|
 |
ac6d36 |
diff -uNr a/awscli/customizations/cloudfront.py b/awscli/customizations/cloudfront.py
|
|
|
ac6d36 |
--- a/awscli/customizations/cloudfront.py 2017-08-12 01:39:00.000000000 +0200
|
|
|
ac6d36 |
+++ b/awscli/customizations/cloudfront.py 2018-01-05 09:40:09.445445687 +0100
|
|
|
ac6d36 |
@@ -14,7 +14,9 @@
|
|
|
ac6d36 |
import time
|
|
|
ac6d36 |
import random
|
|
|
ac6d36 |
|
|
|
ac6d36 |
-import rsa
|
|
|
ac6d36 |
+from cryptography.hazmat.primitives import serialization, hashes
|
|
|
ac6d36 |
+from cryptography.hazmat.primitives.asymmetric import padding
|
|
|
ac6d36 |
+from cryptography.hazmat.backends import default_backend
|
|
|
ac6d36 |
from botocore.utils import parse_to_aware_datetime
|
|
|
ac6d36 |
from botocore.signers import CloudFrontSigner
|
|
|
ac6d36 |
|
|
|
ac6d36 |
@@ -254,7 +256,10 @@
|
|
|
ac6d36 |
|
|
|
ac6d36 |
class RSASigner(object):
|
|
|
ac6d36 |
def __init__(self, private_key):
|
|
|
ac6d36 |
- self.priv_key = rsa.PrivateKey.load_pkcs1(private_key.encode('utf8'))
|
|
|
ac6d36 |
+ self.priv_key = serialization.load_pem_private_key(
|
|
|
ac6d36 |
+ private_key.encode('utf8'), password=None,
|
|
|
ac6d36 |
+ backend=default_backend())
|
|
|
ac6d36 |
|
|
|
ac6d36 |
def sign(self, message):
|
|
|
ac6d36 |
- return rsa.sign(message, self.priv_key, 'SHA-1')
|
|
|
ac6d36 |
+ return self.priv_key.sign(
|
|
|
ac6d36 |
+ message, padding.PKCS1v15(), hashes.SHA1())
|
|
|
ac6d36 |
diff -uNr a/awscli/customizations/cloudtrail/validation.py b/awscli/customizations/cloudtrail/validation.py
|
|
|
ac6d36 |
--- a/awscli/customizations/cloudtrail/validation.py 2017-08-12 01:39:00.000000000 +0200
|
|
|
ac6d36 |
+++ b/awscli/customizations/cloudtrail/validation.py 2018-01-04 17:04:38.869212582 +0100
|
|
|
ac6d36 |
@@ -22,8 +22,10 @@
|
|
|
ac6d36 |
from datetime import datetime, timedelta
|
|
|
ac6d36 |
from dateutil import tz, parser
|
|
|
ac6d36 |
|
|
|
ac6d36 |
-from pyasn1.error import PyAsn1Error
|
|
|
ac6d36 |
-import rsa
|
|
|
ac6d36 |
+from cryptography.hazmat.primitives import serialization, hashes
|
|
|
ac6d36 |
+from cryptography.hazmat.backends import default_backend
|
|
|
ac6d36 |
+from cryptography.hazmat.primitives.asymmetric import padding
|
|
|
ac6d36 |
+from cryptography.exceptions import InvalidSignature
|
|
|
ac6d36 |
|
|
|
ac6d36 |
from awscli.customizations.cloudtrail.utils import get_trail_by_arn, \
|
|
|
ac6d36 |
get_account_id_from_arn
|
|
|
ac6d36 |
@@ -530,20 +532,18 @@
|
|
|
ac6d36 |
"""
|
|
|
ac6d36 |
try:
|
|
|
ac6d36 |
decoded_key = base64.b64decode(public_key)
|
|
|
ac6d36 |
- public_key = rsa.PublicKey.load_pkcs1(decoded_key, format='DER')
|
|
|
ac6d36 |
+ public_key = serialization.load_der_public_key(decoded_key,
|
|
|
ac6d36 |
+ backend=default_backend())
|
|
|
ac6d36 |
to_sign = self._create_string_to_sign(digest_data, inflated_digest)
|
|
|
ac6d36 |
signature_bytes = binascii.unhexlify(digest_data['_signature'])
|
|
|
ac6d36 |
- rsa.verify(to_sign, signature_bytes, public_key)
|
|
|
ac6d36 |
- except PyAsn1Error:
|
|
|
ac6d36 |
+ public_key.verify(signature_bytes, to_sign, padding.PKCS1v15(),
|
|
|
ac6d36 |
+ hashes.SHA256())
|
|
|
ac6d36 |
+ except (ValueError, TypeError):
|
|
|
ac6d36 |
raise DigestError(
|
|
|
ac6d36 |
('Digest file\ts3://%s/%s\tINVALID: Unable to load PKCS #1 key'
|
|
|
ac6d36 |
' with fingerprint %s')
|
|
|
ac6d36 |
% (bucket, key, digest_data['digestPublicKeyFingerprint']))
|
|
|
ac6d36 |
- except rsa.pkcs1.VerificationError:
|
|
|
ac6d36 |
- # Note from the Python-RSA docs: Never display the stack trace of
|
|
|
ac6d36 |
- # a rsa.pkcs1.VerificationError exception. It shows where in the
|
|
|
ac6d36 |
- # code the exception occurred, and thus leaks information about
|
|
|
ac6d36 |
- # the key.
|
|
|
ac6d36 |
+ except InvalidSignature:
|
|
|
ac6d36 |
raise DigestSignatureError(bucket, key)
|
|
|
ac6d36 |
|
|
|
ac6d36 |
def _create_string_to_sign(self, digest_data, inflated_digest):
|
|
|
ac6d36 |
diff -uNr a/awscli/customizations/ec2/decryptpassword.py b/awscli/customizations/ec2/decryptpassword.py
|
|
|
ac6d36 |
--- a/awscli/customizations/ec2/decryptpassword.py 2017-08-12 01:39:00.000000000 +0200
|
|
|
ac6d36 |
+++ b/awscli/customizations/ec2/decryptpassword.py 2018-01-04 16:24:42.565140244 +0100
|
|
|
ac6d36 |
@@ -13,7 +13,9 @@
|
|
|
ac6d36 |
import logging
|
|
|
ac6d36 |
import os
|
|
|
ac6d36 |
import base64
|
|
|
ac6d36 |
-import rsa
|
|
|
ac6d36 |
+from cryptography.hazmat.primitives import serialization
|
|
|
ac6d36 |
+from cryptography.hazmat.backends import default_backend
|
|
|
ac6d36 |
+from cryptography.hazmat.primitives.asymmetric import padding
|
|
|
ac6d36 |
from awscli.compat import six
|
|
|
ac6d36 |
|
|
|
ac6d36 |
from botocore import model
|
|
|
ac6d36 |
@@ -109,9 +111,11 @@
|
|
|
ac6d36 |
try:
|
|
|
ac6d36 |
with open(self._key_path) as pk_file:
|
|
|
ac6d36 |
pk_contents = pk_file.read()
|
|
|
ac6d36 |
- private_key = rsa.PrivateKey.load_pkcs1(six.b(pk_contents))
|
|
|
ac6d36 |
+ private_key = serialization.load_pem_private_key(
|
|
|
ac6d36 |
+ six.b(pk_contents), password=None,
|
|
|
ac6d36 |
+ backend=default_backend())
|
|
|
ac6d36 |
value = base64.b64decode(value)
|
|
|
ac6d36 |
- value = rsa.decrypt(value, private_key)
|
|
|
ac6d36 |
+ value = private_key.decrypt(value, padding.PKCS1v15())
|
|
|
ac6d36 |
logger.debug(parsed)
|
|
|
ac6d36 |
parsed['PasswordData'] = value.decode('utf-8')
|
|
|
ac6d36 |
logger.debug(parsed)
|