Merge pull request #621 from dajiaji/ajitomi-add-alg-validation-for-fully-specified-algs

Add alg validation for fully-specified algs.

Author: dajiaji

cwt/algs/ec2.py

@@ -82,6 +82,17 @@ def __init__(self, params: Dict[int, Any]):
             else:
                 self._key_ops = [2]
         if self._alg:
+            # Validate alg for EC2 curve.
+            if self._crv == 1 and self._alg not in ([-7, -9, 35, 36] + list(COSE_ALGORITHMS_CKDM_KEY_AGREEMENT.values())):
+                raise ValueError(f"Unsupported or unknown alg used with P-256: {self._alg}.")
+            elif self._crv == 2 and self._alg not in ([-35, -51, 37, 38] + list(COSE_ALGORITHMS_CKDM_KEY_AGREEMENT.values())):
+                raise ValueError(f"Unsupported or unknown alg used with P-384: {self._alg}.")
+            elif self._crv == 3 and self._alg not in ([-36, -52, 39, 40] + list(COSE_ALGORITHMS_CKDM_KEY_AGREEMENT.values())):
+                raise ValueError(f"Unsupported or unknown alg used with P-521: {self._alg}.")
+            elif self._crv == 8 and self._alg != -47:
+                raise ValueError(f"Unsupported or unknown alg used with secp256k1: {self._alg}.")
+
+            # Validate alg for key_ops.
             if self._alg in COSE_ALGORITHMS_SIG_EC2.values():
                 if self._key_ops:
                     if -4 in params:

cwt/algs/okp.py

@@ -75,9 +75,12 @@ def __init__(self, params: Dict[int, Any]):
                 self._hash_alg = hashes.SHA256 if self._crv == 4 else hashes.SHA512
             elif self._alg is not None:
                 raise ValueError(f"Unsupported or unknown alg used with X25519/X448: {self._alg}.")
-        elif self._crv in [6, 7]:
-            if self._alg is not None and self._alg not in COSE_ALGORITHMS_SIG_OKP.values():
-                raise ValueError(f"Unsupported or unknown alg used with Ed25519/Ed448: {self._alg}.")
+        elif self._crv == 6:
+            if self._alg is not None and self._alg not in [-8, -19]:
+                raise ValueError(f"Unsupported or unknown alg used with Ed25519: {self._alg}.")
+        elif self._crv == 7:
+            if self._alg is not None and self._alg not in [-8, -53]:
+                raise ValueError(f"Unsupported or unknown alg used with Ed448: {self._alg}.")
         else:
             raise ValueError(f"Unsupported or unknown crv(-1) for OKP: {self._crv}.")
 

tests/test_algs_ec2.py

@@ -306,7 +306,7 @@ def test_cose_key_constructor_without_cose_key(self):
                     -3: b"\xe2\xdb\xef\xfe\xb8\x8a\x12\xf27\xcb\x15:\x8a\xb9\x1a90B\x1a\x19^\xbc\xdc\xde\r\xb9s\xc1P\xf3\xaa\xdd",
                     3: -8,
                 },
-                "Unsupported or unknown alg(3) for EC2: -8.",
+                "Unsupported or unknown alg used with P-256: -8",
             ),
             (
                 {
@@ -325,7 +325,7 @@ def test_cose_key_constructor_without_cose_key(self):
                     -1: 2,
                     3: -8,
                 },
-                "Unsupported or unknown alg(3) for EC2: -8.",
+                "Unsupported or unknown alg used with P-384: -8",
             ),
             (
                 {
@@ -344,7 +344,7 @@ def test_cose_key_constructor_without_cose_key(self):
                     -1: 3,
                     3: -8,
                 },
-                "Unsupported or unknown alg(3) for EC2: -8.",
+                "Unsupported or unknown alg used with P-521: -8",
             ),
             (
                 {
@@ -363,7 +363,7 @@ def test_cose_key_constructor_without_cose_key(self):
                     -1: 8,
                     3: -8,
                 },
-                "Unsupported or unknown alg(3) for EC2: -8.",
+                "Unsupported or unknown alg used with secp256k1: -8",
             ),
             (
                 {

tests/test_algs_okp.py

@@ -362,7 +362,7 @@ def test_okp_key_derive_bytes_with_raw_context(self):
                     COSEKeyParams.ALG: -999,
                     COSEKeyParams.X: b"\x18Es\xe0\x9a\x83\xfd\x0e\xe9K\xa8n\xf39i\x17\xfe\n2+|\xd1q\xcc\x87\xd2\xe9\xa9\xe8 \x9b\xd9",
                 },
-                "Unsupported or unknown alg used with Ed25519/Ed448: -999.",
+                "Unsupported or unknown alg used with Ed25519: -999.",
             ),
             (
                 {
@@ -371,7 +371,7 @@ def test_okp_key_derive_bytes_with_raw_context(self):
                     COSEKeyParams.ALG: 35,
                     COSEKeyParams.X: b"\x18Es\xe0\x9a\x83\xfd\x0e\xe9K\xa8n\xf39i\x17\xfe\n2+|\xd1q\xcc\x87\xd2\xe9\xa9\xe8 \x9b\xd9",
                 },
-                "Unsupported or unknown alg used with Ed25519/Ed448: 35.",
+                "Unsupported or unknown alg used with Ed25519: 35.",
             ),
             (
                 {

tests/test_cose_key.py

@@ -139,9 +139,9 @@ def test_key_builder_from_pem_with_alg(self, private_key_path, public_key_path):
             "ECDH-SS+HKDF-256",
             "ECDH-ES+HKDF-512",
             "ECDH-ES+HKDF-256",
-            "ES256K",
-            "ES512",
-            "ES384",
+            # "ES256K",
+            # "ES512",
+            # "ES384",
             "ES256",
         ],
     )
@@ -630,3 +630,89 @@ def test_cose_key_interface(self):
             ki.crv
             pytest.fail("crv should fail.")
         assert "" == str(err.value)
+
+    @pytest.mark.parametrize(
+        "invalid, msg",
+        [
+            ("Ed25519", "Unsupported or unknown alg used with P-256:"),
+            ("Ed448", "Unsupported or unknown alg used with P-256:"),
+            # ("ES256", "Unsupported or unknown alg used with P-256:"),
+            ("ES384", "Unsupported or unknown alg used with P-256:"),
+            ("ES512", "Unsupported or unknown alg used with P-256:"),
+            # ("ESP256", "Unsupported or unknown alg used with P-256:"),
+            ("ESP384", "Unsupported or unknown alg used with P-256:"),
+            ("ESP512", "Unsupported or unknown alg used with P-256:"),
+        ],
+    )
+    def test_key_builder_from_jwk_with_invalid_fully_specified_ec2_p256_alg(self, invalid, msg):
+        with pytest.raises(ValueError) as err:
+            COSEKey.from_jwk(
+                {
+                    "kty": "EC",
+                    "use": "sig",
+                    "crv": "P-256",
+                    "kid": "P-256-01",
+                    "x": "usWxHK2PmfnHKwXPS54m0kTcGJ90UiglWiGahtagnv8",
+                    "y": "IBOL-C3BttVivg-lSreASjpkttcsz-1rb7btKLv8EX4",
+                    "d": "V8kgd2ZBRuh2dgyVINBUqpPDr7BOMGcF22CQMIUHtNM",
+                    "alg": invalid,
+                }
+            )
+            pytest.fail("from_jwk should fail.")
+        assert msg in str(err.value)
+
+    @pytest.mark.parametrize(
+        "invalid, msg",
+        [
+            ("Ed448", "Unsupported or unknown alg used with Ed25519:"),
+            ("ES256", "Unsupported or unknown alg used with Ed25519:"),
+            ("ESP256", "Unsupported or unknown alg used with Ed25519:"),
+            ("ES384", "Unsupported or unknown alg used with Ed25519:"),
+            ("ES512", "Unsupported or unknown alg used with Ed25519:"),
+            ("ESP384", "Unsupported or unknown alg used with Ed25519:"),
+            ("ESP512", "Unsupported or unknown alg used with Ed25519:"),
+        ],
+    )
+    def test_key_builder_from_jwk_with_invalid_fully_specified_okp_ed25519_alg(self, invalid, msg):
+        with pytest.raises(ValueError) as err:
+            COSEKey.from_jwk(
+                {
+                    "kty": "OKP",
+                    "use": "sig",
+                    "crv": "Ed25519",
+                    "kid": "Ed25519-01",
+                    "x": "2E6dX83gqD_D0eAmqnaHe1TC1xuld6iAKXfw2OVATr0",
+                    "d": "L8JS08VsFZoZxGa9JvzYmCWOwg7zaKcei3KZmYsj7dc",
+                    "alg": invalid,
+                }
+            )
+            pytest.fail("from_jwk should fail.")
+        assert msg in str(err.value)
+
+    @pytest.mark.parametrize(
+        "invalid, msg",
+        [
+            ("Ed25519", "Unsupported or unknown alg used with Ed448:"),
+            ("ES256", "Unsupported or unknown alg used with Ed448:"),
+            ("ESP256", "Unsupported or unknown alg used with Ed448:"),
+            ("ES384", "Unsupported or unknown alg used with Ed448:"),
+            ("ES512", "Unsupported or unknown alg used with Ed448:"),
+            ("ESP384", "Unsupported or unknown alg used with Ed448:"),
+            ("ESP512", "Unsupported or unknown alg used with Ed448:"),
+        ],
+    )
+    def test_key_builder_from_jwk_with_invalid_fully_specified_okp_ed448_alg(self, invalid, msg):
+        with pytest.raises(ValueError) as err:
+            COSEKey.from_jwk(
+                {
+                    "kty": "OKP",
+                    "use": "sig",
+                    "crv": "Ed448",
+                    "kid": "Ed448-01",
+                    "x": "25isUWIosUkM2ynOPFP5t7BbwM1_iFQmKBpHvA0hgXpRX6yyu-nq6BBmpS3J0DYTlZIoA4qwgSqA",
+                    "d": "vOHg3x9AXEBRDnzM5b68bLFswieywpJzTOkxafU5fiDxyKowuetnBgjQsgTRWoc067X9xvZWE0Sd",
+                    "alg": invalid,
+                }
+            )
+            pytest.fail("from_jwk should fail.")
+        assert msg in str(err.value)

tests/test_signer.py

@@ -248,6 +248,58 @@ def test_signer_esp256(self):
         except Exception:
             pytest.fail("signer.sign and verify should not fail.")
 
+    def test_signer_esp384(self):
+        signer = Signer.new(
+            cose_key=COSEKey.from_jwk(
+                {
+                    "kty": "EC",
+                    "kid": "P-384-01",
+                    "crv": "P-384",
+                    "x": "_XyN9woHaS0mPimSW-etwJMEDSzxIMjp4PjezavU8SHJoClz1bQrcmPb1ZJxHxhI",
+                    "y": "GCNfc32p9sRotx7u2oDGJ3Eqz6q5zPHLdizNn83oRsUTN31eCWfGLHWRury3xF50",
+                    "d": "1pImEKbrr771-RKi8Tb7tou_WjiR7kwui_nMu16449rk3lzAqf9buUhTkJ-pogkb",
+                    "alg": "ESP384",
+                }
+            ),
+            protected={"alg": "ESP384"},
+            unprotected={"kid": "P-384-01"},
+        )
+        assert signer.unprotected[4] == b"P-384-01"
+        assert cbor2.loads(signer.protected)[1] == -51
+        assert signer.cose_key.alg == -51
+        assert signer.cose_key.kid == b"P-384-01"
+        try:
+            signer.sign(b"Hello world!")
+            signer.verify(b"Hello world!")
+        except Exception:
+            pytest.fail("signer.sign and verify should not fail.")
+
+    def test_signer_esp512(self):
+        signer = Signer.new(
+            cose_key=COSEKey.from_jwk(
+                {
+                    "kty": "EC",
+                    "kid": "P-521-01",
+                    "crv": "P-521",
+                    "x": "APkZitSJMJUMB-iPCt47sWu_CrnUHg6IAR4qjmHON-2u41Rjg6DNOS0LZYJJt-AVH5NgGVi8ElIfjo71b9HXCTOc",
+                    "y": "ASx-Cb--149HJ-e1KlSaY-1BOhwOdcTkxSt8BGbW7_hnGfzHsoXM3ywwNcp1Yad-FHUKwmCyMelMQEn2Rh4V2l3I",
+                    "d": "ADYyo73ZKicOjwGDYQ_ybZKnVzdAcxGm9OVAxQjzgVM4jaS-Iwtkz90oLdDz3shgKlDgtRK2Aa9lMhqR94hBo4IE",
+                    "alg": "ESP512",
+                }
+            ),
+            protected={"alg": "ESP512"},
+            unprotected={"kid": "P-521-01"},
+        )
+        assert signer.unprotected[4] == b"P-521-01"
+        assert cbor2.loads(signer.protected)[1] == -52
+        assert signer.cose_key.alg == -52
+        assert signer.cose_key.kid == b"P-521-01"
+        try:
+            signer.sign(b"Hello world!")
+            signer.verify(b"Hello world!")
+        except Exception:
+            pytest.fail("signer.sign and verify should not fail.")
+
     def test_signer_ed25519(self):
         signer = Signer.new(
             cose_key=COSEKey.from_jwk(
@@ -273,3 +325,29 @@ def test_signer_ed25519(self):
             signer.verify(b"Hello world!")
         except Exception:
             pytest.fail("signer.sign and verify should not fail.")
+
+    def test_signer_ed448(self):
+        signer = Signer.new(
+            cose_key=COSEKey.from_jwk(
+                {
+                    "kty": "OKP",
+                    "d": "vOHg3x9AXEBRDnzM5b68bLFswieywpJzTOkxafU5fiDxyKowuetnBgjQsgTRWoc067X9xvZWE0Sd",
+                    "use": "sig",
+                    "crv": "Ed448",
+                    "kid": "Ed448-01",
+                    "x": "25isUWIosUkM2ynOPFP5t7BbwM1_iFQmKBpHvA0hgXpRX6yyu-nq6BBmpS3J0DYTlZIoA4qwgSqA",
+                    "alg": "Ed448",
+                }
+            ),
+            protected={"alg": "Ed448"},
+            unprotected={"kid": "Ed448-01"},
+        )
+        assert signer.unprotected[4] == b"Ed448-01"
+        assert cbor2.loads(signer.protected)[1] == -53
+        assert signer.cose_key.alg == -53
+        assert signer.cose_key.kid == b"Ed448-01"
+        try:
+            signer.sign(b"Hello world!")
+            signer.verify(b"Hello world!")
+        except Exception:
+            pytest.fail("signer.sign and verify should not fail.")