Added new test cases for invalid EC keys (#12309)

pyca · Jan 19, 2025 · 17119de · 17119de
1 parent af76c1f
commit 17119de
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 0 deletions.
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
@@ -199,6 +199,13 @@ Custom asymmetric vectors
 * ``asymmetric/Traditional_OpenSSL_Serialization/dsa-wrong-version.pem`` - A
   DSA key, encoded as a "traditional" ``DSA PRIVATE KEY`` PEM block, with an
   invalid version number.
+* ``asymmetric/PKCS8/ec-inconsistent-curve.pem`` - A PKCS8 encoded EC key where
+  the the curve OID in the parameters does not match the curve OID in the key.
+* ``asymmetric/PKCS8/ec-inconsistent-curve2.pem`` - A PKCS8 encoded EC key
+  where the the curve OID in the parameters does not match the curve OID in
+  the key (the OIDs are reversed from ``ec-inconsistent-curve.pem``).
+* ``asymmetric/EC/ec-missing-curve.pem`` - A PKCS#1 encoded EC key where the
+  curve OID is missing.
 
 
 Key exchange

diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
@@ -1127,6 +1127,35 @@ def test_load_public_keys(self, key_file, curve, backend):
         assert isinstance(key, ec.EllipticCurvePublicKey)
         assert isinstance(key.curve, curve)
 
+    @pytest.mark.xfail
+    def test_pkcs8_inconsistent_curve(self):
+        # The curve can appear twice in a PKCS8 EC key, error if they're not
+        # consistent
+        data = load_vectors_from_file(
+            os.path.join("asymmetric", "PKCS8", "ec-inconsistent-curve.pem"),
+            lambda f: f.read(),
+            mode="rb",
+        )
+        with pytest.raises(ValueError):
+            serialization.load_pem_private_key(data, password=None)
+
+        data = load_vectors_from_file(
+            os.path.join("asymmetric", "PKCS8", "ec-inconsistent-curve2.pem"),
+            lambda f: f.read(),
+            mode="rb",
+        )
+        with pytest.raises(ValueError):
+            serialization.load_pem_private_key(data, password=None)
+
+    def test_load_private_key_missing_curve(self):
+        data = load_vectors_from_file(
+            os.path.join("asymmetric", "EC", "ec-missing-curve.pem"),
+            lambda f: f.read(),
+            mode="rb",
+        )
+        with pytest.raises(ValueError):
+            serialization.load_pem_private_key(data, password=None)
+
 
 class TestEllipticCurvePEMPublicKeySerialization:
     @pytest.mark.parametrize(

diff --git a/vectors/cryptography_vectors/asymmetric/EC/ec-missing-curve.pem b/vectors/cryptography_vectors/asymmetric/EC/ec-missing-curve.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MGsCAQEEIGIq02UsfuTvGOrZRnJGulum7SYqHHa3aJX3LpEqExJPoUQDQgAEJLzz
+buz2tRnLFlOL+6bTX6giVavAsc6NDFFT0IMCd2ibTTNUDDkFGsgq0cH5JYPg/6xU
+lMBFKrWYe3yQ4has9w==
+-----END EC PRIVATE KEY-----
diff --git a/vectors/cryptography_vectors/asymmetric/PKCS8/ec-inconsistent-curve.pem b/vectors/cryptography_vectors/asymmetric/PKCS8/ec-inconsistent-curve.pem
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIGQAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBHYwdAIBAQQgYirTZSx+5O8Y6tlG
+cka6W6btJiocdrdolfcukSoTEk+gBwYFK4EEACKhRANCAAQkvPNu7Pa1GcsWU4v7
+ptNfqCJVq8Cxzo0MUVPQgwJ3aJtNM1QMOQUayCrRwfklg+D/rFSUwEUqtZh7fJDi
+Fqz3
+-----END PRIVATE KEY-----
diff --git a/vectors/cryptography_vectors/asymmetric/PKCS8/ec-inconsistent-curve2.pem b/vectors/cryptography_vectors/asymmetric/PKCS8/ec-inconsistent-curve2.pem
@@ -0,0 +1,6 @@
+-----BEGIN PRIVATE KEY-----
+MIGQAgEAMBAGByqGSM49AgEGBSuBBAAiBHkwdwIBAQQgYirTZSx+5O8Y6tlGcka6
+W6btJiocdrdolfcukSoTEk+gCgYIKoZIzj0DAQehRANCAAQkvPNu7Pa1GcsWU4v7
+ptNfqCJVq8Cxzo0MUVPQgwJ3aJtNM1QMOQUayCrRwfklg+D/rFSUwEUqtZh7fJDi
+Fqz3
+-----END PRIVATE KEY-----