Skip to content

Commit

Permalink
Fixed DH tests for latest CentOS FIPS OpenSSL (#5604)
Browse files Browse the repository at this point in the history
* Fixed DH tests for latest CentOS FIPS OpenSSL (1.1.1g)
  • Loading branch information
alex authored Dec 8, 2020
1 parent 6693d55 commit b5278c9
Show file tree
Hide file tree
Showing 4 changed files with 32 additions and 14 deletions.
14 changes: 7 additions & 7 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ jobs:
IMAGE:
- {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py27"}
- {IMAGE: "pyca/cryptography-runner-centos8", TOXENV: "py36"}
- {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", ENV: "OPENSSL_FORCE_FIPS_MODE=1"}
- {IMAGE: "pyca/cryptography-runner-centos8-fips", TOXENV: "py36", FIPS: true}
- {IMAGE: "pyca/cryptography-runner-stretch", TOXENV: "py27"}
- {IMAGE: "pyca/cryptography-runner-buster", TOXENV: "py37"}
- {IMAGE: "pyca/cryptography-runner-bullseye", TOXENV: "py38"}
Expand All @@ -100,20 +100,20 @@ jobs:
- {IMAGE: "pyca/cryptography-runner-ubuntu-rolling", TOXENV: "py38-randomorder"}
- {IMAGE: "pyca/cryptography-runner-fedora", TOXENV: "py39"}
- {IMAGE: "pyca/cryptography-runner-alpine", TOXENV: "py38"}
name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ matrix.IMAGE.ENV }}"
name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}"
steps:
- uses: actions/checkout@v2
- run: 'git clone --depth=1 https://github.com/google/wycheproof "$HOME/wycheproof"'
- run: 'echo "$ENV_VAR" >> $GITHUB_ENV'
if: matrix.IMAGE.ENV
env:
ENV_VAR: ${{ matrix.IMAGE.ENV }}
- run: |
echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV
echo "CFLAGS=-DUSE_OSRANDOM_RNG_FOR_TESTING" >> $GITHUB_ENV
if: matrix.IMAGE.FIPS
- run: 'tox -- --wycheproof-root="$HOME/wycheproof"'
env:
TOXENV: ${{ matrix.IMAGE.TOXENV }}
- uses: ./.github/actions/upload-coverage
with:
name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }} ${{ matrix.IMAGE.ENV }}"
name: "tox -e ${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}"

macos:
runs-on: macos-latest
Expand Down
12 changes: 12 additions & 0 deletions tests/hazmat/primitives/test_dh.py
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,7 @@ def test_unsupported_generator_generate_dh(self, backend):
with pytest.raises(ValueError):
dh.generate_parameters(7, 512, backend)

@pytest.mark.skip_fips(reason="non-FIPS parameters")
def test_dh_parameters_supported(self, backend):
valid_p = int(
b"907c7211ae61aaaba1825ff53b6cb71ac6df9f1a424c033f4a0a41ac42fad3a9"
Expand All @@ -171,6 +172,12 @@ def test_dh_parameters_supported(self, backend):
)
def test_dh_parameters_allows_rfc3526_groups(self, backend, vector):
p = int_from_bytes(binascii.unhexlify(vector["p"]), "big")
if (
backend._fips_enabled
and p.bit_length() < backend._fips_dh_min_modulus
):
pytest.skip("modulus too small for FIPS mode")

params = dh.DHParameterNumbers(p, int(vector["g"]))
param = params.parameters(backend)
key = param.generate_private_key()
Expand All @@ -180,6 +187,7 @@ def test_dh_parameters_allows_rfc3526_groups(self, backend, vector):
roundtripped_key = key.private_numbers().private_key(backend)
assert key.private_numbers() == roundtripped_key.private_numbers()

@pytest.mark.skip_fips(reason="non-FIPS parameters")
@pytest.mark.parametrize(
"vector",
load_vectors_from_file(
Expand Down Expand Up @@ -227,6 +235,7 @@ def test_convert_to_numbers(self, backend, with_q):
deserialized_private, dh.DHPrivateKeyWithSerialization
)

@pytest.mark.skip_fips(reason="FIPS requires specific parameters")
def test_numbers_unsupported_parameters(self, backend):
# p is set to P_1536 + 1 because when calling private_key we want it to
# fail the DH_check call OpenSSL does, but we specifically want it to
Expand Down Expand Up @@ -415,6 +424,7 @@ def test_dh_vectors(self, backend, vector):

assert int_from_bytes(symkey, "big") == int(vector["k"], 16)

@pytest.mark.skip_fips(reason="non-FIPS parameters")
@pytest.mark.parametrize(
"vector",
load_vectors_from_file(
Expand Down Expand Up @@ -477,6 +487,7 @@ def test_private_bytes_rejects_invalid(self, encoding, fmt, backend):
with pytest.raises(ValueError):
key.private_bytes(encoding, fmt, serialization.NoEncryption())

@pytest.mark.skip_fips(reason="non-FIPS parameters")
@pytest.mark.parametrize(
("key_path", "loader_func", "encoding", "is_dhx"),
[
Expand Down Expand Up @@ -521,6 +532,7 @@ def test_private_bytes_match(
)
assert serialized == key_bytes

@pytest.mark.skip_fips(reason="non-FIPS parameters")
@pytest.mark.parametrize(
("key_path", "loader_func", "vec_path", "is_dhx"),
[
Expand Down
2 changes: 2 additions & 0 deletions tests/hazmat/primitives/test_serialization.py
Original file line number Diff line number Diff line change
Expand Up @@ -1757,6 +1757,7 @@ def test_openssh_serialization_unsupported(self, backend):
class TestDHSerialization(object):
"""Test all options with least-supported key type."""

@pytest.mark.skip_fips(reason="non-FIPS parameters")
def test_dh_public_key(self, backend):
data = load_vectors_from_file(
os.path.join("asymmetric", "DH", "dhkey.pem"),
Expand Down Expand Up @@ -1788,6 +1789,7 @@ def test_dh_public_key(self, backend):
with pytest.raises(ValueError):
public_key.public_bytes(enc, fmt)

@pytest.mark.skip_fips(reason="non-FIPS parameters")
def test_dh_private_key(self, backend):
data = load_vectors_from_file(
os.path.join("asymmetric", "DH", "dhkey.pem"),
Expand Down
18 changes: 11 additions & 7 deletions tests/x509/test_x509.py
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@
)
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import (
dh,
dsa,
ec,
ed25519,
Expand All @@ -51,6 +52,7 @@
from cryptography.hazmat.primitives.asymmetric.utils import (
decode_dss_signature,
)
from cryptography.utils import int_from_bytes
from cryptography.x509.name import _ASN1Type
from cryptography.x509.oid import (
AuthorityInformationAccessOID,
Expand All @@ -65,7 +67,7 @@
from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
from ..hazmat.primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
from ..hazmat.primitives.test_ec import _skip_curve_unsupported
from ..utils import load_vectors_from_file
from ..utils import load_nist_vectors, load_vectors_from_file


@utils.register_interface(x509.ExtensionType)
Expand Down Expand Up @@ -5237,12 +5239,14 @@ class TestSignatureRejection(object):
"""Test if signing rejects DH keys properly."""

def load_key(self, backend):
data = load_vectors_from_file(
os.path.join("asymmetric", "DH", "dhkey.pem"),
lambda pemfile: pemfile.read(),
mode="rb",
)
return serialization.load_pem_private_key(data, None, backend)
vector = load_vectors_from_file(
os.path.join("asymmetric", "DH", "rfc3526.txt"),
load_nist_vectors,
)[1]
p = int_from_bytes(binascii.unhexlify(vector["p"]), "big")
params = dh.DHParameterNumbers(p, int(vector["g"]))
param = params.parameters(backend)
return param.generate_private_key()

def test_crt_signing_check(self, backend):
issuer_private_key = self.load_key(backend)
Expand Down

0 comments on commit b5278c9

Please sign in to comment.