Reduce MD5 and SHA1 dependency in tests (#1074)
* Reduce MD5 and SHA1 dependency in tests

Most of the tests aren't specifically testing MD5 or SHA1. Switch those
to a modern hash.

* Fix line length
davidben authored Jan 10, 2022
1 parent d184fbb commit fb26edd
Showing 1 changed file with 23 additions and 23 deletions.
46 changes: 23 additions & 23 deletions tests/test_crypto.py
Expand Up @@ -64,7 +64,7 @@ def normalize_privatekey_pem(pem):
GOOD_CIPHER = "blowfish"
BAD_CIPHER = "zippers"

GOOD_DIGEST = "SHA1"
GOOD_DIGEST = "SHA256"
BAD_DIGEST = "monkeys"

old_root_cert_pem = b"""-----BEGIN CERTIFICATE-----
Expand Down Expand Up @@ -914,7 +914,7 @@ def test_unused_subject(self, x509_data):
b"basicConstraints", False, b"CA:TRUE", subject=x509
)
x509.add_extensions([ext1])
x509.sign(pkey, "sha1")
x509.sign(pkey, "sha256")
# This is a little lame. Can we think of a better way?
text = dump_certificate(FILETYPE_TEXT, x509)
assert b"X509v3 Basic Constraints:" in text
Expand All @@ -930,7 +930,7 @@ def test_subject(self, x509_data):
b"subjectKeyIdentifier", False, b"hash", subject=x509
)
x509.add_extensions([ext3])
x509.sign(pkey, "sha1")
x509.sign(pkey, "sha256")
text = dump_certificate(FILETYPE_TEXT, x509)
assert b"X509v3 Subject Key Identifier:" in text

Expand Down Expand Up @@ -963,7 +963,7 @@ def test_unused_issuer(self, x509_data):
b"basicConstraints", False, b"CA:TRUE", issuer=x509
)
x509.add_extensions([ext1])
x509.sign(pkey, "sha1")
x509.sign(pkey, "sha256")
text = dump_certificate(FILETYPE_TEXT, x509)
assert b"X509v3 Basic Constraints:" in text
assert b"CA:TRUE" in text
Expand All @@ -978,7 +978,7 @@ def test_issuer(self, x509_data):
b"authorityKeyIdentifier", False, b"issuer:always", issuer=x509
)
x509.add_extensions([ext2])
x509.sign(pkey, "sha1")
x509.sign(pkey, "sha256")
text = dump_certificate(FILETYPE_TEXT, x509)
assert b"X509v3 Authority Key Identifier:" in text
assert b"DirName:/CN=Yoda root CA" in text
Expand Down Expand Up @@ -1935,13 +1935,13 @@ def test_digest(self):
"""
cert = load_certificate(FILETYPE_PEM, old_root_cert_pem)
assert (
# This is MD5 instead of GOOD_DIGEST because the digest algorithm
# actually matters to the assertion (ie, another arbitrary, good
# digest will not product the same digest).
# Digest verified with the command:
# openssl x509 -in root_cert.pem -noout -fingerprint -md5
cert.digest("MD5")
== b"19:B3:05:26:2B:F8:F2:FF:0B:8F:21:07:A8:28:B8:75"
# openssl x509 -in root_cert.pem -noout -fingerprint -sha256
cert.digest("SHA256")
== (
b"3E:0F:16:39:6B:B1:3E:4F:08:85:C6:5F:10:0D:CB:2C:"
b"25:C2:91:4E:D0:4A:C2:29:06:BD:55:E3:A7:B3:B7:06"
)
)

def _extcert(self, pkey, extensions):
Expand All @@ -1957,7 +1957,7 @@ def _extcert(self, pkey, extensions):
cert.set_notAfter(when)

cert.add_extensions(extensions)
cert.sign(pkey, "sha1")
cert.sign(pkey, "sha256")
return load_certificate(
FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert)
)
Expand Down Expand Up @@ -3573,7 +3573,7 @@ def test_export_der(self):

# DER format
dumped_crl = self._get_crl().export(
self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
self.cert, self.pkey, FILETYPE_ASN1, digest=b"sha256"
)
crl = x509.load_der_x509_crl(dumped_crl, backend)
revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
Expand All @@ -3600,7 +3600,7 @@ def test_export_text(self):

# text format
dumped_text = crl.export(
self.cert, self.pkey, type=FILETYPE_TEXT, digest=b"md5"
self.cert, self.pkey, type=FILETYPE_TEXT, digest=b"sha256"
)
assert len(dumped_text) > 500

Expand All @@ -3610,9 +3610,9 @@ def test_export_custom_digest(self):
signature algorithm based on that digest function.
"""
crl = self._get_crl()
dumped_crl = crl.export(self.cert, self.pkey, digest=b"sha1")
dumped_crl = crl.export(self.cert, self.pkey, digest=b"sha384")
text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
text.index(b"Signature Algorithm: sha1")
text.index(b"Signature Algorithm: sha384")

def test_export_md5_digest(self):
"""
Expand Down Expand Up @@ -4250,7 +4250,7 @@ def test_sign_verify(self):
# certificate unrelated to priv_key, used to trigger an error
bad_cert = load_certificate(FILETYPE_PEM, server_cert_pem)

for digest in ["md5", "sha1"]:
for digest in ["md5", "sha1", "sha256"]:
sig = sign(priv_key, content, digest)

# Verify the signature of content, will throw an exception if
Expand Down Expand Up @@ -4289,7 +4289,7 @@ def test_sign_verify_with_text(self):

priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
cert = load_certificate(FILETYPE_PEM, root_cert_pem)
for digest in ["md5", "sha1"]:
for digest in ["md5", "sha1", "sha256"]:
with pytest.warns(DeprecationWarning) as w:
simplefilter("always")
sig = sign(priv_key, content, digest)
Expand Down Expand Up @@ -4319,8 +4319,8 @@ def test_sign_verify_ecdsa(self):
)
priv_key = load_privatekey(FILETYPE_PEM, ec_root_key_pem)
cert = load_certificate(FILETYPE_PEM, ec_root_cert_pem)
sig = sign(priv_key, content, "sha1")
verify(cert, sig, content, "sha1")
sig = sign(priv_key, content, "sha256")
verify(cert, sig, content, "sha256")

def test_sign_nulls(self):
"""
Expand All @@ -4329,8 +4329,8 @@ def test_sign_nulls(self):
content = b"Watch out! \0 Did you see it?"
priv_key = load_privatekey(FILETYPE_PEM, root_key_pem)
good_cert = load_certificate(FILETYPE_PEM, root_cert_pem)
sig = sign(priv_key, content, "sha1")
verify(good_cert, sig, content, "sha1")
sig = sign(priv_key, content, "sha256")
verify(good_cert, sig, content, "sha256")

def test_sign_with_large_key(self):
"""
Expand All @@ -4345,7 +4345,7 @@ def test_sign_with_large_key(self):
)

priv_key = load_privatekey(FILETYPE_PEM, large_key_pem)
sign(priv_key, content, "sha1")
sign(priv_key, content, "sha256")


class TestEllipticCurve(object):
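Review bot: The loops in test_sign_verify and test_sign_verify_with_text still run `md5` and `sha1` ahead of the new `sha256` entry, so if the suite is ever run under a build or crypto policy that refuses legacy digests for signing (an assumption; the page does not show the CI matrix), the first iteration would raise and SHA-256 would never be exercised. Moving the list into `@pytest.mark.parametrize("digest", ["md5", "sha1", "sha256"])` with `def test_sign_verify(self, digest):` would give each algorithm its own result, and the legacy cases could later be skipped or dropped without touching the modern one. Both test bodies start and continue outside their hunks, so the loop body would also need dedenting in the part not shown here. In test_digest, the deleted comment explained why a literal algorithm name is used; a short replacement such as `# Literal "SHA256", not GOOD_DIGEST: the fingerprint below is specific to this algorithm.` would keep that intent now that the two values coincide.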