1 # Copyright 2016 Google Inc. All rights reserved.
2 #
3 # Licensed under the Apache License, Version 2.0 (the "License");
4 # you may not use this file except in compliance with the License.
5 # You may obtain a copy of the License at
6 #
7 #      http://www.apache.org/licenses/LICENSE-2.0
8 #
9 # Unless required by applicable law or agreed to in writing, software
10 # distributed under the License is distributed on an "AS IS" BASIS,
11 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 # See the License for the specific language governing permissions and
13 # limitations under the License.
14 
15 """Unit tests for oauth2client._pure_python_crypt."""
16 
17 import os
18 
19 import mock
20 from pyasn1_modules import pem
21 import rsa
22 import six
23 import unittest2
24 
25 from oauth2client import _helpers
26 from oauth2client import _pure_python_crypt
27 from oauth2client import crypt
28 
29 
30 class TestRsaVerifier(unittest2.TestCase):
31 
32     PUBLIC_KEY_FILENAME = os.path.join(os.path.dirname(__file__),
33                                        'data', 'privatekey.pub')
34     PUBLIC_CERT_FILENAME = os.path.join(os.path.dirname(__file__),
35                                         'data', 'public_cert.pem')
36     PRIVATE_KEY_FILENAME = os.path.join(os.path.dirname(__file__),
37                                         'data', 'privatekey.pem')
38 
39     def _load_public_key_bytes(self):
40         with open(self.PUBLIC_KEY_FILENAME, 'rb') as fh:
41             return fh.read()
42 
43     def _load_public_cert_bytes(self):
44         with open(self.PUBLIC_CERT_FILENAME, 'rb') as fh:
45             return fh.read()
46 
47     def _load_private_key_bytes(self):
48         with open(self.PRIVATE_KEY_FILENAME, 'rb') as fh:
49             return fh.read()
50 
51     def test_verify_success(self):
52         to_sign = b'foo'
53         signer = crypt.RsaSigner.from_string(self._load_private_key_bytes())
54         actual_signature = signer.sign(to_sign)
55 
56         verifier = crypt.RsaVerifier.from_string(
57             self._load_public_key_bytes(), is_x509_cert=False)
58         self.assertTrue(verifier.verify(to_sign, actual_signature))
59 
60     def test_verify_unicode_success(self):
61         to_sign = u'foo'
62         signer = crypt.RsaSigner.from_string(self._load_private_key_bytes())
63         actual_signature = signer.sign(to_sign)
64 
65         verifier = crypt.RsaVerifier.from_string(
66             self._load_public_key_bytes(), is_x509_cert=False)
67         self.assertTrue(verifier.verify(to_sign, actual_signature))
68 
69     def test_verify_failure(self):
70         verifier = crypt.RsaVerifier.from_string(
71             self._load_public_key_bytes(), is_x509_cert=False)
72         bad_signature1 = b''
73         self.assertFalse(verifier.verify(b'foo', bad_signature1))
74         bad_signature2 = b'a'
75         self.assertFalse(verifier.verify(b'foo', bad_signature2))
76 
77     def test_from_string_pub_key(self):
78         public_key = self._load_public_key_bytes()
79         verifier = crypt.RsaVerifier.from_string(
80             public_key, is_x509_cert=False)
81         self.assertIsInstance(verifier, crypt.RsaVerifier)
82         self.assertIsInstance(verifier._pubkey, rsa.key.PublicKey)
83 
84     def test_from_string_pub_key_unicode(self):
85         public_key = _helpers._from_bytes(self._load_public_key_bytes())
86         verifier = crypt.RsaVerifier.from_string(
87             public_key, is_x509_cert=False)
88         self.assertIsInstance(verifier, crypt.RsaVerifier)
89         self.assertIsInstance(verifier._pubkey, rsa.key.PublicKey)
90 
91     def test_from_string_pub_cert(self):
92         public_cert = self._load_public_cert_bytes()
93         verifier = crypt.RsaVerifier.from_string(
94             public_cert, is_x509_cert=True)
95         self.assertIsInstance(verifier, crypt.RsaVerifier)
96         self.assertIsInstance(verifier._pubkey, rsa.key.PublicKey)
97 
98     def test_from_string_pub_cert_unicode(self):
99         public_cert = _helpers._from_bytes(self._load_public_cert_bytes())
100         verifier = crypt.RsaVerifier.from_string(
101             public_cert, is_x509_cert=True)
102         self.assertIsInstance(verifier, crypt.RsaVerifier)
103         self.assertIsInstance(verifier._pubkey, rsa.key.PublicKey)
104 
105     def test_from_string_pub_cert_failure(self):
106         cert_bytes = self._load_public_cert_bytes()
107         true_der = rsa.pem.load_pem(cert_bytes, 'CERTIFICATE')
108         with mock.patch('rsa.pem.load_pem',
109                         return_value=true_der + b'extra') as load_pem:
110             with self.assertRaises(ValueError):
111                 crypt.RsaVerifier.from_string(cert_bytes, is_x509_cert=True)
112             load_pem.assert_called_once_with(cert_bytes, 'CERTIFICATE')
113 
114 
115 class TestRsaSigner(unittest2.TestCase):
116 
117     PKCS1_KEY_FILENAME = os.path.join(os.path.dirname(__file__),
118                                       'data', 'privatekey.pem')
119     PKCS8_KEY_FILENAME = os.path.join(os.path.dirname(__file__),
120                                       'data', 'pem_from_pkcs12.pem')
121     PKCS12_KEY_FILENAME = os.path.join(os.path.dirname(__file__),
122                                        'data', 'privatekey.p12')
123 
124     def _load_pkcs1_key_bytes(self):
125         with open(self.PKCS1_KEY_FILENAME, 'rb') as fh:
126             return fh.read()
127 
128     def _load_pkcs8_key_bytes(self):
129         with open(self.PKCS8_KEY_FILENAME, 'rb') as fh:
130             return fh.read()
131 
132     def _load_pkcs12_key_bytes(self):
133         with open(self.PKCS12_KEY_FILENAME, 'rb') as fh:
134             return fh.read()
135 
136     def test_from_string_pkcs1(self):
137         key_bytes = self._load_pkcs1_key_bytes()
138         signer = crypt.RsaSigner.from_string(key_bytes)
139         self.assertIsInstance(signer, crypt.RsaSigner)
140         self.assertIsInstance(signer._key, rsa.key.PrivateKey)
141 
142     def test_from_string_pkcs1_unicode(self):
143         key_bytes = _helpers._from_bytes(self._load_pkcs1_key_bytes())
144         signer = crypt.RsaSigner.from_string(key_bytes)
145         self.assertIsInstance(signer, crypt.RsaSigner)
146         self.assertIsInstance(signer._key, rsa.key.PrivateKey)
147 
148     def test_from_string_pkcs8(self):
149         key_bytes = self._load_pkcs8_key_bytes()
150         signer = crypt.RsaSigner.from_string(key_bytes)
151         self.assertIsInstance(signer, crypt.RsaSigner)
152         self.assertIsInstance(signer._key, rsa.key.PrivateKey)
153 
154     def test_from_string_pkcs8_extra_bytes(self):
155         key_bytes = self._load_pkcs8_key_bytes()
156         _, pem_bytes = pem.readPemBlocksFromFile(
157             six.StringIO(_helpers._from_bytes(key_bytes)),
158             _pure_python_crypt._PKCS8_MARKER)
159 
160         with mock.patch('pyasn1.codec.der.decoder.decode') as mock_decode:
161             key_info, remaining = None, 'extra'
162             mock_decode.return_value = (key_info, remaining)
163             with self.assertRaises(ValueError):
164                 crypt.RsaSigner.from_string(key_bytes)
165             # Verify mock was called.
166             mock_decode.assert_called_once_with(
167                 pem_bytes, asn1Spec=_pure_python_crypt._PKCS8_SPEC)
168 
169     def test_from_string_pkcs8_unicode(self):
170         key_bytes = _helpers._from_bytes(self._load_pkcs8_key_bytes())
171         signer = crypt.RsaSigner.from_string(key_bytes)
172         self.assertIsInstance(signer, crypt.RsaSigner)
173         self.assertIsInstance(signer._key, rsa.key.PrivateKey)
174 
175     def test_from_string_pkcs12(self):
176         key_bytes = self._load_pkcs12_key_bytes()
177         with self.assertRaises(ValueError):
178             crypt.RsaSigner.from_string(key_bytes)
179 
180     def test_from_string_bogus_key(self):
181         key_bytes = 'bogus-key'
182         with self.assertRaises(ValueError):
183             crypt.RsaSigner.from_string(key_bytes)
184