2753bc
From ff80e3a27408657fef599f44ae1a9a875e005685 Mon Sep 17 00:00:00 2001
2753bc
From: Christian Heimes <christian@python.org>
2753bc
Date: Wed, 2 Mar 2022 21:47:04 +0200
2753bc
Subject: [PATCH 2/5] Disable DSA tests in FIPS mode (#6916)
2753bc
2753bc
* Disable DSA tests in FIPS mode
2753bc
2753bc
See: #6880
2753bc
2753bc
* ignore coverage for nested FIPS check
2753bc
2753bc
* Remove if branch
2753bc
2753bc
* Remove skip modulus branch
2753bc
2753bc
* Keep tests that don't use the backend
2753bc
---
2753bc
 .../hazmat/backends/openssl/backend.py        |  7 ++-
2753bc
 tests/hazmat/primitives/test_dsa.py           | 46 +++++++++++--------
2753bc
 tests/hazmat/primitives/test_serialization.py | 24 ++++++++++
2753bc
 tests/x509/test_x509.py                       | 43 ++++++++++++++---
2753bc
 tests/x509/test_x509_ext.py                   |  4 ++
2753bc
 5 files changed, 98 insertions(+), 26 deletions(-)
2753bc
2753bc
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
2753bc
index f38269e26..a6d0e8872 100644
2753bc
--- a/src/cryptography/hazmat/backends/openssl/backend.py
2753bc
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
2753bc
@@ -804,7 +804,12 @@ class Backend(BackendInterface):
2753bc
         self.openssl_assert(res == 1)
2753bc
         return evp_pkey
2753bc
 
2753bc
-    def dsa_hash_supported(self, algorithm):
2753bc
+    def dsa_supported(self) -> bool:
2753bc
+        return not self._fips_enabled
2753bc
+
2753bc
+    def dsa_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
2753bc
+        if not self.dsa_supported():
2753bc
+            return False
2753bc
         return self.hash_supported(algorithm)
2753bc
 
2753bc
     def dsa_parameters_supported(self, p, q, g):
2753bc
diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py
2753bc
index 6028b600d..60681683d 100644
2753bc
--- a/tests/hazmat/primitives/test_dsa.py
2753bc
+++ b/tests/hazmat/primitives/test_dsa.py
2753bc
@@ -59,7 +59,12 @@ def test_skip_if_dsa_not_supported(backend):
2753bc
         _skip_if_dsa_not_supported(backend, DummyHashAlgorithm(), 1, 1, 1)
2753bc
 
2753bc
 
2753bc
-class TestDSA(object):
2753bc
+
2753bc
+@pytest.mark.supported(
2753bc
+    only_if=lambda backend: backend.dsa_supported(),
2753bc
+    skip_message="Does not support DSA.",
2753bc
+)
2753bc
+class TestDSA:
2753bc
     def test_generate_dsa_parameters(self, backend):
2753bc
         parameters = dsa.generate_parameters(2048, backend)
2753bc
         assert isinstance(parameters, dsa.DSAParameters)
2753bc
@@ -76,11 +81,6 @@ class TestDSA(object):
2753bc
         ),
2753bc
     )
2753bc
     def test_generate_dsa_keys(self, vector, backend):
2753bc
-        if (
2753bc
-            backend._fips_enabled
2753bc
-            and vector["p"] < backend._fips_dsa_min_modulus
2753bc
-        ):
2753bc
-            pytest.skip("Small modulus blocked in FIPS mode")
2753bc
         parameters = dsa.DSAParameterNumbers(
2753bc
             p=vector["p"], q=vector["q"], g=vector["g"]
2753bc
         ).parameters(backend)
2753bc
@@ -389,7 +389,12 @@ class TestDSA(object):
2753bc
         ).private_key(backend)
2753bc
 
2753bc
 
2753bc
-class TestDSAVerification(object):
2753bc
+
2753bc
+@pytest.mark.supported(
2753bc
+    only_if=lambda backend: backend.dsa_supported(),
2753bc
+    skip_message="Does not support DSA.",
2753bc
+)
2753bc
+class TestDSAVerification:
2753bc
     def test_dsa_verification(self, backend, subtests):
2753bc
         vectors = load_vectors_from_file(
2753bc
             os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigVer.rsp"),
2753bc
@@ -481,17 +486,12 @@ class TestDSAVerification(object):
2753bc
                 Prehashed(hashes.SHA1())  # type: ignore[arg-type]
2753bc
             )
2753bc
 
2753bc
-    def test_prehashed_unsupported_in_verifier_ctx(self, backend):
2753bc
-        public_key = DSA_KEY_1024.private_key(backend).public_key()
2753bc
-        with pytest.raises(TypeError), pytest.warns(
2753bc
-            CryptographyDeprecationWarning
2753bc
-        ):
2753bc
-            public_key.verifier(
2753bc
-                b"0" * 64, Prehashed(hashes.SHA1())  # type: ignore[arg-type]
2753bc
-            )
2753bc
-
2753bc
 
2753bc
-class TestDSASignature(object):
2753bc
+@pytest.mark.supported(
2753bc
+    only_if=lambda backend: backend.dsa_supported(),
2753bc
+    skip_message="Does not support DSA.",
2753bc
+)
2753bc
+class TestDSASignature:
2753bc
     def test_dsa_signing(self, backend, subtests):
2753bc
         vectors = load_vectors_from_file(
2753bc
             os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigGen.txt"),
2753bc
@@ -695,7 +695,11 @@ class TestDSANumberEquality(object):
2753bc
         assert priv != object()
2753bc
 
2753bc
 
2753bc
-class TestDSASerialization(object):
2753bc
+@pytest.mark.supported(
2753bc
+    only_if=lambda backend: backend.dsa_supported(),
2753bc
+    skip_message="Does not support DSA.",
2753bc
+)
2753bc
+class TestDSASerialization:
2753bc
     @pytest.mark.parametrize(
2753bc
         ("fmt", "password"),
2753bc
         itertools.product(
2753bc
@@ -916,7 +920,11 @@ class TestDSASerialization(object):
2753bc
             )
2753bc
 
2753bc
 
2753bc
-class TestDSAPEMPublicKeySerialization(object):
2753bc
+@pytest.mark.supported(
2753bc
+    only_if=lambda backend: backend.dsa_supported(),
2753bc
+    skip_message="Does not support DSA.",
2753bc
+)
2753bc
+class TestDSAPEMPublicKeySerialization:
2753bc
     @pytest.mark.parametrize(
2753bc
         ("key_path", "loader_func", "encoding"),
2753bc
         [
2753bc
diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py
2753bc
index fb6b753de..5a2b9fba5 100644
2753bc
--- a/tests/hazmat/primitives/test_serialization.py
2753bc
+++ b/tests/hazmat/primitives/test_serialization.py
2753bc
@@ -141,6 +141,10 @@ class TestDERSerialization(object):
2753bc
         assert isinstance(key, rsa.RSAPrivateKey)
2753bc
         _check_rsa_private_numbers(key.private_numbers())
2753bc
 
2753bc
+    @pytest.mark.supported(
2753bc
+        only_if=lambda backend: backend.dsa_supported(),
2753bc
+        skip_message="Does not support DSA.",
2753bc
+    )
2753bc
     @pytest.mark.parametrize(
2753bc
         ("key_path", "password"),
2753bc
         [
2753bc
@@ -341,6 +345,10 @@ class TestDERSerialization(object):
2753bc
         with pytest.raises(ValueError):
2753bc
             load_der_public_key(b"invalid data", backend)
2753bc
 
2753bc
+    @pytest.mark.supported(
2753bc
+        only_if=lambda backend: backend.dsa_supported(),
2753bc
+        skip_message="Does not support DSA.",
2753bc
+    )
2753bc
     @pytest.mark.parametrize(
2753bc
         "key_file",
2753bc
         [
2753bc
@@ -422,6 +430,10 @@ class TestPEMSerialization(object):
2753bc
         assert isinstance(key, rsa.RSAPrivateKey)
2753bc
         _check_rsa_private_numbers(key.private_numbers())
2753bc
 
2753bc
+    @pytest.mark.supported(
2753bc
+        only_if=lambda backend: backend.dsa_supported(),
2753bc
+        skip_message="Does not support DSA.",
2753bc
+    )
2753bc
     @pytest.mark.parametrize(
2753bc
         ("key_path", "password"),
2753bc
         [
2753bc
@@ -490,6 +502,10 @@ class TestPEMSerialization(object):
2753bc
         numbers = key.public_numbers()
2753bc
         assert numbers.e == 65537
2753bc
 
2753bc
+    @pytest.mark.supported(
2753bc
+        only_if=lambda backend: backend.dsa_supported(),
2753bc
+        skip_message="Does not support DSA.",
2753bc
+    )
2753bc
     @pytest.mark.parametrize(
2753bc
         ("key_file"),
2753bc
         [
2753bc
@@ -894,6 +910,10 @@ class TestPEMSerialization(object):
2753bc
             16,
2753bc
         )
2753bc
 
2753bc
+    @pytest.mark.supported(
2753bc
+        only_if=lambda backend: backend.dsa_supported(),
2753bc
+        skip_message="Does not support DSA.",
2753bc
+    )
2753bc
     def test_load_pem_dsa_private_key(self, backend):
2753bc
         key = load_vectors_from_file(
2753bc
             os.path.join("asymmetric", "PKCS8", "unenc-dsa-pkcs8.pem"),
2753bc
@@ -2313,6 +2333,10 @@ class TestOpenSSHSerialization(object):
2753bc
                 DummyKeySerializationEncryption(),
2753bc
             )
2753bc
 
2753bc
+    @pytest.mark.supported(
2753bc
+        only_if=lambda backend: backend.dsa_supported(),
2753bc
+        skip_message="Does not support DSA.",
2753bc
+    )
2753bc
     @pytest.mark.parametrize(
2753bc
         ("key_path", "supported"),
2753bc
         [
2753bc
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
2753bc
index 23e97a768..7a7a52977 100644
2753bc
--- a/tests/x509/test_x509.py
2753bc
+++ b/tests/x509/test_x509.py
2753bc
@@ -2561,7 +2561,21 @@ class TestCertificateBuilder(object):
2753bc
         only_if=lambda backend: backend.hash_supported(hashes.MD5()),
2753bc
         skip_message="Requires OpenSSL with MD5 support",
2753bc
     )
2753bc
-    def test_sign_dsa_with_md5(self, backend):
2753bc
+    @pytest.mark.supported(
2753bc
+        only_if=lambda backend: backend.dsa_supported(),
2753bc
+        skip_message="Does not support DSA.",
2753bc
+    )
2753bc
+    @pytest.mark.parametrize(
2753bc
+        "hash_algorithm",
2753bc
+        [
2753bc
+            hashes.MD5(),
2753bc
+            hashes.SHA3_224(),
2753bc
+            hashes.SHA3_256(),
2753bc
+            hashes.SHA3_384(),
2753bc
+            hashes.SHA3_512(),
2753bc
+        ],
2753bc
+    )
2753bc
+    def test_sign_dsa_with_unsupported_hash(self, hash_algorithm, backend):
2753bc
         private_key = DSA_KEY_2048.private_key(backend)
2753bc
         builder = x509.CertificateBuilder()
2753bc
         builder = (
2753bc
@@ -2602,6 +2616,10 @@ class TestCertificateBuilder(object):
2753bc
         with pytest.raises(ValueError):
2753bc
             builder.sign(private_key, hashes.MD5(), backend)
2753bc
 
2753bc
+    @pytest.mark.supported(
2753bc
+        only_if=lambda backend: backend.dsa_supported(),
2753bc
+        skip_message="Does not support DSA.",
2753bc
+    )
2753bc
     @pytest.mark.parametrize(
2753bc
         ("hashalg", "hashalg_oid"),
2753bc
         [
2753bc
@@ -2615,9 +2633,6 @@ class TestCertificateBuilder(object):
2753bc
     def test_build_cert_with_dsa_private_key(
2753bc
         self, hashalg, hashalg_oid, backend
2753bc
     ):
2753bc
-        if backend._fips_enabled and hashalg is hashes.SHA1:
2753bc
-            pytest.skip("SHA1 not supported in FIPS mode")
2753bc
-
2753bc
         issuer_private_key = DSA_KEY_2048.private_key(backend)
2753bc
         subject_private_key = DSA_KEY_2048.private_key(backend)
2753bc
 
2753bc
@@ -3646,6 +3661,10 @@ class TestCertificateSigningRequestBuilder(object):
2753bc
         only_if=lambda backend: backend.hash_supported(hashes.MD5()),
2753bc
         skip_message="Requires OpenSSL with MD5 support",
2753bc
     )
2753bc
+    @pytest.mark.supported(
2753bc
+        only_if=lambda backend: backend.dsa_supported(),
2753bc
+        skip_message="Does not support DSA.",
2753bc
+    )
2753bc
     def test_sign_dsa_with_md5(self, backend):
2753bc
         private_key = DSA_KEY_2048.private_key(backend)
2753bc
         builder = x509.CertificateSigningRequestBuilder().subject_name(
2753bc
@@ -3969,6 +3988,10 @@ class TestCertificateSigningRequestBuilder(object):
2753bc
         assert basic_constraints.value.ca is True
2753bc
         assert basic_constraints.value.path_length == 2
2753bc
 
2753bc
+    @pytest.mark.supported(
2753bc
+        only_if=lambda backend: backend.dsa_supported(),
2753bc
+        skip_message="Does not support DSA.",
2753bc
+    )
2753bc
     def test_build_ca_request_with_dsa(self, backend):
2753bc
         private_key = DSA_KEY_2048.private_key(backend)
2753bc
 
2753bc
@@ -4319,7 +4342,11 @@ class TestCertificateSigningRequestBuilder(object):
2753bc
             builder.sign(private_key, hashes.SHA512(), backend)
2753bc
 
2753bc
 
2753bc
-class TestDSACertificate(object):
2753bc
+@pytest.mark.supported(
2753bc
+    only_if=lambda backend: backend.dsa_supported(),
2753bc
+    skip_message="Does not support DSA.",
2753bc
+)
2753bc
+class TestDSACertificate:
2753bc
     def test_load_dsa_cert(self, backend):
2753bc
         cert = _load_cert(
2753bc
             os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2753bc
@@ -4444,7 +4471,11 @@ class TestDSACertificate(object):
2753bc
         )
2753bc
 
2753bc
 
2753bc
-class TestDSACertificateRequest(object):
2753bc
+@pytest.mark.supported(
2753bc
+    only_if=lambda backend: backend.dsa_supported(),
2753bc
+    skip_message="Does not support DSA.",
2753bc
+)
2753bc
+class TestDSACertificateRequest:
2753bc
     @pytest.mark.parametrize(
2753bc
         ("path", "loader_func"),
2753bc
         [
2753bc
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
2753bc
index 4173dece6..66ac43d95 100644
2753bc
--- a/tests/x509/test_x509_ext.py
2753bc
+++ b/tests/x509/test_x509_ext.py
2753bc
@@ -1712,6 +1712,10 @@ class TestSubjectKeyIdentifierExtension(object):
2753bc
         ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
2753bc
         assert ext.value == ski
2753bc
 
2753bc
+    @pytest.mark.supported(
2753bc
+        only_if=lambda backend: backend.dsa_supported(),
2753bc
+        skip_message="Does not support DSA.",
2753bc
+    )
2753bc
     def test_from_dsa_public_key(self, backend):
2753bc
         cert = _load_cert(
2753bc
             os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
2753bc
-- 
2753bc
2.35.1
2753bc