March 2017 - tor-commits - lists.torproject.org

[stem/master] Note libffi-dev as a dependency in the faq
by atagar＠torproject.org 30 Mar '17

30 Mar '17

commit 665f9d5473a5f35887b3417d45692a05249c3c33 Author: Damian Johnson <atagar(a)torproject.org> Date: Sat Mar 11 15:15:42 2017 -0800 Note libffi-dev as a dependency in the faq Hmmm, getting a new error on my netbook when I try to install pynacl. Unfortunately I can't be positive this is the package I need since apt no longer works on my netbook, but 90% sure it's this. --- docs/faq.rst | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/faq.rst b/docs/faq.rst index 50718be..59dacfd 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -66,12 +66,20 @@ Note that if cryptography installation fails with... compilation terminated. error: command 'gcc' failed with exit status 1 -You need python-dev. For instance on Debian and Ubuntu you can install -cryptography with... +... or... :: - % sudo apt-get install python-dev + No package 'libffi' found + c/_cffi_backend.c:15:17: fatal error: ffi.h: No such file or directory + compilation terminated. + +You need the python-dev and libffi-dev packages. For instance on Debian and +Ubuntu you can install these with... + +:: + + % sudo apt-get install python-dev libffi-dev % sudo pip install cryptography % sudo pip install pynacl

1 0

[stem/master] Working onion-key-crosscert verification
by atagar＠torproject.org 30 Mar '17

30 Mar '17

commit ba1796674172f837e931033d8a060e435b768744 Author: Patrick O'Doherty <p(a)trickod.com> Date: Sun Feb 5 17:08:58 2017 -0800 Working onion-key-crosscert verification Compares the digest in the signature block provided with a calculated onion-key-crosscert digest and raises a ValueError if they do not match. --- stem/descriptor/certificate.py | 6 +++++- stem/descriptor/server_descriptor.py | 38 ++++++++++++++++++++++++++---------- 2 files changed, 33 insertions(+), 11 deletions(-) diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index e26992f..63ebace 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -162,7 +162,11 @@ class Ed25519KeyCertificate(Certificate): signed_part = descriptor[:descriptor.index('router-sig-ed25519 ') + len('router-sig-ed25519 ')] descriptor_with_prefix = ED25519_ROUTER_SIGNATURE_PREFIX + signed_part descriptor_sha256_digest = hashlib.sha256(descriptor_with_prefix).digest() - verify_key.verify(descriptor_sha256_digest, signature_bytes) + + try: + verify_key.verify(descriptor_sha256_digest, signature_bytes) + except BadSignatureError: + raise ValueError('Descriptor Ed25519 certificate signature invalid') def _verify_signature(self): if self.identity_key: diff --git a/stem/descriptor/server_descriptor.py b/stem/descriptor/server_descriptor.py index c5bcaad..7d134dd 100644 --- a/stem/descriptor/server_descriptor.py +++ b/stem/descriptor/server_descriptor.py @@ -34,6 +34,7 @@ etc). This information is provided from a few sources... import functools import hashlib import re +import base64 import stem.descriptor.extrainfo_descriptor import stem.exit_policy @@ -760,23 +761,22 @@ class RelayDescriptor(ServerDescriptor): if signed_digest != self.digest(): raise ValueError('Decrypted digest does not match local digest (calculated: %s, local: %s)' % (signed_digest, self.digest())) + if self.onion_key_crosscert: + onion_key_crosscert_digest = self._digest_for_signature(self.onion_key, self.onion_key_crosscert) + if onion_key_crosscert_digest != self.onion_key_crosscert_digest(): + raise ValueError('Decrypted onion-key-crosscert digest does not match local digest (calculated: %s, local: %s)' % (onion_key_crosscert_digest, self.onion_key_crosscert_digest())) + if stem.prereq.is_nacl_available() and self.ed25519_certificate: self.certificate = _parse_certificate(_bytes_for_block(self.ed25519_certificate), self.ed25519_master_key, validate) - if self.ed25519_master_key is not None: - if self.certificate.identity_key != self.ed25519_master_key: - raise ValueError("master-key-ed25519 does not match ed25519 certificate identity key") + if self.certificate.identity_key != self.ed25519_master_key: + raise ValueError("master-key-ed25519 does not match ed25519 certificate identity key") - self.certificate.verify_descriptor_signature(stem.util.str_tools._to_unicode(raw_contents), + self.certificate.verify_descriptor_signature(raw_contents, self.ed25519_signature) - onion_key_bytes = _bytes_for_block(self.onion_key) - from Crypto.Util import asn1 - seq = asn1.DerSequence() - seq.decode(onion_key_bytes) - self._digest_for_signature(self.onion_key, self.onion_key_crosscert) @lru_cache() @@ -786,11 +786,29 @@ class RelayDescriptor(ServerDescriptor): :returns: the digest string encoded in uppercase hex - :raises: ValueError if the digest canot be calculated + :raises: ValueError if the digest cannot be calculated """ return self._digest_for_content(b'router ', b'\nrouter-signature\n') + + @lru_cache() + def onion_key_crosscert_digest(self): + """ + Provides the digest of the onion-key-crosscert data consisting of the following: + + 1. SHA1 digest of the RSA identity key + 2. the ed25519 identity key + + :returns: the digest encoded in uppercase hex + + :raises: ValueError if the digest cannot be calculated + """ + signing_key_digest = hashlib.sha1(_bytes_for_block(self.signing_key)).digest() + data = signing_key_digest + base64.b64decode(self.ed25519_master_key + b'=') + return data.encode("hex").upper() + + def _compare(self, other, method): if not isinstance(other, RelayDescriptor): return False

1 0

[stem/master] Make prereq module's is_nacl_available private
by atagar＠torproject.org 30 Mar '17

30 Mar '17

commit b9c54575d18fe09834b9f99c1953b50202273957 Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Feb 27 15:52:34 2017 -0800 Make prereq module's is_nacl_available private Public methods need to be kept around for backward compatability. Hope is to eventually drop our nacl usage if functionality we need is merged into cryptography... https://github.com/pyca/cryptography/issues/2968 Making this private lets us drop the function later at will. --- stem/descriptor/certificate.py | 4 ++-- stem/descriptor/server_descriptor.py | 9 +++------ stem/prereq.py | 5 ++--- test/unit/descriptor/certificate.py | 2 +- 4 files changed, 8 insertions(+), 12 deletions(-) diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index 03b3781..c298e99 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -157,7 +157,7 @@ class Ed25519KeyCertificate(Certificate): raise ValueError('Expired Ed25519KeyCertificate') def verify_descriptor_signature(self, descriptor, signature): - if not stem.prereq.is_nacl_available(): + if not stem.prereq._is_nacl_available(): raise ValueError('Certificate validation requires the nacl module') import nacl.signing @@ -177,7 +177,7 @@ class Ed25519KeyCertificate(Certificate): raise ValueError('Descriptor Ed25519 certificate signature invalid') def _verify_signature(self): - if not stem.prereq.is_nacl_available(): + if not stem.prereq._is_nacl_available(): raise ValueError('Certificate validation requires the nacl module') import nacl.signing diff --git a/stem/descriptor/server_descriptor.py b/stem/descriptor/server_descriptor.py index a8a1ba2..84148d2 100644 --- a/stem/descriptor/server_descriptor.py +++ b/stem/descriptor/server_descriptor.py @@ -766,16 +766,13 @@ class RelayDescriptor(ServerDescriptor): if onion_key_crosscert_digest != self.onion_key_crosscert_digest(): raise ValueError('Decrypted onion-key-crosscert digest does not match local digest (calculated: %s, local: %s)' % (onion_key_crosscert_digest, self.onion_key_crosscert_digest())) - if stem.prereq.is_nacl_available() and self.ed25519_certificate: - self.certificate = _parse_certificate(_bytes_for_block(self.ed25519_certificate), - self.ed25519_master_key, - validate) + if stem.prereq._is_nacl_available() and self.ed25519_certificate: + self.certificate = _parse_certificate(_bytes_for_block(self.ed25519_certificate), self.ed25519_master_key, validate) if self.certificate.identity_key != self.ed25519_master_key: raise ValueError('master-key-ed25519 does not match ed25519 certificate identity key') - self.certificate.verify_descriptor_signature(raw_contents, - self.ed25519_signature) + self.certificate.verify_descriptor_signature(raw_contents, self.ed25519_signature) @lru_cache() def digest(self): diff --git a/stem/prereq.py b/stem/prereq.py index 5d6e80a..9f265e6 100644 --- a/stem/prereq.py +++ b/stem/prereq.py @@ -15,7 +15,6 @@ Checks for stem dependencies. We require python 2.6 or greater (including the check_requirements - checks for minimum requirements for running stem is_python_3 - checks if python 3.0 or later is available is_crypto_available - checks if the cryptography module is available - is_nacl_available - checks if the pynacl module is available """ import inspect @@ -151,7 +150,7 @@ def is_mock_available(): @lru_cache() -def is_nacl_available(): +def _is_nacl_available(): """ Checks if the pynacl functions we use are available. This is used for verifying ed25519 certificates in relay descriptor signatures. @@ -166,5 +165,5 @@ def is_nacl_available(): from nacl import signing return True except ImportError: - log.log_once('stem.prereq.is_nacl_available', log.INFO, NACL_UNAVAILABLE) + log.log_once('stem.prereq._is_nacl_available', log.INFO, NACL_UNAVAILABLE) return False diff --git a/test/unit/descriptor/certificate.py b/test/unit/descriptor/certificate.py index 24a5a7e..160b320 100644 --- a/test/unit/descriptor/certificate.py +++ b/test/unit/descriptor/certificate.py @@ -87,7 +87,7 @@ class TestCertificate(unittest.TestCase): ) def test_certificate_with_invalid_signature(self): - if not stem.prereq.is_nacl_available(): + if not stem.prereq._is_nacl_available(): test.runner.skip(self, '(require nacl module)') return

1 0

[stem/master] Only import nacl module if it's available
by atagar＠torproject.org 30 Mar '17

30 Mar '17

commit ba120539ed9d333c85a765156bb80c1336a19f21 Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Feb 27 12:11:09 2017 -0800 Only import nacl module if it's available Having a top level import like this puts a strict dependency on nacl. Nobody can use any part of stem without it. Narrowing this dependency to just the new additions. Also fixing our OrderedDict import so we continue to work with python 2.6. Support for python 2.6 won't be dropped until stem 2.x. --- stem/descriptor/__init__.py | 1 + stem/descriptor/certificate.py | 34 ++++++++++++++++++++++++---------- test/unit/descriptor/certificate.py | 13 +++++++++---- 3 files changed, 34 insertions(+), 14 deletions(-) diff --git a/stem/descriptor/__init__.py b/stem/descriptor/__init__.py index 4e90889..97e7699 100644 --- a/stem/descriptor/__init__.py +++ b/stem/descriptor/__init__.py @@ -646,6 +646,7 @@ class Descriptor(object): :returns: the digest string encoded in uppercase hex """ + digest_hash = hashlib.sha1(bytes_to_sign) return stem.util.str_tools._to_unicode(digest_hash.hexdigest().upper()) diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index 0c3b2b6..03b3781 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -5,32 +5,34 @@ Parsing for the Tor server descriptor Ed25519 Certificates, which is used to validate the Ed25519 key used to sign the relay descriptor. -Certificates can optionally contain CertificateExtension objects depending on their type and purpose. Currently Ed25519KeyCertificate certificates will contain one SignedWithEd25519KeyCertificateExtension - +Certificates can optionally contain CertificateExtension objects depending on +their type and purpose. Currently Ed25519KeyCertificate certificates will +contain one SignedWithEd25519KeyCertificateExtension. **Module Overview:** :: Certificate - Tor Certificate - |- Ed25519KeyCertificate - Certificate for Ed25519 signing key - +- +- verify_descriptor_signature - verify a relay descriptor against a signature - + +- Ed25519KeyCertificate - Certificate for Ed25519 signing key + +- verify_descriptor_signature - verify a relay descriptor against a signature CertificateExtension - Certificate extension - +- - SignedWithEd25519KeyCertificateExtension - Ed25519 signing key extension + +- SignedWithEd25519KeyCertificateExtension - Ed25519 signing key extension """ import base64 import hashlib import time -from collections import OrderedDict +import stem.prereq import stem.util.str_tools -import nacl.signing -from nacl.exceptions import BadSignatureError - +try: + # added in python 2.7 + from collections import OrderedDict +except ImportError: + from stem.util.ordereddict import OrderedDict SIGNATURE_LENGTH = 64 STANDARD_ATTRIBUTES_LENGTH = 40 @@ -155,6 +157,12 @@ class Ed25519KeyCertificate(Certificate): raise ValueError('Expired Ed25519KeyCertificate') def verify_descriptor_signature(self, descriptor, signature): + if not stem.prereq.is_nacl_available(): + raise ValueError('Certificate validation requires the nacl module') + + import nacl.signing + from nacl.exceptions import BadSignatureError + missing_padding = len(signature) % 4 signature_bytes = base64.b64decode(stem.util.str_tools._to_bytes(signature) + b'=' * missing_padding) verify_key = nacl.signing.VerifyKey(self.certified_key) @@ -169,6 +177,12 @@ class Ed25519KeyCertificate(Certificate): raise ValueError('Descriptor Ed25519 certificate signature invalid') def _verify_signature(self): + if not stem.prereq.is_nacl_available(): + raise ValueError('Certificate validation requires the nacl module') + + import nacl.signing + from nacl.exceptions import BadSignatureError + if self.identity_key: verify_key = nacl.signing.VerifyKey(base64.b64decode(self.identity_key + '=')) else: diff --git a/test/unit/descriptor/certificate.py b/test/unit/descriptor/certificate.py index 450685f..24a5a7e 100644 --- a/test/unit/descriptor/certificate.py +++ b/test/unit/descriptor/certificate.py @@ -5,13 +5,11 @@ Unit tests for stem.descriptor.certificate. import unittest import stem.descriptor.certificate - -import nacl.signing -import nacl.encoding +import stem.prereq +import test.runner class TestCertificate(unittest.TestCase): - def test_with_invalid_version(self): cert_bytes = '\x02\x04' self.assertRaisesRegexp( @@ -89,6 +87,13 @@ class TestCertificate(unittest.TestCase): ) def test_certificate_with_invalid_signature(self): + if not stem.prereq.is_nacl_available(): + test.runner.skip(self, '(require nacl module)') + return + + import nacl.signing + import nacl.encoding + master_key = nacl.signing.SigningKey.generate() master_key_base64 = master_key.encode(nacl.encoding.Base64Encoder)

1 0

[stem/master] Standardize on calling it pynacl
by atagar＠torproject.org 30 Mar '17

30 Mar '17

commit 478be70b817c4e74cb322caf1af4b7501d43c954 Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Feb 27 16:20:18 2017 -0800 Standardize on calling it pynacl Is it called nacl? PyNaCl? Seems the answer is 'both'. Settling on the name folks can google to get the installation instructions. --- stem/descriptor/certificate.py | 8 ++++---- stem/descriptor/server_descriptor.py | 2 +- stem/prereq.py | 6 +++--- test/unit/descriptor/certificate.py | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index c298e99..8904b58 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -157,8 +157,8 @@ class Ed25519KeyCertificate(Certificate): raise ValueError('Expired Ed25519KeyCertificate') def verify_descriptor_signature(self, descriptor, signature): - if not stem.prereq._is_nacl_available(): - raise ValueError('Certificate validation requires the nacl module') + if not stem.prereq._is_pynacl_available(): + raise ValueError('Certificate validation requires the pynacl module') import nacl.signing from nacl.exceptions import BadSignatureError @@ -177,8 +177,8 @@ class Ed25519KeyCertificate(Certificate): raise ValueError('Descriptor Ed25519 certificate signature invalid') def _verify_signature(self): - if not stem.prereq._is_nacl_available(): - raise ValueError('Certificate validation requires the nacl module') + if not stem.prereq._is_pynacl_available(): + raise ValueError('Certificate validation requires the pynacl module') import nacl.signing from nacl.exceptions import BadSignatureError diff --git a/stem/descriptor/server_descriptor.py b/stem/descriptor/server_descriptor.py index 84148d2..a695966 100644 --- a/stem/descriptor/server_descriptor.py +++ b/stem/descriptor/server_descriptor.py @@ -766,7 +766,7 @@ class RelayDescriptor(ServerDescriptor): if onion_key_crosscert_digest != self.onion_key_crosscert_digest(): raise ValueError('Decrypted onion-key-crosscert digest does not match local digest (calculated: %s, local: %s)' % (onion_key_crosscert_digest, self.onion_key_crosscert_digest())) - if stem.prereq._is_nacl_available() and self.ed25519_certificate: + if stem.prereq._is_pynacl_available() and self.ed25519_certificate: self.certificate = _parse_certificate(_bytes_for_block(self.ed25519_certificate), self.ed25519_master_key, validate) if self.certificate.identity_key != self.ed25519_master_key: diff --git a/stem/prereq.py b/stem/prereq.py index 9f265e6..e3d0051 100644 --- a/stem/prereq.py +++ b/stem/prereq.py @@ -27,7 +27,7 @@ except ImportError: from stem.util.lru_cache import lru_cache CRYPTO_UNAVAILABLE = "Unable to import the cryptography module. Because of this we'll be unable to verify descriptor signature integrity. You can get cryptography from: https://pypi.python.org/pypi/cryptography" -NACL_UNAVAILABLE = "Unable to import the pynacl module. Because of this we'll be unable to verify descriptor ed25519 certificate integrity. You can get pynacl from https://github.com/pyca/pynacl/" +PYNACL_UNAVAILABLE = "Unable to import the pynacl module. Because of this we'll be unable to verify descriptor ed25519 certificate integrity. You can get pynacl from https://pypi.python.org/pypi/PyNaCl/" def check_requirements(): @@ -150,7 +150,7 @@ def is_mock_available(): @lru_cache() -def _is_nacl_available(): +def _is_pynacl_available(): """ Checks if the pynacl functions we use are available. This is used for verifying ed25519 certificates in relay descriptor signatures. @@ -165,5 +165,5 @@ def _is_nacl_available(): from nacl import signing return True except ImportError: - log.log_once('stem.prereq._is_nacl_available', log.INFO, NACL_UNAVAILABLE) + log.log_once('stem.prereq._is_pynacl_available', log.INFO, PYNACL_UNAVAILABLE) return False diff --git a/test/unit/descriptor/certificate.py b/test/unit/descriptor/certificate.py index 160b320..61f6068 100644 --- a/test/unit/descriptor/certificate.py +++ b/test/unit/descriptor/certificate.py @@ -87,8 +87,8 @@ class TestCertificate(unittest.TestCase): ) def test_certificate_with_invalid_signature(self): - if not stem.prereq._is_nacl_available(): - test.runner.skip(self, '(require nacl module)') + if not stem.prereq._is_pynacl_available(): + test.runner.skip(self, '(require pynacl module)') return import nacl.signing

1 0

[stem/master] Fix parentheses indentation
by atagar＠torproject.org 30 Mar '17

30 Mar '17

commit 91299f02ee4643e626c50bdb85712a1c6f7e972f Author: Damian Johnson <atagar(a)torproject.org> Date: Sun Mar 12 14:58:15 2017 -0700 Fix parentheses indentation Interesting. Older pycodestyle version on my netbook caught a minor issue my desktop didn't. Oh well, it's minor - parentheses indentation was off a tad. --- stem/descriptor/certificate.py | 4 ++-- test/unit/descriptor/certificate.py | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index 09cf1cf..528d594 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -76,9 +76,9 @@ def _parse_certificate(raw_contents, master_key_bytes, validate = False): # Ed25519 authentication signed with ed25519 signing key pass else: - raise ValueError("Unknown Certificate type %s" % binascii.hexlify(cert_type)) + raise ValueError('Unknown Certificate type %s' % binascii.hexlify(cert_type)) else: - raise ValueError("Unknown Certificate version %s" % binascii.hexlify(version)) + raise ValueError('Unknown Certificate version %s' % binascii.hexlify(version)) def _parse_extensions(raw_contents): diff --git a/test/unit/descriptor/certificate.py b/test/unit/descriptor/certificate.py index 4e71e84..0603a32 100644 --- a/test/unit/descriptor/certificate.py +++ b/test/unit/descriptor/certificate.py @@ -42,7 +42,7 @@ class TestCertificate(unittest.TestCase): 'Certificate contained truncated extension', stem.descriptor.certificate._parse_extensions, stem.util.str_tools._to_bytes(cert_bytes) - ) + ) def test_parse_extensions_invalid_certificate_extension_type(self): cert_bytes = '\x00' * 39 # First 40 bytes are standard fields @@ -56,7 +56,7 @@ class TestCertificate(unittest.TestCase): 'Invalid certificate extension type:', stem.descriptor.certificate._parse_extensions, stem.util.str_tools._to_bytes(cert_bytes) - ) + ) def test_parse_extensions_invalid_n_extensions_count(self): cert_bytes = '\x00' * 39 # First 40 bytes are standard fields @@ -71,7 +71,7 @@ class TestCertificate(unittest.TestCase): 'n_extensions was 2 but parsed 1', stem.descriptor.certificate._parse_extensions, stem.util.str_tools._to_bytes(cert_bytes) - ) + ) def test_ed25519_key_certificate_without_extensions(self): cert_bytes = '\x01\x04' + '\x00' * 37 # First 40 bytes are standard fields @@ -85,7 +85,7 @@ class TestCertificate(unittest.TestCase): stem.util.str_tools._to_bytes(cert_bytes), None, validate = True - ) + ) def test_certificate_with_invalid_signature(self): if not stem.prereq._is_pynacl_available():

1 0

[stem/master] Drop _digest_for_bytes() helper
by atagar＠torproject.org 30 Mar '17

30 Mar '17

commit 5345118632c5446fa39d1f4b901c572b0f87067a Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Mar 13 09:17:47 2017 -0700 Drop _digest_for_bytes() helper Branch added this new helper but didn't end up using it, so might as well drop it. --- stem/descriptor/__init__.py | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/stem/descriptor/__init__.py b/stem/descriptor/__init__.py index 97e7699..6e8c5a4 100644 --- a/stem/descriptor/__init__.py +++ b/stem/descriptor/__init__.py @@ -636,18 +636,7 @@ class Descriptor(object): raise ValueError("Digest is for the range ending with '%s' but that isn't in our descriptor" % end) digest_content = raw_descriptor[start_index:end_index + len(end)] - return self._digest_for_bytes(digest_content) - - def _digest_for_bytes(self, bytes_to_sign): - """ - Provides a digest of the provided bytes - - :param bytes bytes_to_sign: the bytes for which we should generate a digest - - :returns: the digest string encoded in uppercase hex - """ - - digest_hash = hashlib.sha1(bytes_to_sign) + digest_hash = hashlib.sha1(stem.util.str_tools._to_bytes(digest_content)) return stem.util.str_tools._to_unicode(digest_hash.hexdigest().upper()) def __getattr__(self, name):

1 0

[stem/master] Use assertRaisesRegexp to check exception messages
by atagar＠torproject.org 30 Mar '17

30 Mar '17

commit 2f6544d56a2f46a001a55a639e4fa4b996b0e9f7 Author: Damian Johnson <atagar(a)torproject.org> Date: Sat Mar 11 23:12:55 2017 -0800 Use assertRaisesRegexp to check exception messages Interesting! New tests used assertRaisesRegexp which is a much nicer method of asserting what an exception message is. Using this throughout our codebase. --- test/integ/control/controller.py | 24 +++++-------- test/integ/process.py | 23 ++++++------ test/integ/util/system.py | 6 +--- test/unit/control/controller.py | 15 +++----- test/unit/descriptor/extrainfo_descriptor.py | 10 +++--- test/unit/descriptor/microdescriptor.py | 7 ++-- test/unit/descriptor/networkstatus/document_v3.py | 9 ++--- test/unit/descriptor/server_descriptor.py | 14 +++----- test/unit/manual.py | 43 +++++++---------------- test/unit/response/add_onion.py | 16 +++------ test/unit/util/proc.py | 9 ++--- 11 files changed, 56 insertions(+), 120 deletions(-) diff --git a/test/integ/control/controller.py b/test/integ/control/controller.py index a1f155b..f5c91d7 100644 --- a/test/integ/control/controller.py +++ b/test/integ/control/controller.py @@ -581,13 +581,11 @@ class TestController(unittest.TestCase): runner = test.runner.get_runner() with runner.get_tor_controller() as controller: + # try creating a service with an invalid ports + for ports in (4567890, [4567, 4567890], {4567: '-:4567'}): - try: - # try creating a service with an invalid port - response = controller.create_ephemeral_hidden_service(ports) - self.fail("we should've raised a stem.ProtocolError") - except stem.ProtocolError as exc: - self.assertEqual("ADD_ONION response didn't have an OK status: Invalid VIRTPORT/TARGET", str(exc)) + exc_msg = "ADD_ONION response didn't have an OK status: Invalid VIRTPORT/TARGET" + self.assertRaisesRegexp(stem.ProtocolError, exc_msg, controller.create_ephemeral_hidden_service, ports) response = controller.create_ephemeral_hidden_service(4567) self.assertEqual([response.service_id], controller.list_ephemeral_hidden_services()) @@ -654,11 +652,8 @@ class TestController(unittest.TestCase): runner = test.runner.get_runner() with runner.get_tor_controller() as controller: - try: - controller.create_ephemeral_hidden_service(4567, basic_auth = {}) - self.fail('ADD_ONION should fail when using basic auth without any clients') - except stem.ProtocolError as exc: - self.assertEqual("ADD_ONION response didn't have an OK status: No auth clients specified", str(exc)) + exc_msg = "ADD_ONION response didn't have an OK status: No auth clients specified" + self.assertRaisesRegexp(stem.ProtocolError, exc_msg, controller.create_ephemeral_hidden_service, 4567, basic_auth = {}) @require_controller @require_version(Requirement.ADD_ONION) @@ -1266,11 +1261,8 @@ class TestController(unittest.TestCase): # try to fetch something that doesn't exist - try: - desc = controller.get_hidden_service_descriptor('m4cfuk6qp4lpu2g3') - self.fail("Didn't expect m4cfuk6qp4lpu2g3.onion to exist, but provided: %s" % desc) - except stem.DescriptorUnavailable as exc: - self.assertEqual('No running hidden service at m4cfuk6qp4lpu2g3.onion', str(exc)) + exc_msg = 'No running hidden service at m4cfuk6qp4lpu2g3.onion' + self.assertRaisesRegexp(stem.DescriptorUnavailable, exc_msg, controller.get_hidden_service_descriptor, 'm4cfuk6qp4lpu2g3') # ... but shouldn't fail if we have a default argument or aren't awaiting the descriptor diff --git a/test/integ/process.py b/test/integ/process.py index 19d6750..3f7ac65 100644 --- a/test/integ/process.py +++ b/test/integ/process.py @@ -356,18 +356,17 @@ class TestProcess(unittest.TestCase): # [warn] Failed to parse/validate config: Failed to bind one of the listener ports. # [err] Reading config failed--see warnings above. - try: - stem.process.launch_tor_with_config( - tor_cmd = test.runner.get_runner().get_tor_command(), - config = { - 'SocksPort': '2777', - 'ControlPort': '2777', - 'DataDirectory': self.data_directory, - }, - ) - self.fail("We should abort when there's an identical SocksPort and ControlPort") - except OSError as exc: - self.assertEqual('Process terminated: Failed to bind one of the listener ports.', str(exc)) + self.assertRaisesRegexp( + OSError, + 'Process terminated: Failed to bind one of the listener ports.', + stem.process.launch_tor_with_config, + tor_cmd = test.runner.get_runner().get_tor_command(), + config = { + 'SocksPort': '2777', + 'ControlPort': '2777', + 'DataDirectory': self.data_directory, + }, + ) @only_run_once def test_launch_tor_with_timeout(self): diff --git a/test/integ/util/system.py b/test/integ/util/system.py index b6e66a0..be04393 100644 --- a/test/integ/util/system.py +++ b/test/integ/util/system.py @@ -564,11 +564,7 @@ class TestSystem(unittest.TestCase): self.assertEqual(os.path.join(home_dir, 'foo'), stem.util.system.expand_path('~%s/foo' % username)) def test_call_timeout(self): - try: - stem.util.system.call('sleep 1', timeout = 0.001) - self.fail("sleep should've timed out") - except stem.util.system.CallTimeoutError as exc: - self.assertEqual("Process didn't finish after 0.0 seconds", str(exc)) + self.assertRaisesRegexp(stem.util.system.CallTimeoutError, "Process didn't finish after 0.0 seconds", stem.util.system.call, 'sleep 1', timeout = 0.001) def test_call_time_tracked(self): """ diff --git a/test/unit/control/controller.py b/test/unit/control/controller.py index 0c82a94..47ac9d2 100644 --- a/test/unit/control/controller.py +++ b/test/unit/control/controller.py @@ -442,12 +442,8 @@ class TestControl(unittest.TestCase): get_info_mock.side_effect = ControllerError('nope, too bad') - try: - self.controller.get_network_status() - self.fail("We should've raised an exception") - except ControllerError as exc: - self.assertEqual('Unable to determine our own fingerprint: nope, too bad', str(exc)) - + exc_msg = 'Unable to determine our own fingerprint: nope, too bad' + self.assertRaisesRegexp(ControllerError, exc_msg, self.controller.get_network_status) self.assertEqual('boom', self.controller.get_network_status(default = 'boom')) # successful request @@ -469,11 +465,8 @@ class TestControl(unittest.TestCase): get_info_mock.side_effect = InvalidArguments(None, 'GETINFO request contained unrecognized keywords: ns/id/5AC9C5AA75BA1F18D8459B326B4B8111A856D290') - try: - self.controller.get_network_status('5AC9C5AA75BA1F18D8459B326B4B8111A856D290') - self.fail("We should've raised an exception") - except DescriptorUnavailable as exc: - self.assertEqual("Tor was unable to provide the descriptor for '5AC9C5AA75BA1F18D8459B326B4B8111A856D290'", str(exc)) + exc_msg = "Tor was unable to provide the descriptor for '5AC9C5AA75BA1F18D8459B326B4B8111A856D290'" + self.assertRaisesRegexp(DescriptorUnavailable, exc_msg, self.controller.get_network_status, '5AC9C5AA75BA1F18D8459B326B4B8111A856D290') @patch('stem.control.Controller.get_info') def test_get_network_status(self, get_info_mock): diff --git a/test/unit/descriptor/extrainfo_descriptor.py b/test/unit/descriptor/extrainfo_descriptor.py index 79d0b5c..cab3440 100644 --- a/test/unit/descriptor/extrainfo_descriptor.py +++ b/test/unit/descriptor/extrainfo_descriptor.py @@ -3,6 +3,7 @@ Unit tests for stem.descriptor.extrainfo_descriptor. """ import datetime +import re import unittest import stem.descriptor @@ -172,12 +173,9 @@ k0d2aofcVbHr4fPQOSST0LXDrhFl5Fqo5um296zpJGvRUeO6S44U/EfJAGShtqWw """ with open(get_resource('unparseable/extrainfo_nonascii_v3_reqs'), 'rb') as descriptor_file: - try: - next(stem.descriptor.parse_file(descriptor_file, 'extra-info 1.0', validate = True)) - self.fail("validation should've raised an exception") - except ValueError as exc: - expected = "'dirreq-v3-reqs' line had non-ascii content: S?=4026597208,S?=4026597208,S?=4026597208,S?=4026597208,S?=4026597208,S?=4026597208,??=4026591624,6?=4026537520,6?=4026537520,6?=4026537520,us=8" - self.assertEqual(expected, str(exc)) + desc_generator = stem.descriptor.parse_file(descriptor_file, 'extra-info 1.0', validate = True) + exc_msg = "'dirreq-v3-reqs' line had non-ascii content: S?=4026597208,S?=4026597208,S?=4026597208,S?=4026597208,S?=4026597208,S?=4026597208,??=4026591624,6?=4026537520,6?=4026537520,6?=4026537520,us=8" + self.assertRaisesRegexp(ValueError, re.escape(exc_msg), next, desc_generator) def test_minimal_extrainfo_descriptor(self): """ diff --git a/test/unit/descriptor/microdescriptor.py b/test/unit/descriptor/microdescriptor.py index 9b3fb2d..f9350d2 100644 --- a/test/unit/descriptor/microdescriptor.py +++ b/test/unit/descriptor/microdescriptor.py @@ -204,8 +204,5 @@ class TestMicrodescriptor(unittest.TestCase): desc = Microdescriptor(desc_text) self.assertEqual({}, desc.identifiers) - try: - Microdescriptor(desc_text, validate = True) - self.fail('constructor validation should fail') - except ValueError as exc: - self.assertEqual("There can only be one 'id' line per a key type, but 'rsa1024' appeared multiple times", str(exc)) + exc_msg = "There can only be one 'id' line per a key type, but 'rsa1024' appeared multiple times" + self.assertRaisesRegexp(ValueError, exc_msg, Microdescriptor, desc_text, validate = True) diff --git a/test/unit/descriptor/networkstatus/document_v3.py b/test/unit/descriptor/networkstatus/document_v3.py index e6e5d76..6a2e784 100644 --- a/test/unit/descriptor/networkstatus/document_v3.py +++ b/test/unit/descriptor/networkstatus/document_v3.py @@ -4,6 +4,7 @@ Unit tests for the NetworkStatusDocumentV3 of stem.descriptor.networkstatus. import datetime import io +import re import unittest import stem.descriptor @@ -1239,15 +1240,9 @@ DnN5aFtYKiTc19qIC7Nmo+afPdDEf0MlJvEOP5EWl3w= for attr, expected_exception in test_values: content = get_directory_authority(attr, content = True) - - try: - DirectoryAuthority(content, True) - self.fail("validation should've rejected malformed shared randomness attribute") - except ValueError as exc: - self.assertEqual(expected_exception, str(exc)) + self.assertRaisesRegexp(ValueError, re.escape(expected_exception), DirectoryAuthority, content, True) authority = DirectoryAuthority(content, False) - self.assertEqual([], authority.shared_randomness_commitments) self.assertEqual(None, authority.shared_randomness_previous_reveal_count) self.assertEqual(None, authority.shared_randomness_previous_value) diff --git a/test/unit/descriptor/server_descriptor.py b/test/unit/descriptor/server_descriptor.py index 8170532..b43a6f3 100644 --- a/test/unit/descriptor/server_descriptor.py +++ b/test/unit/descriptor/server_descriptor.py @@ -681,22 +681,16 @@ Qlx9HNCqCY877ztFRC624ja2ql6A2hBcuoYMbkHjcQ4= Checks a 'proto' line when it's not key=value pairs. """ - try: - get_relay_server_descriptor({'proto': 'Desc Link=1-4'}) - self.fail('Did not raise expected exception') - except ValueError as exc: - self.assertEqual("Protocol entires are expected to be a series of 'key=value' pairs but was: proto Desc Link=1-4", str(exc)) + exc_msg = "Protocol entires are expected to be a series of 'key=value' pairs but was: proto Desc Link=1-4" + self.assertRaisesRegexp(ValueError, exc_msg, get_relay_server_descriptor, {'proto': 'Desc Link=1-4'}) def test_parse_with_non_int_version(self): """ Checks a 'proto' line with non-numeric content. """ - try: - get_relay_server_descriptor({'proto': 'Desc=hi Link=1-4'}) - self.fail('Did not raise expected exception') - except ValueError as exc: - self.assertEqual('Protocol values should be a number or number range, but was: proto Desc=hi Link=1-4', str(exc)) + exc_msg = 'Protocol values should be a number or number range, but was: proto Desc=hi Link=1-4' + self.assertRaisesRegexp(ValueError, exc_msg, get_relay_server_descriptor, {'proto': 'Desc=hi Link=1-4'}) def test_ntor_onion_key(self): """ diff --git a/test/unit/manual.py b/test/unit/manual.py index 671ed93..06e0071 100644 --- a/test/unit/manual.py +++ b/test/unit/manual.py @@ -4,6 +4,7 @@ Unit testing for the stem.manual module. import io import os +import re import tempfile import unittest @@ -237,30 +238,21 @@ class TestManual(unittest.TestCase): self.assertTrue(len(manual.config_options) > 200) def test_download_man_page_without_arguments(self): - try: - stem.manual.download_man_page() - self.fail('we should fail without a path or file handler') - except ValueError as exc: - self.assertEqual("Either the path or file_handle we're saving to must be provided", str(exc)) + exc_msg = "Either the path or file_handle we're saving to must be provided" + self.assertRaisesRegexp(ValueError, exc_msg, stem.manual.download_man_page) @patch('stem.util.system.is_available', Mock(return_value = False)) def test_download_man_page_requires_a2x(self): - try: - stem.manual.download_man_page('/tmp/no_such_file') - self.fail('we should require a2x to be available') - except IOError as exc: - self.assertEqual('We require a2x from asciidoc to provide a man page', str(exc)) + exc_msg = 'We require a2x from asciidoc to provide a man page' + self.assertRaisesRegexp(IOError, exc_msg, stem.manual.download_man_page, '/tmp/no_such_file') @patch('tempfile.mkdtemp', Mock(return_value = '/no/such/path')) @patch('shutil.rmtree', Mock()) @patch('stem.manual.open', Mock(side_effect = IOError('unable to write to file')), create = True) @patch('stem.util.system.is_available', Mock(return_value = True)) def test_download_man_page_when_unable_to_write(self): - try: - stem.manual.download_man_page('/tmp/no_such_file') - self.fail("we shouldn't be able to write to /no/such/path") - except IOError as exc: - self.assertEqual("Unable to download tor's manual from https://gitweb.torproject.org/tor.git/plain/doc/tor.1.txt to /no/such/path/tor.1.txt: unable to write to file", str(exc)) + exc_msg = "Unable to download tor's manual from https://gitweb.torproject.org/tor.git/plain/doc/tor.1.txt to /no/such/path/tor.1.txt: unable to write to file" + self.assertRaisesRegexp(IOError, re.escape(exc_msg), stem.manual.download_man_page, '/tmp/no_such_file') @patch('tempfile.mkdtemp', Mock(return_value = '/no/such/path')) @patch('shutil.rmtree', Mock()) @@ -268,11 +260,8 @@ class TestManual(unittest.TestCase): @patch('stem.util.system.is_available', Mock(return_value = True)) @patch(URL_OPEN, Mock(side_effect = urllib.URLError('<urlopen error [Errno -2] Name or service not known>'))) def test_download_man_page_when_download_fails(self): - try: - stem.manual.download_man_page('/tmp/no_such_file', url = 'https://www.atagar.com/foo/bar') - self.fail("downloading from test_invalid_url.org shouldn't work") - except IOError as exc: - self.assertEqual("Unable to download tor's manual from https://www.atagar.com/foo/bar to /no/such/path/tor.1.txt: <urlopen error <urlopen error [Errno -2] Name or service not known>>", str(exc)) + exc_msg = "Unable to download tor's manual from https://www.atagar.com/foo/bar to /no/such/path/tor.1.txt: <urlopen error <urlopen error [Errno -2] Name or service not known>>" + self.assertRaisesRegexp(IOError, re.escape(exc_msg), stem.manual.download_man_page, '/tmp/no_such_file', url = 'https://www.atagar.com/foo/bar') @patch('tempfile.mkdtemp', Mock(return_value = '/no/such/path')) @patch('shutil.rmtree', Mock()) @@ -281,11 +270,8 @@ class TestManual(unittest.TestCase): @patch('stem.util.system.is_available', Mock(return_value = True)) @patch(URL_OPEN, Mock(return_value = io.BytesIO(b'test content'))) def test_download_man_page_when_a2x_fails(self): - try: - stem.manual.download_man_page('/tmp/no_such_file', url = 'https://www.atagar.com/foo/bar') - self.fail("downloading from test_invalid_url.org shouldn't work") - except IOError as exc: - self.assertEqual("Unable to run 'a2x -f manpage /no/such/path/tor.1.txt': call failed", str(exc)) + exc_msg = "Unable to run 'a2x -f manpage /no/such/path/tor.1.txt': call failed" + self.assertRaisesRegexp(IOError, exc_msg, stem.manual.download_man_page, '/tmp/no_such_file', url = 'https://www.atagar.com/foo/bar') @patch('tempfile.mkdtemp', Mock(return_value = '/no/such/path')) @patch('shutil.rmtree', Mock()) @@ -310,11 +296,8 @@ class TestManual(unittest.TestCase): @patch('stem.util.system.is_mac', Mock(return_value = False)) @patch('stem.util.system.call', Mock(side_effect = OSError('man --encoding=ascii -P cat tor returned exit status 16'))) def test_from_man_when_manual_is_unavailable(self): - try: - stem.manual.Manual.from_man() - self.fail("fetching the manual should fail when it's unavailable") - except IOError as exc: - self.assertEqual("Unable to run 'man --encoding=ascii -P cat tor': man --encoding=ascii -P cat tor returned exit status 16", str(exc)) + exc_msg = "Unable to run 'man --encoding=ascii -P cat tor': man --encoding=ascii -P cat tor returned exit status 16" + self.assertRaisesRegexp(IOError, exc_msg, stem.manual.Manual.from_man) @patch('stem.util.system.call', Mock(return_value = [])) def test_when_man_is_empty(self): diff --git a/test/unit/response/add_onion.py b/test/unit/response/add_onion.py index 64e3688..1213f0c 100644 --- a/test/unit/response/add_onion.py +++ b/test/unit/response/add_onion.py @@ -95,21 +95,13 @@ class TestAddOnionResponse(unittest.TestCase): Checks a response that lack an initial service id. """ - try: - response = mocking.get_message(WRONG_FIRST_KEY) - stem.response.convert('ADD_ONION', response) - self.fail("we should've raised a ProtocolError") - except stem.ProtocolError as exc: - self.assertTrue(str(exc).startswith('ADD_ONION response should start with')) + response = mocking.get_message(WRONG_FIRST_KEY) + self.assertRaisesRegexp(stem.ProtocolError, 'ADD_ONION response should start with', stem.response.convert, 'ADD_ONION', response) def test_no_key_type(self): """ Checks a response that's missing the private key type. """ - try: - response = mocking.get_message(MISSING_KEY_TYPE) - stem.response.convert('ADD_ONION', response) - self.fail("we should've raised a ProtocolError") - except stem.ProtocolError as exc: - self.assertTrue(str(exc).startswith('ADD_ONION PrivateKey lines should be of the form')) + response = mocking.get_message(MISSING_KEY_TYPE) + self.assertRaisesRegexp(stem.ProtocolError, 'ADD_ONION PrivateKey lines should be of the form', stem.response.convert, 'ADD_ONION', response) diff --git a/test/unit/util/proc.py b/test/unit/util/proc.py index 72b7131..5f65212 100644 --- a/test/unit/util/proc.py +++ b/test/unit/util/proc.py @@ -3,6 +3,7 @@ Unit testing code for the stem.util.proc functions. """ import io +import re import unittest from stem.util import proc @@ -174,12 +175,8 @@ class TestProc(unittest.TestCase): error_msg = "OSError: [Errno 2] No such file or directory: '/proc/2118/fd'" listdir_mock.side_effect = OSError(error_msg) - try: - proc.file_descriptors_used(2118) - self.fail('We should raise when listdir() fails') - except IOError as exc: - expected = 'Unable to check number of file descriptors used: %s' % error_msg - self.assertEqual(expected, str(exc)) + exc_msg = 'Unable to check number of file descriptors used: %s' % error_msg + self.assertRaisesRegexp(IOError, re.escape(exc_msg), proc.file_descriptors_used, 2118) # successful calls

1 0

[stem/master] Support assertRaisesRegexp with python 2.6
by atagar＠torproject.org 30 Mar '17

30 Mar '17

commit 3bb6377b83890c42061ca50b5e91c2b99be56df0 Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Mar 13 08:50:39 2017 -0700 Support assertRaisesRegexp with python 2.6 Python 2.7 added assertRaisesRegexp so until we drop support for 2.6 we'll need to provide it. --- stem/util/test_tools.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/stem/util/test_tools.py b/stem/util/test_tools.py index 0d70dc7..b75c4d0 100644 --- a/stem/util/test_tools.py +++ b/stem/util/test_tools.py @@ -27,6 +27,7 @@ import re import time import unittest +import stem.prereq import stem.util.conf import stem.util.system @@ -70,6 +71,17 @@ class TimedTestRunner(unittest.TextTestRunner): TEST_RUNTIMES[self.id()] = time.time() - start_time return result + # TODO: remove when dropping python 2.6 support + + def assertRaisesRegexp(self, exc_type, exc_msg, func, *args, **kwargs): + if stem.prereq._is_python_26(): + try: + func(*args, **kwargs) + except exc_type as exc: + self.assertTrue(re.match(exc_msg, str(exc))) + else: + return super(original_type, self).assertRaisesRegexp(exc_type, exc_msg, func, *args, **kwargs) + def id(self): return '%s.%s.%s' % (original_type.__module__, original_type.__name__, self._testMethodName)

1 0

[stem/master] Initially create test strings as bytes
by atagar＠torproject.org 30 Mar '17

30 Mar '17

commit af3a9fdf7207eb66788ffe5c24971af72d224101 Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Mar 13 09:34:28 2017 -0700 Initially create test strings as bytes Might as well construct our test input as bytes, rather than converting to them. --- stem/descriptor/server_descriptor.py | 1 + test/unit/descriptor/certificate.py | 116 ++++++++++++----------------------- 2 files changed, 39 insertions(+), 78 deletions(-) diff --git a/stem/descriptor/server_descriptor.py b/stem/descriptor/server_descriptor.py index dfb1bc5..76173a0 100644 --- a/stem/descriptor/server_descriptor.py +++ b/stem/descriptor/server_descriptor.py @@ -764,6 +764,7 @@ class RelayDescriptor(ServerDescriptor): if self.onion_key_crosscert: onion_key_crosscert_digest = self._digest_for_signature(self.onion_key, self.onion_key_crosscert) + if onion_key_crosscert_digest != self.onion_key_crosscert_digest(): raise ValueError('Decrypted onion-key-crosscert digest does not match local digest (calculated: %s, local: %s)' % (onion_key_crosscert_digest, self.onion_key_crosscert_digest())) diff --git a/test/unit/descriptor/certificate.py b/test/unit/descriptor/certificate.py index 0603a32..2f2f728 100644 --- a/test/unit/descriptor/certificate.py +++ b/test/unit/descriptor/certificate.py @@ -12,84 +12,51 @@ import test.runner class TestCertificate(unittest.TestCase): def test_with_invalid_version(self): cert_bytes = b'\x02\x04' - self.assertRaisesRegexp( - ValueError, - 'Unknown Certificate version', - stem.descriptor.certificate._parse_certificate, - cert_bytes, - None - ) + self.assertRaisesRegexp(ValueError, 'Unknown Certificate version', stem.descriptor.certificate._parse_certificate, cert_bytes, None) def test_with_invalid_type(self): cert_bytes = b'\x01\x07' - self.assertRaisesRegexp( - ValueError, - 'Unknown Certificate type', - stem.descriptor.certificate._parse_certificate, - cert_bytes, - None - ) + self.assertRaisesRegexp(ValueError, 'Unknown Certificate type', stem.descriptor.certificate._parse_certificate, cert_bytes, None) def test_parse_extensions_truncated_extension(self): - cert_bytes = '\x00' * 39 # First 40 bytes are standard fields - cert_bytes += '\x01' # n_extensions = 1 - cert_bytes += '\x00\x08' # extension length = 8 bytes - cert_bytes += '\x04' # ext_type = 0x04 - cert_bytes += stem.descriptor.certificate.SIGNATURE_LENGTH * '\x00' # pad empty signature block - - self.assertRaisesRegexp( - ValueError, - 'Certificate contained truncated extension', - stem.descriptor.certificate._parse_extensions, - stem.util.str_tools._to_bytes(cert_bytes) - ) + cert_bytes = b'\x00' * 39 # First 40 bytes are standard fields + cert_bytes += b'\x01' # n_extensions = 1 + cert_bytes += b'\x00\x08' # extension length = 8 bytes + cert_bytes += b'\x04' # ext_type = 0x04 + cert_bytes += stem.descriptor.certificate.SIGNATURE_LENGTH * b'\x00' # pad empty signature block + + self.assertRaisesRegexp(ValueError, 'Certificate contained truncated extension', stem.descriptor.certificate._parse_extensions, cert_bytes) def test_parse_extensions_invalid_certificate_extension_type(self): - cert_bytes = '\x00' * 39 # First 40 bytes are standard fields - cert_bytes += '\x01' # n_extensions = 1 - cert_bytes += '\x00\x08' # extension length = 8 bytes - cert_bytes += '\x00' * 6 # pad out to 8 bytes - cert_bytes += stem.descriptor.certificate.SIGNATURE_LENGTH * '\x00' # pad empty signature block - - self.assertRaisesRegexp( - ValueError, - 'Invalid certificate extension type:', - stem.descriptor.certificate._parse_extensions, - stem.util.str_tools._to_bytes(cert_bytes) - ) + cert_bytes = b'\x00' * 39 # First 40 bytes are standard fields + cert_bytes += b'\x01' # n_extensions = 1 + cert_bytes += b'\x00\x08' # extension length = 8 bytes + cert_bytes += b'\x00' * 6 # pad out to 8 bytes + cert_bytes += stem.descriptor.certificate.SIGNATURE_LENGTH * b'\x00' # pad empty signature block + + self.assertRaisesRegexp(ValueError, 'Invalid certificate extension type:', stem.descriptor.certificate._parse_extensions, cert_bytes) def test_parse_extensions_invalid_n_extensions_count(self): - cert_bytes = '\x00' * 39 # First 40 bytes are standard fields - cert_bytes += '\x02' # n_extensions = 2 - cert_bytes += '\x00\x08' # extension length = 8 bytes - cert_bytes += '\x04' # certificate type - cert_bytes += '\x00' * 5 # pad out to 8 bytes - cert_bytes += stem.descriptor.certificate.SIGNATURE_LENGTH * '\x00' # pad empty signature block - - self.assertRaisesRegexp( - ValueError, - 'n_extensions was 2 but parsed 1', - stem.descriptor.certificate._parse_extensions, - stem.util.str_tools._to_bytes(cert_bytes) - ) + cert_bytes = b'\x00' * 39 # First 40 bytes are standard fields + cert_bytes += b'\x02' # n_extensions = 2 + cert_bytes += b'\x00\x08' # extension length = 8 bytes + cert_bytes += b'\x04' # certificate type + cert_bytes += b'\x00' * 5 # pad out to 8 bytes + cert_bytes += stem.descriptor.certificate.SIGNATURE_LENGTH * b'\x00' # pad empty signature block + + self.assertRaisesRegexp(ValueError, 'n_extensions was 2 but parsed 1', stem.descriptor.certificate._parse_extensions, cert_bytes) def test_ed25519_key_certificate_without_extensions(self): - cert_bytes = '\x01\x04' + '\x00' * 37 # First 40 bytes are standard fields - cert_bytes += '\x00' # n_extensions = 0 - cert_bytes += stem.descriptor.certificate.SIGNATURE_LENGTH * '\x00' # pad empty signature block - - self.assertRaisesRegexp( - ValueError, - 'Ed25519KeyCertificate missing SignedWithEd25519KeyCertificateExtension extension', - stem.descriptor.certificate._parse_certificate, - stem.util.str_tools._to_bytes(cert_bytes), - None, - validate = True - ) + cert_bytes = b'\x01\x04' + b'\x00' * 37 # First 40 bytes are standard fields + cert_bytes += b'\x00' # n_extensions = 0 + cert_bytes += stem.descriptor.certificate.SIGNATURE_LENGTH * b'\x00' # pad empty signature block + + exc_msg = 'Ed25519KeyCertificate missing SignedWithEd25519KeyCertificateExtension extension' + self.assertRaisesRegexp(ValueError, exc_msg, stem.descriptor.certificate._parse_certificate, cert_bytes, None, validate = True) def test_certificate_with_invalid_signature(self): if not stem.prereq._is_pynacl_available(): - test.runner.skip(self, '(require pynacl module)') + test.runner.skip(self, '(requires pynacl module)') return import nacl.signing @@ -98,17 +65,10 @@ class TestCertificate(unittest.TestCase): master_key = nacl.signing.SigningKey.generate() master_key_base64 = master_key.encode(nacl.encoding.Base64Encoder) - cert_bytes = '\x01\x04' + '\x00' * 37 # 40 byte preamble of standard fields - cert_bytes += '\x01' # n_extensions = 1 - cert_bytes += '\x00\x08' # extentsion length = 8 bytes - cert_bytes += '\x04' + '\x00' * 5 # certificate type + padding out to 8 bytes - cert_bytes += stem.descriptor.certificate.SIGNATURE_LENGTH * '\x00' # empty signature block - - self.assertRaisesRegexp( - ValueError, - 'Ed25519KeyCertificate signature invalid', - stem.descriptor.certificate._parse_certificate, - stem.util.str_tools._to_bytes(cert_bytes), - master_key_base64, - validate = True - ) + cert_bytes = b'\x01\x04' + b'\x00' * 37 # 40 byte preamble of standard fields + cert_bytes += b'\x01' # n_extensions = 1 + cert_bytes += b'\x00\x08' # extentsion length = 8 bytes + cert_bytes += b'\x04' + b'\x00' * 5 # certificate type + padding out to 8 bytes + cert_bytes += stem.descriptor.certificate.SIGNATURE_LENGTH * b'\x00' # empty signature block + + self.assertRaisesRegexp(ValueError, 'Ed25519KeyCertificate signature invalid', stem.descriptor.certificate._parse_certificate, cert_bytes, master_key_base64, validate = True)

1 0