You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
python-cryptography/SOURCES/0001-Re-add-deprecated-and-...

255 lines
9.4 KiB

From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 27 Oct 2020 16:42:15 +0100
Subject: [PATCH 1] Re-add deprecated and removed features
* encode_rfc6979_signature()
* decode_rfc6979_signature()
* Certificate.serial property
* MACContext
* osrandom engine is disabled
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
.../hazmat/backends/openssl/cmac.py | 3 +-
.../hazmat/backends/openssl/hmac.py | 3 +-
.../hazmat/backends/openssl/x509.py | 4 ++
.../hazmat/primitives/asymmetric/utils.py | 8 ++++
src/cryptography/hazmat/primitives/cmac.py | 3 +-
src/cryptography/hazmat/primitives/hmac.py | 3 +-
src/cryptography/hazmat/primitives/mac.py | 37 +++++++++++++++++++
src/cryptography/x509/extensions.py | 6 ++-
tests/hazmat/backends/test_openssl.py | 3 ++
tests/hazmat/primitives/test_asym_utils.py | 9 +++++
tests/x509/test_x509.py | 1 +
tests/x509/test_x509_ext.py | 5 +++
12 files changed, 80 insertions(+), 5 deletions(-)
create mode 100644 src/cryptography/hazmat/primitives/mac.py
diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
index 195fc230f..5281f634d 100644
--- a/src/cryptography/hazmat/backends/openssl/cmac.py
+++ b/src/cryptography/hazmat/backends/openssl/cmac.py
@@ -11,10 +11,11 @@ from cryptography.exceptions import (
UnsupportedAlgorithm,
_Reasons,
)
-from cryptography.hazmat.primitives import constant_time
+from cryptography.hazmat.primitives import constant_time, mac
from cryptography.hazmat.primitives.ciphers.modes import CBC
+@utils.register_interface(mac.MACContext)
class _CMACContext(object):
def __init__(self, backend, algorithm, ctx=None):
if not backend.cmac_algorithm_supported(algorithm):
diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
index 5024223b2..11c850e10 100644
--- a/src/cryptography/hazmat/backends/openssl/hmac.py
+++ b/src/cryptography/hazmat/backends/openssl/hmac.py
@@ -11,9 +11,10 @@ from cryptography.exceptions import (
UnsupportedAlgorithm,
_Reasons,
)
-from cryptography.hazmat.primitives import constant_time, hashes
+from cryptography.hazmat.primitives import constant_time, hashes, mac
+@utils.register_interface(mac.MACContext)
@utils.register_interface(hashes.HashContext)
class _HMACContext(object):
def __init__(self, backend, key, algorithm, ctx=None):
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 4d0dac764..c9074f59e 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -73,6 +73,10 @@ class _Certificate(object):
self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
return _asn1_integer_to_int(self._backend, asn1_int)
+ @property
+ def serial(self):
+ return self.serial_number
+
def public_key(self):
pkey = self._backend._lib.X509_get_pubkey(self._x509)
if pkey == self._backend._ffi.NULL:
diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
index 5f9b67786..886d7565b 100644
--- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
@@ -39,3 +39,11 @@ class Prehashed(object):
self._digest_size = algorithm.digest_size
digest_size = utils.read_only_property("_digest_size")
+
+
+def decode_rfc6979_signature(signature):
+ return decode_dss_signature(signature)
+
+
+def encode_rfc6979_signature(r, s):
+ return encode_dss_signature(r, s)
diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py
index bf962c906..7f37f13cc 100644
--- a/src/cryptography/hazmat/primitives/cmac.py
+++ b/src/cryptography/hazmat/primitives/cmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
)
from cryptography.hazmat.backends import _get_backend
from cryptography.hazmat.backends.interfaces import CMACBackend
-from cryptography.hazmat.primitives import ciphers
+from cryptography.hazmat.primitives import ciphers, mac
+@utils.register_interface(mac.MACContext)
class CMAC(object):
def __init__(self, algorithm, backend=None, ctx=None):
backend = _get_backend(backend)
diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py
index 8c421dc68..6f03a1071 100644
--- a/src/cryptography/hazmat/primitives/hmac.py
+++ b/src/cryptography/hazmat/primitives/hmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
)
from cryptography.hazmat.backends import _get_backend
from cryptography.hazmat.backends.interfaces import HMACBackend
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, mac
+@utils.register_interface(mac.MACContext)
@utils.register_interface(hashes.HashContext)
class HMAC(object):
def __init__(self, key, algorithm, backend=None, ctx=None):
diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py
new file mode 100644
index 000000000..4c95190ba
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/mac.py
@@ -0,0 +1,37 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+
+@six.add_metaclass(abc.ABCMeta)
+class MACContext(object):
+ @abc.abstractmethod
+ def update(self, data):
+ """
+ Processes the provided bytes.
+ """
+
+ @abc.abstractmethod
+ def finalize(self):
+ """
+ Returns the message authentication code as bytes.
+ """
+
+ @abc.abstractmethod
+ def copy(self):
+ """
+ Return a MACContext that is a copy of the current context.
+ """
+
+ @abc.abstractmethod
+ def verify(self, signature):
+ """
+ Checks if the generated message authentication code matches the
+ signature.
+ """
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index 130ba69b8..ddbccdf3b 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object):
@classmethod
def from_issuer_subject_key_identifier(cls, ski):
+ if isinstance(ski, SubjectKeyIdentifier):
+ digest = ski.digest
+ else:
+ digest = ski.value.digest
return cls(
- key_identifier=ski.digest,
+ key_identifier=digest,
authority_cert_issuer=None,
authority_cert_serial_number=None,
)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 2f7e7bebf..73c17d84f 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object):
res = backend._lib.ENGINE_free(e)
assert res == 1
+ def test_rhel8_no_osrandom(self):
+ pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667")
+
@pytest.mark.skipif(
backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE,
diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
index 70bff012f..334b459b5 100644
--- a/tests/hazmat/primitives/test_asym_utils.py
+++ b/tests/hazmat/primitives/test_asym_utils.py
@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
Prehashed,
decode_dss_signature,
encode_dss_signature,
+ encode_rfc6979_signature,
+ decode_rfc6979_signature
)
@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1():
def test_pass_invalid_prehashed_arg():
with pytest.raises(TypeError):
Prehashed(object())
+
+
+def test_deprecated_rfc6979_signature():
+ sig = encode_rfc6979_signature(1, 1)
+ assert sig == b"0\x06\x02\x01\x01\x02\x01\x01"
+ decoded = decode_rfc6979_signature(sig)
+ assert decoded == (1, 1)
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 11c80816c..e5bdf17d4 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -685,6 +685,7 @@ class TestRSACertificate(object):
)
assert isinstance(cert, x509.Certificate)
assert cert.serial_number == 11559813051657483483
+ assert cert.serial == cert.serial_number
fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 2cd216fb6..ac2b2c03d 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object):
)
assert ext.value == aki
+ aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
+ ski_ext
+ )
+ assert ext.value == aki
+
class TestNameConstraints(object):
def test_ipaddress_wrong_type(self):
--
2.26.2