Add more tests

Author: ahmed-farid-dev

python/ql/test/experimental/query-tests/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.py

@@ -5,8 +5,26 @@
 """
 import hashlib
 import hmac
+from cryptography.hazmat.primitives import cmac
+from cryptography.hazmat.primitives.ciphers import algorithms
+from Crypto.Signature import pkcs1_15
+from Crypto.Hash import SHA256
+from Crypto.PublicKey import RSA
 
-key = "e179017a-62b0-4996-8a38-e91aa9f1"
+
+def UnsafeCmacCheck(actualCmac):
+    expected = cmac.CMAC(algorithms.AES(key))
+    expected.update(b"message to authenticate")
+    expected.finalize()
+    return actualCmac == expected 
+
+
+def UnsafeCheckSignature(expected):
+    message = b'To be signed'
+    key = RSA.import_key(open('private_key.der').read())
+    h = SHA256.new(message)
+    signature = pkcs1_15.new(key).sign(h)
+    return expected == signature 
 
 def sign(pre_key, msg, alg):
     return hmac.new(pre_key, msg, alg).digest()
@@ -15,6 +33,7 @@ def verifyGood(msg, sig):
     return constant_time_string_compare(sig, sign(key, msg, hashlib.sha256)) #good
 
 def verifyBad(msg, sig):
+    key = "e179017a-62b0-4996-8a38-e91aa9f1"
     return sig == sign(key, msg, hashlib.sha256) #bad
 
 def constant_time_string_compare(a, b):