|
|
d49da0 |
From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001
|
|
|
d49da0 |
From: Christian Heimes <cheimes@redhat.com>
|
|
|
d49da0 |
Date: Tue, 27 Oct 2020 16:42:15 +0100
|
|
|
d49da0 |
Subject: [PATCH 1] Re-add deprecated and removed features
|
|
|
d49da0 |
|
|
|
d49da0 |
* encode_rfc6979_signature()
|
|
|
d49da0 |
* decode_rfc6979_signature()
|
|
|
d49da0 |
* Certificate.serial property
|
|
|
d49da0 |
* MACContext
|
|
|
d49da0 |
* osrandom engine is disabled
|
|
|
d49da0 |
|
|
|
d49da0 |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
d49da0 |
---
|
|
|
d49da0 |
.../hazmat/backends/openssl/cmac.py | 3 +-
|
|
|
d49da0 |
.../hazmat/backends/openssl/hmac.py | 3 +-
|
|
|
d49da0 |
.../hazmat/backends/openssl/x509.py | 4 ++
|
|
|
d49da0 |
.../hazmat/primitives/asymmetric/utils.py | 8 ++++
|
|
|
d49da0 |
src/cryptography/hazmat/primitives/cmac.py | 3 +-
|
|
|
d49da0 |
src/cryptography/hazmat/primitives/hmac.py | 3 +-
|
|
|
d49da0 |
src/cryptography/hazmat/primitives/mac.py | 37 +++++++++++++++++++
|
|
|
d49da0 |
src/cryptography/x509/extensions.py | 6 ++-
|
|
|
d49da0 |
tests/hazmat/backends/test_openssl.py | 3 ++
|
|
|
d49da0 |
tests/hazmat/primitives/test_asym_utils.py | 9 +++++
|
|
|
d49da0 |
tests/x509/test_x509.py | 1 +
|
|
|
d49da0 |
tests/x509/test_x509_ext.py | 5 +++
|
|
|
d49da0 |
12 files changed, 80 insertions(+), 5 deletions(-)
|
|
|
d49da0 |
create mode 100644 src/cryptography/hazmat/primitives/mac.py
|
|
|
d49da0 |
|
|
|
d49da0 |
diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
|
|
|
d49da0 |
index 195fc230f..5281f634d 100644
|
|
|
d49da0 |
--- a/src/cryptography/hazmat/backends/openssl/cmac.py
|
|
|
d49da0 |
+++ b/src/cryptography/hazmat/backends/openssl/cmac.py
|
|
|
d49da0 |
@@ -11,10 +11,11 @@ from cryptography.exceptions import (
|
|
|
d49da0 |
UnsupportedAlgorithm,
|
|
|
d49da0 |
_Reasons,
|
|
|
d49da0 |
)
|
|
|
d49da0 |
-from cryptography.hazmat.primitives import constant_time
|
|
|
d49da0 |
+from cryptography.hazmat.primitives import constant_time, mac
|
|
|
d49da0 |
from cryptography.hazmat.primitives.ciphers.modes import CBC
|
|
|
d49da0 |
|
|
|
d49da0 |
|
|
|
d49da0 |
+@utils.register_interface(mac.MACContext)
|
|
|
d49da0 |
class _CMACContext(object):
|
|
|
d49da0 |
def __init__(self, backend, algorithm, ctx=None):
|
|
|
d49da0 |
if not backend.cmac_algorithm_supported(algorithm):
|
|
|
d49da0 |
diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
|
|
|
d49da0 |
index 5024223b2..11c850e10 100644
|
|
|
d49da0 |
--- a/src/cryptography/hazmat/backends/openssl/hmac.py
|
|
|
d49da0 |
+++ b/src/cryptography/hazmat/backends/openssl/hmac.py
|
|
|
d49da0 |
@@ -11,9 +11,10 @@ from cryptography.exceptions import (
|
|
|
d49da0 |
UnsupportedAlgorithm,
|
|
|
d49da0 |
_Reasons,
|
|
|
d49da0 |
)
|
|
|
d49da0 |
-from cryptography.hazmat.primitives import constant_time, hashes
|
|
|
d49da0 |
+from cryptography.hazmat.primitives import constant_time, hashes, mac
|
|
|
d49da0 |
|
|
|
d49da0 |
|
|
|
d49da0 |
+@utils.register_interface(mac.MACContext)
|
|
|
d49da0 |
@utils.register_interface(hashes.HashContext)
|
|
|
d49da0 |
class _HMACContext(object):
|
|
|
d49da0 |
def __init__(self, backend, key, algorithm, ctx=None):
|
|
|
d49da0 |
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
|
|
|
d49da0 |
index 4d0dac764..c9074f59e 100644
|
|
|
d49da0 |
--- a/src/cryptography/hazmat/backends/openssl/x509.py
|
|
|
d49da0 |
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
|
|
|
d49da0 |
@@ -73,6 +73,10 @@ class _Certificate(object):
|
|
|
d49da0 |
self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
|
|
|
d49da0 |
return _asn1_integer_to_int(self._backend, asn1_int)
|
|
|
d49da0 |
|
|
|
d49da0 |
+ @property
|
|
|
d49da0 |
+ def serial(self):
|
|
|
d49da0 |
+ return self.serial_number
|
|
|
d49da0 |
+
|
|
|
d49da0 |
def public_key(self):
|
|
|
d49da0 |
pkey = self._backend._lib.X509_get_pubkey(self._x509)
|
|
|
d49da0 |
if pkey == self._backend._ffi.NULL:
|
|
|
d49da0 |
diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
|
|
|
d49da0 |
index 5f9b67786..886d7565b 100644
|
|
|
d49da0 |
--- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
|
|
|
d49da0 |
+++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
|
|
|
d49da0 |
@@ -39,3 +39,11 @@ class Prehashed(object):
|
|
|
d49da0 |
self._digest_size = algorithm.digest_size
|
|
|
d49da0 |
|
|
|
d49da0 |
digest_size = utils.read_only_property("_digest_size")
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+def decode_rfc6979_signature(signature):
|
|
|
d49da0 |
+ return decode_dss_signature(signature)
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+def encode_rfc6979_signature(r, s):
|
|
|
d49da0 |
+ return encode_dss_signature(r, s)
|
|
|
d49da0 |
diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py
|
|
|
d49da0 |
index bf962c906..7f37f13cc 100644
|
|
|
d49da0 |
--- a/src/cryptography/hazmat/primitives/cmac.py
|
|
|
d49da0 |
+++ b/src/cryptography/hazmat/primitives/cmac.py
|
|
|
d49da0 |
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
|
|
|
d49da0 |
)
|
|
|
d49da0 |
from cryptography.hazmat.backends import _get_backend
|
|
|
d49da0 |
from cryptography.hazmat.backends.interfaces import CMACBackend
|
|
|
d49da0 |
-from cryptography.hazmat.primitives import ciphers
|
|
|
d49da0 |
+from cryptography.hazmat.primitives import ciphers, mac
|
|
|
d49da0 |
|
|
|
d49da0 |
|
|
|
d49da0 |
+@utils.register_interface(mac.MACContext)
|
|
|
d49da0 |
class CMAC(object):
|
|
|
d49da0 |
def __init__(self, algorithm, backend=None, ctx=None):
|
|
|
d49da0 |
backend = _get_backend(backend)
|
|
|
d49da0 |
diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py
|
|
|
d49da0 |
index 8c421dc68..6f03a1071 100644
|
|
|
d49da0 |
--- a/src/cryptography/hazmat/primitives/hmac.py
|
|
|
d49da0 |
+++ b/src/cryptography/hazmat/primitives/hmac.py
|
|
|
d49da0 |
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
|
|
|
d49da0 |
)
|
|
|
d49da0 |
from cryptography.hazmat.backends import _get_backend
|
|
|
d49da0 |
from cryptography.hazmat.backends.interfaces import HMACBackend
|
|
|
d49da0 |
-from cryptography.hazmat.primitives import hashes
|
|
|
d49da0 |
+from cryptography.hazmat.primitives import hashes, mac
|
|
|
d49da0 |
|
|
|
d49da0 |
|
|
|
d49da0 |
+@utils.register_interface(mac.MACContext)
|
|
|
d49da0 |
@utils.register_interface(hashes.HashContext)
|
|
|
d49da0 |
class HMAC(object):
|
|
|
d49da0 |
def __init__(self, key, algorithm, backend=None, ctx=None):
|
|
|
d49da0 |
diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py
|
|
|
d49da0 |
new file mode 100644
|
|
|
d49da0 |
index 000000000..4c95190ba
|
|
|
d49da0 |
--- /dev/null
|
|
|
d49da0 |
+++ b/src/cryptography/hazmat/primitives/mac.py
|
|
|
d49da0 |
@@ -0,0 +1,37 @@
|
|
|
d49da0 |
+# This file is dual licensed under the terms of the Apache License, Version
|
|
|
d49da0 |
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
|
|
|
d49da0 |
+# for complete details.
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+from __future__ import absolute_import, division, print_function
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+import abc
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+import six
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+@six.add_metaclass(abc.ABCMeta)
|
|
|
d49da0 |
+class MACContext(object):
|
|
|
d49da0 |
+ @abc.abstractmethod
|
|
|
d49da0 |
+ def update(self, data):
|
|
|
d49da0 |
+ """
|
|
|
d49da0 |
+ Processes the provided bytes.
|
|
|
d49da0 |
+ """
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+ @abc.abstractmethod
|
|
|
d49da0 |
+ def finalize(self):
|
|
|
d49da0 |
+ """
|
|
|
d49da0 |
+ Returns the message authentication code as bytes.
|
|
|
d49da0 |
+ """
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+ @abc.abstractmethod
|
|
|
d49da0 |
+ def copy(self):
|
|
|
d49da0 |
+ """
|
|
|
d49da0 |
+ Return a MACContext that is a copy of the current context.
|
|
|
d49da0 |
+ """
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+ @abc.abstractmethod
|
|
|
d49da0 |
+ def verify(self, signature):
|
|
|
d49da0 |
+ """
|
|
|
d49da0 |
+ Checks if the generated message authentication code matches the
|
|
|
d49da0 |
+ signature.
|
|
|
d49da0 |
+ """
|
|
|
d49da0 |
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
|
|
|
d49da0 |
index 130ba69b8..ddbccdf3b 100644
|
|
|
d49da0 |
--- a/src/cryptography/x509/extensions.py
|
|
|
d49da0 |
+++ b/src/cryptography/x509/extensions.py
|
|
|
d49da0 |
@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object):
|
|
|
d49da0 |
|
|
|
d49da0 |
@classmethod
|
|
|
d49da0 |
def from_issuer_subject_key_identifier(cls, ski):
|
|
|
d49da0 |
+ if isinstance(ski, SubjectKeyIdentifier):
|
|
|
d49da0 |
+ digest = ski.digest
|
|
|
d49da0 |
+ else:
|
|
|
d49da0 |
+ digest = ski.value.digest
|
|
|
d49da0 |
return cls(
|
|
|
d49da0 |
- key_identifier=ski.digest,
|
|
|
d49da0 |
+ key_identifier=digest,
|
|
|
d49da0 |
authority_cert_issuer=None,
|
|
|
d49da0 |
authority_cert_serial_number=None,
|
|
|
d49da0 |
)
|
|
|
d49da0 |
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
|
|
|
d49da0 |
index 2f7e7bebf..73c17d84f 100644
|
|
|
d49da0 |
--- a/tests/hazmat/backends/test_openssl.py
|
|
|
d49da0 |
+++ b/tests/hazmat/backends/test_openssl.py
|
|
|
d49da0 |
@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object):
|
|
|
d49da0 |
res = backend._lib.ENGINE_free(e)
|
|
|
d49da0 |
assert res == 1
|
|
|
d49da0 |
|
|
|
d49da0 |
+ def test_rhel8_no_osrandom(self):
|
|
|
d49da0 |
+ pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667")
|
|
|
d49da0 |
+
|
|
|
d49da0 |
|
|
|
d49da0 |
@pytest.mark.skipif(
|
|
|
d49da0 |
backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE,
|
|
|
d49da0 |
diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
|
|
|
d49da0 |
index 70bff012f..334b459b5 100644
|
|
|
d49da0 |
--- a/tests/hazmat/primitives/test_asym_utils.py
|
|
|
d49da0 |
+++ b/tests/hazmat/primitives/test_asym_utils.py
|
|
|
d49da0 |
@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
|
|
|
d49da0 |
Prehashed,
|
|
|
d49da0 |
decode_dss_signature,
|
|
|
d49da0 |
encode_dss_signature,
|
|
|
d49da0 |
+ encode_rfc6979_signature,
|
|
|
d49da0 |
+ decode_rfc6979_signature
|
|
|
d49da0 |
)
|
|
|
d49da0 |
|
|
|
d49da0 |
|
|
|
d49da0 |
@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1():
|
|
|
d49da0 |
def test_pass_invalid_prehashed_arg():
|
|
|
d49da0 |
with pytest.raises(TypeError):
|
|
|
d49da0 |
Prehashed(object())
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+
|
|
|
d49da0 |
+def test_deprecated_rfc6979_signature():
|
|
|
d49da0 |
+ sig = encode_rfc6979_signature(1, 1)
|
|
|
d49da0 |
+ assert sig == b"0\x06\x02\x01\x01\x02\x01\x01"
|
|
|
d49da0 |
+ decoded = decode_rfc6979_signature(sig)
|
|
|
d49da0 |
+ assert decoded == (1, 1)
|
|
|
d49da0 |
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
|
|
|
d49da0 |
index 11c80816c..e5bdf17d4 100644
|
|
|
d49da0 |
--- a/tests/x509/test_x509.py
|
|
|
d49da0 |
+++ b/tests/x509/test_x509.py
|
|
|
d49da0 |
@@ -685,6 +685,7 @@ class TestRSACertificate(object):
|
|
|
d49da0 |
)
|
|
|
d49da0 |
assert isinstance(cert, x509.Certificate)
|
|
|
d49da0 |
assert cert.serial_number == 11559813051657483483
|
|
|
d49da0 |
+ assert cert.serial == cert.serial_number
|
|
|
d49da0 |
fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
|
|
|
d49da0 |
assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
|
|
|
d49da0 |
assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
|
|
|
d49da0 |
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
|
|
|
d49da0 |
index 2cd216fb6..ac2b2c03d 100644
|
|
|
d49da0 |
--- a/tests/x509/test_x509_ext.py
|
|
|
d49da0 |
+++ b/tests/x509/test_x509_ext.py
|
|
|
d49da0 |
@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object):
|
|
|
d49da0 |
)
|
|
|
d49da0 |
assert ext.value == aki
|
|
|
d49da0 |
|
|
|
d49da0 |
+ aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
|
|
|
d49da0 |
+ ski_ext
|
|
|
d49da0 |
+ )
|
|
|
d49da0 |
+ assert ext.value == aki
|
|
|
d49da0 |
+
|
|
|
d49da0 |
|
|
|
d49da0 |
class TestNameConstraints(object):
|
|
|
d49da0 |
def test_ipaddress_wrong_type(self):
|
|
|
d49da0 |
--
|
|
|
d49da0 |
2.26.2
|
|
|
d49da0 |
|