Add CustomerMasterKeySpec parameter handling

2020-02-06 17:57:00 +01:00 · 2020-02-06 17:57:00 +01:00 · 5d05044491
commit 5d05044491
parent 40bd4f1603
4 changed files with 90 additions and 11 deletions
--- a/tests/test_kms/test_kms.py
+++ b/tests/test_kms/test_kms.py
@ -64,6 +64,53 @@ def test_create_key():
        key["KeyMetadata"]["Origin"].should.equal("AWS_KMS")
        key["KeyMetadata"].should_not.have.key("SigningAlgorithms")

+        key = conn.create_key(
+            KeyUsage = "ENCRYPT_DECRYPT",
+            CustomerMasterKeySpec = 'RSA_2048',
+        )
+
+        sorted(key["KeyMetadata"]["EncryptionAlgorithms"]).should.equal(["RSAES_OAEP_SHA_1", "RSAES_OAEP_SHA_256"])
+        key["KeyMetadata"].should_not.have.key("SigningAlgorithms")
+
+        key = conn.create_key(
+            KeyUsage = "SIGN_VERIFY",
+            CustomerMasterKeySpec = 'RSA_2048',
+        )
+
+        key["KeyMetadata"].should_not.have.key("EncryptionAlgorithms")
+        sorted(key["KeyMetadata"]["SigningAlgorithms"]).should.equal([
+            "RSASSA_PKCS1_V1_5_SHA_256",
+            "RSASSA_PKCS1_V1_5_SHA_384",
+            "RSASSA_PKCS1_V1_5_SHA_512",
+            "RSASSA_PSS_SHA_256",
+            "RSASSA_PSS_SHA_384",
+            "RSASSA_PSS_SHA_512"
+        ])
+
+        key = conn.create_key(
+            KeyUsage = "SIGN_VERIFY",
+            CustomerMasterKeySpec = 'ECC_SECG_P256K1',
+        )
+
+        key["KeyMetadata"].should_not.have.key("EncryptionAlgorithms")
+        key["KeyMetadata"]["SigningAlgorithms"].should.equal(["ECDSA_SHA_256"])
+
+        key = conn.create_key(
+            KeyUsage = "SIGN_VERIFY",
+            CustomerMasterKeySpec = 'ECC_NIST_P384',
+        )
+
+        key["KeyMetadata"].should_not.have.key("EncryptionAlgorithms")
+        key["KeyMetadata"]["SigningAlgorithms"].should.equal(["ECDSA_SHA_384"])
+
+        key = conn.create_key(
+            KeyUsage = "SIGN_VERIFY",
+            CustomerMasterKeySpec = 'ECC_NIST_P521',
+        )
+
+        key["KeyMetadata"].should_not.have.key("EncryptionAlgorithms")
+        key["KeyMetadata"]["SigningAlgorithms"].should.equal(["ECDSA_SHA_512"])
+

@mock_kms_deprecated
 def test_describe_key():
--- a/tests/test_kms/test_utils.py
+++ b/tests/test_kms/test_utils.py
@ -102,7 +102,7 @@ def test_deserialize_ciphertext_blob(raw, serialized):
@parameterized(((ec[0],) for ec in ENCRYPTION_CONTEXT_VECTORS))
 def test_encrypt_decrypt_cycle(encryption_context):
    plaintext = b"some secret plaintext"
-    master_key = Key("nop", "nop", "nop", [], "nop")
+    master_key = Key("nop", "nop", "nop", "nop", [], "nop")
    master_key_map = {master_key.id: master_key}

    ciphertext_blob = encrypt(
@ -133,7 +133,7 @@ def test_encrypt_unknown_key_id():


 def test_decrypt_invalid_ciphertext_format():
-    master_key = Key("nop", "nop", "nop", [], "nop")
+    master_key = Key("nop", "nop", "nop", "nop", [], "nop")
    master_key_map = {master_key.id: master_key}

    with assert_raises(InvalidCiphertextException):
@ -153,7 +153,7 @@ def test_decrypt_unknwown_key_id():


 def test_decrypt_invalid_ciphertext():
-    master_key = Key("nop", "nop", "nop", [], "nop")
+    master_key = Key("nop", "nop", "nop", "nop", [], "nop")
    master_key_map = {master_key.id: master_key}
    ciphertext_blob = (
        master_key.id.encode("utf-8") + b"123456789012"
@ -171,7 +171,7 @@ def test_decrypt_invalid_ciphertext():

 def test_decrypt_invalid_encryption_context():
    plaintext = b"some secret plaintext"
-    master_key = Key("nop", "nop", "nop", [], "nop")
+    master_key = Key("nop", "nop", "nop", "nop", [], "nop")
    master_key_map = {master_key.id: master_key}

    ciphertext_blob = encrypt(