From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 27 Oct 2020 16:42:15 +0100 Subject: [PATCH 1] Re-add deprecated and removed features * encode_rfc6979_signature() * decode_rfc6979_signature() * Certificate.serial property * MACContext * osrandom engine is disabled Signed-off-by: Christian Heimes --- .../hazmat/backends/openssl/cmac.py | 3 +- .../hazmat/backends/openssl/hmac.py | 3 +- .../hazmat/backends/openssl/x509.py | 4 ++ .../hazmat/primitives/asymmetric/utils.py | 8 ++++ src/cryptography/hazmat/primitives/cmac.py | 3 +- src/cryptography/hazmat/primitives/hmac.py | 3 +- src/cryptography/hazmat/primitives/mac.py | 37 +++++++++++++++++++ src/cryptography/x509/extensions.py | 6 ++- tests/hazmat/backends/test_openssl.py | 3 ++ tests/hazmat/primitives/test_asym_utils.py | 9 +++++ tests/x509/test_x509.py | 1 + tests/x509/test_x509_ext.py | 5 +++ 12 files changed, 80 insertions(+), 5 deletions(-) create mode 100644 src/cryptography/hazmat/primitives/mac.py
diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
index 195fc230f..5281f634d 100644
--- a/src/cryptography/hazmat/backends/openssl/cmac.py
+++ b/src/cryptography/hazmat/backends/openssl/cmac.py
@@ -11,10 +11,11 @@ from cryptography.exceptions import (
 UnsupportedAlgorithm,
 _Reasons,
 )
-from cryptography.hazmat.primitives import constant_time
+from cryptography.hazmat.primitives import constant_time, mac
 from cryptography.hazmat.primitives.ciphers.modes import CBC
+@utils.register_interface(mac.MACContext)
 class _CMACContext(object):
 def __init__(self, backend, algorithm, ctx=None):
 if not backend.cmac_algorithm_supported(algorithm):
diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
index 5024223b2..11c850e10 100644
--- a/src/cryptography/hazmat/backends/openssl/hmac.py
+++ b/src/cryptography/hazmat/backends/openssl/hmac.py
@@ -11,9 +11,10 @@ from cryptography.exceptions import (
 UnsupportedAlgorithm,
 _Reasons,
 )
-from cryptography.hazmat.primitives import constant_time, hashes
+from cryptography.hazmat.primitives import constant_time, hashes, mac
+@utils.register_interface(mac.MACContext)
 @utils.register_interface(hashes.HashContext)
 class _HMACContext(object):
 def __init__(self, backend, key, algorithm, ctx=None):
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 4d0dac764..c9074f59e 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -73,6 +73,10 @@ class _Certificate(object):
 self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
 return _asn1_integer_to_int(self._backend, asn1_int)
+ @property
+ def serial(self):
+ return self.serial_number
+
 def public_key(self):
 pkey = self._backend._lib.X509_get_pubkey(self._x509)
 if pkey == self._backend._ffi.NULL:
diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
index 5f9b67786..886d7565b 100644
--- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
@@ -39,3 +39,11 @@ class Prehashed(object):
 self._digest_size = algorithm.digest_size
 digest_size = utils.read_only_property("_digest_size")
+
+
+def decode_rfc6979_signature(signature):
+ return decode_dss_signature(signature)
+
+
+def encode_rfc6979_signature(r, s):
+ return encode_dss_signature(r, s)
diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py
index bf962c906..7f37f13cc 100644
--- a/src/cryptography/hazmat/primitives/cmac.py
+++ b/src/cryptography/hazmat/primitives/cmac.py
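Review bot: The restored `serial` property in the x509.py hunk returns `self.serial_number` without signalling that the name is deprecated, so callers get no prompt to migrate; the same applies to `decode_rfc6979_signature()` and `encode_rfc6979_signature()` in the asymmetric/utils.py hunk. Consider emitting a warning in each shim, e.g. `warnings.warn("Certificate.serial is deprecated, use serial_number", DeprecationWarning, stacklevel=2)`, assuming `warnings` is imported in these modules (the import blocks are outside the hunks). At minimum each shim should carry a one-line docstring such as `"""Deprecated alias for serial_number."""` so the compatibility purpose is visible at the definition.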
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
 )
 from cryptography.hazmat.backends import _get_backend
 from cryptography.hazmat.backends.interfaces import CMACBackend
-from cryptography.hazmat.primitives import ciphers
+from cryptography.hazmat.primitives import ciphers, mac
+@utils.register_interface(mac.MACContext)
 class CMAC(object):
 def __init__(self, algorithm, backend=None, ctx=None):
 backend = _get_backend(backend)
diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py
index 8c421dc68..6f03a1071 100644
--- a/src/cryptography/hazmat/primitives/hmac.py
+++ b/src/cryptography/hazmat/primitives/hmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
 )
 from cryptography.hazmat.backends import _get_backend
 from cryptography.hazmat.backends.interfaces import HMACBackend
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, mac
+@utils.register_interface(mac.MACContext)
 @utils.register_interface(hashes.HashContext)
 class HMAC(object):
 def __init__(self, key, algorithm, backend=None, ctx=None):
diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py
new file mode 100644
index 000000000..4c95190ba
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/mac.py
@@ -0,0 +1,37 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+
+@six.add_metaclass(abc.ABCMeta)
+class MACContext(object):
+ @abc.abstractmethod
+ def update(self, data):
+ """
+ Processes the provided bytes.
+ """
+
+ @abc.abstractmethod
+ def finalize(self):
+ """
+ Returns the message authentication code as bytes.
+ """
+
+ @abc.abstractmethod
+ def copy(self):
+ """
+ Return a MACContext that is a copy of the current context.
+ """
+
+ @abc.abstractmethod
+ def verify(self, signature):
+ """
+ Checks if the generated message authentication code matches the
+ signature.
+ """
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index 130ba69b8..ddbccdf3b 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object):
 @classmethod
 def from_issuer_subject_key_identifier(cls, ski):
+ if isinstance(ski, SubjectKeyIdentifier):
+ digest = ski.digest
+ else:
+ digest = ski.value.digest
 return cls(
- key_identifier=ski.digest,
+ key_identifier=digest,
 authority_cert_issuer=None,
 authority_cert_serial_number=None,
 )
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 2f7e7bebf..73c17d84f 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object):
 res = backend._lib.ENGINE_free(e)
 assert res == 1
+ def test_rhel8_no_osrandom(self):
+ pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667")
+
 @pytest.mark.skipif(
 backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE,
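Review bot: The `verify` docstring in the new `MACContext` class does not say what happens on a mismatch or how the comparison must be performed, which is the part of the contract an implementer or caller most needs. I would extend it to state that the method raises `cryptography.exceptions.InvalidSignature` when the tags differ instead of returning a boolean (as the concrete HMAC and CMAC classes do upstream), and that implementations must compare in constant time. The backend modules touched by this patch already import `constant_time`, presumably for that purpose, so the requirement is worth writing down on the interface itself. A class-level docstring noting that the interface is retained only for compatibility would also help the next rebase.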
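Review bot: The `else` branch added to `from_issuer_subject_key_identifier` reads `ski.value.digest` from any argument that is not a `SubjectKeyIdentifier`, so a wrong argument surfaces as a bare `AttributeError`, and any object whose `.value` happens to expose a `digest` attribute is accepted without complaint. Because the result becomes the authority key identifier of a certificate, the legacy form deserves an explicit type check. The four added lines could become `value = ski if isinstance(ski, SubjectKeyIdentifier) else getattr(ski, "value", None)`, then `if not isinstance(value, SubjectKeyIdentifier): raise TypeError("ski must be a SubjectKeyIdentifier or an Extension wrapping one")`, then `digest = value.digest`. The enclosing class begins outside the hunk.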
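Review bot: `test_rhel8_no_osrandom` fails unconditionally, so it only works as a guard if `TestOpenSSLRandomEngine` is skipped whenever the osrandom engine is not built in; that skip condition sits on the class decorator outside this hunk, so the dependency cannot be seen here. A comment above the test would make the intent explicit, for example `# Tripwire: this class is expected to be skipped when the osrandom engine is disabled; reaching this test means the engine was compiled in.` If the class-level skip is ever changed, the guard silently turns into a permanent failure or stops running. A standalone check on the build flag itself, such as `assert not backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE`, would presumably be sturdier, but confirm the flag's meaning against the binding first.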
diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
index 70bff012f..334b459b5 100644
--- a/tests/hazmat/primitives/test_asym_utils.py
+++ b/tests/hazmat/primitives/test_asym_utils.py
@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
 Prehashed,
 decode_dss_signature,
 encode_dss_signature,
+ encode_rfc6979_signature,
+ decode_rfc6979_signature
 )
@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1():
 def test_pass_invalid_prehashed_arg():
 with pytest.raises(TypeError):
 Prehashed(object())
+
+
+def test_deprecated_rfc6979_signature():
+ sig = encode_rfc6979_signature(1, 1)
+ assert sig == b"0\x06\x02\x01\x01\x02\x01\x01"
+ decoded = decode_rfc6979_signature(sig)
+ assert decoded == (1, 1)
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 11c80816c..e5bdf17d4 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -685,6 +685,7 @@ class TestRSACertificate(object):
 )
 assert isinstance(cert, x509.Certificate)
 assert cert.serial_number == 11559813051657483483
+ assert cert.serial == cert.serial_number
 fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
 assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
 assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 2cd216fb6..ac2b2c03d 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object):
 )
 assert ext.value == aki
+ aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
+ ski_ext
+ )
+ assert ext.value == aki
+
 class TestNameConstraints(object):
 def test_ipaddress_wrong_type(self):
-- 2.26.2