diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 3e951356854d..479287db4cff 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -276,11 +276,9 @@ def mldsa_supported(self) -> bool: return rust_openssl.CRYPTOGRAPHY_IS_AWSLC def ed25519_supported(self) -> bool: - return not self._fips_enabled + return True def ed448_supported(self) -> bool: - if self._fips_enabled: - return False return ( not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL diff --git a/src/cryptography/hazmat/primitives/asymmetric/ed25519.py b/src/cryptography/hazmat/primitives/asymmetric/ed25519.py index b5508e7b34d6..70aec5b10217 100644 --- a/src/cryptography/hazmat/primitives/asymmetric/ed25519.py +++ b/src/cryptography/hazmat/primitives/asymmetric/ed25519.py @@ -6,7 +6,6 @@ import abc -from cryptography.exceptions import UnsupportedAlgorithm, _Reasons from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import _serialization from cryptography.utils import Buffer @@ -15,14 +14,6 @@ class Ed25519PublicKey(metaclass=abc.ABCMeta): @classmethod def from_public_bytes(cls, data: bytes) -> Ed25519PublicKey: - from cryptography.hazmat.backends.openssl.backend import backend - - if not backend.ed25519_supported(): - raise UnsupportedAlgorithm( - "ed25519 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, - ) - return rust_openssl.ed25519.from_public_bytes(data) @abc.abstractmethod @@ -73,26 +64,10 @@ def __deepcopy__(self, memo: dict) -> Ed25519PublicKey: class Ed25519PrivateKey(metaclass=abc.ABCMeta): @classmethod def generate(cls) -> Ed25519PrivateKey: - from cryptography.hazmat.backends.openssl.backend import backend - - if not backend.ed25519_supported(): - raise UnsupportedAlgorithm( - "ed25519 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, - ) - return rust_openssl.ed25519.generate_key() @classmethod def from_private_bytes(cls, data: Buffer) -> Ed25519PrivateKey: - from cryptography.hazmat.backends.openssl.backend import backend - - if not backend.ed25519_supported(): - raise UnsupportedAlgorithm( - "ed25519 is not supported by this version of OpenSSL.", - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM, - ) - return rust_openssl.ed25519.from_private_bytes(data) @abc.abstractmethod diff --git a/tests/hazmat/primitives/test_ed25519.py b/tests/hazmat/primitives/test_ed25519.py index 18ad9792373d..e14a4ac773e3 100644 --- a/tests/hazmat/primitives/test_ed25519.py +++ b/tests/hazmat/primitives/test_ed25519.py @@ -10,7 +10,7 @@ import pytest -from cryptography.exceptions import InvalidSignature, _Reasons +from cryptography.exceptions import InvalidSignature from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric.ed25519 import ( Ed25519PrivateKey, @@ -18,7 +18,7 @@ ) from ...doubles import DummyKeySerializationEncryption -from ...utils import load_vectors_from_file, raises_unsupported_algorithm +from ...utils import load_vectors_from_file def load_ed25519_vectors(vector_data): @@ -45,31 +45,10 @@ def load_ed25519_vectors(vector_data): return data -@pytest.mark.supported( - only_if=lambda backend: not backend.ed25519_supported(), - skip_message="Requires OpenSSL without Ed25519 support", -) -def test_ed25519_unsupported(backend): - with raises_unsupported_algorithm( - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM - ): - Ed25519PublicKey.from_public_bytes(b"0" * 32) - - with raises_unsupported_algorithm( - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM - ): - Ed25519PrivateKey.from_private_bytes(b"0" * 32) - - with raises_unsupported_algorithm( - _Reasons.UNSUPPORTED_PUBLIC_KEY_ALGORITHM - ): - Ed25519PrivateKey.generate() +def test_ed25519_always_supported(backend): + assert backend.ed25519_supported() -@pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", -) class TestEd25519Signing: def test_sign_verify_input(self, backend, subtests): vectors = load_vectors_from_file( @@ -292,10 +271,6 @@ def test_buffer_protocol(self, backend): ) -@pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", -) def test_public_key_equality(backend): key_bytes = load_vectors_from_file( os.path.join("asymmetric", "Ed25519", "ed25519-pkcs8.der"), @@ -313,10 +288,6 @@ def test_public_key_equality(backend): key1 < key2 # type: ignore[operator] -@pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", -) def test_public_key_copy(backend): key_bytes = load_vectors_from_file( os.path.join("asymmetric", "Ed25519", "ed25519-pkcs8.der"), @@ -329,10 +300,6 @@ def test_public_key_copy(backend): assert key1 == key2 -@pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", -) def test_public_key_deepcopy(backend): key_bytes = load_vectors_from_file( os.path.join("asymmetric", "Ed25519", "ed25519-pkcs8.der"), @@ -345,10 +312,6 @@ def test_public_key_deepcopy(backend): assert key1 == key2 -@pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", -) def test_private_key_copy(backend): key_bytes = load_vectors_from_file( os.path.join("asymmetric", "Ed25519", "ed25519-pkcs8.der"), @@ -361,10 +324,6 @@ def test_private_key_copy(backend): assert key1 == key2 -@pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", -) def test_private_key_deepcopy(backend): key_bytes = load_vectors_from_file( os.path.join("asymmetric", "Ed25519", "ed25519-pkcs8.der"), diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index a1cf73a4cedc..131ae59b1aef 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -323,10 +323,6 @@ class TestPKCS12Creation: ed25519.Ed25519PrivateKey.generate, ed25519.Ed25519PrivateKey, [], - marks=pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ), ), (rsa.generate_private_key, rsa.RSAPrivateKey, [65537, 1024]), (dsa.generate_private_key, dsa.DSAPrivateKey, [1024]), diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index bf1809e4cc93..930829994932 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -213,10 +213,6 @@ def test_not_a_cert(self, backend): hashes.SHA256(), ) - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Does not support ed25519.", - ) def test_unsupported_key_type(self, backend): cert, _ = _load_cert_key() key = ed25519.Ed25519PrivateKey.generate() diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py index 1b579740bc4f..f4bc7084b1c8 100644 --- a/tests/hazmat/primitives/test_serialization.py +++ b/tests/hazmat/primitives/test_serialization.py @@ -1399,10 +1399,6 @@ def test_encryption_with_zero_length_password(self): BestAvailableEncryption(b"") -@pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", -) class TestEd25519Serialization: def test_load_der_private_key(self, backend): data = load_vectors_from_file( diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py index ee4b708bfc66..d9d3e4ab523c 100644 --- a/tests/hazmat/primitives/test_ssh.py +++ b/tests/hazmat/primitives/test_ssh.py @@ -68,9 +68,6 @@ class TestOpenSSHSerialization: ], ) def test_load_ssh_public_key(self, key_file, cert_file, backend): - if "ed25519" in key_file and not backend.ed25519_supported(): - pytest.skip("Requires OpenSSL with Ed25519 support") - # normal public key pub_data = load_vectors_from_file( os.path.join("asymmetric", "OpenSSH", key_file), @@ -174,8 +171,6 @@ def run_partial_pubkey(self, pubdata, backend): ], ) def test_load_ssh_private_key(self, key_file, backend): - if "ed25519" in key_file and not backend.ed25519_supported(): - pytest.skip("Requires OpenSSL with Ed25519 support") if "-psw" in key_file and not ssh._bcrypt_supported: pytest.skip("Requires bcrypt module") @@ -261,10 +256,6 @@ def test_load_ssh_private_key(self, key_file, backend): maxline = max(map(len, priv_data2.split(b"\n"))) assert maxline < 80 - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires Ed25519 support", - ) @pytest.mark.parametrize( "key_file", [ @@ -281,10 +272,6 @@ def test_load_unsupported_ssh_private_key(self, key_file): with pytest.raises(UnsupportedAlgorithm): load_ssh_private_key(data, None) - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires Ed25519 support", - ) @pytest.mark.supported( only_if=lambda backend: ssh._bcrypt_supported, skip_message="Requires that bcrypt exists", @@ -304,10 +291,6 @@ def test_load_ssh_private_key_invalid_tag(self, backend): with pytest.raises(InvalidTag): load_ssh_private_key(priv_data, b"password") - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires Ed25519 support", - ) @pytest.mark.supported( only_if=lambda backend: ssh._bcrypt_supported, skip_message="Requires that bcrypt exists", @@ -1140,10 +1123,6 @@ def test_load_ssh_public_key_ecdsa_nist_p256_bad_curve_name(self, backend): load_ssh_public_key(ssh_key, backend) -@pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", -) class TestEd25519SSHSerialization: def test_load_ssh_public_key(self, backend): ssh_key = ( @@ -1186,10 +1165,6 @@ def test_load_ssh_public_key_trailing_data(self, backend): class TestSSHCertificate: - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ) def test_loads_ssh_cert(self, backend): # secp256r1 public key, ed25519 signing key cert = load_ssh_public_identity( @@ -1718,10 +1693,6 @@ def test_crit_opts_exts_lexically_sorted(self): (b"zebra@cryptography.io", b""), ] - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ) def test_sign_ed25519(self, backend): private_key = ed25519.Ed25519PrivateKey.generate() builder = ( @@ -1818,10 +1789,6 @@ def test_sign_and_byte_compare_rsa(self, monkeypatch): b"zbwL217Q93R08bJn1hDWuiTiaHGauSy2gPUI+cnkvlEocHM" ) - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ) def test_sign_and_byte_compare_ed25519(self, monkeypatch, backend): # Monkey patch urandom to return a known value so we # get a deterministic signature with Ed25519. @@ -1911,10 +1878,7 @@ def test_ssh_key_fingerprint_rsa_sha256(self): ) @pytest.mark.supported( - only_if=lambda backend: ( - backend.hash_supported(hashes.MD5()) - and backend.ed25519_supported() - ), + only_if=lambda backend: backend.hash_supported(hashes.MD5()), skip_message="Does not support MD5 or Ed25519", ) def test_ssh_key_fingerprint_ed25519_md5(self): @@ -1927,10 +1891,6 @@ def test_ssh_key_fingerprint_ed25519_md5(self): fingerprint = ssh_key_fingerprint(public_key, hashes.MD5()) assert fingerprint == b"\xe5R=\x01\x9e\xa0\xc1\xe9\x8c?L|\xc5\x94W\x85" - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Ed25519 not supported", - ) def test_ssh_key_fingerprint_ed25519_sha256(self): ssh_key = load_vectors_from_file( os.path.join("asymmetric", "OpenSSH", "ed25519-nopsw.key.pub"), diff --git a/tests/wycheproof/test_eddsa.py b/tests/wycheproof/test_eddsa.py index 3aabacdd9024..23cff11092fa 100644 --- a/tests/wycheproof/test_eddsa.py +++ b/tests/wycheproof/test_eddsa.py @@ -13,10 +13,6 @@ from .utils import wycheproof_tests -@pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", -) @wycheproof_tests("ed25519_test.json") def test_ed25519_signature(backend, wycheproof): # We want to fail if/when wycheproof adds more edwards curve tests diff --git a/tests/x509/test_ocsp.py b/tests/x509/test_ocsp.py index 9de9bfd81bd8..4cab2c95cc97 100644 --- a/tests/x509/test_ocsp.py +++ b/tests/x509/test_ocsp.py @@ -1638,10 +1638,6 @@ def test_unknown_response_status(self): class TestOCSPEdDSA: - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support / OCSP", - ) def test_invalid_algorithm(self, backend): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() @@ -1670,10 +1666,6 @@ def test_invalid_algorithm(self, backend): with pytest.raises(ValueError): builder.sign(private_key, hashes.SHA256()) - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support / OCSP", - ) def test_sign_ed25519(self, backend): builder = ocsp.OCSPResponseBuilder() cert, issuer = _cert_and_issuer() diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index a10c8ed9e345..88545b6a486e 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -1834,9 +1834,7 @@ def test_verify_directly_issued_by_algorithm_mismatch( cert.verify_directly_issued_by(ca2) @pytest.mark.supported( - only_if=lambda backend: ( - backend.ed25519_supported() and backend.x25519_supported() - ), + only_if=lambda backend: backend.x25519_supported(), skip_message="Requires OpenSSL with Ed25519 and X25519 support", ) def test_verify_directly_issued_by_unsupported_key_type(self, backend): @@ -3361,10 +3359,6 @@ def test_sign_with_unsupported_hash( with pytest.raises(TypeError): builder.sign(private_key, algorithm, backend) - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ) def test_sign_with_unsupported_hash_ed25519(self, backend): private_key = ed25519.Ed25519PrivateKey.generate() builder = ( @@ -3724,10 +3718,6 @@ def test_build_cert_with_bmpstring_universalstring_name( assert cert.issuer == issuer assert cert.subject == subject - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ) def test_build_cert_with_ed25519(self, backend): issuer_private_key = ed25519.Ed25519PrivateKey.generate() subject_private_key = ed25519.Ed25519PrivateKey.generate() @@ -3787,10 +3777,6 @@ def test_build_cert_with_ed25519(self, backend): x509.DNSName("cryptography.io"), ] - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ) def test_build_cert_with_public_ed25519_rsa_sig( self, rsa_key_2048: rsa.RSAPrivateKey, backend ): @@ -4617,10 +4603,6 @@ def test_sign_invalid_hash_algorithm( backend, ) - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ) def test_request_with_unsupported_hash_ed25519(self, backend): private_key = ed25519.Ed25519PrivateKey.generate() builder = x509.CertificateSigningRequestBuilder().subject_name( @@ -4928,10 +4910,6 @@ def test_csr_deterministic_wrong_key_type(self, rsa_key_2048, backend): ecdsa_deterministic=True, ) - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ) def test_build_ca_request_with_ed25519(self, backend): private_key = ed25519.Ed25519PrivateKey.generate() @@ -6555,10 +6533,6 @@ def test_universalstring_bytes(self, backend): ) -@pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", -) class TestEd25519Certificate: def test_load_pem_cert(self, backend): cert = _load_cert( diff --git a/tests/x509/test_x509_crlbuilder.py b/tests/x509/test_x509_crlbuilder.py index b2e3b31fece0..deb17af4aa86 100644 --- a/tests/x509/test_x509_crlbuilder.py +++ b/tests/x509/test_x509_crlbuilder.py @@ -539,10 +539,6 @@ def test_sign_with_invalid_hash( backend, ) - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ) def test_sign_with_invalid_hash_ed25519(self, backend): private_key = ed25519.Ed25519PrivateKey.generate() last_update = datetime.datetime(2002, 1, 1, 12, 1) @@ -708,10 +704,6 @@ def test_sign_ec_key(self, backend): assert ext.critical is False assert ext.value == invalidity_date - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ) def test_sign_ed25519_key(self, backend): private_key = ed25519.Ed25519PrivateKey.generate() invalidity_date = x509.InvalidityDate( diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py index 919478fb6368..5830f395a92f 100644 --- a/tests/x509/test_x509_ext.py +++ b/tests/x509/test_x509_ext.py @@ -1788,10 +1788,6 @@ def test_from_ec_public_key(self, backend): ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key()) assert ext.value == ski - @pytest.mark.supported( - only_if=lambda backend: backend.ed25519_supported(), - skip_message="Requires OpenSSL with Ed25519 support", - ) def test_from_ed25519_public_key(self, backend): cert = _load_cert( os.path.join("x509", "ed25519", "root-ed25519.pem"),