From 01ee41a11fa3545b37786092fd88243fa4b9e75e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 17 Jul 2018 17:31:28 +0800 Subject: [PATCH 1/2] add wycheproof tests for AES CMAC --- tests/wycheproof/test_cmac.py | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 tests/wycheproof/test_cmac.py diff --git a/tests/wycheproof/test_cmac.py b/tests/wycheproof/test_cmac.py new file mode 100644 index 000000000000..44ebc34d2eee --- /dev/null +++ b/tests/wycheproof/test_cmac.py @@ -0,0 +1,36 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import absolute_import, division, print_function + +import binascii + +import pytest + +from cryptography.exceptions import InvalidSignature +from cryptography.hazmat.backends.interfaces import CipherBackend +from cryptography.hazmat.primitives.ciphers.algorithms import AES +from cryptography.hazmat.primitives.cmac import CMAC + + +@pytest.mark.requires_backend_interface(interface=CipherBackend) +@pytest.mark.wycheproof_tests("aes_cmac_test.json") +def test_keywrap_with_padding(backend, wycheproof): + key = binascii.unhexlify(wycheproof.testcase["key"]) + msg = binascii.unhexlify(wycheproof.testcase["msg"]) + tag = binascii.unhexlify(wycheproof.testcase["tag"]) + + # skip truncated tags, which we don't support in the API + if wycheproof.valid and not len(tag) != 16: + ctx = CMAC(AES(key), backend) + ctx.update(msg) + ctx.verify(tag) + elif len(key) not in [16, 24, 32]: + with pytest.raises(ValueError): + CMAC(AES(key), backend) + else: + ctx = CMAC(AES(key), backend) + ctx.update(msg) + with pytest.raises(InvalidSignature): + ctx.verify(tag) From 952e98e794140bf0da5f4cd6311a8c32ca9613d6 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 17 Jul 2018 21:22:02 +0800 Subject: [PATCH 2/2] review feedback --- tests/wycheproof/test_cmac.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/wycheproof/test_cmac.py b/tests/wycheproof/test_cmac.py index 44ebc34d2eee..bef858395c9c 100644 --- a/tests/wycheproof/test_cmac.py +++ b/tests/wycheproof/test_cmac.py @@ -9,20 +9,20 @@ import pytest from cryptography.exceptions import InvalidSignature -from cryptography.hazmat.backends.interfaces import CipherBackend +from cryptography.hazmat.backends.interfaces import CMACBackend from cryptography.hazmat.primitives.ciphers.algorithms import AES from cryptography.hazmat.primitives.cmac import CMAC -@pytest.mark.requires_backend_interface(interface=CipherBackend) +@pytest.mark.requires_backend_interface(interface=CMACBackend) @pytest.mark.wycheproof_tests("aes_cmac_test.json") -def test_keywrap_with_padding(backend, wycheproof): +def test_aes_cmac(backend, wycheproof): key = binascii.unhexlify(wycheproof.testcase["key"]) msg = binascii.unhexlify(wycheproof.testcase["msg"]) tag = binascii.unhexlify(wycheproof.testcase["tag"]) # skip truncated tags, which we don't support in the API - if wycheproof.valid and not len(tag) != 16: + if wycheproof.valid and len(tag) == 16: ctx = CMAC(AES(key), backend) ctx.update(msg) ctx.verify(tag)