def test_fail_on_illegal_keyops_verifying(ops):
msg = Sign1Message(phdr={'ALG': 'ES256'},
payload="signed message".encode('utf-8'))
ec2_key = EC2Key.generate_key(crv='P_256')
msg.key = ec2_key
msg = msg.encode()
msg = CoseMessage.decode(msg)
# set an illegal key op
if ops in {
'ENCRYPT', 'DECRYPT', 'WRAP', 'UNWRAP', 'MAC_CREATE', 'MAC_VERIFY'
}:
with pytest.raises(CoseIllegalKeyOps) as excinfo:
ec2_key.key_ops = [ops]
assert "Invalid COSE key operation" in str(excinfo.value)
return
else:
ec2_key.key_ops = [ops]
msg.key = ec2_key
with pytest.raises(CoseIllegalKeyOps) as excinfo:
msg.verify_signature()
assert "Illegal key operations specified." in str(excinfo.value)
def test_fail_on_non_matching_algorithms_phdr(alg):
msg = Sign1Message(phdr={'ALG': 'ES256'},
payload="signed message".encode('utf-8'))
ec2_key = EC2Key.generate_key(crv='P_256', optional_params={'ALG': alg})
msg.key = ec2_key
with pytest.raises(CoseIllegalAlgorithm) as excinfo:
msg.encode()
assert "Conflicting algorithms" in str(excinfo.value)
def test_fail_on_illegal_keyops_signing(ops):
msg = Sign1Message(phdr={'ALG': 'ES256'},
payload="signed message".encode('utf-8'))
ec2_key = EC2Key.generate_key(crv='P_256',
optional_params={'KEY_OPS': [ops]})
msg.key = ec2_key
with pytest.raises(CoseIllegalKeyOps) as excinfo:
msg.encode()
assert "Illegal key operations specified." in str(excinfo.value)
def sign(
self,
private_key: CoseKey,
alg: cose.algorithms.CoseAlgorithm,
kid_protected: bool = True,
sign1: bool = True,
) -> bytes:
self.protected_header.update({
cose.headers.Algorithm:
alg,
cose.headers.ContentType:
CoseContentTypes.CWT.value,
})
if kid_protected:
self.protected_header[cose.headers.KID] = private_key.kid
else:
self.unprotected_header[cose.headers.KID] = private_key.kid
if sign1:
cose_msg = Sign1Message(
phdr=self.protected_header
if len(self.protected_header) else None,
uhdr=self.unprotected_header
if len(self.unprotected_header) else None,
payload=cbor2.dumps(self.claims),
)
cose_msg.key = private_key
else:
signers = [
CoseSignature(
phdr=self.protected_header
if len(self.protected_header) else None,
uhdr=self.unprotected_header
if len(self.unprotected_header) else None,
key=private_key,
)
]
cose_msg = SignMessage(
phdr={cose.headers.ContentType: CoseContentTypes.CWT.value},
uhdr=self.unprotected_header
if len(self.unprotected_header) else None,
payload=cbor2.dumps(self.claims),
signers=signers,
)
return cose_msg.encode()
def test_ec2sign1_encoding(setup_ec2sign1_tests) -> None:
_, test_input, test_output, test_intermediate, fail = setup_ec2sign1_tests
sign1 = Sign1Message(phdr=test_input['sign0'].get('protected', {}),
uhdr=test_input['sign0'].get('unprotected', {}),
payload=test_input.get('plaintext',
'').encode('utf-8'),
external_aad=unhexlify(test_input['sign0'].get(
"external", b'')))
assert sign1._sig_structure == unhexlify(test_intermediate["ToBeSign_hex"])
private_key = create_cose_key(EC2,
test_input['sign0']['key'],
usage=KeyOps.SIGN,
alg=extract_alg(test_input["sign0"]))
if fail:
assert sign1.encode(private_key) != unhexlify(test_output)
else:
assert sign1.encode(private_key) == unhexlify(test_output)
def test_sign1_encoding(test_sign1):
test_input = test_sign1['input']
test_output = test_sign1['output']
msg = Sign1Message(phdr=test_input['protected'],
uhdr=test_input['unprotected'],
payload=test_input['plaintext'],
external_aad=test_input['external_aad'])
assert msg.phdr_encoded == test_output['protected']
assert msg.uhdr_encoded == test_output['unprotected']
assert msg._sig_structure == test_output['structure']
key = CoseKey.from_dict(test_sign1["cek"])
key.key_ops = [SignOp, VerifyOp]
msg.key = key
assert msg.compute_signature() == test_output['signature']
assert cbor2.loads(
msg.encode(tag=test_sign1['cbor_tag'])) == test_output['result']