diff options
author | Mark McLoughlin <markmc@redhat.com> | 2015-12-21 23:54:17 +0000 |
---|---|---|
committer | Mark McLoughlin <markmc@redhat.com> | 2015-12-23 07:06:30 +0000 |
commit | 291e71990a0866836d1becea6d519df9abaaa186 (patch) | |
tree | df92ee8fede615bbbc5def5729726d22d56fcafa /nova/tests/unit/test_signature_utils.py | |
parent | 7bba58d0ad86e4c66b96eb08402c44c3678ec83b (diff) | |
download | nova-291e71990a0866836d1becea6d519df9abaaa186.tar.gz |
signature_utils: handle ECC curve unavailability
Some ECC curves are unavailable on some platforms (like Fedora, RHEL,
and CentOS) because of legal concerns. See the bug report for more
details and history.
The cryptography backend has a elliptic_curve_supported() method
which we can use to avoid curves which are unavailable on the current
platform.
If an image signature uses one of these curves, we will return an
"Invalid signature key type" error.
Use the warnings module in the unit tests to avoid silently ignoring
this issue during testing. This warning will be captured from the
test's stderr and reported by testr.
Closes-Bug: #1528393
Change-Id: Ie25311c48b276f300fadaf1815fc4df4cb89cf8d
Signed-off-by: Mark McLoughlin <markmc@redhat.com>
Diffstat (limited to 'nova/tests/unit/test_signature_utils.py')
-rw-r--r-- | nova/tests/unit/test_signature_utils.py | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/nova/tests/unit/test_signature_utils.py b/nova/tests/unit/test_signature_utils.py index fb6b51406b..510ed70e04 100644 --- a/nova/tests/unit/test_signature_utils.py +++ b/nova/tests/unit/test_signature_utils.py @@ -34,6 +34,7 @@ TEST_RSA_PRIVATE_KEY = rsa.generate_private_key(public_exponent=3, key_size=1024, backend=default_backend()) +# secp521r1 is assumed to be available on all supported platforms TEST_ECC_PRIVATE_KEY = ec.generate_private_key(ec.SECP521R1(), default_backend()) @@ -163,6 +164,14 @@ class TestSignatureUtils(test.NoDBTestCase): data = b'224626ae19824466f2a7f39ab7b80f7f' # test every ECC curve for curve in signature_utils.ECC_CURVES: + key_type_name = 'ECC_' + curve.name.upper() + try: + signature_utils.SignatureKeyType.lookup(key_type_name) + except exception.SignatureVerificationError: + import warnings + warnings.warn("ECC curve '%s' not supported" % curve.name) + continue + # Create a private key to use private_key = ec.generate_private_key(curve, default_backend()) @@ -176,7 +185,7 @@ class TestSignatureUtils(test.NoDBTestCase): image_props = {CERT_UUID: 'fea14bc2-d75f-4ba5-bccc-b5c924ad0693', HASH_METHOD: hash_name, - KEY_TYPE: 'ECC_' + curve.name.upper(), + KEY_TYPE: key_type_name, SIGNATURE: signature} verifier = signature_utils.get_verifier(None, image_props) verifier.update(data) |