Test vectors
============

Testing the correctness of the primitives implemented in each ``cryptography``
backend requires trusted test vectors. Where possible these vectors are
obtained from official sources such as `NIST`_ or `IETF`_ RFCs. When this is
not possible ``cryptography`` has chosen to create a set of custom vectors
using an official vector file as input to verify consistency between
implemented backends.

Vectors are kept in the ``cryptography_vectors`` package rather than within our
main test suite.

Sources
-------

Project Wycheproof
~~~~~~~~~~~~~~~~~~

We run vectors from `Project Wycheproof`_ -- a collection of known edge-cases
for various cryptographic algorithms. These are not included in the repository
(or ``cryptography_vectors`` package), but rather cloned from Git in our
continuous integration environments.

We have ensured all test vectors are used as of commit
``c313761979d74b0417230eddd0f87d0cfab2b46b``.

Asymmetric ciphers
~~~~~~~~~~~~~~~~~~

* RSA PKCS #1 from the RSA FTP site (ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/
  and ftp://ftp.rsa.com/pub/rsalabs/tmp/).
* RSA FIPS 186-2 and PKCS1 v1.5 vulnerability test vectors from `NIST CAVP`_.
* FIPS 186-2 and FIPS 186-3 DSA test vectors from `NIST CAVP`_.
* FIPS 186-2 and FIPS 186-3 ECDSA test vectors from `NIST CAVP`_.
* DH and ECDH and ECDH+KDF(17.4) test vectors from `NIST CAVP`_.
* Ed25519 test vectors from the `Ed25519 website`_.
* OpenSSL PEM RSA serialization vectors from the `OpenSSL example key`_ and
  `GnuTLS key parsing tests`_.
* OpenSSL PEM DSA serialization vectors from the `GnuTLS example keys`_.
* PKCS #8 PEM serialization vectors from

  * GnuTLS: `enc-rsa-pkcs8.pem`_, `enc2-rsa-pkcs8.pem`_,
    `unenc-rsa-pkcs8.pem`_, `pkcs12_s2k_pem.c`_. The encoding error in
    `unenc-rsa-pkcs8.pem`_ was fixed, and the contents of `enc-rsa-pkcs8.pem`_
    were re-encrypted to include it.
    The contents of `enc2-rsa-pkcs8.pem`_
    were re-encrypted using a stronger PKCS#8 cipher.
  * `Botan's ECC private keys`_.
* `asymmetric/public/PKCS1/dsa.pub.pem`_ is a PKCS1 DSA public key from the
  Ruby test suite.
* X25519 and X448 test vectors from :rfc:`7748`.
* RSA OAEP with custom label from the `BoringSSL evp tests`_.
* Ed448 test vectors from :rfc:`8032`.


Custom asymmetric vectors
~~~~~~~~~~~~~~~~~~~~~~~~~

.. toctree::
    :maxdepth: 1

    custom-vectors/secp256k1
    custom-vectors/rsa-oaep-sha2

* ``asymmetric/PEM_Serialization/ec_private_key.pem`` and
  ``asymmetric/DER_Serialization/ec_private_key.der`` - Contains an Elliptic
  Curve key generated by OpenSSL from the curve ``secp256r1``.
* ``asymmetric/PEM_Serialization/ec_private_key_encrypted.pem`` and
  ``asymmetric/DER_Serialization/ec_private_key_encrypted.der`` - Contains the
  same Elliptic Curve key as ``ec_private_key.pem``, except that it is
  encrypted with AES-128 with the password "123456".
* ``asymmetric/PEM_Serialization/ec_public_key.pem`` and
  ``asymmetric/DER_Serialization/ec_public_key.der`` - Contains the public key
  corresponding to ``ec_private_key.pem``, generated using OpenSSL.
* ``asymmetric/PEM_Serialization/rsa_private_key.pem`` - Contains an RSA 2048
  bit key generated using OpenSSL, protected by the secret "123456" with DES3
  encryption.
* ``asymmetric/PEM_Serialization/rsa_public_key.pem`` and
  ``asymmetric/DER_Serialization/rsa_public_key.der`` - Contains an RSA 2048
  bit public key generated using OpenSSL from ``rsa_private_key.pem``.
* ``asymmetric/PEM_Serialization/dsaparam.pem`` - Contains 2048-bit DSA
  parameters generated using OpenSSL; contains no keys.
* ``asymmetric/PEM_Serialization/dsa_private_key.pem`` - Contains a DSA 2048
  bit key generated using OpenSSL from the parameters in ``dsaparam.pem``,
  protected by the secret "123456" with DES3 encryption.
* ``asymmetric/PEM_Serialization/dsa_public_key.pem`` and
  ``asymmetric/DER_Serialization/dsa_public_key.der`` - Contains a DSA 2048 bit
  key generated using OpenSSL from ``dsa_private_key.pem``.
* ``asymmetric/PKCS8/unenc-dsa-pkcs8.pem`` and
  ``asymmetric/DER_Serialization/unenc-dsa-pkcs8.der`` - Contains a DSA 1024
  bit key generated using OpenSSL.
* ``asymmetric/PKCS8/unenc-dsa-pkcs8.pub.pem`` and
  ``asymmetric/DER_Serialization/unenc-dsa-pkcs8.pub.der`` - Contains a DSA
  2048 bit public key generated using OpenSSL from ``unenc-dsa-pkcs8.pem``.
* DER conversions of the `GnuTLS example keys`_ for DSA as well as the
  `OpenSSL example key`_ for RSA.
* DER conversions of `enc-rsa-pkcs8.pem`_, `enc2-rsa-pkcs8.pem`_, and
  `unenc-rsa-pkcs8.pem`_.
* ``asymmetric/public/PKCS1/rsa.pub.pem`` and
  ``asymmetric/public/PKCS1/rsa.pub.der`` are PKCS1 conversions of the public
  key from ``asymmetric/PKCS8/unenc-rsa-pkcs8.pem`` using PEM and DER encoding.
* ``x509/custom/ca/ca_key.pem`` - An unencrypted PKCS8 ``secp256r1`` key. It is
  the private key for the certificate ``x509/custom/ca/ca.pem``. This key is
  encoded in several of the PKCS12 custom vectors.
* ``asymmetric/EC/compressed_points.txt`` - Contains compressed public points
  generated using OpenSSL.
* ``asymmetric/X448/x448-pkcs8-enc.pem`` and
  ``asymmetric/X448/x448-pkcs8-enc.der`` contain an X448 key encrypted with
  AES 256 CBC with the password ``password``.
* ``asymmetric/X448/x448-pkcs8.pem`` and ``asymmetric/X448/x448-pkcs8.der``
  contain an unencrypted X448 key.
* ``asymmetric/X448/x448-pub.pem`` and ``asymmetric/X448/x448-pub.der`` contain
  an X448 public key.
* ``asymmetric/X25519/x25519-pkcs8-enc.pem`` and
  ``asymmetric/X25519/x25519-pkcs8-enc.der`` contain an X25519 key encrypted
  with AES 256 CBC with the password ``password``.
* ``asymmetric/X25519/x25519-pkcs8.pem`` and
  ``asymmetric/X25519/x25519-pkcs8.der`` contain an unencrypted X25519 key.
* ``asymmetric/X25519/x25519-pub.pem`` and ``asymmetric/X25519/x25519-pub.der``
  contain an X25519 public key.


Key exchange
~~~~~~~~~~~~

* ``vectors/cryptography_vectors/asymmetric/DH/rfc3526.txt`` contains
  several standardized Diffie-Hellman groups from :rfc:`3526`.

* ``vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt`` contains
  Diffie-Hellman examples from appendix A.1, A.2 and A.3 of :rfc:`5114`.

* ``vectors/cryptography_vectors/asymmetric/DH/vec.txt`` contains
  Diffie-Hellman examples from `botan`_.

* ``vectors/cryptography_vectors/asymmetric/DH/bad_exchange.txt`` contains
  Diffie-Hellman vector pairs that were generated using OpenSSL
  ``DH_generate_parameters_ex`` and ``DH_generate_key``.

* ``vectors/cryptography_vectors/asymmetric/DH/dhp.pem``,
  ``vectors/cryptography_vectors/asymmetric/DH/dhkey.pem`` and
  ``vectors/cryptography_vectors/asymmetric/DH/dhpub.pem`` contain
  Diffie-Hellman parameters and keys respectively. The keys were
  generated using OpenSSL following the `DHKE`_ guide.
  ``vectors/cryptography_vectors/asymmetric/DH/dhkey.txt`` contains
  all parameters in text.
  ``vectors/cryptography_vectors/asymmetric/DH/dhp.der``,
  ``vectors/cryptography_vectors/asymmetric/DH/dhkey.der`` and
  ``vectors/cryptography_vectors/asymmetric/DH/dhpub.der``
  are the above parameters and keys in DER format.

* ``vectors/cryptography_vectors/asymmetric/DH/dhp_rfc5114_2.pem``,
  ``vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.pem`` and
  ``vectors/cryptography_vectors/asymmetric/DH/dhpub_rfc5114_2.pem`` contain
  Diffie-Hellman parameters and keys respectively. The keys were
  generated using OpenSSL following the `DHKE`_ guide.
  When creating the
  parameters we added the ``-pkeyopt dh_rfc5114:2`` option to use
  :rfc:`5114` 2048 bit DH parameters with 224 bit subgroup.
  ``vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.txt`` contains
  all parameters in text.
  ``vectors/cryptography_vectors/asymmetric/DH/dhp_rfc5114_2.der``,
  ``vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.der`` and
  ``vectors/cryptography_vectors/asymmetric/DH/dhpub_rfc5114_2.der``
  are the above parameters and keys in DER format.

* ``vectors/cryptography_vectors/asymmetric/ECDH/brainpool.txt`` contains
  Brainpool vectors from :rfc:`7027`.

X.509
~~~~~

* PKITS test suite from `NIST PKI Testing`_.
* ``v1_cert.pem`` from the OpenSSL source tree (`testx509.pem`_).
* ``ecdsa_root.pem`` - `DigiCert Global Root G3`_, a ``secp384r1`` ECDSA root
  certificate.
* ``verisign-md2-root.pem`` - A legacy Verisign public root signed using the
  MD2 algorithm. This is a PEM conversion of the `root data`_ in the NSS source
  tree.
* ``cryptography.io.pem`` - A leaf certificate issued by RapidSSL for the
  cryptography website.
* ``rapidssl_sha256_ca_g3.pem`` - The intermediate CA that issued the
  ``cryptography.io.pem`` certificate.
* ``cryptography.io.precert.pem`` - A pre-certificate with the CT poison
  extension for the cryptography website.
* ``cryptography-scts.io.pem`` - A leaf certificate issued by Let's Encrypt for
  the cryptography website which contains signed certificate timestamps.
* ``wildcard_san.pem`` - A leaf certificate issued by a public CA for
  ``langui.sh`` that contains wildcard entries in the SAN extension.
* ``san_edipartyname.der`` - A DSA certificate from a `Mozilla bug`_
  containing a SAN extension with an ``ediPartyName`` general name.
* ``san_x400address.der`` - A DSA certificate from a `Mozilla bug`_ containing
  a SAN extension with an ``x400Address`` general name.
* ``department-of-state-root.pem`` - The intermediary CA for the Department of
  State, issued by the United States Federal Government's Common Policy CA.
  Notably has a ``critical`` policy constraints extension.
* ``e-trust.ru.der`` - A certificate from a `Russian CA`_ signed using the GOST
  cipher and containing numerous unusual encodings such as NUMERICSTRING in
  the subject DN.
* ``alternate-rsa-sha1-oid.pem`` - A certificate from an
  `unknown signature OID`_ Mozilla bug that uses an alternate signature OID for
  RSA with SHA1.
* ``badssl-sct.pem`` - A certificate with the certificate transparency signed
  certificate timestamp extension.
* ``bigoid.pem`` - A certificate with a rather long OID in the
  Certificate Policies extension. We need to make sure we can parse
  long OIDs.
* ``wosign-bc-invalid.pem`` - A certificate issued by WoSign that contains
  a basic constraints extension with CA set to false and a path length of zero
  in violation of :rfc:`5280`.
* ``tls-feature-ocsp-staple.pem`` - A certificate issued by Let's Encrypt that
  contains a TLS Feature extension with the ``status_request`` feature
  (commonly known as OCSP Must-Staple).
* ``unique-identifier.pem`` - A certificate containing
  a distinguished name with an ``x500UniqueIdentifier``.
* ``utf8-dnsname.pem`` - A certificate containing non-ASCII characters in the
  DNS name entries of the SAN extension.
* ``badasn1time.pem`` - A certificate containing an incorrectly specified
  UTCTime in its validity->not_after.
* ``letsencryptx3.pem`` - A subordinate certificate used by Let's Encrypt to
  issue end entity certificates.

Custom X.509 Vectors
~~~~~~~~~~~~~~~~~~~~

* ``invalid_version.pem`` - Contains an RSA 2048 bit certificate with the
  X.509 version field set to ``0x7``.
* ``post2000utctime.pem`` - Contains an RSA 2048 bit certificate with the
  ``notBefore`` and ``notAfter`` fields encoded as post-2000 ``UTCTime``.
* ``dsa_selfsigned_ca.pem`` - Contains a DSA self-signed CA certificate
  generated using OpenSSL.
* ``ec_no_named_curve.pem`` - Contains an ECDSA certificate that does not have
  an embedded OID defining the curve.
* ``all_supported_names.pem`` - An RSA 2048 bit certificate generated using
  OpenSSL that contains a subject and issuer that have two of each supported
  attribute type from :rfc:`5280`.
* ``unsupported_subject_name.pem`` - An RSA 2048 bit self-signed CA certificate
  generated using OpenSSL that contains the unsupported "initials" name.
* ``utf8_common_name.pem`` - An RSA 2048 bit self-signed CA certificate
  generated using OpenSSL that contains a UTF8String common name with the value
  "We heart UTF8!™".
* ``two_basic_constraints.pem`` - An RSA 2048 bit self-signed certificate
  containing two basic constraints extensions.
* ``basic_constraints_not_critical.pem`` - An RSA 2048 bit self-signed
  certificate containing a basic constraints extension that is not marked as
  critical.
* ``bc_path_length_zero.pem`` - An RSA 2048 bit self-signed
  certificate containing a basic constraints extension with a path length of
  zero.
* ``unsupported_extension.pem`` - An RSA 2048 bit self-signed certificate
  containing an unsupported extension type. The OID was encoded as
  "1.2.3.4" with an ``extnValue`` of "value".
* ``unsupported_extension_2.pem`` - A ``secp256r1`` certificate
  containing two unsupported extensions. The OIDs are ``1.3.6.1.4.1.41482.2``
  with an ``extnValue`` of ``1.3.6.1.4.1.41482.1.2`` and
  ``1.3.6.1.4.1.45724.2.1.1`` with an ``extnValue`` of ``\x03\x02\x040``.
* ``unsupported_extension_critical.pem`` - An RSA 2048 bit self-signed
  certificate containing an unsupported extension type marked critical.
  The OID
  was encoded as "1.2.3.4" with an ``extnValue`` of "value".
* ``san_email_dns_ip_dirname_uri.pem`` - An RSA 2048 bit self-signed
  certificate containing a subject alternative name extension with the
  following general names: ``rfc822Name``, ``dNSName``, ``iPAddress``,
  ``directoryName``, and ``uniformResourceIdentifier``.
* ``san_empty_hostname.pem`` - An RSA 2048 bit self-signed certificate
  containing a subject alternative name extension with an empty ``dNSName``
  general name.
* ``san_other_name.pem`` - An RSA 2048 bit self-signed certificate containing
  a subject alternative name extension with the ``otherName`` general name.
* ``san_registered_id.pem`` - An RSA 1024 bit certificate containing a
  subject alternative name extension with the ``registeredID`` general name.
* ``all_key_usages.pem`` - An RSA 2048 bit self-signed certificate containing
  a key usage extension with all nine purposes set to true.
* ``extended_key_usage.pem`` - An RSA 2048 bit self-signed certificate
  containing an extended key usage extension with eight usages.
* ``san_idna_names.pem`` - An RSA 2048 bit self-signed certificate containing
  a subject alternative name extension with ``rfc822Name``, ``dNSName``, and
  ``uniformResourceIdentifier`` general names with IDNA (:rfc:`5895`) encoding.
* ``san_wildcard_idna.pem`` - An RSA 2048 bit self-signed certificate
  containing a subject alternative name extension with a ``dNSName`` general
  name with a wildcard IDNA (:rfc:`5895`) domain.
* ``san_idna2003_dnsname.pem`` - An RSA 2048 bit self-signed certificate
  containing a subject alternative name extension with an IDNA 2003
  (:rfc:`3490`) ``dNSName``.
* ``san_rfc822_names.pem`` - An RSA 2048 bit self-signed certificate containing
  a subject alternative name extension with various ``rfc822Name`` values.
* ``san_rfc822_idna.pem`` - An RSA 2048 bit self-signed certificate containing
  a subject alternative name extension with an IDNA ``rfc822Name``.
* ``san_uri_with_port.pem`` - An RSA 2048 bit self-signed certificate
  containing a subject alternative name extension with various
  ``uniformResourceIdentifier`` values.
* ``san_ipaddr.pem`` - An RSA 2048 bit self-signed certificate containing a
  subject alternative name extension with an ``iPAddress`` value.
* ``san_dirname.pem`` - An RSA 2048 bit self-signed certificate containing a
  subject alternative name extension with a ``directoryName`` value.
* ``inhibit_any_policy_5.pem`` - An RSA 2048 bit self-signed certificate
  containing an inhibit any policy extension with the value 5.
* ``inhibit_any_policy_negative.pem`` - An RSA 2048 bit self-signed certificate
  containing an inhibit any policy extension with the value -1.
* ``authority_key_identifier.pem`` - An RSA 2048 bit self-signed certificate
  containing an authority key identifier extension with key identifier,
  authority certificate issuer, and authority certificate serial number fields.
* ``authority_key_identifier_no_keyid.pem`` - An RSA 2048 bit self-signed
  certificate containing an authority key identifier extension with authority
  certificate issuer and authority certificate serial number fields.
* ``aia_ocsp_ca_issuers.pem`` - An RSA 2048 bit self-signed certificate
  containing an authority information access extension with two OCSP and one
  CA issuers entry.
* ``aia_ocsp.pem`` - An RSA 2048 bit self-signed certificate
  containing an authority information access extension with an OCSP entry.
* ``aia_ca_issuers.pem`` - An RSA 2048 bit self-signed certificate
  containing an authority information access extension with a CA issuers entry.
* ``cdp_empty_hostname.pem`` - An RSA 2048 bit self-signed certificate
  containing a CRL distribution point extension with ``fullName`` URI without
  a hostname.
* ``cdp_fullname_reasons_crl_issuer.pem`` - An RSA 1024 bit certificate
  containing a CRL distribution points extension with ``fullName``,
  ``cRLIssuer``, and ``reasons`` data.
* ``cdp_crl_issuer.pem`` - An RSA 1024 bit certificate containing a CRL
  distribution points extension with ``cRLIssuer`` data.
* ``cdp_all_reasons.pem`` - An RSA 1024 bit certificate containing a CRL
  distribution points extension with all ``reasons`` bits set.
* ``cdp_reason_aa_compromise.pem`` - An RSA 1024 bit certificate containing a
  CRL distribution points extension with the ``AACompromise`` ``reasons`` bit
  set.
* ``nc_permitted_excluded.pem`` - An RSA 2048 bit self-signed certificate
  containing a name constraints extension with both permitted and excluded
  elements. Contains ``IPv4`` and ``IPv6`` addresses with network mask as well
  as ``dNSName`` with a leading period.
* ``nc_permitted_excluded_2.pem`` - An RSA 2048 bit self-signed certificate
  containing a name constraints extension with both permitted and excluded
  elements. Unlike ``nc_permitted_excluded.pem``, the general names do not
  contain any name constraints specific values.
* ``nc_permitted.pem`` - An RSA 2048 bit self-signed certificate containing a
  name constraints extension with permitted elements.
* ``nc_permitted_2.pem`` - An RSA 2048 bit self-signed certificate containing a
  name constraints extension with permitted elements that do not contain any
  name constraints specific values.
* ``nc_excluded.pem`` - An RSA 2048 bit self-signed certificate containing a
  name constraints extension with excluded elements.
* ``nc_invalid_ip_netmask.pem`` - An RSA 2048 bit self-signed certificate
  containing a name constraints extension with a permitted element that has an
  ``IPv6`` IP and an invalid network mask.
* ``nc_single_ip_netmask.pem`` - An RSA 2048 bit self-signed certificate
  containing a name constraints extension with a permitted element that has two
  IPs with ``/32`` and ``/128`` network masks.
* ``cp_user_notice_with_notice_reference.pem`` - An RSA 2048 bit self-signed
  certificate containing a certificate policies extension with a
  notice reference in the user notice.
* ``cp_user_notice_with_explicit_text.pem`` - An RSA 2048 bit self-signed
  certificate containing a certificate policies extension with explicit
  text and no notice reference.
* ``cp_cps_uri.pem`` - An RSA 2048 bit self-signed certificate containing a
  certificate policies extension with a CPS URI and no user notice.
* ``cp_user_notice_no_explicit_text.pem`` - An RSA 2048 bit self-signed
  certificate containing a certificate policies extension with a user notice
  with no explicit text.
* ``cp_invalid.pem`` - An RSA 2048 bit self-signed certificate containing a
  certificate policies extension with invalid data.
* ``ian_uri.pem`` - An RSA 2048 bit certificate containing an issuer
  alternative name extension with a ``URI`` general name.
* ``ocsp_nocheck.pem`` - An RSA 2048 bit self-signed certificate containing
  an ``OCSPNoCheck`` extension.
* ``pc_inhibit_require.pem`` - An RSA 2048 bit self-signed certificate
  containing a policy constraints extension with both inhibit policy mapping
  and require explicit policy elements.
* ``pc_inhibit.pem`` - An RSA 2048 bit self-signed certificate containing a
  policy constraints extension with an inhibit policy mapping element.
* ``pc_require.pem`` - An RSA 2048 bit self-signed certificate containing a
  policy constraints extension with a require explicit policy element.
* ``unsupported_subject_public_key_info.pem`` - A certificate whose public key
  is an unknown OID (``1.3.6.1.4.1.8432.1.1.2``).
* ``policy_constraints_explicit.pem`` - A self-signed certificate containing
  a ``policyConstraints`` extension with a ``requireExplicitPolicy`` value.
* ``freshestcrl.pem`` - A self-signed certificate containing a ``freshestCRL``
  extension.
* ``ca/ca.pem`` - A self-signed certificate with ``basicConstraints`` set to
  true. Its private key is ``ca/ca_key.pem``. This certificate is encoded in
  several of the PKCS12 custom vectors.

Custom X.509 Request Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* ``dsa_sha1.pem`` and ``dsa_sha1.der`` - Contain a certificate request using
  1024-bit DSA parameters and SHA1 generated using OpenSSL.
* ``rsa_md4.pem`` and ``rsa_md4.der`` - Contain a certificate request using
  2048 bit RSA and MD4 generated using OpenSSL.
* ``rsa_sha1.pem`` and ``rsa_sha1.der`` - Contain a certificate request using
  2048 bit RSA and SHA1 generated using OpenSSL.
* ``rsa_sha256.pem`` and ``rsa_sha256.der`` - Contain a certificate request
  using 2048 bit RSA and SHA256 generated using OpenSSL.
* ``ec_sha256.pem`` and ``ec_sha256.der`` - Contain a certificate request
  using EC (``secp384r1``) and SHA256 generated using OpenSSL.
* ``san_rsa_sha1.pem`` and ``san_rsa_sha1.der`` - Contain a certificate
  request using RSA and SHA1 with a subject alternative name extension
  generated using OpenSSL.
* ``two_basic_constraints.pem`` - A certificate signing request
  for an RSA 2048 bit key containing two basic constraints extensions.
* ``unsupported_extension.pem`` - A certificate signing request
  for an RSA 2048 bit key containing an unsupported
  extension type. The OID was encoded as "1.2.3.4" with an
  ``extnValue`` of "value".
* ``unsupported_extension_critical.pem`` - A certificate signing
  request for an RSA 2048 bit key containing an unsupported
  extension type marked critical. The OID was encoded as "1.2.3.4"
  with an ``extnValue`` of "value".
* ``basic_constraints.pem`` - A certificate signing request for an RSA
  2048 bit key containing a basic constraints extension marked as
  critical.
* ``invalid_signature.pem`` - A certificate signing request for an RSA
  1024 bit key containing an invalid signature with correct padding.

Custom X.509 Certificate Revocation List Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* ``crl_all_reasons.pem`` - Contains a CRL with 12 revoked certificates, whose
  serials match their list position. It includes one revocation without
  any entry extensions, 10 revocations with every supported reason code and one
  revocation with an unsupported, non-critical entry extension with the OID
  value set to "1.2.3.4".
* ``crl_dup_entry_ext.pem`` - Contains a CRL with one revocation which has a
  duplicate entry extension.
* ``crl_md2_unknown_crit_entry_ext.pem`` - Contains a CRL with one revocation
  which contains an unsupported critical entry extension with the OID value set
  to "1.2.3.4". The CRL uses an unsupported MD2 signature algorithm.
* ``crl_unsupported_reason.pem`` - Contains a CRL with one revocation which has
  an unsupported reason code.
* ``crl_inval_cert_issuer_entry_ext.pem`` - Contains a CRL with one revocation
  which has one entry extension for certificate issuer with an empty value.
* ``crl_empty.pem`` - Contains a CRL with no revoked certificates.
* ``crl_ian_aia_aki.pem`` - Contains a CRL with ``IssuerAlternativeName``,
  ``AuthorityInformationAccess``, ``AuthorityKeyIdentifier`` and ``CRLNumber``
  extensions.
* ``valid_signature.pem`` - Contains a CRL with the public key which was used
  to generate it.
* ``invalid_signature.pem`` - Contains a CRL with the last signature byte
  incremented by 1 to produce an invalid signature, and the public key which
  was used to generate it.
* ``crl_delta_crl_indicator.pem`` - Contains a CRL with the
  ``DeltaCRLIndicator`` extension.
* ``crl_idp_fullname_only.pem`` - Contains a CRL with an
  ``IssuingDistributionPoints`` extension with only a ``fullname`` for the
  distribution point.
* ``crl_idp_only_ca.pem`` - Contains a CRL with an
  ``IssuingDistributionPoints`` extension that is only valid for CA certificate
  revocation.
* ``crl_idp_fullname_only_aa.pem`` - Contains a CRL with an
  ``IssuingDistributionPoints`` extension that sets a ``fullname`` and is only
  valid for attribute certificate revocation.
* ``crl_idp_fullname_only_user.pem`` - Contains a CRL with an
  ``IssuingDistributionPoints`` extension that sets a ``fullname`` and is only
  valid for user certificate revocation.
* ``crl_idp_fullname_indirect_crl.pem`` - Contains a CRL with an
  ``IssuingDistributionPoints`` extension that sets a ``fullname`` and the
  indirect CRL flag.
* ``crl_idp_reasons_only.pem`` - Contains a CRL with an
  ``IssuingDistributionPoints`` extension that is only valid for revocations
  with the ``keyCompromise`` reason.
* ``crl_idp_relative_user_all_reasons.pem`` - Contains a CRL with an
  ``IssuingDistributionPoints`` extension that sets all revocation reasons as
  allowed.
* ``crl_idp_relativename_only.pem`` - Contains a CRL with an
  ``IssuingDistributionPoints`` extension with only a ``relativename`` for
  the distribution point.

X.509 OCSP Test Vectors
~~~~~~~~~~~~~~~~~~~~~~~

* ``x509/ocsp/resp-sha256.der`` - An OCSP response for ``cryptography.io`` with
  a SHA256 signature.
* ``x509/ocsp/resp-unauthorized.der`` - An OCSP response with an unauthorized
  status.
* ``x509/ocsp/resp-revoked.der`` - An OCSP response for ``revoked.badssl.com``
  with a revoked status.
* ``x509/ocsp/resp-delegate-unknown-cert.der`` - An OCSP response for an
  unknown cert from ``AC Camerafirma``. This response also contains a delegate
  certificate.
* ``x509/ocsp/resp-responder-key-hash.der`` - An OCSP response from the
  ``DigiCert`` OCSP responder that uses a key hash for the responder ID.
* ``x509/ocsp/resp-revoked-reason.der`` - An OCSP response from the
  ``QuoVadis`` OCSP responder that contains a revoked certificate with a
  revocation reason.
* ``x509/ocsp/resp-revoked-no-next-update.der`` - An OCSP response that
  contains a revoked certificate and no ``nextUpdate`` value.
* ``x509/ocsp/resp-invalid-signature-oid.der`` - An OCSP response that was
  modified to contain an MD2 signature algorithm object identifier.

Custom X.509 OCSP Test Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* ``x509/ocsp/req-sha1.der`` - An OCSP request containing a single request and
  using SHA1 as the hash algorithm.
* ``x509/ocsp/req-multi-sha1.der`` - An OCSP request containing multiple
  requests.
* ``x509/ocsp/req-invalid-hash-alg.der`` - An OCSP request containing an
  invalid hash algorithm OID.
* ``x509/ocsp/req-ext-nonce.der`` - An OCSP request containing a nonce
  extension.

Custom PKCS12 Test Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~

* ``pkcs12/cert-key-aes256cbc.p12`` - A PKCS12 file containing a cert
  (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``)
  both encrypted with AES 256 CBC with the password ``cryptography``.
* ``pkcs12/cert-none-key-none.p12`` - A PKCS12 file containing a cert
  (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``)
  with no encryption. The password (used for integrity checking only) is
  ``cryptography``.
* ``pkcs12/cert-rc2-key-3des.p12`` - A PKCS12 file containing a cert
  (``x509/custom/ca/ca.pem``) encrypted with RC2 and key
  (``x509/custom/ca/ca_key.pem``) encrypted via 3DES with the password
  ``cryptography``.
* ``pkcs12/no-password.p12`` - A PKCS12 file containing a cert
  (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) with no
  encryption and no password.
* ``pkcs12/no-cert-key-aes256cbc.p12`` - A PKCS12 file containing a key
  (``x509/custom/ca/ca_key.pem``) encrypted via AES 256 CBC with the
  password ``cryptography`` and no certificate.
* ``pkcs12/cert-aes256cbc-no-key.p12`` - A PKCS12 file containing a cert
  (``x509/custom/ca/ca.pem``) encrypted via AES 256 CBC with the
  password ``cryptography`` and no private key.

Hashes
~~~~~~

* MD5 from :rfc:`1321`.
* RIPEMD160 from the `RIPEMD website`_.
* SHA1 from `NIST CAVP`_.
* SHA2 (224, 256, 384, 512, 512/224, 512/256) from `NIST CAVP`_.
* SHA3 (224, 256, 384, 512) from `NIST CAVP`_.
* SHAKE (128, 256) from `NIST CAVP`_.
* Blake2s and Blake2b from OpenSSL `test/evptests.txt`_.

HMAC
~~~~

* HMAC-MD5 from :rfc:`2202`.
* HMAC-SHA1 from :rfc:`2202`.
* HMAC-RIPEMD160 from :rfc:`2286`.
* HMAC-SHA2 (224, 256, 384, 512) from :rfc:`4231`.

Key derivation functions
~~~~~~~~~~~~~~~~~~~~~~~~

* HKDF (SHA1, SHA256) from :rfc:`5869`.
* PBKDF2 (HMAC-SHA1) from :rfc:`6070`.
* scrypt from the `draft RFC`_.
* X9.63 KDF from `NIST CAVP`_.
* SP 800-108 Counter Mode KDF (HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
  HMAC-SHA384, HMAC-SHA512) from `NIST CAVP`_.

Key wrapping
~~~~~~~~~~~~

* AES key wrap (AESKW) and 3DES key wrap test vectors from `NIST CAVP`_.
* AES key wrap with padding vectors from `Botan's key wrap vectors`_.

Recipes
~~~~~~~

* Fernet from its `specification repository`_.

Symmetric ciphers
~~~~~~~~~~~~~~~~~

* AES (CBC, CFB, ECB, GCM, OFB, CCM) from `NIST CAVP`_.
* AES CTR from :rfc:`3686`.
* 3DES (CBC, CFB, ECB, OFB) from `NIST CAVP`_.
* ARC4 (KEY-LENGTH: 40, 56, 64, 80, 128, 192, 256) from :rfc:`6229`.
* ARC4 (KEY-LENGTH: 160) generated by this project.
  See: :doc:`/development/custom-vectors/arc4`
* Blowfish (CBC, CFB, ECB, OFB) from `Bruce Schneier's vectors`_.
* Camellia (ECB) from NTT's `Camellia page`_ as linked by `CRYPTREC`_.
* Camellia (CBC, CFB, OFB) from `OpenSSL's test vectors`_.
* CAST5 (ECB) from :rfc:`2144`.
* CAST5 (CBC, CFB, OFB) generated by this project.
  See: :doc:`/development/custom-vectors/cast5`
* ChaCha20 from :rfc:`7539`.
* ChaCha20Poly1305 from :rfc:`7539`, `OpenSSL's evpciph.txt`_, and the
  `BoringSSL ChaCha20Poly1305 tests`_.
* IDEA (ECB) from the `NESSIE IDEA vectors`_ created by `NESSIE`_.
* IDEA (CBC, CFB, OFB) generated by this project.
  See: :doc:`/development/custom-vectors/idea`
* SEED (ECB) from :rfc:`4269`.
* SEED (CBC) from :rfc:`4196`.
* SEED (CFB, OFB) generated by this project.
  See: :doc:`/development/custom-vectors/seed`

Two factor authentication
~~~~~~~~~~~~~~~~~~~~~~~~~

* HOTP from :rfc:`4226`
* TOTP from :rfc:`6238` (Note that an `errata`_ for the test vectors in RFC
  6238 exists)

CMAC
~~~~

* AES-128, AES-192, AES-256, 3DES from `NIST SP-800-38B`_

Creating test vectors
---------------------

When official vectors are unavailable ``cryptography`` may choose to build
its own using existing vectors as source material.

Created Vectors
~~~~~~~~~~~~~~~

.. toctree::
    :maxdepth: 1

    custom-vectors/arc4
    custom-vectors/cast5
    custom-vectors/idea
    custom-vectors/seed
    custom-vectors/hkdf


If official test vectors appear in the future the custom generated vectors
should be discarded.

Any vectors generated by this method must also be prefixed with the following
header format (substituting the correct information):

.. code-block:: python

    # CAST5 CBC vectors built for https://github.com/pyca/cryptography
    # Derived from the AESVS MMT test data for CBC
    # Verified against the CommonCrypto and Go crypto packages
    # Key Length : 128

.. _`NIST`: https://www.nist.gov/
.. _`IETF`: https://www.ietf.org/
.. _`Project Wycheproof`: https://github.com/google/wycheproof
.. _`NIST CAVP`: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program
.. _`Bruce Schneier's vectors`: https://www.schneier.com/code/vectors.txt
.. _`Camellia page`: https://info.isl.ntt.co.jp/crypt/eng/camellia/
.. _`CRYPTREC`: https://www.cryptrec.go.jp
.. _`OpenSSL's test vectors`: https://github.com/openssl/openssl/blob/97cf1f6c2854a3a955fd7dd3a1f113deba00c9ef/crypto/evp/evptests.txt#L232
.. _`OpenSSL's evpciph.txt`: https://github.com/openssl/openssl/blob/5a7bc0be97dee9ac715897fe8180a08e211bc6ea/test/evpciph.txt#L2362
.. _`BoringSSL ChaCha20Poly1305 tests`: https://boringssl.googlesource.com/boringssl/+/2e2a226ac9201ac411a84b5e79ac3a7333d8e1c9/crypto/cipher_extra/test/chacha20_poly1305_tests.txt
.. _`BoringSSL evp tests`: https://boringssl.googlesource.com/boringssl/+/ce3773f9fe25c3b54390bc51d72572f251c7d7e6/crypto/evp/evp_tests.txt
.. _`RIPEMD website`: https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
.. _`draft RFC`: https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01
.. _`Specification repository`: https://github.com/fernet/spec
.. _`errata`: https://www.rfc-editor.org/errata_search.php?rfc=6238
.. _`OpenSSL example key`: https://github.com/openssl/openssl/blob/d02b48c63a58ea4367a0e905979f140b7d090f86/test/testrsa.pem
.. _`GnuTLS key parsing tests`: https://gitlab.com/gnutls/gnutls/commit/f16ef39ef0303b02d7fa590a37820440c466ce8d
.. _`enc-rsa-pkcs8.pem`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs8-decode/encpkcs8.pem
.. _`enc2-rsa-pkcs8.pem`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs8-decode/enc2pkcs8.pem
.. _`unenc-rsa-pkcs8.pem`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs8-decode/unencpkcs8.pem
.. _`pkcs12_s2k_pem.c`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs12_s2k_pem.c
.. _`Botan's ECC private keys`: https://github.com/randombit/botan/tree/4917f26a2b154e841cd27c1bcecdd41d2bdeb6ce/src/tests/data/ecc
.. _`GnuTLS example keys`: https://gitlab.com/gnutls/gnutls/commit/ad2061deafdd7db78fd405f9d143b0a7c579da7b
.. _`NESSIE IDEA vectors`: https://www.cosic.esat.kuleuven.be/nessie/testvectors/bc/idea/Idea-128-64.verified.test-vectors
.. _`NESSIE`: https://en.wikipedia.org/wiki/NESSIE
.. _`Ed25519 website`: https://ed25519.cr.yp.to/software.html
.. _`NIST SP-800-38B`: https://csrc.nist.gov/publications/detail/sp/800-38b/archive/2005-05-01
.. _`NIST PKI Testing`: https://csrc.nist.gov/Projects/PKI-Testing
.. _`testx509.pem`: https://github.com/openssl/openssl/blob/master/test/testx509.pem
.. _`DigiCert Global Root G3`: https://cacerts.digicert.com/DigiCertGlobalRootG3.crt
.. _`root data`: https://hg.mozilla.org/projects/nss/file/25b2922cc564/security/nss/lib/ckfw/builtins/certdata.txt#l2053
.. _`asymmetric/public/PKCS1/dsa.pub.pem`: https://github.com/ruby/ruby/blob/4ccb387f3bc436a08fc6d72c4931994f5de95110/test/openssl/test_pkey_dsa.rb#L53
.. _`Mozilla bug`: https://bugzilla.mozilla.org/show_bug.cgi?id=233586
.. _`Russian CA`: https://e-trust.gosuslugi.ru/MainCA
.. _`test/evptests.txt`: https://github.com/openssl/openssl/blob/2d0b44126763f989a4cbffbffe9d0c7518158bb7/test/evptests.txt
..
_`unknown signature OID`: https://bugzilla.mozilla.org/show_bug.cgi?id=405966 664.. _`botan`: https://github.com/randombit/botan/blob/57789bdfc55061002b2727d0b32587612829a37c/src/tests/data/pubkey/dh.vec 665.. _`DHKE`: https://sandilands.info/sgordon/diffie-hellman-secret-key-exchange-with-openssl 666.. _`Botan's key wrap vectors`: https://github.com/randombit/botan/blob/737f33c09a18500e044dca3e2ae13bd2c08bafdd/src/tests/data/keywrap/nist_key_wrap.vec 667