# Copyright 2016 Google Inc. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """Unit tests for oauth2client._pure_python_crypt.""" import os import mock from pyasn1_modules import pem import rsa import six import unittest2 from oauth2client._helpers import _from_bytes from oauth2client import _pure_python_crypt from oauth2client.crypt import RsaSigner from oauth2client.crypt import RsaVerifier class TestRsaVerifier(unittest2.TestCase): PUBLIC_KEY_FILENAME = os.path.join(os.path.dirname(__file__), 'data', 'privatekey.pub') PUBLIC_CERT_FILENAME = os.path.join(os.path.dirname(__file__), 'data', 'public_cert.pem') PRIVATE_KEY_FILENAME = os.path.join(os.path.dirname(__file__), 'data', 'privatekey.pem') def _load_public_key_bytes(self): with open(self.PUBLIC_KEY_FILENAME, 'rb') as fh: return fh.read() def _load_public_cert_bytes(self): with open(self.PUBLIC_CERT_FILENAME, 'rb') as fh: return fh.read() def _load_private_key_bytes(self): with open(self.PRIVATE_KEY_FILENAME, 'rb') as fh: return fh.read() def test_verify_success(self): to_sign = b'foo' signer = RsaSigner.from_string(self._load_private_key_bytes()) actual_signature = signer.sign(to_sign) verifier = RsaVerifier.from_string(self._load_public_key_bytes(), is_x509_cert=False) self.assertTrue(verifier.verify(to_sign, actual_signature)) def test_verify_unicode_success(self): to_sign = u'foo' signer = RsaSigner.from_string(self._load_private_key_bytes()) actual_signature = signer.sign(to_sign) verifier = RsaVerifier.from_string(self._load_public_key_bytes(), is_x509_cert=False) self.assertTrue(verifier.verify(to_sign, actual_signature)) def test_verify_failure(self): verifier = RsaVerifier.from_string(self._load_public_key_bytes(), is_x509_cert=False) bad_signature1 = b'' self.assertFalse(verifier.verify(b'foo', bad_signature1)) bad_signature2 = b'a' self.assertFalse(verifier.verify(b'foo', bad_signature2)) def test_from_string_pub_key(self): public_key = self._load_public_key_bytes() verifier = RsaVerifier.from_string(public_key, is_x509_cert=False) self.assertIsInstance(verifier, RsaVerifier) self.assertIsInstance(verifier._pubkey, rsa.key.PublicKey) def test_from_string_pub_key_unicode(self): public_key = _from_bytes(self._load_public_key_bytes()) verifier = RsaVerifier.from_string(public_key, is_x509_cert=False) self.assertIsInstance(verifier, RsaVerifier) self.assertIsInstance(verifier._pubkey, rsa.key.PublicKey) def test_from_string_pub_cert(self): public_cert = self._load_public_cert_bytes() verifier = RsaVerifier.from_string(public_cert, is_x509_cert=True) self.assertIsInstance(verifier, RsaVerifier) self.assertIsInstance(verifier._pubkey, rsa.key.PublicKey) def test_from_string_pub_cert_unicode(self): public_cert = _from_bytes(self._load_public_cert_bytes()) verifier = RsaVerifier.from_string(public_cert, is_x509_cert=True) self.assertIsInstance(verifier, RsaVerifier) self.assertIsInstance(verifier._pubkey, rsa.key.PublicKey) def test_from_string_pub_cert_failure(self): cert_bytes = self._load_public_cert_bytes() true_der = rsa.pem.load_pem(cert_bytes, 'CERTIFICATE') with mock.patch('rsa.pem.load_pem', return_value=true_der + b'extra') as load_pem: with self.assertRaises(ValueError): RsaVerifier.from_string(cert_bytes, is_x509_cert=True) load_pem.assert_called_once_with(cert_bytes, 'CERTIFICATE') class TestRsaSigner(unittest2.TestCase): PKCS1_KEY_FILENAME = os.path.join(os.path.dirname(__file__), 'data', 'privatekey.pem') PKCS8_KEY_FILENAME = os.path.join(os.path.dirname(__file__), 'data', 'pem_from_pkcs12.pem') PKCS12_KEY_FILENAME = os.path.join(os.path.dirname(__file__), 'data', 'privatekey.p12') def _load_pkcs1_key_bytes(self): with open(self.PKCS1_KEY_FILENAME, 'rb') as fh: return fh.read() def _load_pkcs8_key_bytes(self): with open(self.PKCS8_KEY_FILENAME, 'rb') as fh: return fh.read() def _load_pkcs12_key_bytes(self): with open(self.PKCS12_KEY_FILENAME, 'rb') as fh: return fh.read() def test_from_string_pkcs1(self): key_bytes = self._load_pkcs1_key_bytes() signer = RsaSigner.from_string(key_bytes) self.assertIsInstance(signer, RsaSigner) self.assertIsInstance(signer._key, rsa.key.PrivateKey) def test_from_string_pkcs1_unicode(self): key_bytes = _from_bytes(self._load_pkcs1_key_bytes()) signer = RsaSigner.from_string(key_bytes) self.assertIsInstance(signer, RsaSigner) self.assertIsInstance(signer._key, rsa.key.PrivateKey) def test_from_string_pkcs8(self): key_bytes = self._load_pkcs8_key_bytes() signer = RsaSigner.from_string(key_bytes) self.assertIsInstance(signer, RsaSigner) self.assertIsInstance(signer._key, rsa.key.PrivateKey) def test_from_string_pkcs8_extra_bytes(self): key_bytes = self._load_pkcs8_key_bytes() _, pem_bytes = pem.readPemBlocksFromFile( six.StringIO(_from_bytes(key_bytes)), _pure_python_crypt._PKCS8_MARKER) with mock.patch('pyasn1.codec.der.decoder.decode') as mock_decode: key_info, remaining = None, 'extra' mock_decode.return_value = (key_info, remaining) with self.assertRaises(ValueError): RsaSigner.from_string(key_bytes) # Verify mock was called. mock_decode.assert_called_once_with( pem_bytes, asn1Spec=_pure_python_crypt._PKCS8_SPEC) def test_from_string_pkcs8_unicode(self): key_bytes = _from_bytes(self._load_pkcs8_key_bytes()) signer = RsaSigner.from_string(key_bytes) self.assertIsInstance(signer, RsaSigner) self.assertIsInstance(signer._key, rsa.key.PrivateKey) def test_from_string_pkcs12(self): key_bytes = self._load_pkcs12_key_bytes() with self.assertRaises(ValueError): RsaSigner.from_string(key_bytes) def test_from_string_bogus_key(self): key_bytes = 'bogus-key' with self.assertRaises(ValueError): RsaSigner.from_string(key_bytes) if __name__ == '__main__': # pragma: NO COVER unittest2.main()