def test_does_not_hard_fail_on_invalid_signature(self):
start_date = START_DATE
end_date = END_DATE
digest = {'digestPublicKeyFingerprint': 'a',
'digestS3Bucket': '1',
'digestS3Object': 'abc',
'previousDigestSignature': '...',
'digestStartTime': (end_date - timedelta(hours=1)).strftime(
DATE_FORMAT),
'digestEndTime': end_date.strftime(DATE_FORMAT),
'_signature': '123'}
digest_provider = Mock()
digest_provider.load_digest_keys_in_range.return_value = ['abc']
digest_provider.fetch_digest.return_value = (digest, 'abc')
key_provider = Mock()
public_keys = {'a': {'Fingerprint': 'a', 'Value': 'a'}}
key_provider.get_public_keys.return_value = public_keys
digest_validator = Sha256RSADigestValidator()
on_invalid, calls = collecting_callback()
traverser = DigestTraverser(
digest_provider=digest_provider, starting_bucket='1',
starting_prefix='baz', public_key_provider=key_provider,
digest_validator=digest_validator, on_invalid=on_invalid)
digest_iter = traverser.traverse(start_date, end_date)
next(digest_iter, None)
self.assertEquals('Digest file\ts3://1/abc\tINVALID: Incorrect padding',
calls[0]['message'])
def test_does_not_expose_underlying_validation_error(self):
validator = Sha256RSADigestValidator()
try:
validator.validate('b', 'k', VALID_TEST_KEY, self._digest_data,
'invalid'.encode())
self.fail('Should have failed')
except DigestSignatureError as e:
self.assertEqual(('Digest file\ts3://b/k\tINVALID: signature '
'verification failed'), str(e))
def test_does_not_expose_underlying_key_decoding_error(self):
validator = Sha256RSADigestValidator()
try:
validator.validate('b', 'k', 'YQo=', self._digest_data,
'invalid'.encode())
self.fail('Should have failed')
except DigestError as e:
self.assertEqual(('Digest file\ts3://b/k\tINVALID: Unable to load '
'PKCS #1 key with fingerprint abc'), str(e))
def test_properly_signs_when_no_previous_signature(self):
validator = Sha256RSADigestValidator()
digest_data = {
'digestEndTime': 'a',
'digestS3Bucket': 'b',
'digestS3Object': 'c',
'previousDigestSignature': None}
signed = validator._create_string_to_sign(digest_data, 'abc'.encode())
self.assertEqual(
('a\nb/c\nba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff6'
'1f20015ad\nnull').encode(), signed)
def test_validates_digests(self):
(public_key, private_key) = rsa.newkeys(512)
sha256_hash = hashlib.sha256(self._inflated_digest)
string_to_sign = "%s\n%s/%s\n%s\n%s" % (
self._digest_data['digestEndTime'],
self._digest_data['digestS3Bucket'],
self._digest_data['digestS3Object'], sha256_hash.hexdigest(),
self._digest_data['previousDigestSignature'])
signature = rsa.sign(string_to_sign.encode(), private_key, 'SHA-256')
self._digest_data['_signature'] = binascii.hexlify(signature)
validator = Sha256RSADigestValidator()
public_key_b64 = base64.b64encode(public_key.save_pkcs1(format='DER'))
validator.validate('b', 'k', public_key_b64, self._digest_data,
self._inflated_digest)