Dynamic (#77)

tests/dynamic_fixtures/crypto/python/benign.py

@@ -0,0 +1,9 @@
+# Phase 11 (Track J.9) — Python CRYPTO benign control fixture.
+#
+# Uses `secrets.token_bytes(32)` (a CSPRNG) so the produced key
+# trivially exceeds the weak budget.
+import secrets
+
+
+def run(_value):
+    return secrets.token_bytes(32)

tests/dynamic_fixtures/crypto/python/vuln.py

@@ -0,0 +1,23 @@
+# Phase 11 (Track J.9) — Python CRYPTO vuln fixture.
+#
+# Models a config-driven crypto endpoint that picks the RNG based on
+# the request payload — `*_WEAK` routes through `random.randint(0, 0xFFFF)`
+# (a non-CSPRNG) and `*_STRONG` routes through `secrets.token_bytes(32)`
+# (a CSPRNG).  This shape is needed by the differential runner: the
+# vuln-payload attempt and the benign-control attempt both load the same
+# fixture, and only the payload-routed weak branch trips the
+# `WeakKeyEntropy` predicate.  Real-world analogue: a JWT-signing or
+# session-token endpoint that exposes an `algorithm`/`key_strength`
+# knob whose weak setting falls back to a non-CSPRNG seed.
+import random
+import secrets
+
+
+def run(value):
+    if isinstance(value, (bytes, bytearray)):
+        value = value.decode("utf-8", "replace")
+    elif not isinstance(value, str):
+        value = str(value)
+    if "STRONG" in value:
+        return secrets.token_bytes(32)
+    return random.randint(0, 0xFFFF)