From fa92e09c55c79b625a66b8a242d6d71e02f21e99 Mon Sep 17 00:00:00 2001 From: Bob Halley Date: Sat, 20 Sep 2025 10:17:27 -0700 Subject: [PATCH] Do not test ECDSA deterministic mode if cryptography could not build a wheel with support for it. This can happen with pypy on ubuntu-latest. --- tests/test_dnssec.py | 27 +++++++++++++++++++-------- tests/test_dnssecalgs.py | 15 +++++++++++++++ 2 files changed, 34 insertions(+), 8 deletions(-) diff --git a/tests/test_dnssec.py b/tests/test_dnssec.py index 117244b1..77bd4fef 100644 --- a/tests/test_dnssec.py +++ b/tests/test_dnssec.py @@ -44,8 +44,17 @@ try: except ImportError: pass # Cryptography ImportError already handled in dns.dnssec + def default_backend(): + raise NotImplementedError + + # pylint: disable=line-too-long +if dns.dnssec._have_pyca: + have_deterministic = default_backend().ecdsa_deterministic_supported() +else: + have_deterministic = False + abs_dnspython_org = dns.name.from_text("dnspython.org") abs_keys = { 
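Review bot: The module-level probe `have_deterministic = default_backend().ecdsa_deterministic_supported()` runs at import time and assumes the backend object has that method. If the installed cryptography predates it, the call would raise AttributeError and the whole test module would fail to collect instead of skipping a few tests. A tolerant form is `probe = getattr(default_backend(), "ecdsa_deterministic_supported", None)` followed by `have_deterministic = bool(probe and probe())`. The same probe is added in the tests/test_dnssecalgs.py hunk at -42 and has the same exposure. Whether the project's minimum cryptography version already guarantees the method is not visible in this patch.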
@@ -1092,19 +1101,18 @@ class DNSSECMiscTestCase(unittest.TestCase): def test_sign_zone_initially_empty(self): zone = dns.zone.Zone("example.") - soa = dns.rdataset.from_text("IN", "SOA", 3600, - "ns.example. hostmaster.example. 1 2 3 4 5") + soa = dns.rdataset.from_text( + "IN", "SOA", 3600, "ns.example. hostmaster.example. 1 2 3 4 5" + ) privkey = ed25519.Ed25519PrivateKey.generate() - dnskey = dns.dnssec.make_dnskey(privkey.public_key(), - dns.dnssec.ED25519) + dnskey = dns.dnssec.make_dnskey(privkey.public_key(), dns.dnssec.ED25519) with zone.writer() as txn: txn.add(dns.name.empty, soa) - dns.dnssec.sign_zone(zone, txn=txn, keys=[(privkey, dnskey)], - lifetime=3600) + dns.dnssec.sign_zone(zone, txn=txn, keys=[(privkey, dnskey)], lifetime=3600) self.assertIsNotNone(zone.find_rdataset(dns.name.empty, "SOA")) - self.assertIsNotNone(zone.find_rdataset(dns.name.empty, "RRSIG", - covers="SOA")) + self.assertIsNotNone(zone.find_rdataset(dns.name.empty, "RRSIG", covers="SOA")) + @unittest.skipUnless(dns.dnssec._have_pyca, "Python Cryptography cannot be imported") class DNSSECMakeDSTestCase(unittest.TestCase): @@ -1412,10 +1420,12 @@ class DNSSECSignatureTestCase(unittest.TestCase): ) self._test_signature(key, dns.dnssec.Algorithm.RSASHA256, abs_soa) + @unittest.skipUnless(have_deterministic, "deterministic ECDSA not available") def testSignatureECDSAP256SHA256(self): # type: () -> None key = ec.generate_private_key(curve=ec.SECP256R1(), backend=default_backend()) self._test_signature(key, dns.dnssec.Algorithm.ECDSAP256SHA256, abs_soa) + @unittest.skipUnless(have_deterministic, "deterministic ECDSA not available") def testDeterministicSignatureECDSAP256SHA256(self): # type: () -> None key = ec.generate_private_key(curve=ec.SECP256R1(), backend=default_backend()) inception = time.time() 
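Review bot: The `@unittest.skipUnless(have_deterministic, ...)` decorator on `testSignatureECDSAP256SHA256` in the -1412 hunk drops all ECDSA sign-and-verify coverage on builds without deterministic support, not only the deterministic comparison. The same applies to `testSignatureECDSAP384SHA384` in the -1454 hunk and to `test_ecdsa` in tests/test_dnssecalgs.py. If the signing helpers can be asked for randomized nonces, those builds could still exercise ECDSA signing and validation and skip only `testDeterministicSignatureECDSAP256SHA256`; whether `_test_signature` and `_test_dnssec_alg` expose such a switch is not visible here. If they cannot, and assuming the default signing path is deterministic, a comment above the first decorator such as `# default signing uses deterministic ECDSA, so every ECDSA signing test needs backend support` would explain why tests not named "deterministic" are skipped. The test bodies and the enclosing class continue outside the hunk.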
@@ -1454,6 +1464,7 @@ class DNSSECSignatureTestCase(unittest.TestCase): ) assert rrsigset1 != rrsigset2 + @unittest.skipUnless(have_deterministic, "deterministic ECDSA not available") def testSignatureECDSAP384SHA384(self): # type: () -> None key = ec.generate_private_key(curve=ec.SECP384R1(), backend=default_backend()) self._test_signature(key, dns.dnssec.Algorithm.ECDSAP384SHA384, abs_soa) diff --git a/tests/test_dnssecalgs.py b/tests/test_dnssecalgs.py index 8f6f9bd7..9982f0d1 100644 --- a/tests/test_dnssecalgs.py +++ b/tests/test_dnssecalgs.py @@ -42,6 +42,20 @@ try: except ImportError: pass # Cryptography ImportError already handled in dns.dnssec +try: + from cryptography.hazmat.backends import default_backend +except ImportError: + pass # Cryptography ImportError already handled in dns.dnssec + + def default_backend(): + raise NotImplementedError + + +if dns.dnssec._have_pyca: + have_deterministic = default_backend().ecdsa_deterministic_supported() +else: + have_deterministic = False + @unittest.skipUnless(dns.dnssec._have_pyca, "Python Cryptography cannot be imported") class DNSSECAlgorithm(unittest.TestCase): @@ -92,6 +106,7 @@ class DNSSECAlgorithm(unittest.TestCase): k = PrivateDSA.generate(2048) k.sign(b"hello") + @unittest.skipUnless(have_deterministic, "deterministic ECDSA not available") def test_ecdsa(self): self._test_dnssec_alg(PrivateECDSAP256SHA256) self._test_dnssec_alg(PrivateECDSAP384SHA384) -- 2.47.3
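Review bot: The `default_backend` fallback and the `have_deterministic` probe added in the tests/test_dnssecalgs.py hunk at -42 copy the block added to tests/test_dnssec.py in the same commit, so any later change to the detection logic has to be made twice. Defining `have_deterministic` once in a shared test helper module and importing it in both files would keep the two skip conditions identical. If the copy stays, a comment such as `# keep in sync with the probe in tests/test_dnssec.py` above the `if dns.dnssec._have_pyca:` line would at least flag the coupling.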