style: start migrating from deprecated OpenSSL to cryptography

In the end, we should migrate completely to cryptography. A lot of bits of the legacy OpenSSL module are being deprecated, some that we use (notably signature and verification tools) already are.

style: start migrating from deprecated OpenSSL to cryptography
In the end, we should migrate completely to cryptography. A lot of bits of the legacy OpenSSL module are being deprecated, some that we use (notably signature and verification tools) already are.
56e68106 · Tom Niget · 3b6f14f9 · 56e68106
Commit 56e68106 authored Jun 14, 2024 by Tom Niget
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 7 deletions

re6st/x509.py re6st/x509.py +30 -7

No files found.
--- a/re6st/x509.py
+++ b/re6st/x509.py
 # -*- coding: utf-8 -*-
 import calendar, hashlib, hmac, logging, os, struct, subprocess, threading, time
 from OpenSSL import crypto
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+from cryptography.x509 import load_pem_x509_certificate
+
 from . import utils
 from .version import protocol

@@ -8,6 +13,7 @@ def newHmacSecret():
    return utils.newHmacSecret(int(time.time() * 1000000))

 def networkFromCa(ca):
+    # TODO: will be ca.serial_number after migration to cryptography
    return bin(ca.get_serial_number())[3:]

 def subnetFromCert(cert):
@@ -90,10 +96,15 @@ class Cert:
        self.ca_path = ca
        self.cert_path = cert
        self.key_path = key
+        # TODO: finish migration from old OpenSSL module to cryptography
        with open(ca, "rb") as f:
-            self.ca = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
+            ca_pem = f.read()
+            self.ca = crypto.load_certificate(crypto.FILETYPE_PEM, ca_pem)
+            self.ca_crypto = load_pem_x509_certificate(ca_pem)
        with open(key, "rb") as f:
-            self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
+            key_pem = f.read()
+            self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)
+            self.key_crypto = load_pem_private_key(key_pem, password=None)
        if cert:
            with open(cert) as f:
                self.cert = self.loadVerify(f.read().encode())
@@ -151,11 +162,23 @@ class Cert:
                    raise VerifyError(int(code), int(depth), msg.strip())
        return r

-    def verify(self, sign: bytes, data):
-        crypto.verify(self.ca, sign, data, 'sha512')
-
-    def sign(self, data) -> bytes:
-        return crypto.sign(self.key, data, 'sha512')
+    def verify(self, sign: bytes, data: bytes):
+        assert isinstance(data, bytes)
+        pub_key = self.ca_crypto.public_key()
+        pub_key.verify(
+            sign,
+            data,
+            padding.PKCS1v15(),
+            hashes.SHA512()
+        )
+
+    def sign(self, data: bytes) -> bytes:
+        assert isinstance(data, bytes)
+        return self.key_crypto.sign(
+            data,
+            padding.PKCS1v15(),
+            hashes.SHA512()
+        )

    def decrypt(self, data: bytes) -> bytes:
        p = openssl('rsautl', '-decrypt', '-inkey', self.key_path)