author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2018-08-14 11:45:29 -0500 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2018-08-14 12:45:29 -0400 |
commit | 1d865a8b78dffd67ba0d8935455b81b2a50e0128 (patch) | |
tree | 0589f7ae20daa0560797d63d075ad7847c011a02 | |
parent | 0a846e294806478770469219a26cd49dcb5502d7 (diff) | |
download | cryptography-1d865a8b78dffd67ba0d8935455b81b2a50e0128.tar.gz |
Backport three fixes from master to 2.3.x (#4396)
* make a certificate expire a few years in the future, fixes doctests (#4383)
* make a certificate expire a few years in the future, fixes doctests
👋 to future alex when this test breaks in two years
* short lived certs are a good idea
* Fixes #4388 -- when running the aws-encryption-sdk tests only point pytest at one directory (#4391)
* Fixes #4388 -- when running the aws-encryption-sdk tests only point pytest at one directory
* Drop -l, there's no purpose for how we use these
* Updated wycheproof tests for new upstream vectors (#4378)
* updated tests for upstream wycheproof changes
* Updated AES tests
* oops, flake8
-rwxr-xr-x | .travis/run.sh | 4 | ||||
-rw-r--r-- | docs/x509/reference.rst | 2 | ||||
-rw-r--r-- | tests/wycheproof/test_aes.py | 22 | ||||
-rw-r--r-- | tests/wycheproof/test_ecdh.py | 4 |
4 files changed, 21 insertions, 11 deletions
diff --git a/.travis/run.sh b/.travis/run.sh
index 38b66528d..572b9a4d8 100755
--- a/.travis/run.sh
+++ b/.travis/run.sh
@@ -52,14 +52,14 @@ else
 cd aws-encryption-sdk-python
 pip install -r test/requirements.txt
 pip install -e .
- pytest -m local -l
+ pytest -m local test/
 ;;
 dynamodb-encryption-sdk)
 git clone --depth=1 https://github.com/awslabs/aws-dynamodb-encryption-python
 cd aws-dynamodb-encryption-python
 pip install -r test/requirements.txt
 pip install -e .
- pytest -m "local and not slow and not veryslow and not nope" -l
+ pytest -m "local and not slow and not veryslow and not nope"
 ;;
 certbot)
 git clone --depth=1 https://github.com/certbot/certbot
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index bc3dd5566..5fa8471b8 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -615,7 +615,7 @@ X.509 Certificate Builder
 ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
 ... ]))
 >>> builder = builder.not_valid_before(datetime.datetime.today() - one_day)
- >>> builder = builder.not_valid_after(datetime.datetime(2018, 8, 2))
+ >>> builder = builder.not_valid_after(datetime.datetime.today() + (one_day * 30))
 >>> builder = builder.serial_number(x509.random_serial_number())
 >>> builder = builder.public_key(public_key)
 >>> builder = builder.add_extension(
diff --git a/tests/wycheproof/test_aes.py b/tests/wycheproof/test_aes.py
index 929ad8dc9..a3d75123e 100644
--- a/tests/wycheproof/test_aes.py
+++ b/tests/wycheproof/test_aes.py
@@ -8,6 +8,7 @@ import binascii
 import pytest
+from cryptography.exceptions import InvalidTag
 from cryptography.hazmat.backends.interfaces import CipherBackend
 from cryptography.hazmat.primitives import padding
 from cryptography.hazmat.primitives.ciphers import (
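Review bot: In .travis/run.sh only the aws-encryption-sdk command gains the `test/` path; the dynamodb-encryption-sdk command drops `-l` but still lets pytest collect from the repository root. If the collection problem behind #4388 can occur in that repository as well, `pytest -m "local and not slow and not veryslow and not nope" test/` would keep the two downstream jobs consistent. The enclosing case statement starts and ends outside the hunk.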
@@ -67,11 +68,19 @@ def test_aes_gcm(backend, wycheproof):
 dec.authenticate_additional_data(aad)
 computed_msg = dec.update(ct) + dec.finalize()
 assert computed_msg == msg
- else:
- # All invalid GCM tests are IV len 0 right now
- assert len(iv) == 0
+ elif len(iv) == 0:
 with pytest.raises(ValueError):
 Cipher(algorithms.AES(key), modes.GCM(iv), backend)
+ else:
+ dec = Cipher(
+ algorithms.AES(key),
+ modes.GCM(iv, tag, min_tag_length=len(tag)),
+ backend
+ ).decryptor()
+ dec.authenticate_additional_data(aad)
+ dec.update(ct)
+ with pytest.raises(InvalidTag):
+ dec.finalize()
 @pytest.mark.requires_backend_interface(interface=CipherBackend)
@@ -89,8 +98,9 @@ def test_aes_gcm_aead_api(backend, wycheproof):
 assert computed_ct == ct + tag
 computed_msg = aesgcm.decrypt(iv, ct + tag, aad)
 assert computed_msg == msg
- else:
- # All invalid GCM tests are IV len 0 right now
- assert len(iv) == 0
+ elif len(iv) == 0:
 with pytest.raises(ValueError):
 aesgcm.encrypt(iv, msg, aad)
+ else:
+ with pytest.raises(InvalidTag):
+ aesgcm.decrypt(iv, ct + tag, aad)
diff --git a/tests/wycheproof/test_ecdh.py b/tests/wycheproof/test_ecdh.py
index 0850b627d..55be04eef 100644
--- a/tests/wycheproof/test_ecdh.py
+++ b/tests/wycheproof/test_ecdh.py
@@ -50,10 +50,10 @@ _CURVES = {
 "ecdh_secp521r1_test.json",
 )
 def test_ecdh(backend, wycheproof):
- curve = _CURVES[wycheproof.testcase["curve"]]
+ curve = _CURVES[wycheproof.testgroup["curve"]]
 if curve is None:
 pytest.skip(
- "Unsupported curve ({})".format(wycheproof.testcase["curve"])
+ "Unsupported curve ({})".format(wycheproof.testgroup["curve"])
 )
 _skip_exchange_algorithm_unsupported(backend, ec.ECDH(), curve) |
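Review bot: In the new `else` branch of test_aes_gcm, `modes.GCM(iv, tag, min_tag_length=len(tag))` accepts a tag as short as the vector supplies, and no comment says this is a test-only relaxation. Short GCM tags weaken forgery resistance, so a line such as `# test only: accept whatever tag length the vector supplies` above the call would keep the pattern from being copied into application code. The branch also drops the old `assert len(iv) == 0` tripwire and assumes every remaining invalid vector fails at `finalize()`; stating that in a comment (`# all other invalid vectors must fail tag verification`) would make a future upstream failure class easier to diagnose. The function starts outside the hunk.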
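Review bot: In test_aes_gcm_aead_api the zero-length-IV branch checks only `aesgcm.encrypt`, while the new `else` branch checks only `aesgcm.decrypt`, so rejection of an empty nonce on the decrypt path is not covered by the visible lines. If decrypt is expected to reject it the same way, adding `with pytest.raises(ValueError): aesgcm.decrypt(iv, ct + tag, aad)` under the `elif` would pin that behaviour. The function starts outside the hunk.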