signature_utils: handle ECC curve unavailability

Some ECC curves are unavailable on some platforms (like Fedora, RHEL, and CentOS) because of legal concerns. See the bug report for more details and history. The cryptography backend has a elliptic_curve_supported() method which we can use to avoid curves which are unavailable on the current platform. If an image signature uses one of these curves, we will return an "Invalid signature key type" error. Use the warnings module in the unit tests to avoid silently ignoring this issue during testing. This warning will be captured from the test's stderr and reported by testr. Closes-Bug: #1528393 Change-Id: Ie25311c48b276f300fadaf1815fc4df4cb89cf8d Signed-off-by: Mark McLoughlin <markmc@redhat.com>
author: Mark McLoughlin <markmc@redhat.com> 2015-12-21 23:54:17 +0000
committer: Mark McLoughlin <markmc@redhat.com> 2015-12-23 07:06:30 +0000
commit: 291e71990a0866836d1becea6d519df9abaaa186 (patch)
tree: df92ee8fede615bbbc5def5729726d22d56fcafa /nova/tests/unit/test_signature_utils.py
parent: 7bba58d0ad86e4c66b96eb08402c44c3678ec83b (diff)
download: nova-291e71990a0866836d1becea6d519df9abaaa186.tar.gz
1 files changed, 10 insertions, 1 deletions
diff --git a/nova/tests/unit/test_signature_utils.py b/nova/tests/unit/test_signature_utils.py
index fb6b51406b..510ed70e04 100644
--- a/nova/tests/unit/test_signature_utils.py
+++ b/nova/tests/unit/test_signature_utils.py
@@ -34,6 +34,7 @@ TEST_RSA_PRIVATE_KEY = rsa.generate_private_key(public_exponent=3,
                                                 key_size=1024,
                                                 backend=default_backend())
 
+# secp521r1 is assumed to be available on all supported platforms
 TEST_ECC_PRIVATE_KEY = ec.generate_private_key(ec.SECP521R1(),
                                                default_backend())
 
@@ -163,6 +164,14 @@ class TestSignatureUtils(test.NoDBTestCase):
         data = b'224626ae19824466f2a7f39ab7b80f7f'
         # test every ECC curve
         for curve in signature_utils.ECC_CURVES:
+            key_type_name = 'ECC_' + curve.name.upper()
+            try:
+                signature_utils.SignatureKeyType.lookup(key_type_name)
+            except exception.SignatureVerificationError:
+                import warnings
+                warnings.warn("ECC curve '%s' not supported" % curve.name)
+                continue
+
             # Create a private key to use
             private_key = ec.generate_private_key(curve,
                                                   default_backend())
@@ -176,7 +185,7 @@ class TestSignatureUtils(test.NoDBTestCase):
                 image_props = {CERT_UUID:
                                'fea14bc2-d75f-4ba5-bccc-b5c924ad0693',
                                HASH_METHOD: hash_name,
-                               KEY_TYPE: 'ECC_' + curve.name.upper(),
+                               KEY_TYPE: key_type_name,
                                SIGNATURE: signature}
                 verifier = signature_utils.get_verifier(None, image_props)
                 verifier.update(data)
author	Mark McLoughlin <markmc@redhat.com>	2015-12-21 23:54:17 +0000
committer	Mark McLoughlin <markmc@redhat.com>	2015-12-23 07:06:30 +0000
commit	291e71990a0866836d1becea6d519df9abaaa186 (patch)
tree	df92ee8fede615bbbc5def5729726d22d56fcafa /nova/tests/unit/test_signature_utils.py
parent	7bba58d0ad86e4c66b96eb08402c44c3678ec83b (diff)
download	nova-291e71990a0866836d1becea6d519df9abaaa186.tar.gz