Skip to content

Avoid private-key PEM markers in installed self-tests#914

Open
salasebas wants to merge 1 commit into
Legrandin:masterfrom
salasebas:issue-904-selftest-fixtures
Open

Avoid private-key PEM markers in installed self-tests#914
salasebas wants to merge 1 commit into
Legrandin:masterfrom
salasebas:issue-904-selftest-fixtures

Conversation

@salasebas

Copy link
Copy Markdown

Closes #904.

This keeps Crypto.SelfTest installed and runnable, but avoids embedding full PEM private-key markers directly in the installed self-test source files.

Changes:

  • Add a small make_pem() helper for self-test fixtures.
  • Refactor RSA, DSA, ECC, ECDH, PKCS#1, and PSS self-test fixtures to reconstruct PEM blocks at runtime.
  • Preserve the existing self-test coverage and package layout.
  • Add a changelog entry for GH#904.

Validation:

  • rg -n -- '-----BEGIN (RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY-----' lib/Crypto/SelfTest build/.../Crypto/SelfTest
  • PYTHONPYCACHEPREFIX=/private/tmp/pycryptodome-pyc python3 -m compileall -q lib/Crypto/SelfTest
  • PYTHONPYCACHEPREFIX=/private/tmp/pycryptodome-pyc python3 setup.py test -m PublicKey
  • PYTHONPYCACHEPREFIX=/private/tmp/pycryptodome-pyc python3 setup.py test -m Cipher
  • PYTHONPYCACHEPREFIX=/private/tmp/pycryptodome-pyc python3 setup.py test -m Signature
  • PYTHONPYCACHEPREFIX=/private/tmp/pycryptodome-pyc python3 setup.py test -m Protocol
  • PYTHONPYCACHEPREFIX=/private/tmp/pycryptodome-pyc PYTHONPATH=build/lib.macosx-10.9-universal2-3.9 python3 -m Crypto.SelfTest PublicKey

@ShuaiShao93

Copy link
Copy Markdown

Thanks for working on this — we ran into the same scanner class of problem on a downstream container image and tracked it back to Crypto/SelfTest/.

One small note in case it's useful while you're already in there: scanners that look at X.509 specifically also trip on the certificate PEM blocks in the same files, not just the private-key markers. In pycryptodome 3.23.0 our scan flagged these four embedded test certs (all expired in 2017):

Subject CN File notAfter (UTC)
latvia Crypto/SelfTest/PublicKey/test_import_RSA.py 2017-04-06 19:57:24
Test Server Crypto/SelfTest/PublicKey/test_import_RSA.py 2017-04-07 09:35:12
poland Crypto/SelfTest/PublicKey/test_import_DSA.py 2017-04-06 20:38:43
austria Crypto/SelfTest/PublicKey/test_import_DSA.py 2017-04-08 20:53:20

Would it be in scope to extend the same make_pem() reconstruction to -----BEGIN CERTIFICATE----- blocks here too? That would let downstream images keep Crypto/SelfTest/ intact and still satisfy cert-aware scanners. Happy to send a follow-up patch if you'd prefer to keep this PR focused on private-key markers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Artifact Security Scanning Failing due to private keys present

2 participants