"""Test AWSSigner"""
import unittest
from securesystemslib.exceptions import UnverifiedSignatureError
from securesystemslib.signer import AWSSigner, Signer
class TestAWSSigner(unittest.TestCase):
    """Integration tests for AWSSigner against a local KMS endpoint.

    The KMS keys referenced by alias below are created by
    tests/scripts/init-aws-kms.sh; credentials and endpoint settings are
    supplied through environment variables (see tox.ini).
    """

    def _check_key_scheme(self, aws_keyid, default_scheme, scheme):
        """Import, load, sign and verify one (key alias, scheme) pair.

        Args:
            aws_keyid: KMS key alias handed to ``AWSSigner.import_``.
            default_scheme: Scheme that ``AWSSigner.import_`` selects when
                no scheme argument is given; only this pair also exercises
                the no-argument import path.
            scheme: Signing scheme under test.
        """
        # Import: the private-key URI must carry the AWS scheme prefix and the
        # returned public key must be bound to the scheme we asked for.
        uri, public_key = AWSSigner.import_(aws_keyid, scheme)
        self.assertEqual(uri, f"{AWSSigner.SCHEME}:{aws_keyid}")
        self.assertEqual(scheme, public_key.scheme)

        # Omitting the scheme must give exactly the same URI and public key
        # as naming the default explicitly.
        if scheme == default_scheme:
            default_uri, default_public_key = AWSSigner.import_(aws_keyid)
            self.assertEqual(uri, default_uri)
            self.assertEqual(public_key, default_public_key)

        # Load: the generic factory must resolve the URI to an AWSSigner.
        signer = Signer.from_priv_key_uri(uri, public_key)
        self.assertIsInstance(signer, AWSSigner)

        # Sign and verify: a genuine signature verifies (returns None), and
        # the same signature presented over different data must be rejected.
        signature = signer.sign(b"DATA")
        self.assertIsNone(public_key.verify_signature(signature, b"DATA"))
        with self.assertRaises(UnverifiedSignatureError):
            public_key.verify_signature(signature, b"NOT DATA")

    def test_aws_import_sign_verify(self):
        """Run the full import/load/sign/verify flow for every key and scheme."""
        rsa_schemes = [
            "rsassa-pss-sha256",
            "rsassa-pss-sha384",
            "rsassa-pss-sha512",
            "rsa-pkcs1v15-sha256",
            "rsa-pkcs1v15-sha384",
            "rsa-pkcs1v15-sha512",
        ]
        # (key alias, scheme chosen by import_ without a scheme, schemes to test)
        cases = (
            ("alias/rsa", "rsassa-pss-sha256", rsa_schemes),
            ("alias/ecdsa_nistp256", "ecdsa-sha2-nistp256", ["ecdsa-sha2-nistp256"]),
            ("alias/ecdsa_nistp384", "ecdsa-sha2-nistp384", ["ecdsa-sha2-nistp384"]),
        )
        for aws_keyid, default_scheme, schemes in cases:
            for scheme in schemes:
                self._check_key_scheme(aws_keyid, default_scheme, scheme)
if __name__ == "__main__":
unittest.main(verbosity=1)