Yasuke/moto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve test coverage of KMS sign and verify (#5251)

Browse Source
This commit is contained in:
José Coelho 2022-06-23 21:45:07 +12:00 committed by GitHub
parent 6d68a5176b
commit 727bc2ba0a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 155 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
moto/kms/models.py
View File

@ -547,7 +547,6 @@ class KmsBackend(BaseBackend):
NOTES: NOTES:
- signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256 - signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
- message_type DIGEST is not implemented
- grant_tokens are not implemented - grant_tokens are not implemented
""" """
key = self.describe_key(key_id) key = self.describe_key(key_id)
@ -571,7 +570,6 @@ class KmsBackend(BaseBackend):
NOTES: NOTES:
- signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256 - signing_algorithm is ignored and hardcoded to RSASSA_PSS_SHA_256
- message_type DIGEST is not implemented
- grant_tokens are not implemented - grant_tokens are not implemented
""" """
key = self.describe_key(key_id) key = self.describe_key(key_id)

5
moto/kms/responses.py
View File

@ -617,11 +617,6 @@ class KmsResponse(BaseResponse):
"The GrantTokens-parameter is not yet implemented for client.sign()" "The GrantTokens-parameter is not yet implemented for client.sign()"
) )
if message_type == "DIGEST":
warnings.warn(
"The MessageType-parameter DIGEST is not yet implemented for client.sign()"
)
if signing_algorithm != "RSASSA_PSS_SHA_256": if signing_algorithm != "RSASSA_PSS_SHA_256":
warnings.warn( warnings.warn(
"The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.sign()" "The SigningAlgorithm-parameter is ignored hardcoded to RSASSA_PSS_SHA_256 for client.sign()"

155
tests/test_kms/test_kms_boto3.py
View File

@ -1,5 +1,6 @@
import json import json
from datetime import datetime from datetime import datetime
from cryptography.hazmat.primitives import hashes
from dateutil.tz import tzutc from dateutil.tz import tzutc
import base64 import base64
import os import os
@ -1161,6 +1162,66 @@ def test_sign_invalid_signing_algorithm():
) )
@mock_kms
def test_sign_and_verify_ignoring_grant_tokens():
client = boto3.client("kms", region_name="us-west-2")
key = client.create_key(Description="sign-key", KeyUsage="SIGN_VERIFY")
key_id = key["KeyMetadata"]["KeyId"]
message = "My message"
signing_algorithm = "RSASSA_PSS_SHA_256"
sign_response = client.sign(
KeyId=key_id,
Message=message,
SigningAlgorithm=signing_algorithm,
GrantTokens=["my-ignored-grant-token"],
)
sign_response["Signature"].should_not.equal(message)
verify_response = client.verify(
KeyId=key_id,
Message=message,
Signature=sign_response["Signature"],
SigningAlgorithm=signing_algorithm,
GrantTokens=["my-ignored-grant-token"],
)
verify_response["SignatureValid"].should.equal(True)
@mock_kms
def test_sign_and_verify_digest_message_type_256():
client = boto3.client("kms", region_name="us-west-2")
key = client.create_key(Description="sign-key", KeyUsage="SIGN_VERIFY")
key_id = key["KeyMetadata"]["KeyId"]
digest = hashes.Hash(hashes.SHA256())
digest.update(b"this works")
digest.update(b"as well")
message = digest.finalize()
signing_algorithm = "RSASSA_PSS_SHA_256"
sign_response = client.sign(
KeyId=key_id,
Message=message,
SigningAlgorithm=signing_algorithm,
MessageType="DIGEST",
)
verify_response = client.verify(
KeyId=key_id,
Message=message,
Signature=sign_response["Signature"],
SigningAlgorithm=signing_algorithm,
)
verify_response["SignatureValid"].should.equal(True)
@mock_kms @mock_kms
def test_sign_invalid_key_usage(): def test_sign_invalid_key_usage():
client = boto3.client("kms", region_name="us-west-2") client = boto3.client("kms", region_name="us-west-2")
@ -1225,3 +1286,97 @@ def test_verify_happy(plaintext):
verify_response["SigningAlgorithm"].should.equal(signing_algorithm) verify_response["SigningAlgorithm"].should.equal(signing_algorithm)
verify_response["KeyId"].should.equal(key_arn) verify_response["KeyId"].should.equal(key_arn)
verify_response["SignatureValid"].should.equal(True) verify_response["SignatureValid"].should.equal(True)
@mock_kms
def test_verify_happy_with_invalid_signature():
client = boto3.client("kms", region_name="us-west-2")
key = client.create_key(Description="sign-key", KeyUsage="SIGN_VERIFY")
key_id = key["KeyMetadata"]["KeyId"]
key_arn = key["KeyMetadata"]["Arn"]
signing_algorithm = "RSASSA_PSS_SHA_256"
verify_response = client.verify(
KeyId=key_id,
Message="my test",
Signature="invalid signature",
SigningAlgorithm=signing_algorithm,
)
verify_response["SigningAlgorithm"].should.equal(signing_algorithm)
verify_response["KeyId"].should.equal(key_arn)
verify_response["SignatureValid"].should.equal(False)
@mock_kms
def test_verify_invalid_signing_algorithm():
client = boto3.client("kms", region_name="us-west-2")
key = client.create_key(Description="sign-key", KeyUsage="SIGN_VERIFY")
key_id = key["KeyMetadata"]["KeyId"]
message = "My message"
signature = "any"
signing_algorithm = "INVALID"
with pytest.raises(ClientError) as ex:
client.verify(
KeyId=key_id,
Message=message,
Signature=signature,
SigningAlgorithm=signing_algorithm,
)
err = ex.value.response["Error"]
err["Code"].should.equal("ValidationException")
err["Message"].should.equal(
"1 validation error detected: Value 'INVALID' at 'SigningAlgorithm' failed to satisfy constraint: Member must satisfy enum value set: ['RSASSA_PKCS1_V1_5_SHA_256', 'RSASSA_PKCS1_V1_5_SHA_384', 'RSASSA_PKCS1_V1_5_SHA_512', 'RSASSA_PSS_SHA_256', 'RSASSA_PSS_SHA_384', 'RSASSA_PSS_SHA_512']"
)
@mock_kms
def test_verify_invalid_message():
client = boto3.client("kms", region_name="us-west-2")
key = client.create_key(Description="sign-key", KeyUsage="SIGN_VERIFY")
key_id = key["KeyMetadata"]["KeyId"]
signing_algorithm = "RSASSA_PSS_SHA_256"
with pytest.raises(ClientError) as ex:
client.verify(
KeyId=key_id,
Message="",
Signature="a signature",
SigningAlgorithm=signing_algorithm,
)
err = ex.value.response["Error"]
err["Code"].should.equal("ValidationException")
err["Message"].should.equal(
"1 validation error detected: Value at 'Message' failed to satisfy constraint: Member must have length greater than or equal to 1"
)
@mock_kms
def test_verify_empty_signature():
client = boto3.client("kms", region_name="us-west-2")
key = client.create_key(Description="sign-key", KeyUsage="SIGN_VERIFY")
key_id = key["KeyMetadata"]["KeyId"]
message = "My message"
signing_algorithm = "RSASSA_PSS_SHA_256"
signature = ""
with pytest.raises(ClientError) as ex:
client.verify(
KeyId=key_id,
Message=message,
Signature=signature,
SigningAlgorithm=signing_algorithm,
)
err = ex.value.response["Error"]
err["Code"].should.equal("ValidationException")
err["Message"].should.equal(
"1 validation error detected: Value at 'Signature' failed to satisfy constraint: Member must have length greater than or equal to 1"
)