def test_invalid_key(self):
kdf = KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=default_backend())
key = kdf.derive(b"material")
kdf = KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=default_backend())
with pytest.raises(InvalidKey):
kdf.verify(b"material2", key)
def test_invalid_key(self, backend):
kdf = KBKDFHMAC(
hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
key = kdf.derive(b"material")
kdf = KBKDFHMAC(
hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
with pytest.raises(InvalidKey):
kdf.verify(b"material2", key)
def test_already_finalized(self, backend):
kdf = KBKDFHMAC(
hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
kdf.derive(b"material")
with pytest.raises(AlreadyFinalized):
kdf.derive(b"material2")
kdf = KBKDFHMAC(
hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
key = kdf.derive(b"material")
with pytest.raises(AlreadyFinalized):
kdf.verify(b"material", key)
kdf = KBKDFHMAC(
hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
kdf.verify(b"material", key)
with pytest.raises(AlreadyFinalized):
kdf.verify(b"material", key)
def _kbkdf_hmac_counter_mode_test(backend, prf, ctr_loc, params):
supported_hash_algorithms: typing.Dict[
str, typing.Type[hashes.HashAlgorithm]] = {
"hmac_sha1": hashes.SHA1,
"hmac_sha224": hashes.SHA224,
"hmac_sha256": hashes.SHA256,
"hmac_sha384": hashes.SHA384,
"hmac_sha512": hashes.SHA512,
}
algorithm = supported_hash_algorithms.get(prf)
assert algorithm is not None
assert backend.hmac_supported(algorithm())
ctrkdf = KBKDFHMAC(
algorithm(),
Mode.CounterMode,
params["l"] // 8,
params["rlen"] // 8,
None,
ctr_loc,
None,
None,
binascii.unhexlify(params["fixedinputdata"]),
backend=backend,
)
ko = ctrkdf.derive(binascii.unhexlify(params["ki"]))
assert binascii.hexlify(ko) == params["ko"]
def calculate_derived_key(self, sessionkey, context=None):
"""
Calculate the derived key given a session key and optional context using KBKDFHMAC
"""
label = b"AzureAD-SecureConversation"
if not context:
context = os.urandom(32)
else:
context = binascii.unhexlify(context)
backend = default_backend()
kdf = KBKDFHMAC(algorithm=hashes.SHA256(),
mode=Mode.CounterMode,
length=32,
rlen=4,
llen=4,
location=CounterLocation.BeforeFixed,
label=label,
context=context,
fixed=None,
backend=backend)
if len(sessionkey) == 44:
keybytes = base64.b64decode(sessionkey)
else:
keybytes = binascii.unhexlify(sessionkey)
derived_key = kdf.derive(keybytes)
# This is not ideal but further code expects it as hex string
return binascii.hexlify(context).decode('utf-8'), binascii.hexlify(
derived_key).decode('utf-8')
def test_already_finalized(self):
kdf = KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=default_backend())
kdf.derive(b'material')
with pytest.raises(AlreadyFinalized):
kdf.derive(b'material2')
kdf = KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=default_backend())
key = kdf.derive(b'material')
with pytest.raises(AlreadyFinalized):
kdf.verify(b'material', key)
kdf = KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=default_backend())
kdf.verify(b'material', key)
with pytest.raises(AlreadyFinalized):
kdf.verify(b"material", key)
def test_unicode_error_label(self):
with pytest.raises(TypeError):
KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
u'label',
b'context',
backend=default_backend())
def test_l_type(self, backend):
with pytest.raises(TypeError):
KBKDFHMAC(hashes.SHA1(),
Mode.CounterMode,
32,
4,
b'l',
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=backend)
def test_unsupported_algorithm(self):
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH):
KBKDFHMAC(DummyHashAlgorithm(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=default_backend())
def test_unsupported_parameters(self):
with pytest.raises(ValueError):
KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
b'fixed',
backend=default_backend())
def test_unsupported_location(self):
with pytest.raises(TypeError):
KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
None,
b'label',
b'context',
None,
backend=default_backend())
def test_unsupported_mode(self):
with pytest.raises(TypeError):
KBKDFHMAC(hashes.SHA256(),
None,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=default_backend())
def test_l(self):
with pytest.raises(ValueError):
KBKDFHMAC(hashes.SHA1(),
Mode.CounterMode,
32,
4,
None,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=default_backend())
def test_unicode_error_context(self, backend):
with pytest.raises(TypeError):
KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
u'context',
None,
backend=backend)
def test_invalid_backend(self, backend):
with raises_unsupported_algorithm(_Reasons.BACKEND_MISSING_INTERFACE):
KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=object())
def test_unsupported_hash(self, backend):
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH):
KBKDFHMAC(object(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=backend)
def test_rlen(self, backend):
with pytest.raises(ValueError):
KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
5,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=backend)
def test_unicode_error_label(self, backend):
with pytest.raises(TypeError):
KBKDFHMAC(
hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
"label",
b"context",
backend=backend,
)
def test_unicode_error_key_material(self):
with pytest.raises(TypeError):
kdf = KBKDFHMAC(hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=default_backend())
kdf.derive(u'material')
def __genKey(self):
label = "!There is the sun label"
context = "!There is the sun context"
kdf = KBKDFHMAC(algorithm=hashes.SHA256(),\
mode=Mode.CounterMode,length=32,\
rlen=4,\
llen=4,\
location=CounterLocation.BeforeFixed,\
label=label,\
context=context,\
fixed=None,\
backend=default_backend())
return base64.urlsafe_b64encode(
kdf.derive(self.__getSerialNum(config.SER_N_FILE_LOC)))
def _derive_urlsafe_key(*, label, context):
backend = default_backend()
kdf = KBKDFHMAC(algorithm=hashes.SHA256(),
mode=Mode.CounterMode,
length=32,
rlen=4,
llen=4,
location=CounterLocation.BeforeFixed,
label=label,
context=context,
fixed=None,
backend=backend)
key = kdf.derive(settings.SECRET_KEY.encode())
return urlsafe_b64encode(key)
def test_unicode_error_context(self, backend):
with pytest.raises(TypeError):
KBKDFHMAC(
hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
"context", # type: ignore[arg-type]
None,
backend=backend,
)
def test_unsupported_algorithm(self, backend):
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH):
KBKDFHMAC(
DummyHashAlgorithm(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
def test_unsupported_hash(self, backend):
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH):
KBKDFHMAC(
object(), # type: ignore[arg-type]
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
def test_unsupported_parameters(self, backend):
with pytest.raises(ValueError):
KBKDFHMAC(
hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
b"fixed",
backend=backend,
)
def test_key_length(self):
kdf = KBKDFHMAC(hashes.SHA1(),
Mode.CounterMode,
85899345920,
4,
4,
CounterLocation.BeforeFixed,
b'label',
b'context',
None,
backend=default_backend())
with pytest.raises(ValueError):
kdf.derive(b'material')
def test_unsupported_location(self, backend):
with pytest.raises(TypeError):
KBKDFHMAC(
hashes.SHA256(),
Mode.CounterMode,
32,
4,
4,
None, # type: ignore[arg-type]
b"label",
b"context",
None,
backend=backend,
)
def test_unsupported_mode(self, backend):
with pytest.raises(TypeError):
KBKDFHMAC(
hashes.SHA256(),
None, # type: ignore[arg-type]
32,
4,
4,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
def test_l(self, backend):
with pytest.raises(ValueError):
KBKDFHMAC(
hashes.SHA1(),
Mode.CounterMode,
32,
4,
None,
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)
def test_l_type(self, backend):
with pytest.raises(TypeError):
KBKDFHMAC(
hashes.SHA1(),
Mode.CounterMode,
32,
4,
b"l", # type: ignore[arg-type]
CounterLocation.BeforeFixed,
b"label",
b"context",
None,
backend=backend,
)