def test_already_finalized(self, backend):
kdf = KBKDFCMAC(
algorithms.AES,
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
kdf.derive(self._KEY_MATERIAL)
with pytest.raises(AlreadyFinalized):
kdf.derive(self._KEY_MATERIAL2)
kdf = KBKDFCMAC(
algorithms.AES,
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
key = kdf.derive(self._KEY_MATERIAL)
with pytest.raises(AlreadyFinalized):
kdf.verify(self._KEY_MATERIAL, key)
kdf = KBKDFCMAC(
algorithms.AES,
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
kdf.verify(self._KEY_MATERIAL, key)
with pytest.raises(AlreadyFinalized):
kdf.verify(self._KEY_MATERIAL, key)
def test_wrong_key_material_length(self, backend):
kdf = KBKDFCMAC(
algorithms.AES,
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
with pytest.raises(ValueError):
kdf.derive(b"material")
def test_unicode_error_key_material(self, backend):
kdf = KBKDFCMAC(
algorithms.AES,
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
with pytest.raises(TypeError):
kdf.derive("material") # type: ignore[arg-type]
def test_unsupported_cipher(self, backend):
kdf = KBKDFCMAC(
DummyBlockCipherAlgorithm,
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER):
kdf.derive(self._KEY_MATERIAL)
def test_key_length(self, backend):
kdf = KBKDFCMAC(
algorithms.AES,
Mode.CounterMode,
85899345920,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
with pytest.raises(ValueError):
kdf.derive(self._KEY_MATERIAL)
def test_invalid_key(self, backend):
kdf = KBKDFCMAC(
algorithms.AES,
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
key = kdf.derive(self._KEY_MATERIAL)
kdf = KBKDFCMAC(
algorithms.AES,
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
with pytest.raises(InvalidKey):
kdf.verify(self._KEY_MATERIAL2, key)
def _kbkdf_cmac_counter_mode_test(backend, prf, ctr_loc, params):
supported_cipher_algorithms: typing.Dict[
str, typing.Type[BlockCipherAlgorithm]] = {
"cmac_aes128": algorithms.AES,
"cmac_aes192": algorithms.AES,
"cmac_aes256": algorithms.AES,
"cmac_tdes2": algorithms.TripleDES,
"cmac_tdes3": algorithms.TripleDES,
}
algorithm = supported_cipher_algorithms.get(prf)
assert algorithm is not None
# TripleDES is disallowed in FIPS mode.
if backend._fips_enabled and algorithm is algorithms.TripleDES:
pytest.skip("TripleDES is not supported in FIPS mode.")
ctrkdf = KBKDFCMAC(
algorithm,
Mode.CounterMode,
params["l"] // 8,
params["rlen"] // 8,
None,
ctr_loc,
None,
None,
binascii.unhexlify(params["fixedinputdata"]),
backend=backend,
)
ko = ctrkdf.derive(binascii.unhexlify(params["ki"]))
assert binascii.hexlify(ko) == params["ko"]
def test_buffer_protocol(self, backend):
kdf = KBKDFCMAC(
algorithms.AES,
Mode.CounterMode,
10,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
key = kdf.derive(bytearray(self._KEY_MATERIAL))
assert key == b"\x19\xcd\xbe\x17Lb\x115<\xd0"