method), + self.assertEqual(None, ssl_crypto_formats.NAME_SCHEMA.check_match(method), FORMAT_ERROR_MSG) self.assertEqual('RSASSA-PSS', method) # Check for improperly formatted arguments. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - pycrypto.create_rsa_signature, 123, data) + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pycrypto_keys.create_rsa_signature, 123, data) self.assertRaises(ValueError, - pycrypto.create_rsa_signature, '', data) + ssl_crypto_pycrypto_keys.create_rsa_signature, '', data) # Check for invalid 'data'. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - pycrypto.create_rsa_signature, private_rsa, '') + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pycrypto_keys.create_rsa_signature, private_rsa, '') # create_rsa_signature should reject non-string data. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - pycrypto.create_rsa_signature, private_rsa, 123) - - # Verify that a valid private key is needed. - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, - pycrypto.create_rsa_signature, 'bad_key', data) + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pycrypto_keys.create_rsa_signature, private_rsa, 123) # Check for missing private key. - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, - pycrypto.create_rsa_signature, public_rsa, data) + self.assertRaises(ssl_commons_exceptions.CryptoError, + ssl_crypto_pycrypto_keys.create_rsa_signature, public_rsa, data) def test_verify_rsa_signature(self): global public_rsa global private_rsa data = 'The quick brown fox jumps over the lazy dog'.encode('utf-8') - signature, method = pycrypto.create_rsa_signature(private_rsa, data) + signature, method = ssl_crypto_pycrypto_keys.create_rsa_signature(private_rsa, data) - valid_signature = pycrypto.verify_rsa_signature(signature, method, public_rsa, + valid_signature = ssl_crypto_pycrypto_keys.verify_rsa_signature(signature, method, public_rsa, data) self.assertEqual(True, valid_signature) # Check for improperly formatted arguments. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, pycrypto.verify_rsa_signature, signature, + self.assertRaises(ssl_commons_exceptions.FormatError, ssl_crypto_pycrypto_keys.verify_rsa_signature, signature, 123, public_rsa, data) - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, pycrypto.verify_rsa_signature, signature, + self.assertRaises(ssl_commons_exceptions.FormatError, ssl_crypto_pycrypto_keys.verify_rsa_signature, signature, method, 123, data) - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, pycrypto.verify_rsa_signature, 123, method, + self.assertRaises(ssl_commons_exceptions.FormatError, ssl_crypto_pycrypto_keys.verify_rsa_signature, 123, method, public_rsa, data) - self.assertRaises(tuf.ssl_commons.exceptions.UnknownMethodError, pycrypto.verify_rsa_signature, + self.assertRaises(ssl_commons_exceptions.UnknownMethodError, ssl_crypto_pycrypto_keys.verify_rsa_signature, signature, 'invalid_method', public_rsa, data) - + # Check for invalid signature and data. # Verify_rsa_signature should reject non-string data. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, pycrypto.verify_rsa_signature, signature, + self.assertRaises(ssl_commons_exceptions.FormatError, ssl_crypto_pycrypto_keys.verify_rsa_signature, signature, method, public_rsa, 123) - self.assertEqual(False, pycrypto.verify_rsa_signature(signature, method, + self.assertEqual(False, ssl_crypto_pycrypto_keys.verify_rsa_signature(signature, method, public_rsa, b'mismatched data')) - mismatched_signature, method = pycrypto.create_rsa_signature(private_rsa, + mismatched_signature, method = ssl_crypto_pycrypto_keys.create_rsa_signature(private_rsa, b'mismatched data') - self.assertEqual(False, pycrypto.verify_rsa_signature(mismatched_signature, + self.assertEqual(False, ssl_crypto_pycrypto_keys.verify_rsa_signature(mismatched_signature, method, public_rsa, data)) - - # Verify that a valid public key is needed. - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, pycrypto.verify_rsa_signature, - signature, method, 'bad_public_key', data) def test_create_rsa_encrypted_pem(self): @@ -151,54 +141,54 @@ def test_create_rsa_encrypted_pem(self): passphrase = 'pw' # Check format of 'public_rsa'. - self.assertEqual(None, tuf.ssl_crypto.formats.PEMRSA_SCHEMA.check_match(public_rsa), + self.assertEqual(None, ssl_crypto_formats.PEMRSA_SCHEMA.check_match(public_rsa), FORMAT_ERROR_MSG) # Check format of 'passphrase'. - self.assertEqual(None, tuf.ssl_crypto.formats.PASSWORD_SCHEMA.check_match(passphrase), + self.assertEqual(None, ssl_crypto_formats.PASSWORD_SCHEMA.check_match(passphrase), FORMAT_ERROR_MSG) # Generate the encrypted PEM string of 'public_rsa'. - pem_rsakey = pycrypto.create_rsa_encrypted_pem(private_rsa, passphrase) + pem_rsakey = ssl_crypto_pycrypto_keys.create_rsa_encrypted_pem(private_rsa, passphrase) # Check format of 'pem_rsakey'. - self.assertEqual(None, tuf.ssl_crypto.formats.PEMRSA_SCHEMA.check_match(pem_rsakey), + self.assertEqual(None, ssl_crypto_formats.PEMRSA_SCHEMA.check_match(pem_rsakey), FORMAT_ERROR_MSG) # Check for invalid arguments. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - pycrypto.create_rsa_encrypted_pem, 1, passphrase) - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - pycrypto.create_rsa_encrypted_pem, private_rsa, ['pw']) + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pycrypto_keys.create_rsa_encrypted_pem, 1, passphrase) + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pycrypto_keys.create_rsa_encrypted_pem, private_rsa, ['pw']) - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, pycrypto.create_rsa_encrypted_pem, + self.assertRaises(ssl_commons_exceptions.CryptoError, ssl_crypto_pycrypto_keys.create_rsa_encrypted_pem, 'abc', passphrase) - self.assertRaises(TypeError, pycrypto.create_rsa_encrypted_pem, '', passphrase) + self.assertRaises(TypeError, ssl_crypto_pycrypto_keys.create_rsa_encrypted_pem, '', passphrase) - def test_create_rsa_public_and_private_from_encrypted_pem(self): + def test_create_rsa_public_and_private_from_pem(self): global private_rsa passphrase = 'pw' # Generate the encrypted PEM string of 'private_rsa'. - pem_rsakey = pycrypto.create_rsa_encrypted_pem(private_rsa, passphrase) + pem_rsakey = ssl_crypto_pycrypto_keys.create_rsa_encrypted_pem(private_rsa, passphrase) # Check format of 'passphrase'. - self.assertEqual(None, tuf.ssl_crypto.formats.PASSWORD_SCHEMA.check_match(passphrase), + self.assertEqual(None, ssl_crypto_formats.PASSWORD_SCHEMA.check_match(passphrase), FORMAT_ERROR_MSG) # Decrypt 'pem_rsakey' and verify the decrypted object is properly # formatted. public_decrypted, private_decrypted = \ - pycrypto.create_rsa_public_and_private_from_encrypted_pem(pem_rsakey, + ssl_crypto_pycrypto_keys.create_rsa_public_and_private_from_pem(pem_rsakey, passphrase) self.assertEqual(None, - tuf.ssl_crypto.formats.PEMRSA_SCHEMA.check_match(public_decrypted), + ssl_crypto_formats.PEMRSA_SCHEMA.check_match(public_decrypted), FORMAT_ERROR_MSG) self.assertEqual(None, - tuf.ssl_crypto.formats.PEMRSA_SCHEMA.check_match(private_decrypted), + ssl_crypto_formats.PEMRSA_SCHEMA.check_match(private_decrypted), FORMAT_ERROR_MSG) # Does 'public_decrypted' and 'private_decrypted' match the originals? @@ -206,31 +196,31 @@ def test_create_rsa_public_and_private_from_encrypted_pem(self): self.assertEqual(private_rsa, private_decrypted) # Attempt decryption of 'pem_rsakey' using an incorrect passphrase. - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, - pycrypto.create_rsa_public_and_private_from_encrypted_pem, + self.assertRaises(ssl_commons_exceptions.CryptoError, + ssl_crypto_pycrypto_keys.create_rsa_public_and_private_from_pem, pem_rsakey, 'bad_pw') # Check for non-encrypted PEM strings. - # create_rsa_public_and_private_from_encrypted_pem() - # returns a tuple of tuf.ssl_crypto.formats.PEMRSA_SCHEMA objects if the PEM formatted - # string is not actually encrypted but still a valid PEM string. - pub, priv = pycrypto.create_rsa_public_and_private_from_encrypted_pem( + # create_rsa_public_and_private_from_pem() returns a tuple of + # ssl_crypto_formats.PEMRSA_SCHEMA objects if the PEM formatted string is + # not actually encrypted but still a valid PEM string. + pub, priv = ssl_crypto_pycrypto_keys.create_rsa_public_and_private_from_pem( private_rsa, passphrase) - self.assertEqual(None, tuf.ssl_crypto.formats.PEMRSA_SCHEMA.check_match(pub), + self.assertEqual(None, ssl_crypto_formats.PEMRSA_SCHEMA.check_match(pub), FORMAT_ERROR_MSG) - self.assertEqual(None, tuf.ssl_crypto.formats.PEMRSA_SCHEMA.check_match(priv), + self.assertEqual(None, ssl_crypto_formats.PEMRSA_SCHEMA.check_match(priv), FORMAT_ERROR_MSG) # Check for invalid arguments. - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - pycrypto.create_rsa_public_and_private_from_encrypted_pem, + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pycrypto_keys.create_rsa_public_and_private_from_pem, 123, passphrase) - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, - pycrypto.create_rsa_public_and_private_from_encrypted_pem, + self.assertRaises(ssl_commons_exceptions.FormatError, + ssl_crypto_pycrypto_keys.create_rsa_public_and_private_from_pem, pem_rsakey, ['pw']) - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, - pycrypto.create_rsa_public_and_private_from_encrypted_pem, + self.assertRaises(ssl_commons_exceptions.CryptoError, + ssl_crypto_pycrypto_keys.create_rsa_public_and_private_from_pem, 'invalid_pem', passphrase) @@ -245,11 +235,11 @@ def test_encrypt_key(self): 'keyid': 'd62247f817883f593cf6c66a5a55292488d457bcf638ae03207dbbba9dbe457d', 'keyval': {'public': public_rsa, 'private': private_rsa}} - encrypted_rsa_key = tuf.ssl_crypto.pycrypto_keys.encrypt_key(rsa_key, passphrase) + encrypted_rsa_key = ssl_crypto_pycrypto_keys.encrypt_key(rsa_key, passphrase) # Test for invalid arguments. rsa_key['keyval']['private'] = '' - self.assertRaises(tuf.ssl_commons.exceptions.FormatError, tuf.ssl_crypto.pycrypto_keys.encrypt_key, rsa_key, + self.assertRaises(ssl_commons_exceptions.FormatError, ssl_crypto_pycrypto_keys.encrypt_key, rsa_key, 'passphrase') @@ -263,29 +253,29 @@ def test_decrypt_key(self): 'keyid': 'd62247f817883f593cf6c66a5a55292488d457bcf638ae03207dbbba9dbe457d', 'keyval': {'public': public_rsa, 'private': private_rsa}} - encrypted_rsa_key = tuf.ssl_crypto.pycrypto_keys.encrypt_key(rsa_key, passphrase).encode('utf-8') + encrypted_rsa_key = ssl_crypto_pycrypto_keys.encrypt_key(rsa_key, passphrase).encode('utf-8') - decrypted_rsa_key = tuf.ssl_crypto.pycrypto_keys.decrypt_key(encrypted_rsa_key, passphrase) + decrypted_rsa_key = ssl_crypto_pycrypto_keys.decrypt_key(encrypted_rsa_key, passphrase) # Test for invalid arguments. - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, tuf.ssl_crypto.pycrypto_keys.decrypt_key, b'bad', + self.assertRaises(ssl_commons_exceptions.CryptoError, ssl_crypto_pycrypto_keys.decrypt_key, b'bad', passphrase) # Test for invalid encrypted content (i.e., invalid hmac and ciphertext.) - encryption_delimiter = tuf.ssl_crypto.pycrypto_keys._ENCRYPTION_DELIMITER + encryption_delimiter = ssl_crypto_pycrypto_keys._ENCRYPTION_DELIMITER salt, iterations, hmac, iv, ciphertext = \ encrypted_rsa_key.decode('utf-8').split(encryption_delimiter) - # Set an invalid hmac. The decryption routine sould raise a tuf.ssl_commons.exceptions.CryptoError - # exception because 'hmac' does not match the hmac calculated by the - # decryption routine. + # Set an invalid hmac. The decryption routine sould raise a + # ssl_commons_exceptions.CryptoError exception because 'hmac' does not + # match the hmac calculated by the decryption routine. bad_hmac = '12345abcd' invalid_encrypted_rsa_key = \ salt + encryption_delimiter + iterations + encryption_delimiter + \ bad_hmac + encryption_delimiter + iv + encryption_delimiter + ciphertext - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, tuf.ssl_crypto.pycrypto_keys.decrypt_key, + self.assertRaises(ssl_commons_exceptions.CryptoError, ssl_crypto_pycrypto_keys.decrypt_key, invalid_encrypted_rsa_key.encode('utf-8'), passphrase) # Test for invalid 'ciphertext' @@ -294,18 +284,18 @@ def test_decrypt_key(self): salt + encryption_delimiter + iterations + encryption_delimiter + \ hmac + encryption_delimiter + iv + encryption_delimiter + bad_ciphertext - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, tuf.ssl_crypto.pycrypto_keys.decrypt_key, + self.assertRaises(ssl_commons_exceptions.CryptoError, ssl_crypto_pycrypto_keys.decrypt_key, invalid_encrypted_rsa_key.encode('utf-8'), passphrase) def test__decrypt_key(self): # Test for invalid arguments. - salt, iterations, derived_key = tuf.ssl_crypto.pycrypto_keys._generate_derived_key('pw') + salt, iterations, derived_key = ssl_crypto_pycrypto_keys._generate_derived_key('pw') derived_key_information = {'salt': salt, 'derived_key': derived_key, 'iterations': iterations} - self.assertRaises(tuf.ssl_commons.exceptions.CryptoError, tuf.ssl_crypto.pycrypto_keys._encrypt, + self.assertRaises(ssl_commons_exceptions.CryptoError, ssl_crypto_pycrypto_keys._encrypt, 8, derived_key_information) diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py index c31729db..9760622b 100755 --- a/tuf/repository_lib.py +++ b/tuf/repository_lib.py @@ -960,9 +960,10 @@ def import_rsa_privatekey_from_file(filepath, password=None): with open(filepath, 'rb') as file_object: encrypted_pem = file_object.read().decode('utf-8') - # Convert 'encrypted_pem' to 'tuf.ssl_crypto.formats.RSAKEY_SCHEMA' format. Raise - # 'tuf.ssl_commons.exceptions.CryptoError' if 'encrypted_pem' is invalid. - rsa_key = tuf.ssl_crypto.keys.import_rsakey_from_encrypted_pem(encrypted_pem, password) + # Convert 'encrypted_pem' to 'tuf.ssl_crypto.formats.RSAKEY_SCHEMA' format. + # Raise 'tuf.ssl_commons.exceptions.CryptoError' if 'encrypted_pem' is + # invalid. + rsa_key = tuf.ssl_crypto.keys.import_rsakey_from_pem(encrypted_pem, password) return rsa_key diff --git a/tuf/ssl_crypto b/tuf/ssl_crypto index 22461440..ff19a508 160000 --- a/tuf/ssl_crypto +++ b/tuf/ssl_crypto @@ -1 +1 @@ -Subproject commit 22461440fa4e0521bdf584490733a130ed02550f +Subproject commit ff19a508023cec859a3e2bc3a897030075743792