authorPaul Kehrer <paul.l.kehrer@gmail.com>2018-08-14 11:45:29 -0500
committerAlex Gaynor <alex.gaynor@gmail.com>2018-08-14 12:45:29 -0400
commit1d865a8b78dffd67ba0d8935455b81b2a50e0128 (patch)
tree0589f7ae20daa0560797d63d075ad7847c011a02
parent0a846e294806478770469219a26cd49dcb5502d7 (diff)
downloadcryptography-1d865a8b78dffd67ba0d8935455b81b2a50e0128.tar.gz
Backport three fixes from master to 2.3.x (#4396)
* make a certificate expire a few years in the future, fixes doctests (#4383) * make a certificate expire a few years in the future, fixes doctests 👋 to future alex when this test breaks in two years * short lived certs are a good idea * Fixes #4388 -- when running the aws-encryption-sdk tests only point pytest at one directory (#4391) * Fixes #4388 -- when running the aws-encryption-sdk tests only point pytest at one directory * Drop -l, there's no purpose for how we use these * Updated wycheproof tests for new upstream vectors (#4378) * updated tests for upstream wycheproof changes * Updated AES tests * oops, flake8
-rwxr-xr-x.travis/run.sh4
-rw-r--r--docs/x509/reference.rst2
-rw-r--r--tests/wycheproof/test_aes.py22
-rw-r--r--tests/wycheproof/test_ecdh.py4
4 files changed, 21 insertions, 11 deletions
diff --git a/.travis/run.sh b/.travis/run.sh
index 38b66528d..572b9a4d8 100755
--- a/.travis/run.sh
+++ b/.travis/run.sh
@@ -52,14 +52,14 @@ else
cd aws-encryption-sdk-python
pip install -r test/requirements.txt
pip install -e .
- pytest -m local -l
+ pytest -m local test/
;;
dynamodb-encryption-sdk)
git clone --depth=1 https://github.com/awslabs/aws-dynamodb-encryption-python
cd aws-dynamodb-encryption-python
pip install -r test/requirements.txt
pip install -e .
- pytest -m "local and not slow and not veryslow and not nope" -l
+ pytest -m "local and not slow and not veryslow and not nope"
;;
certbot)
git clone --depth=1 https://github.com/certbot/certbot
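Review bot: The two changed pytest lines are now inconsistent: the aws-encryption-sdk case restricts collection to `test/`, while the dynamodb-encryption-sdk case only drops `-l` and still collects from the repository root. That checkout also has a `test/` directory (it installs `test/requirements.txt`), so `pytest -m "local and not slow and not veryslow and not nope" test/` would stop an upstream layout change from altering what CI collects there too. Whether the dynamodb repo currently needs this is not visible here, so treat it as a consistency suggestion. The surrounding `case` block begins and continues outside the hunk.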
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index bc3dd5566..5fa8471b8 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -615,7 +615,7 @@ X.509 Certificate Builder
... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
... ]))
>>> builder = builder.not_valid_before(datetime.datetime.today() - one_day)
- >>> builder = builder.not_valid_after(datetime.datetime(2018, 8, 2))
+ >>> builder = builder.not_valid_after(datetime.datetime.today() + (one_day * 30))
>>> builder = builder.serial_number(x509.random_serial_number())
>>> builder = builder.public_key(public_key)
>>> builder = builder.add_extension(
diff --git a/tests/wycheproof/test_aes.py b/tests/wycheproof/test_aes.py
index 929ad8dc9..a3d75123e 100644
--- a/tests/wycheproof/test_aes.py
+++ b/tests/wycheproof/test_aes.py
@@ -8,6 +8,7 @@ import binascii
import pytest
+from cryptography.exceptions import InvalidTag
from cryptography.hazmat.backends.interfaces import CipherBackend
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import (
@@ -67,11 +68,19 @@ def test_aes_gcm(backend, wycheproof):
dec.authenticate_additional_data(aad)
computed_msg = dec.update(ct) + dec.finalize()
assert computed_msg == msg
- else:
- # All invalid GCM tests are IV len 0 right now
- assert len(iv) == 0
+ elif len(iv) == 0:
with pytest.raises(ValueError):
Cipher(algorithms.AES(key), modes.GCM(iv), backend)
+ else:
+ dec = Cipher(
+ algorithms.AES(key),
+ modes.GCM(iv, tag, min_tag_length=len(tag)),
+ backend
+ ).decryptor()
+ dec.authenticate_additional_data(aad)
+ dec.update(ct)
+ with pytest.raises(InvalidTag):
+ dec.finalize()
@pytest.mark.requires_backend_interface(interface=CipherBackend)
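Review bot: The new `else` branch in test_aes_gcm has no comment stating what it assumes about the remaining invalid vectors, whereas the lines it replaces both documented and asserted theirs; the same applies to the `else` added in the test_aes_gcm_aead_api hunk below. I would add `# Every other invalid vector has a usable IV and must be rejected at tag verification` above the `Cipher(...)` call. Note that `modes.GCM(iv, tag, min_tag_length=len(tag))` is built outside `pytest.raises(InvalidTag)`, so a future vector that the mode constructor itself rejects (I believe it raises ValueError for tags below its minimum length) would surface as a test error rather than a pass; that seems the right failure mode, but the comment should say so. A second comment should state that `min_tag_length=len(tag)` exists only so vector-supplied truncated tags reach verification, and is not a setting to copy into application code. The body of test_aes_gcm starts outside this hunk.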
@@ -89,8 +98,9 @@ def test_aes_gcm_aead_api(backend, wycheproof):
assert computed_ct == ct + tag
computed_msg = aesgcm.decrypt(iv, ct + tag, aad)
assert computed_msg == msg
- else:
- # All invalid GCM tests are IV len 0 right now
- assert len(iv) == 0
+ elif len(iv) == 0:
with pytest.raises(ValueError):
aesgcm.encrypt(iv, msg, aad)
+ else:
+ with pytest.raises(InvalidTag):
+ aesgcm.decrypt(iv, ct + tag, aad)
diff --git a/tests/wycheproof/test_ecdh.py b/tests/wycheproof/test_ecdh.py
index 0850b627d..55be04eef 100644
--- a/tests/wycheproof/test_ecdh.py
+++ b/tests/wycheproof/test_ecdh.py
@@ -50,10 +50,10 @@ _CURVES = {
"ecdh_secp521r1_test.json",
)
def test_ecdh(backend, wycheproof):
- curve = _CURVES[wycheproof.testcase["curve"]]
+ curve = _CURVES[wycheproof.testgroup["curve"]]
if curve is None:
pytest.skip(
- "Unsupported curve ({})".format(wycheproof.testcase["curve"])
+ "Unsupported curve ({})".format(wycheproof.testgroup["curve"])
)
_skip_exchange_algorithm_unsupported(backend, ec.ECDH(), curve)