• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1Test vectors
2============
3
4Testing the correctness of the primitives implemented in each ``cryptography``
5backend requires trusted test vectors. Where possible these vectors are
6obtained from official sources such as `NIST`_ or `IETF`_ RFCs. When this is
7not possible ``cryptography`` has chosen to create a set of custom vectors
8using an official vector file as input to verify consistency between
9implemented backends.
10
11Vectors are kept in the ``cryptography_vectors`` package rather than within our
12main test suite.
13
14Sources
15-------
16
17Project Wycheproof
18~~~~~~~~~~~~~~~~~~
19
20We run vectors from `Project Wycheproof`_ -- a collection of known edge-cases
21for various cryptographic algorithms. These are not included in the repository
22(or ``cryptography_vectors`` package), but rather cloned from Git in our
23continuous integration environments.
24
25We have ensured all test vectors are used as of commit
26``c313761979d74b0417230eddd0f87d0cfab2b46b``.
27
28Asymmetric ciphers
29~~~~~~~~~~~~~~~~~~
30
31* RSA PKCS #1 from the RSA FTP site (ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/
32  and ftp://ftp.rsa.com/pub/rsalabs/tmp/).
33* RSA FIPS 186-2 and PKCS1 v1.5 vulnerability test vectors from `NIST CAVP`_.
34* FIPS 186-2 and FIPS 186-3 DSA test vectors from `NIST CAVP`_.
35* FIPS 186-2 and FIPS 186-3 ECDSA test vectors from `NIST CAVP`_.
36* DH and ECDH and ECDH+KDF(17.4) test vectors from `NIST CAVP`_.
37* Ed25519 test vectors from the `Ed25519 website_`.
38* OpenSSL PEM RSA serialization vectors from the `OpenSSL example key`_ and
39  `GnuTLS key parsing tests`_.
40* OpenSSL PEM DSA serialization vectors from the `GnuTLS example keys`_.
41* PKCS #8 PEM serialization vectors from
42
43  * GnuTLS: `enc-rsa-pkcs8.pem`_, `enc2-rsa-pkcs8.pem`_,
44    `unenc-rsa-pkcs8.pem`_, `pkcs12_s2k_pem.c`_. The encoding error in
45    `unenc-rsa-pkcs8.pem`_ was fixed, and the contents of `enc-rsa-pkcs8.pem`_
46    was re-encrypted to include it. The contents of `enc2-rsa-pkcs8.pem`_
47    was re-encrypted using a stronger PKCS#8 cipher.
48  * `Botan's ECC private keys`_.
49* `asymmetric/public/PKCS1/dsa.pub.pem`_ is a PKCS1 DSA public key from the
50  Ruby test suite.
51* X25519 and X448 test vectors from :rfc:`7748`.
52* RSA OAEP with custom label from the `BoringSSL evp tests`_.
53* Ed448 test vectors from :rfc:`8032`.
54
55
56Custom asymmetric vectors
57~~~~~~~~~~~~~~~~~~~~~~~~~
58
59.. toctree::
60    :maxdepth: 1
61
62    custom-vectors/secp256k1
63    custom-vectors/rsa-oaep-sha2
64
65* ``asymmetric/PEM_Serialization/ec_private_key.pem`` and
66  ``asymmetric/DER_Serialization/ec_private_key.der`` - Contains an Elliptic
67  Curve key generated by OpenSSL from the curve ``secp256r1``.
68* ``asymmetric/PEM_Serialization/ec_private_key_encrypted.pem`` and
69  ``asymmetric/DER_Serialization/ec_private_key_encrypted.der``- Contains the
70  same Elliptic Curve key as ``ec_private_key.pem``, except that it is
71  encrypted with AES-128 with the password "123456".
72* ``asymmetric/PEM_Serialization/ec_public_key.pem`` and
73  ``asymmetric/DER_Serialization/ec_public_key.der``- Contains the public key
74  corresponding to ``ec_private_key.pem``, generated using OpenSSL.
75* ``asymmetric/PEM_Serialization/rsa_private_key.pem`` - Contains an RSA 2048
76  bit key generated using OpenSSL, protected by the secret "123456" with DES3
77  encryption.
78* ``asymmetric/PEM_Serialization/rsa_public_key.pem`` and
79  ``asymmetric/DER_Serialization/rsa_public_key.der``- Contains an RSA 2048
80  bit public generated using OpenSSL from ``rsa_private_key.pem``.
81* ``asymmetric/PEM_Serialization/dsaparam.pem`` - Contains 2048-bit DSA
82  parameters generated using OpenSSL; contains no keys.
83* ``asymmetric/PEM_Serialization/dsa_private_key.pem`` - Contains a DSA 2048
84  bit key generated using OpenSSL from the parameters in ``dsaparam.pem``,
85  protected by the secret "123456" with DES3 encryption.
86* ``asymmetric/PEM_Serialization/dsa_public_key.pem`` and
87  ``asymmetric/DER_Serialization/dsa_public_key.der`` - Contains a DSA 2048 bit
88  key generated using OpenSSL from ``dsa_private_key.pem``.
89* ``asymmetric/PKCS8/unenc-dsa-pkcs8.pem`` and
90  ``asymmetric/DER_Serialization/unenc-dsa-pkcs8.der`` - Contains a DSA 1024
91  bit key generated using OpenSSL.
92* ``asymmetric/PKCS8/unenc-dsa-pkcs8.pub.pem`` and
93  ``asymmetric/DER_Serialization/unenc-dsa-pkcs8.pub.der`` - Contains a DSA
94  2048 bit public key generated using OpenSSL from ``unenc-dsa-pkcs8.pem``.
95* DER conversions of the `GnuTLS example keys`_ for DSA as well as the
96  `OpenSSL example key`_ for RSA.
97* DER conversions of `enc-rsa-pkcs8.pem`_, `enc2-rsa-pkcs8.pem`_, and
98  `unenc-rsa-pkcs8.pem`_.
99* ``asymmetric/public/PKCS1/rsa.pub.pem`` and
100  ``asymmetric/public/PKCS1/rsa.pub.der`` are PKCS1 conversions of the public
101  key from ``asymmetric/PKCS8/unenc-rsa-pkcs8.pem`` using PEM and DER encoding.
102* ``x509/custom/ca/ca_key.pem`` - An unencrypted PCKS8 ``secp256r1`` key. It is
103  the private key for the certificate ``x509/custom/ca/ca.pem``. This key is
104  encoded in several of the PKCS12 custom vectors.
105* ``asymmetric/EC/compressed_points.txt`` - Contains compressed public points
106  generated using OpenSSL.
107* ``asymmetric/X448/x448-pkcs8-enc.pem`` and
108  ``asymmetric/X448/x448-pkcs8-enc.der`` contain an X448 key encrypted with
109  AES 256 CBC with the password ``password``.
110* ``asymmetric/X448/x448-pkcs8.pem`` and ``asymmetric/X448/x448-pkcs8.der``
111  contain an unencrypted X448 key.
112* ``asymmetric/X448/x448-pub.pem`` and ``asymmetric/X448/x448-pub.der`` contain
113  an X448 public key.
114* ``asymmetric/X25519/x25519-pkcs8-enc.pem`` and
115  ``asymmetric/X25519/x25519-pkcs8-enc.der`` contain an X25519 key encrypted
116  with AES 256 CBC with the password ``password``.
117* ``asymmetric/X25519/x25519-pkcs8.pem`` and
118  ``asymmetric/X25519/x25519-pkcs8.der`` contain an unencrypted X25519 key.
119* ``asymmetric/X25519/x25519-pub.pem`` and ``asymmetric/X25519/x25519-pub.der``
120  contain an X25519 public key.
121
122
123Key exchange
124~~~~~~~~~~~~
125
126* ``vectors/cryptography_vectors/asymmetric/DH/rfc3526.txt`` contains
127  several standardized Diffie-Hellman groups from :rfc:`3526`.
128
129* ``vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt`` contains
130  Diffie-Hellman examples from appendix A.1, A.2 and A.3 of :rfc:`5114`.
131
132* ``vectors/cryptography_vectors/asymmetric/DH/vec.txt`` contains
133  Diffie-Hellman examples from `botan`_.
134
135* ``vectors/cryptography_vectors/asymmetric/DH/bad_exchange.txt`` contains
136  Diffie-Hellman vector pairs that were generated using OpenSSL
137  ``DH_generate_parameters_ex`` and ``DH_generate_key``.
138
139* ``vectors/cryptography_vectors/asymmetric/DH/dhp.pem``,
140  ``vectors/cryptography_vectors/asymmetric/DH/dhkey.pem`` and
141  ``vectors/cryptography_vectors/asymmetric/DH/dhpub.pem`` contains
142  Diffie-Hellman parameters and key respectively. The keys were
143  generated using OpenSSL following `DHKE`_ guide.
144  ``vectors/cryptography_vectors/asymmetric/DH/dhkey.txt`` contains
145  all parameter in text.
146  ``vectors/cryptography_vectors/asymmetric/DH/dhp.der``,
147  ``vectors/cryptography_vectors/asymmetric/DH/dhkey.der`` and
148  ``vectors/cryptography_vectors/asymmetric/DH/dhpub.der`` contains
149  are the above parameters and keys in DER format.
150
151* ``vectors/cryptography_vectors/asymmetric/DH/dhp_rfc5114_2.pem``,
152  ``vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.pem`` and
153  ``vectors/cryptography_vectors/asymmetric/DH/dhpub_rfc5114_2.pem`` contains
154  Diffie-Hellman parameters and key respectively. The keys were
155  generated using OpenSSL following `DHKE`_ guide. When creating the
156  parameters we added the `-pkeyopt dh_rfc5114:2` option to use
157  :rfc:`5114` 2048 bit DH parameters with 224 bit subgroup.
158  ``vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.txt`` contains
159  all parameter in text.
160  ``vectors/cryptography_vectors/asymmetric/DH/dhp_rfc5114_2.der``,
161  ``vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.der`` and
162  ``vectors/cryptography_vectors/asymmetric/DH/dhpub_rfc5114_2.der`` contains
163  are the above parameters and keys in DER format.
164
165* ``vectors/cryptoraphy_vectors/asymmetric/ECDH/brainpool.txt`` contains
166  Brainpool vectors from :rfc:`7027`.
167
168X.509
169~~~~~
170
171* PKITS test suite from `NIST PKI Testing`_.
172* ``v1_cert.pem`` from the OpenSSL source tree (`testx509.pem`_).
173* ``ecdsa_root.pem`` - `DigiCert Global Root G3`_, a ``secp384r1`` ECDSA root
174  certificate.
175* ``verisign-md2-root.pem`` - A legacy Verisign public root signed using the
176  MD2 algorithm. This is a PEM conversion of the `root data`_ in the NSS source
177  tree.
178* ``cryptography.io.pem`` - A leaf certificate issued by RapidSSL for the
179  cryptography website.
180* ``rapidssl_sha256_ca_g3.pem`` - The intermediate CA that issued the
181  ``cryptography.io.pem`` certificate.
182* ``cryptography.io.precert.pem`` - A pre-certificate with the CT poison
183  extension for the cryptography website.
184* ``cryptography-scts.io.pem`` - A leaf certificate issued by Let's Encrypt for
185  the cryptography website which contains signed certificate timestamps.
186* ``wildcard_san.pem`` - A leaf certificate issued by a public CA for
187  ``langui.sh`` that contains wildcard entries in the SAN extension.
188* ``san_edipartyname.der`` - A DSA certificate from a `Mozilla bug`_
189  containing a SAN extension with an ``ediPartyName`` general name.
190* ``san_x400address.der`` - A DSA certificate from a `Mozilla bug`_ containing
191  a SAN extension with an ``x400Address`` general name.
192* ``department-of-state-root.pem`` - The intermediary CA for the Department of
193  State, issued by the United States Federal Government's Common Policy CA.
194  Notably has a ``critical`` policy constraints extensions.
195* ``e-trust.ru.der`` - A certificate from a `Russian CA`_ signed using the GOST
196  cipher and containing numerous unusual encodings such as NUMERICSTRING in
197  the subject DN.
198* ``alternate-rsa-sha1-oid.pem`` - A certificate from an
199  `unknown signature OID`_ Mozilla bug that uses an alternate signature OID for
200  RSA with SHA1.
201* ``badssl-sct.pem`` - A certificate with the certificate transparency signed
202  certificate timestamp extension.
203* ``bigoid.pem`` - A certificate with a rather long OID in the
204  Certificate Policies extension.  We need to make sure we can parse
205  long OIDs.
206* ``wosign-bc-invalid.pem`` - A certificate issued by WoSign that contains
207  a basic constraints extension with CA set to false and a path length of zero
208  in violation of :rfc:`5280`.
209* ``tls-feature-ocsp-staple.pem`` - A certificate issued by Let's Encrypt that
210  contains a TLS Feature extension with the ``status_request`` feature
211  (commonly known as OCSP Must-Staple).
212* ``unique-identifier.pem`` - A certificate containing
213  a distinguished name with an ``x500UniqueIdentifier``.
214* ``utf8-dnsname.pem`` - A certificate containing non-ASCII characters in the
215  DNS name entries of the SAN extension.
216* ``badasn1time.pem`` - A certificate containing an incorrectly specified
217  UTCTime in its validity->not_after.
218* ``letsencryptx3.pem`` - A subordinate certificate used by Let's Encrypt to
219  issue end entity certificates.
220
221Custom X.509 Vectors
222~~~~~~~~~~~~~~~~~~~~
223
224* ``invalid_version.pem`` - Contains an RSA 2048 bit certificate with the
225  X.509 version field set to ``0x7``.
226* ``post2000utctime.pem`` - Contains an RSA 2048 bit certificate with the
227  ``notBefore`` and ``notAfter`` fields encoded as post-2000 ``UTCTime``.
228* ``dsa_selfsigned_ca.pem`` - Contains a DSA self-signed CA certificate
229  generated using OpenSSL.
230* ``ec_no_named_curve.pem`` - Contains an ECDSA certificate that does not have
231  an embedded OID defining the curve.
232* ``all_supported_names.pem`` - An RSA 2048 bit certificate generated using
233  OpenSSL that contains a subject and issuer that have two of each supported
234  attribute type from :rfc:`5280`.
235* ``unsupported_subject_name.pem`` - An RSA 2048 bit self-signed CA certificate
236  generated using OpenSSL that contains the unsupported "initials" name.
237* ``utf8_common_name.pem`` - An RSA 2048 bit self-signed CA certificate
238  generated using OpenSSL that contains a UTF8String common name with the value
239  "We heart UTF8!™".
240* ``two_basic_constraints.pem`` - An RSA 2048 bit self-signed certificate
241  containing two basic constraints extensions.
242* ``basic_constraints_not_critical.pem`` - An RSA 2048 bit self-signed
243  certificate containing a basic constraints extension that is not marked as
244  critical.
245* ``bc_path_length_zero.pem`` - An RSA 2048 bit self-signed
246  certificate containing a basic constraints extension with a path length of
247  zero.
248* ``unsupported_extension.pem`` - An RSA 2048 bit self-signed certificate
249  containing an unsupported extension type. The OID was encoded as
250  "1.2.3.4" with an ``extnValue`` of "value".
251* ``unsupported_extension_2.pem`` - A ``secp256r1`` certificate
252  containing two unsupported extensions. The OIDs are ``1.3.6.1.4.1.41482.2``
253  with an ``extnValue`` of ``1.3.6.1.4.1.41482.1.2`` and
254  ``1.3.6.1.4.1.45724.2.1.1`` with an ``extnValue`` of ``\x03\x02\x040``
255* ``unsupported_extension_critical.pem`` - An RSA 2048 bit self-signed
256  certificate containing an unsupported extension type marked critical. The OID
257  was encoded as "1.2.3.4" with an ``extnValue`` of "value".
258* ``san_email_dns_ip_dirname_uri.pem`` - An RSA 2048 bit self-signed
259  certificate containing a subject alternative name extension with the
260  following general names: ``rfc822Name``, ``dNSName``, ``iPAddress``,
261  ``directoryName``, and ``uniformResourceIdentifier``.
262* ``san_empty_hostname.pem`` - An RSA 2048 bit self-signed certificate
263  containing a subject alternative extension with an empty ``dNSName``
264  general name.
265* ``san_other_name.pem`` - An RSA 2048 bit self-signed certificate containing
266  a subject alternative name extension with the ``otherName`` general name.
267* ``san_registered_id.pem`` - An RSA 1024 bit certificate containing a
268  subject alternative name extension with the ``registeredID`` general name.
269* ``all_key_usages.pem`` - An RSA 2048 bit self-signed certificate containing
270  a key usage extension with all nine purposes set to true.
271* ``extended_key_usage.pem`` - An RSA 2048 bit self-signed certificate
272  containing an extended key usage extension with eight usages.
273* ``san_idna_names.pem`` - An RSA 2048 bit self-signed certificate containing
274  a subject alternative name extension with ``rfc822Name``, ``dNSName``, and
275  ``uniformResourceIdentifier`` general names with IDNA (:rfc:`5895`) encoding.
276* ``san_wildcard_idna.pem`` - An RSA 2048 bit self-signed certificate
277  containing a subject alternative name extension with a ``dNSName`` general
278  name with a wildcard IDNA (:rfc:`5895`) domain.
279* ``san_idna2003_dnsname.pem`` - An RSA 2048 bit self-signed certificate
280  containing a subject alternative name extension with an IDNA 2003
281  (:rfc:`3490`) ``dNSName``.
282* ``san_rfc822_names.pem`` - An RSA 2048 bit self-signed certificate containing
283  a subject alternative name extension with various ``rfc822Name`` values.
284* ``san_rfc822_idna.pem`` - An RSA 2048 bit self-signed certificate containing
285  a subject alternative name extension with an IDNA ``rfc822Name``.
286* ``san_uri_with_port.pem`` - An RSA 2048 bit self-signed certificate
287  containing a subject alternative name extension with various
288  ``uniformResourceIdentifier`` values.
289* ``san_ipaddr.pem`` - An RSA 2048 bit self-signed certificate containing a
290  subject alternative name extension with an ``iPAddress`` value.
291* ``san_dirname.pem`` - An RSA 2048 bit self-signed certificate containing a
292  subject alternative name extension with a ``directoryName`` value.
293* ``inhibit_any_policy_5.pem`` - An RSA 2048 bit self-signed certificate
294  containing an inhibit any policy extension with the value 5.
295* ``inhibit_any_policy_negative.pem`` - An RSA 2048 bit self-signed certificate
296  containing an inhibit any policy extension with the value -1.
297* ``authority_key_identifier.pem`` - An RSA 2048 bit self-signed certificate
298  containing an authority key identifier extension with key identifier,
299  authority certificate issuer, and authority certificate serial number fields.
300* ``authority_key_identifier_no_keyid.pem`` - An RSA 2048 bit self-signed
301  certificate containing an authority key identifier extension with authority
302  certificate issuer and authority certificate serial number fields.
303* ``aia_ocsp_ca_issuers.pem`` - An RSA 2048 bit self-signed certificate
304  containing an authority information access extension with two OCSP and one
305  CA issuers entry.
306* ``aia_ocsp.pem`` - An RSA 2048 bit self-signed certificate
307  containing an authority information access extension with an OCSP entry.
308* ``aia_ca_issuers.pem`` - An RSA 2048 bit self-signed certificate
309  containing an authority information access extension with a CA issuers entry.
310* ``cdp_empty_hostname.pem`` - An RSA 2048 bit self-signed certificate
311  containing a CRL distribution point extension with ``fullName`` URI without
312  a hostname.
313* ``cdp_fullname_reasons_crl_issuer.pem`` - An RSA 1024 bit certificate
314  containing a CRL distribution points extension with ``fullName``,
315  ``cRLIssuer``, and ``reasons`` data.
316* ``cdp_crl_issuer.pem`` - An RSA 1024 bit certificate containing a CRL
317  distribution points extension with ``cRLIssuer`` data.
318* ``cdp_all_reasons.pem`` - An RSA 1024 bit certificate containing a CRL
319  distribution points extension with all ``reasons`` bits set.
320* ``cdp_reason_aa_compromise.pem`` - An RSA 1024 bit certificate containing a
321  CRL distribution points extension with the ``AACompromise`` ``reasons`` bit
322  set.
323* ``nc_permitted_excluded.pem`` - An RSA 2048 bit self-signed certificate
324  containing a name constraints extension with both permitted and excluded
325  elements. Contains ``IPv4`` and ``IPv6`` addresses with network mask as well
326  as ``dNSName`` with a leading period.
327* ``nc_permitted_excluded_2.pem`` - An RSA 2048 bit self-signed certificate
328  containing a name constraints extension with both permitted and excluded
329  elements. Unlike ``nc_permitted_excluded.pem``, the general names do not
330  contain any name constraints specific values.
331* ``nc_permitted.pem`` - An RSA 2048 bit self-signed certificate containing a
332  name constraints extension with permitted elements.
333* ``nc_permitted_2.pem`` - An RSA 2048 bit self-signed certificate containing a
334  name constraints extension with permitted elements that do not contain any
335  name constraints specific values.
336* ``nc_excluded.pem`` - An RSA 2048 bit self-signed certificate containing a
337  name constraints extension with excluded elements.
338* ``nc_invalid_ip_netmask.pem`` - An RSA 2048 bit self-signed certificate
339  containing a name constraints extension with a permitted element that has an
340  ``IPv6`` IP and an invalid network mask.
341* ``nc_single_ip_netmask.pem`` - An RSA 2048 bit self-signed certificate
342  containing a name constraints extension with a permitted element that has two
343  IPs with ``/32`` and ``/128`` network masks.
344* ``cp_user_notice_with_notice_reference.pem`` - An RSA 2048 bit self-signed
345  certificate containing a certificate policies extension with a
346  notice reference in the user notice.
347* ``cp_user_notice_with_explicit_text.pem`` - An RSA 2048 bit self-signed
348  certificate containing a certificate policies extension with explicit
349  text and no notice reference.
350* ``cp_cps_uri.pem`` - An RSA 2048 bit self-signed certificate containing a
351  certificate policies extension with a CPS URI and no user notice.
352* ``cp_user_notice_no_explicit_text.pem`` - An RSA 2048 bit self-signed
353  certificate containing a certificate policies extension with a user notice
354  with no explicit text.
355* ``cp_invalid.pem`` - An RSA 2048 bit self-signed certificate containing a
356  certificate policies extension with invalid data.
357* ``ian_uri.pem`` - An RSA 2048 bit certificate containing an issuer
358  alternative name extension with a ``URI`` general name.
359* ``ocsp_nocheck.pem`` - An RSA 2048 bit self-signed certificate containing
360  an ``OCSPNoCheck`` extension.
361* ``pc_inhibit_require.pem`` - An RSA 2048 bit self-signed certificate
362  containing a policy constraints extension with both inhibit policy mapping
363  and require explicit policy elements.
364* ``pc_inhibit.pem`` - An RSA 2048 bit self-signed certificate containing a
365  policy constraints extension with an inhibit policy mapping element.
366* ``pc_require.pem`` - An RSA 2048 bit self-signed certificate containing a
367  policy constraints extension with a require explicit policy element.
368* ``unsupported_subject_public_key_info.pem`` - A certificate whose public key
369  is an unknown OID (``1.3.6.1.4.1.8432.1.1.2``).
370* ``policy_constraints_explicit.pem`` - A self-signed certificate containing
371  a ``policyConstraints`` extension with a ``requireExplicitPolicy`` value.
372* ``freshestcrl.pem`` - A self-signed certificate containing a ``freshestCRL``
373  extension.
374* ``ca/ca.pem`` - A self-signed certificate with ``basicConstraints`` set to
375  true. Its private key is ``ca/ca_key.pem``. This certificate is encoded in
376  several of the PKCS12 custom vectors.
377
378Custom X.509 Request Vectors
379~~~~~~~~~~~~~~~~~~~~~~~~~~~~
380
381* ``dsa_sha1.pem`` and ``dsa_sha1.der`` - Contain a certificate request using
382  1024-bit DSA parameters and SHA1 generated using OpenSSL.
383* ``rsa_md4.pem`` and ``rsa_md4.der`` - Contain a certificate request using
384  2048 bit RSA and MD4 generated using OpenSSL.
385* ``rsa_sha1.pem`` and ``rsa_sha1.der`` - Contain a certificate request using
386  2048 bit RSA and SHA1 generated using OpenSSL.
387* ``rsa_sha256.pem`` and ``rsa_sha256.der`` - Contain a certificate request
388  using 2048 bit RSA and SHA256 generated using OpenSSL.
389* ``ec_sha256.pem`` and ``ec_sha256.der`` - Contain a certificate request
390  using EC (``secp384r1``) and SHA256 generated using OpenSSL.
391* ``san_rsa_sha1.pem`` and ``san_rsa_sha1.der`` - Contain a certificate
392  request using RSA and SHA1 with a subject alternative name extension
393  generated using OpenSSL.
394* ``two_basic_constraints.pem`` - A certificate signing request
395  for an RSA 2048 bit key containing two basic constraints extensions.
396* ``unsupported_extension.pem`` - A certificate signing request
397  for an RSA 2048 bit key containing containing an unsupported
398  extension type. The OID was encoded as "1.2.3.4" with an
399  ``extnValue`` of "value".
400* ``unsupported_extension_critical.pem`` - A certificate signing
401  request for an RSA 2048 bit key containing containing an unsupported
402  extension type marked critical. The OID was encoded as "1.2.3.4"
403  with an ``extnValue`` of "value".
404* ``basic_constraints.pem`` - A certificate signing request for an RSA
405  2048 bit key containing a basic constraints extension marked as
406  critical.
407* ``invalid_signature.pem`` - A certificate signing request for an RSA
408  1024 bit key containing an invalid signature with correct padding.
409
410Custom X.509 Certificate Revocation List Vectors
411~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
412
413* ``crl_all_reasons.pem`` - Contains a CRL with 12 revoked certificates, whose
414  serials match their list position. It includes one revocation without
415  any entry extensions, 10 revocations with every supported reason code and one
416  revocation with an unsupported, non-critical entry extension with the OID
417  value set to "1.2.3.4".
418* ``crl_dup_entry_ext.pem`` - Contains a CRL with one revocation which has a
419  duplicate entry extension.
420* ``crl_md2_unknown_crit_entry_ext.pem`` - Contains a CRL with one revocation
421  which contains an unsupported critical entry extension with the OID value set
422  to "1.2.3.4". The CRL uses an unsupported MD2 signature algorithm.
423* ``crl_unsupported_reason.pem`` - Contains a CRL with one revocation which has
424  an unsupported reason code.
425* ``crl_inval_cert_issuer_entry_ext.pem`` - Contains a CRL with one revocation
426  which has one entry extension for certificate issuer with an empty value.
427* ``crl_empty.pem`` - Contains a CRL with no revoked certificates.
428* ``crl_ian_aia_aki.pem`` - Contains a CRL with ``IssuerAlternativeName``,
429  ``AuthorityInformationAccess``, ``AuthorityKeyIdentifier`` and ``CRLNumber``
430  extensions.
431* ``valid_signature.pem`` - Contains a CRL with the public key which was used
432  to generate it.
433* ``invalid_signature.pem`` - Contains a CRL with the last signature byte
434  incremented by 1 to produce an invalid signature, and the public key which
435  was used to generate it.
436* ``crl_delta_crl_indicator.pem`` - Contains a CRL with the
437  ``DeltaCRLIndicator`` extension.
438* ``crl_idp_fullname_only.pem`` - Contains a CRL with an
439  ``IssuingDistributionPoints`` extension with only a ``fullname`` for the
440  distribution point.
441* ``crl_idp_only_ca.pem`` - Contains a CRL with an
442  ``IssuingDistributionPoints`` extension that is only valid for CA certificate
443  revocation.
444* ``crl_idp_fullname_only_aa.pem`` - Contains a CRL with an
445  ``IssuingDistributionPoints`` extension that sets a ``fullname`` and is only
446  valid for attribute certificate revocation.
447* ``crl_idp_fullname_only_user.pem`` - Contains a CRL with an
448  ``IssuingDistributionPoints`` extension that sets a ``fullname`` and is only
449  valid for user certificate revocation.
450* ``crl_idp_fullname_indirect_crl.pem`` - Contains a CRL with an
451  ``IssuingDistributionPoints`` extension that sets a ``fullname`` and the
452  indirect CRL flag.
453* ``crl_idp_reasons_only.pem`` - Contains a CRL with an
454  ``IssuingDistributionPoints`` extension that is only valid for revocations
455  with the ``keyCompromise`` reason.
456* ``crl_idp_relative_user_all_reasons.pem`` - Contains a CRL with an
457  ``IssuingDistributionPoints`` extension that sets all revocation reasons as
458  allowed.
459* ``crl_idp_relativename_only.pem`` - Contains a CRL with an
460  ``IssuingDistributionPoints`` extension with only a ``relativename`` for
461  the distribution point.
462
463X.509 OCSP Test Vectors
464~~~~~~~~~~~~~~~~~~~~~~~
465* ``x509/ocsp/resp-sha256.der`` - An OCSP response for ``cryptography.io`` with
466  a SHA256 signature.
467* ``x509/ocsp/resp-unauthorized.der`` - An OCSP response with an unauthorized
468  status.
469* ``x509/ocsp/resp-revoked.der`` - An OCSP response for ``revoked.badssl.com``
470  with a revoked status.
471* ``x509/ocsp/resp-delegate-unknown-cert.der`` - An OCSP response for an
472  unknown cert from ``AC Camerafirma``. This response also contains a delegate
473  certificate.
474* ``x509/ocsp/resp-responder-key-hash.der`` - An OCSP response from the
475  ``DigiCert`` OCSP responder that uses a key hash for the responder ID.
476* ``x509/ocsp/resp-revoked-reason.der`` - An OCSP response from the
477  ``QuoVadis`` OCSP responder that contains a revoked certificate with a
478  revocation reason.
479* ``x509/ocsp/resp-revoked-no-next-update.der`` - An OCSP response that
480  contains a revoked certificate and no ``nextUpdate`` value.
481* ``x509/ocsp/resp-invalid-signature-oid.der`` - An OCSP response that was
482  modified to contain an MD2 signature algorithm object identifier.
483
484Custom X.509 OCSP Test Vectors
485~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
486* ``x509/ocsp/req-sha1.der`` - An OCSP request containing a single request and
487  using SHA1 as the hash algorithm.
488* ``x509/ocsp/req-multi-sha1.der`` - An OCSP request containing multiple
489  requests.
490* ``x509/ocsp/req-invalid-hash-alg.der`` - An OCSP request containing an
491  invalid hash algorithm OID.
492* ``x509/ocsp/req-ext-nonce.der`` - An OCSP request containing a nonce
493  extension.
494
495Custom PKCS12 Test Vectors
496~~~~~~~~~~~~~~~~~~~~~~~~~~
497* ``pkcs12/cert-key-aes256cbc.p12`` - A PKCS12 file containing a cert
498  (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``)
499  both encrypted with AES 256 CBC with the password ``cryptography``.
500* ``pkcs12/cert-none-key-none.p12`` - A PKCS12 file containing a cert
501  (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``)
502  with no encryption. The password (used for integrity checking only) is
503  ``cryptography``.
504* ``pkcs12/cert-rc2-key-3des.p12`` - A PKCS12 file containing a cert
505  (``x509/custom/ca/ca.pem``) encrypted with RC2 and key
506  (``x509/custom/ca/ca_key.pem``) encrypted via 3DES with the password
507  ``cryptography``.
508* ``pkcs12/no-password.p12`` - A PKCS12 file containing a cert
509  (``x509/custom/ca/ca.pem``) and key (``x509/custom/ca/ca_key.pem``) with no
510  encryption and no password.
511* ``pkcs12/no-cert-key-aes256cbc.p12`` - A PKCS12 file containing a key
512  (``x509/custom/ca/ca_key.pem``) encrypted via AES 256 CBC with the
513  password ``cryptography`` and no certificate.
514* ``pkcs12/cert-aes256cbc-no-key.p12`` - A PKCS12 file containing a cert
515  (``x509/custom/ca/ca.pem``) encrypted via AES 256 CBC with the
516  password ``cryptography`` and no private key.
517
518Hashes
519~~~~~~
520
521* MD5 from :rfc:`1321`.
522* RIPEMD160 from the `RIPEMD website`_.
523* SHA1 from `NIST CAVP`_.
524* SHA2 (224, 256, 384, 512, 512/224, 512/256) from `NIST CAVP`_.
525* SHA3 (224, 256, 384, 512) from `NIST CAVP`_.
526* SHAKE (128, 256) from `NIST CAVP`_.
527* Blake2s and Blake2b from OpenSSL `test/evptests.txt`_.
528
529HMAC
530~~~~
531
532* HMAC-MD5 from :rfc:`2202`.
533* HMAC-SHA1 from :rfc:`2202`.
534* HMAC-RIPEMD160 from :rfc:`2286`.
535* HMAC-SHA2 (224, 256, 384, 512) from :rfc:`4231`.
536
537Key derivation functions
538~~~~~~~~~~~~~~~~~~~~~~~~
539
540* HKDF (SHA1, SHA256) from :rfc:`5869`.
541* PBKDF2 (HMAC-SHA1) from :rfc:`6070`.
542* scrypt from the `draft RFC`_.
543* X9.63 KDF from `NIST CAVP`_.
544* SP 800-108 Counter Mode KDF (HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
545  HMAC-SHA384, HMAC-SHA512) from `NIST CAVP`_.
546
547Key wrapping
548~~~~~~~~~~~~
549
550* AES key wrap (AESKW) and 3DES key wrap test vectors from `NIST CAVP`_.
551* AES key wrap with padding vectors from `Botan's key wrap vectors`_.
552
553Recipes
554~~~~~~~
555
556* Fernet from its `specification repository`_.
557
558Symmetric ciphers
559~~~~~~~~~~~~~~~~~
560
561* AES (CBC, CFB, ECB, GCM, OFB, CCM) from `NIST CAVP`_.
562* AES CTR from :rfc:`3686`.
563* 3DES (CBC, CFB, ECB, OFB) from `NIST CAVP`_.
564* ARC4 (KEY-LENGTH: 40, 56, 64, 80, 128, 192, 256) from :rfc:`6229`.
565* ARC4 (KEY-LENGTH: 160) generated by this project.
566  See: :doc:`/development/custom-vectors/arc4`
567* Blowfish (CBC, CFB, ECB, OFB) from `Bruce Schneier's vectors`_.
568* Camellia (ECB) from NTT's `Camellia page`_ as linked by `CRYPTREC`_.
569* Camellia (CBC, CFB, OFB) from `OpenSSL's test vectors`_.
570* CAST5 (ECB) from :rfc:`2144`.
571* CAST5 (CBC, CFB, OFB) generated by this project.
572  See: :doc:`/development/custom-vectors/cast5`
573* ChaCha20 from :rfc:`7539`.
574* ChaCha20Poly1305 from :rfc:`7539`, `OpenSSL's evpciph.txt`_, and the
575  `BoringSSL ChaCha20Poly1305 tests`_.
576* IDEA (ECB) from the `NESSIE IDEA vectors`_ created by `NESSIE`_.
577* IDEA (CBC, CFB, OFB) generated by this project.
578  See: :doc:`/development/custom-vectors/idea`
579* SEED (ECB) from :rfc:`4269`.
580* SEED (CBC) from :rfc:`4196`.
581* SEED (CFB, OFB) generated by this project.
582  See: :doc:`/development/custom-vectors/seed`
583
584Two factor authentication
585~~~~~~~~~~~~~~~~~~~~~~~~~
586
587* HOTP from :rfc:`4226`
588* TOTP from :rfc:`6238` (Note that an `errata`_ for the test vectors in RFC
589  6238 exists)
590
591CMAC
592~~~~
593
594* AES-128, AES-192, AES-256, 3DES from `NIST SP-800-38B`_
595
596Creating test vectors
597---------------------
598
599When official vectors are unavailable ``cryptography`` may choose to build
600its own using existing vectors as source material.
601
602Created Vectors
603~~~~~~~~~~~~~~~
604
605.. toctree::
606    :maxdepth: 1
607
608    custom-vectors/arc4
609    custom-vectors/cast5
610    custom-vectors/idea
611    custom-vectors/seed
612    custom-vectors/hkdf
613
614
615If official test vectors appear in the future the custom generated vectors
616should be discarded.
617
618Any vectors generated by this method must also be prefixed with the following
619header format (substituting the correct information):
620
621.. code-block:: python
622
623    # CAST5 CBC vectors built for https://github.com/pyca/cryptography
624    # Derived from the AESVS MMT test data for CBC
625    # Verified against the CommonCrypto and Go crypto packages
626    # Key Length : 128
627
628.. _`NIST`: https://www.nist.gov/
629.. _`IETF`: https://www.ietf.org/
630.. _`Project Wycheproof`: https://github.com/google/wycheproof
631.. _`NIST CAVP`: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program
632.. _`Bruce Schneier's vectors`: https://www.schneier.com/code/vectors.txt
633.. _`Camellia page`: https://info.isl.ntt.co.jp/crypt/eng/camellia/
634.. _`CRYPTREC`: https://www.cryptrec.go.jp
635.. _`OpenSSL's test vectors`: https://github.com/openssl/openssl/blob/97cf1f6c2854a3a955fd7dd3a1f113deba00c9ef/crypto/evp/evptests.txt#L232
636.. _`OpenSSL's evpciph.txt`: https://github.com/openssl/openssl/blob/5a7bc0be97dee9ac715897fe8180a08e211bc6ea/test/evpciph.txt#L2362
637.. _`BoringSSL ChaCha20Poly1305 tests`: https://boringssl.googlesource.com/boringssl/+/2e2a226ac9201ac411a84b5e79ac3a7333d8e1c9/crypto/cipher_extra/test/chacha20_poly1305_tests.txt
638.. _`BoringSSL evp tests`: https://boringssl.googlesource.com/boringssl/+/ce3773f9fe25c3b54390bc51d72572f251c7d7e6/crypto/evp/evp_tests.txt
639.. _`RIPEMD website`: https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
640.. _`draft RFC`: https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01
641.. _`Specification repository`: https://github.com/fernet/spec
642.. _`errata`: https://www.rfc-editor.org/errata_search.php?rfc=6238
643.. _`OpenSSL example key`: https://github.com/openssl/openssl/blob/d02b48c63a58ea4367a0e905979f140b7d090f86/test/testrsa.pem
644.. _`GnuTLS key parsing tests`: https://gitlab.com/gnutls/gnutls/commit/f16ef39ef0303b02d7fa590a37820440c466ce8d
645.. _`enc-rsa-pkcs8.pem`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs8-decode/encpkcs8.pem
646.. _`enc2-rsa-pkcs8.pem`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs8-decode/enc2pkcs8.pem
647.. _`unenc-rsa-pkcs8.pem`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs8-decode/unencpkcs8.pem
648.. _`pkcs12_s2k_pem.c`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs12_s2k_pem.c
649.. _`Botan's ECC private keys`: https://github.com/randombit/botan/tree/4917f26a2b154e841cd27c1bcecdd41d2bdeb6ce/src/tests/data/ecc
650.. _`GnuTLS example keys`: https://gitlab.com/gnutls/gnutls/commit/ad2061deafdd7db78fd405f9d143b0a7c579da7b
651.. _`NESSIE IDEA vectors`: https://www.cosic.esat.kuleuven.be/nessie/testvectors/bc/idea/Idea-128-64.verified.test-vectors
652.. _`NESSIE`: https://en.wikipedia.org/wiki/NESSIE
653.. _`Ed25519 website`: https://ed25519.cr.yp.to/software.html
654.. _`NIST SP-800-38B`: https://csrc.nist.gov/publications/detail/sp/800-38b/archive/2005-05-01
655.. _`NIST PKI Testing`: https://csrc.nist.gov/Projects/PKI-Testing
656.. _`testx509.pem`: https://github.com/openssl/openssl/blob/master/test/testx509.pem
657.. _`DigiCert Global Root G3`: https://cacerts.digicert.com/DigiCertGlobalRootG3.crt
658.. _`root data`: https://hg.mozilla.org/projects/nss/file/25b2922cc564/security/nss/lib/ckfw/builtins/certdata.txt#l2053
659.. _`asymmetric/public/PKCS1/dsa.pub.pem`: https://github.com/ruby/ruby/blob/4ccb387f3bc436a08fc6d72c4931994f5de95110/test/openssl/test_pkey_dsa.rb#L53
660.. _`Mozilla bug`: https://bugzilla.mozilla.org/show_bug.cgi?id=233586
661.. _`Russian CA`: https://e-trust.gosuslugi.ru/MainCA
662.. _`test/evptests.txt`: https://github.com/openssl/openssl/blob/2d0b44126763f989a4cbffbffe9d0c7518158bb7/test/evptests.txt
663.. _`unknown signature OID`: https://bugzilla.mozilla.org/show_bug.cgi?id=405966
664.. _`botan`: https://github.com/randombit/botan/blob/57789bdfc55061002b2727d0b32587612829a37c/src/tests/data/pubkey/dh.vec
665.. _`DHKE`: https://sandilands.info/sgordon/diffie-hellman-secret-key-exchange-with-openssl
666.. _`Botan's key wrap vectors`: https://github.com/randombit/botan/blob/737f33c09a18500e044dca3e2ae13bd2c08bafdd/src/tests/data/keywrap/nist_key_wrap.vec
667