Commit 6f404adc authored by Tom Niget

style: start migrating from deprecated OpenSSL to cryptography

In the end, we should migrate completely to cryptography. Many parts of the legacy OpenSSL module are being deprecated, and some that we use (notably the signature and verification tools) already are.
parent b93c307c
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
import calendar, hashlib, hmac, logging, os, struct, subprocess, threading, time import calendar, hashlib, hmac, logging, os, struct, subprocess, threading, time
from OpenSSL import crypto from OpenSSL import crypto
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives.serialization import load_pem_private_key
from cryptography.x509 import load_pem_x509_certificate
from . import utils from . import utils
from .version import protocol from .version import protocol
...@@ -8,6 +13,7 @@ def newHmacSecret(): ...@@ -8,6 +13,7 @@ def newHmacSecret():
return utils.newHmacSecret(int(time.time() * 1000000)) return utils.newHmacSecret(int(time.time() * 1000000))
def networkFromCa(ca): def networkFromCa(ca):
# TODO: will be ca.serial_number after migration to cryptography
return bin(ca.get_serial_number())[3:] return bin(ca.get_serial_number())[3:]
def subnetFromCert(cert): def subnetFromCert(cert):
...@@ -90,10 +96,15 @@ class Cert: ...@@ -90,10 +96,15 @@ class Cert:
self.ca_path = ca self.ca_path = ca
self.cert_path = cert self.cert_path = cert
self.key_path = key self.key_path = key
# TODO: finish migration from old OpenSSL module to cryptography
with open(ca, "rb") as f: with open(ca, "rb") as f:
self.ca = crypto.load_certificate(crypto.FILETYPE_PEM, f.read()) ca_pem = f.read()
self.ca = crypto.load_certificate(crypto.FILETYPE_PEM, ca_pem)
self.ca_crypto = load_pem_x509_certificate(ca_pem)
with open(key, "rb") as f: with open(key, "rb") as f:
self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read()) key_pem = f.read()
self.key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_pem)
self.key_crypto = load_pem_private_key(key_pem, password=None)
if cert: if cert:
with open(cert) as f: with open(cert) as f:
self.cert = self.loadVerify(f.read().encode()) self.cert = self.loadVerify(f.read().encode())
...@@ -152,11 +163,23 @@ class Cert: ...@@ -152,11 +163,23 @@ class Cert:
raise VerifyError(int(code), int(depth), msg.strip()) raise VerifyError(int(code), int(depth), msg.strip())
return r return r
def verify(self, sign: bytes, data): def verify(self, sign: bytes, data: bytes):
crypto.verify(self.ca, sign, data, 'sha512') assert isinstance(data, bytes)
pub_key = self.ca_crypto.public_key()
def sign(self, data) -> bytes: pub_key.verify(
return crypto.sign(self.key, data, 'sha512') sign,
data,
padding.PKCS1v15(),
hashes.SHA512()
)
def sign(self, data: bytes) -> bytes:
assert isinstance(data, bytes)
return self.key_crypto.sign(
data,
padding.PKCS1v15(),
hashes.SHA512()
)
def decrypt(self, data: bytes) -> bytes: def decrypt(self, data: bytes) -> bytes:
p = openssl('rsautl', '-decrypt', '-inkey', self.key_path) p = openssl('rsautl', '-decrypt', '-inkey', self.key_path)
......
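Review bot: In the new `Cert.verify`, a bad signature raises `cryptography.exceptions.InvalidSignature`, whereas the replaced `crypto.verify` call raised `OpenSSL.crypto.Error`. The call sites are outside this diff, so it should be confirmed that none of them still catch only `crypto.Error`, otherwise a forged or corrupted message would surface as an unhandled exception instead of a handled rejection. A docstring on `verify` stating that it returns nothing and raises `InvalidSignature` on mismatch would make the contract explicit. The `assert isinstance(data, bytes)` guards in `verify` and `sign` disappear under `python -O`; `if not isinstance(data, bytes): raise TypeError('data must be bytes')` keeps the check in every mode. Hard-coding `padding.PKCS1v15()` also assumes the CA and node keys are RSA, which the old calls did not require, so a short comment saying so would help.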