Merge branch 'backend-explicit-tests' into fix-rsa

Author: mattsb42-aws

.travis.yml

@@ -14,7 +14,7 @@ matrix:
     - python: 2.7
       env: TOXENV=py27-base
     - python: 2.7
-      env: TOXENV=py27-cryptography
+      env: TOXENV=py27-cryptography-only
     - python: 2.7
       env: TOXENV=py27-pycryptodome
     - python: 2.7
@@ -25,7 +25,7 @@ matrix:
     - python: 3.4
       env: TOXENV=py34-base
     - python: 3.4
-      env: TOXENV=py34-cryptography
+      env: TOXENV=py34-cryptography-only
     - python: 3.4
       env: TOXENV=py34-pycryptodome
     - python: 3.4
@@ -36,7 +36,7 @@ matrix:
     - python: 3.5
       env: TOXENV=py35-base
     - python: 3.5
-      env: TOXENV=py35-cryptography
+      env: TOXENV=py35-cryptography-only
     - python: 3.5
       env: TOXENV=py35-pycryptodome
     - python: 3.5
@@ -47,7 +47,7 @@ matrix:
     - python: 3.5
       env: TOXENV=py35-base
     - python: 3.5
-      env: TOXENV=py35-cryptography
+      env: TOXENV=py35-cryptography-only
     - python: 3.5
       env: TOXENV=py35-pycryptodome
     - python: 3.5
@@ -58,7 +58,7 @@ matrix:
     - python: pypy-5.3.1
       env: TOXENV=pypy-base
     - python: pypy-5.3.1
-      env: TOXENV=pypy-cryptography
+      env: TOXENV=pypy-cryptography-only
     - python: pypy-5.3.1
       env: TOXENV=pypy-pycryptodome
     - python: pypy-5.3.1

jose/backends/cryptography_backend.py

@@ -1,6 +1,13 @@
+from __future__ import division
+
+import math
+
 import six
-import ecdsa
-from ecdsa.util import sigdecode_string, sigencode_string, sigdecode_der, sigencode_der
+
+try:
+    from ecdsa import SigningKey as EcdsaSigningKey, VerifyingKey as EcdsaVerifyingKey
+except ImportError:
+    EcdsaSigningKey = EcdsaVerifyingKey = None
 
 from jose.backends.base import Key
 from jose.utils import base64_to_long, long_to_base64
@@ -11,7 +18,9 @@
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import ec, rsa, padding
+from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature
 from cryptography.hazmat.primitives.serialization import load_pem_private_key, load_pem_public_key
+from cryptography.utils import int_from_bytes, int_to_bytes
 from cryptography.x509 import load_pem_x509_certificate
 
 
@@ -37,7 +46,7 @@ def __init__(self, key, algorithm, cryptography_backend=default_backend):
             self.prepared_key = key
             return
 
-        if isinstance(key, (ecdsa.SigningKey, ecdsa.VerifyingKey)):
+        if None not in (EcdsaSigningKey, EcdsaVerifyingKey) and isinstance(key, (EcdsaSigningKey, EcdsaVerifyingKey)):
             # convert to PEM and let cryptography below load it as PEM
             key = key.to_pem().decode('utf-8')
 
@@ -90,19 +99,42 @@ def _process_jwk(self, jwk_dict):
         else:
             return public.public_key(self.cryptography_backend())
 
+    def _sig_component_length(self):
+        """Determine the correct serialization length for an encoded signature component.
+
+        This is the number of bytes required to encode the maximum key value.
+        """
+        return int(math.ceil(self.prepared_key.key_size / 8.0))
+
+    def _der_to_raw(self, der_signature):
+        """Convert signature from DER encoding to RAW encoding."""
+        r, s = decode_dss_signature(der_signature)
+        component_length = self._sig_component_length()
+        return int_to_bytes(r, component_length) + int_to_bytes(s, component_length)
+
+    def _raw_to_der(self, raw_signature):
+        """Convert signature from RAW encoding to DER encoding."""
+        component_length = self._sig_component_length()
+        if len(raw_signature) != int(2 * component_length):
+            raise ValueError("Invalid signature")
+
+        r_bytes = raw_signature[:component_length]
+        s_bytes = raw_signature[component_length:]
+        r = int_from_bytes(r_bytes, "big")
+        s = int_from_bytes(s_bytes, "big")
+        return encode_dss_signature(r, s)
+
     def sign(self, msg):
         if self.hash_alg.digest_size * 8 > self.prepared_key.curve.key_size:
             raise TypeError("this curve (%s) is too short "
                             "for your digest (%d)" % (self.prepared_key.curve.name,
                                                       8 * self.hash_alg.digest_size))
         signature = self.prepared_key.sign(msg, ec.ECDSA(self.hash_alg()))
-        order = (2 ** self.prepared_key.curve.key_size) - 1
-        return sigencode_string(*sigdecode_der(signature, order), order=order)
+        return self._der_to_raw(signature)
 
     def verify(self, msg, sig):
-        order = (2 ** self.prepared_key.curve.key_size) - 1
-        signature = sigencode_der(*sigdecode_string(sig, order), order=order)
         try:
+            signature = self._raw_to_der(sig)
             self.prepared_key.verify(signature, msg, ec.ECDSA(self.hash_alg()))
             return True
         except Exception:

tests/algorithms/test_EC.py

@@ -11,8 +11,10 @@
 
 try:
     from jose.backends.cryptography_backend import CryptographyECKey
+    from cryptography.hazmat.primitives.asymmetric import ec as CryptographyEc
+    from cryptography.hazmat.backends import default_backend as CryptographyBackend
 except ImportError:
-    CryptographyECKey = None
+    CryptographyECKey = CryptographyEc = CryptographyBackend = None
 
 import pytest
 
@@ -31,6 +33,18 @@
 -----END EC PRIVATE KEY-----
 """
 
+# ES256 signatures generated to test conversion logic
+DER_SIGNATURE = (
+    b"0F\x02!\x00\x89yG\x81W\x01\x11\x9b0\x08\xa4\xd0\xe3g([\x07\xb5\x01\xb3"
+    b"\x9d\xdf \xd1\xbc\xedK\x01\x87:}\xf2\x02!\x00\xb2shTA\x00\x1a\x13~\xba"
+    b"J\xdb\xeem\x12\x1e\xfeMO\x04\xb2[\x86A\xbd\xc6hu\x953X\x1e"
+)
+RAW_SIGNATURE = (
+    b"\x89yG\x81W\x01\x11\x9b0\x08\xa4\xd0\xe3g([\x07\xb5\x01\xb3\x9d\xdf "
+    b"\xd1\xbc\xedK\x01\x87:}\xf2\xb2shTA\x00\x1a\x13~\xbaJ\xdb\xeem\x12\x1e"
+    b"\xfeMO\x04\xb2[\x86A\xbd\xc6hu\x953X\x1e"
+)
+
 
 def _backend_exception_types():
     """Build the backend exception types based on available backends."""
@@ -51,6 +65,41 @@ def test_key_from_ecdsa():
     assert not ECKey(key, ALGORITHMS.ES256).is_public()
 
 
+@pytest.mark.cryptography
+@pytest.mark.skipif(CryptographyECKey is None, reason="pyca/cryptography backend not available")
+@pytest.mark.parametrize("algorithm, expected_length", (
+        (ALGORITHMS.ES256, 32),
+        (ALGORITHMS.ES384, 48),
+        (ALGORITHMS.ES512, 66)
+))
+def test_cryptography_sig_component_length(algorithm, expected_length):
+    # Put mapping inside here to avoid more complex handling for test runs that do not have pyca/cryptography
+    mapping = {
+        ALGORITHMS.ES256: CryptographyEc.SECP256R1,
+        ALGORITHMS.ES384: CryptographyEc.SECP384R1,
+        ALGORITHMS.ES512: CryptographyEc.SECP521R1,
+    }
+    key = CryptographyECKey(
+        CryptographyEc.generate_private_key(mapping[algorithm](), backend=CryptographyBackend()),
+        algorithm
+    )
+    assert key._sig_component_length() == expected_length
+
+
+@pytest.mark.cryptography
+@pytest.mark.skipif(CryptographyECKey is None, reason="pyca/cryptography backend not available")
+def test_cryptograhy_der_to_raw():
+    key = CryptographyECKey(private_key, ALGORITHMS.ES256)
+    assert key._der_to_raw(DER_SIGNATURE) == RAW_SIGNATURE
+
+
+@pytest.mark.cryptography
+@pytest.mark.skipif(CryptographyECKey is None, reason="pyca/cryptography backend not available")
+def test_cryptograhy_raw_to_der():
+    key = CryptographyECKey(private_key, ALGORITHMS.ES256)
+    assert key._raw_to_der(RAW_SIGNATURE) == DER_SIGNATURE
+
+
 class TestECAlgorithm:
 
     def test_key_from_pem(self):

tests/algorithms/test_RSA.py

@@ -11,13 +11,14 @@
     from Crypto.PublicKey import RSA as PyCryptoRSA
     from jose.backends.pycrypto_backend import RSAKey as PyCryptoRSAKey
 except ImportError:
-    PyCryptoRSA = None
+    PyCryptoRSA = PyCryptoRSAKey = None
 
 try:
     from cryptography.hazmat.backends import default_backend
-    from cryptography.hazmat.primitives.asymmetric import rsa
+    from cryptography.hazmat.primitives.asymmetric import rsa as pyca_rsa
+    from jose.backends.cryptography_backend import CryptographyRSAKey
 except ImportError:
-    default_backend = rsa = None
+    default_backend = pyca_rsa = CryptographyRSAKey = None
 
 from jose.backends import RSAKey
 from jose.constants import ALGORITHMS
@@ -332,12 +333,12 @@ def test_python_rsa_private_key_pkcs8_to_pkcs1(self):
 
 @pytest.mark.pycrypto
 @pytest.mark.pycryptodome
-@pytest.mark.skipif(PyCryptoRSA is None, reason="Pycrypto/dome backend not available")
+@pytest.mark.skipif(None in (PyCryptoRSA, PyCryptoRSAKey), reason="Pycrypto/dome backend not available")
 def test_pycrypto_RSA_key_instance():
     key = PyCryptoRSA.construct((long(
         26057131595212989515105618545799160306093557851986992545257129318694524535510983041068168825614868056510242030438003863929818932202262132630250203397069801217463517914103389095129323580576852108653940669240896817348477800490303630912852266209307160550655497615975529276169196271699168537716821419779900117025818140018436554173242441334827711966499484119233207097432165756707507563413323850255548329534279691658369466534587631102538061857114141268972476680597988266772849780811214198186940677291891818952682545840788356616771009013059992237747149380197028452160324144544057074406611859615973035412993832273216732343819),
                          long(65537)))
-    RSAKey(key, ALGORITHMS.RS256)
+    PyCryptoRSAKey(key, ALGORITHMS.RS256)
 
 
 # TODO: Unclear why this test was marked as only for pycrypto
@@ -356,17 +357,17 @@ def test_pycrypto_unencoded_cleartext(private_key):
 
 @pytest.mark.cryptography
 @pytest.mark.skipif(
-    None in (default_backend, rsa),
+    None in (default_backend, pyca_rsa, CryptographyRSAKey),
     reason="Cryptography backend not available"
 )
 def test_cryptography_RSA_key_instance():
 
-    key = rsa.RSAPublicNumbers(
+    key = pyca_rsa.RSAPublicNumbers(
         long(65537),
         long(26057131595212989515105618545799160306093557851986992545257129318694524535510983041068168825614868056510242030438003863929818932202262132630250203397069801217463517914103389095129323580576852108653940669240896817348477800490303630912852266209307160550655497615975529276169196271699168537716821419779900117025818140018436554173242441334827711966499484119233207097432165756707507563413323850255548329534279691658369466534587631102538061857114141268972476680597988266772849780811214198186940677291891818952682545840788356616771009013059992237747149380197028452160324144544057074406611859615973035412993832273216732343819),
     ).public_key(default_backend())
 
-    pubkey = RSAKey(key, ALGORITHMS.RS256)
+    pubkey = CryptographyRSAKey(key, ALGORITHMS.RS256)
     assert pubkey.is_public()
 
     pem = pubkey.to_pem()

tests/test_firebase.py

@@ -1,8 +1,16 @@
 
 import json
 
+import pytest
+
 from jose import jwt
 
+from jose.backends import RSAKey
+try:
+    from jose.backends.rsa_backend import RSAKey as RsaRSAKey
+except ImportError:
+    RsaRSAKey = None
+
 firebase_certs = {
     "6f83ab6e516e718fba9ddeb6647fd5fb752a151b": "-----BEGIN CERTIFICATE-----\nMIIDHDCCAgSgAwIBAgIIP5V2bjX2bXUwDQYJKoZIhvcNAQEFBQAwMTEvMC0GA1UE\nAxMmc2VjdXJldG9rZW4uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wHhcNMTYw\nODMxMDA0NTI2WhcNMTYwOTAzMDExNTI2WjAxMS8wLQYDVQQDEyZzZWN1cmV0b2tl\nbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBAKHHtOMXBD+0YTtZHuzFrERiiwa+D6Ybq4SUHlicgRPV3Uk2\nvnTOqg1EhxshEXqjkAQbbRop9hhHTc+p8rBxgYGuLcZsBhGrnRqU6FnTTiWB1x5V\nvOfCkPE60W07gi8p+HyB8cqw1Tz2LnRUw/15888CrspVeumtNUkhXSRKzeS2BI4l\nkuOMkqmsMSu1yB5IZm5meMyta1uhJnP93jKmdar19RkZXOlFcT+fsSY2FPuqvDvX\nssChgZgNV5qtk0CIzexmFJaUFzpKE/RxqdIJooB1H83fUBGVK+9v3Ko+BI+GEvUc\nxIGAEWu2KrbjwPNzzC3/UV9aSfHEOJxQoutPviECAwEAAaM4MDYwDAYDVR0TAQH/\nBAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwDQYJ\nKoZIhvcNAQEFBQADggEBAIHOiqxXm1IcuXE87ELyKYDG0/gZPzCHz98h/x0LExrs\nd0bOYOIA08rt6qllmP24oT3hQt86HmDb932pm/fjaLL68x81TjYq6cFO0JxOzts+\nY+9XxkdP8Qu7UJ8Dx+rRvDN1MUxLTvBVXdamhkhDusx7PB5kK1ixWtf91qrl/J9e\nUYQBnJ4E9wI8U5HVkW3IBWvsFt/+gMO1EcoNBdB2cY/4N3l3oxm5PSNDS4DTEs2f\nAYZDqo6PJt2tTRGSmvLBKSCqcT7eWBbIwBht3Uw8CvOMbVYGBWjbFeua3Q3fe+p7\n7UbFOLIvSGR516kyZqxy9pLoA9+2TvbpYwWu6mLCZtg=\n-----END CERTIFICATE-----\n",
     "fc2da7fa53d92e3bcba8a17e74b34da9dd585065": "-----BEGIN CERTIFICATE-----\nMIIDHDCCAgSgAwIBAgIINfZYQW9uekMwDQYJKoZIhvcNAQEFBQAwMTEvMC0GA1UE\nAxMmc2VjdXJldG9rZW4uc3lzdGVtLmdzZXJ2aWNlYWNjb3VudC5jb20wHhcNMTYw\nODI5MDA0NTI2WhcNMTYwOTAxMDExNTI2WjAxMS8wLQYDVQQDEyZzZWN1cmV0b2tl\nbi5zeXN0ZW0uZ3NlcnZpY2VhY2NvdW50LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBAMvfJ5DY7lV4txW0zn9ayMxwAp5BzUhyIbuZkmsmMLRrNl+i\nid4lawojB846YtcTPZLD/5QpXRumAAUI5NA023fxaUdriM25zewpSnZWs6eUf0O6\nONES8Xk4WD2fbyPz6cgnsFEfMslNd3NypRiB9fVG6LFj6TFHC64o/YEeQB2dwkJZ\nXknKSEkFJSRC83TiHUlWzaRjmTdGRrvGEWHxr+xJltP8tPPlJUKu2VadgMbGlkKU\n5dBRhvWwZZW0zJupuKzd27O2lPkxfbx9vrUbsfqZcN4OY5Xg+ijQJVTv0/qcplsd\nPZ9Uui0QsBOPbrIO+5/Tq9FIBqxzUlpWwetv6pMCAwEAAaM4MDYwDAYDVR0TAQH/\nBAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwDQYJ\nKoZIhvcNAQEFBQADggEBALqWwzIQSK94hxTmxlA+RoyMvb8fyTcECM2qY+n+PDb5\nMvt8zqM6AwGjK1hvcUg08BEsnqqRqC81dkSEReS9KCoTY/oQ0sCCpwL3QP3puoxp\nfZU9CSwvnrFTJjC2Q/b8BlWta4CSDwpxpy/K3wm6tRn5ED4rPcP4FRqWU5jyHiug\nRrNkKiG7TeBBvQ3ZlF9K4JSx1yn9g7EvPBcmygop5FIKI1uS+URxeyavtlwfnTTs\nDtRVV/x0LDkHoJ2Agy7l2MqT7eoRKh5VNucQONLrcZT1AY02eZi/WVSjgpzC48eP\nV9xlcgIaRbS/JDULYgW5h0uVdRNqSVGJ6yBLXT2uaBA=\n-----END CERTIFICATE-----\n",
@@ -14,6 +22,7 @@
 firebase_token = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImY0YjBhNWM3M2FkODVhNWRhMDlmMGU3Zjc2NDYzNjMxMzM5ZTBiYmYifQ.eyJpc3MiOiJodHRwczovL3NlY3VyZXRva2VuLmdvb2dsZS5jb20vd2Vkb3RyYW5zZmVyLTIwMTYiLCJhdWQiOiJ3ZWRvdHJhbnNmZXItMjAxNiIsImF1dGhfdGltZSI6MTQ2NzM0NjI3MCwidXNlcl9pZCI6IjRjemVXVllIekNNVnN0WEZOYldHVXBKYmJTZzEiLCJzdWIiOiI0Y3plV1ZZSHpDTVZzdFhGTmJXR1VwSmJiU2cxIiwiaWF0IjoxNDY3MzQ2MjcwLCJleHAiOjE0NjczNDk4NzAsImVtYWlsIjoic2V1bkBjbXUuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJmaXJlYmFzZSI6eyJpZGVudGl0aWVzIjp7InBhc3N3b3JkIjpbInNldW5AY211LmNvbSJdLCJlbWFpbCI6WyJzZXVuQGNtdS5jb20iXX19fQ.U-fYjx8rMm5tYV24r0uEcNQtIe3UKULxsHecLdGzTbi1v-VKzKDk_QPL26SPDoU8JUMY3nJQ1hOE9AapBrQck8NVUZSKFMD49XdtsyoN2kKdinpFR1hSxIE0L2dRStS7OZ8sGiX866lNa52Cr6TXSsnMD6N2P0OtVE5EeD1Nf-AiJ-gsaLrP4tBnmj1MNYhEYVHb6sAUrT3nEI9gWmeKcPWPfn76FGTdGWZ2mjdaeAG4RbuFL4cHdOISA_0HVLGJxuNyEHAHybDX8mVdNW_F4yzL3H-SmPFY5Kv3tCdBzpzhUKfNOnFFmf2ggFOJnDsqMp-TZaIPk6ce_ltqhQ0dnQ"
 
 
+@pytest.mark.skipif(RSAKey is RsaRSAKey, reason="python-rsa backend does not support certificates")
 class TestFirebase:
 
     def test_individual_cert(self):

tox.ini

@@ -1,5 +1,8 @@
 [tox]
-envlist = py{27,34,35,36,py}-{base,cryptography,pycryptodome,pycrypto,compatibility},flake8
+minversion = 3.4.0
+envlist =
+    py{27,34,35,36,py}-{base,cryptography-only,pycryptodome,pycrypto,compatibility},
+    flake8
 skip_missing_interpreters = True
 
 [testenv:basecommand]
@@ -19,6 +22,9 @@ deps =
     pytest-cov
     pytest-runner
     compatibility: {[testenv:compatibility]deps}
+commands_pre =
+    # Remove the python-rsa backend
+    only: pip uninstall -y ecdsa rsa
 commands =
     # Test the python-rsa backend
     base: {[testenv:basecommand]commands} -m "not (cryptography or pycryptodome or pycrypto or backend_compatibility)"