-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test: port legacy pss max salt compat test #598
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This allows us to add new test cases to the same table. Note: used the following script to patch the tests ``` from cryptography.hazmat.primitives.asymmetric.ec import ECDSA from cryptography.hazmat.primitives.hashes import SHA384 from securesystemslib.interface import ( import_ecdsa_privatekey_from_file, import_ed25519_privatekey_from_file, import_rsa_privatekey_from_file, ) from securesystemslib.signer import SSlibSigner rsa_priv = import_rsa_privatekey_from_file("tests/data/keystore/rsa_key", "password") ed25519_priv = import_ed25519_privatekey_from_file("tests/data/keystore/ed25519_key", "password") ecdsa_priv = import_ecdsa_privatekey_from_file("tests/data/keystore/ecdsa_key", "password") ed25519_keyid = ed25519_priv["keyid"] ed25519_pub = ed25519_priv["keyval"]["public"] rsa_keyid = rsa_priv["keyid"] rsa_pub = repr(rsa_priv["keyval"]["public"]).strip("'") ecdsa_keyid = ecdsa_priv["keyid"] ecdsa_pub = repr(ecdsa_priv["keyval"]["public"]).strip("'") def signature(key, scheme): key["scheme"] = scheme signer = SSlibSigner(key) # Hack requires secure-systems-lab#590 and disabling supported-scheme-check in ECDSASigner if scheme == "ecdsa-sha2-nistp384": signer._crypto_signer._signature_algorithm = ECDSA(SHA384()) signature = signer.sign(b"DATA") return signature.signature print( f""" ed25519_keyid = ( "{ed25519_keyid}" ) ed25519_pub = ( "{ed25519_pub}" ) rsa_keyid = ( "{rsa_keyid}" ) rsa_pub = "{rsa_pub}" ecdsa_keyid = ( "{ecdsa_keyid}" ) ecdsa_pub = "{ecdsa_pub}" key_sig_data = [ ( ed25519_keyid, "ed25519", "ed25519", ed25519_pub, "{signature(ed25519_priv, "ed25519")}", ), ( rsa_keyid, "rsa", "rsassa-pss-sha224", rsa_pub, "{signature(rsa_priv, "rsassa-pss-sha224")}", ), ( rsa_keyid, "rsa", "rsassa-pss-sha256", rsa_pub, "{signature(rsa_priv, "rsassa-pss-sha256")}", ), ( rsa_keyid, "rsa", "rsassa-pss-sha384", rsa_pub, "{signature(rsa_priv, "rsassa-pss-sha384")}", ), ( rsa_keyid, "rsa", "rsassa-pss-sha512", rsa_pub, "{signature(rsa_priv, "rsassa-pss-sha512")}", ), ( rsa_keyid, "rsa", "rsa-pkcs1v15-sha224", rsa_pub, "{signature(rsa_priv, "rsa-pkcs1v15-sha224")}", ), ( rsa_keyid, "rsa", "rsa-pkcs1v15-sha256", rsa_pub, "{signature(rsa_priv, "rsa-pkcs1v15-sha256")}", ), ( rsa_keyid, "rsa", "rsa-pkcs1v15-sha384", rsa_pub, "{signature(rsa_priv, "rsa-pkcs1v15-sha384")}", ), ( rsa_keyid, "rsa", "rsa-pkcs1v15-sha512", rsa_pub, "{signature(rsa_priv, "rsa-pkcs1v15-sha512")}", ), ( ecdsa_keyid, "ecdsa", "ecdsa-sha2-nistp256", ecdsa_pub, "{signature(ecdsa_priv, "ecdsa-sha2-nistp256")}", ), ( ecdsa_keyid, "ecdsa", "ecdsa-sha2-nistp384", ecdsa_pub, "{signature(ecdsa_priv, "ecdsa-sha2-nistp384")}", ), ( ecdsa_keyid, "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp256", ecdsa_pub, "{signature(ecdsa_priv, "ecdsa-sha2-nistp256")}", ), ( ecdsa_keyid, "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp384", ecdsa_pub, "{signature(ecdsa_priv, "ecdsa-sha2-nistp384")}", ), ] """ ) ``` Signed-off-by: Lukas Puehringer <[email protected]>
Since secure-systems-lab#585 SSlibKey no longer uses securesystemslib.keys to verify signatures, and thus no longer is tested via `test_*keys`. Good test coverage of the new SSlibKey implementation is already available in test_signer. This PR ports one missing test from: `test_rsa_keys.TestRSA_keys.test_verify_rsa_pss_different_salt_lengths` Used script to create test table entry (requires secure-systems-lab#590): ``` from cryptography.hazmat.primitives.asymmetric.padding import MGF1, PSS from cryptography.hazmat.primitives.hashes import SHA256 from securesystemslib.interface import import_rsa_privatekey_from_file from securesystemslib.signer import SSlibSigner scheme = "rsassa-pss-sha256" rsa_priv = import_rsa_privatekey_from_file( "tests/data/keystore/rsa_key", password="password", scheme=scheme ) signer = SSlibSigner(rsa_priv) signer._crypto_signer._padding = PSS( mgf=MGF1(SHA256()), salt_length=PSS.MAX_LENGTH ) signature = signer.sign(b"DATA") print( f""" # Test sig with max salt length (briefly available in v0.24.0) ( rsa_keyid, "rsa", "{scheme}", rsa_pub, "{signature.signature}", ), """ ) ``` Signed-off-by: Lukas Puehringer <[email protected]>
jku
approved these changes
Jul 5, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Since #585 SSlibKey no longer uses securesystemslib.keys to verify signatures, and thus no longer is tested via
test_*keys
.Good test coverage of the new SSlibKey implementation is already available in test_signer.
This PR ports one missing test from:
test_rsa_keys.TestRSA_keys.test_verify_rsa_pss_different_salt_lengths
NOTE: In order to add the test data (i.e. signature) to an existing test table, I had to change all other data in the table too. Because, apparently the test table was created with on-the-fly generated keys, which made it impossible to add new entries. Now the table is based on test keys in this repository, which allows us to add new entries in the future (see snippet in commit message).