Remove pyOpenSSL dependency

(I figured out what padding to use with cryptography)
This commit is contained in:
Andrew Godwin 2022-11-20 18:42:39 -07:00
parent 97a841d1bb
commit 6a8fe5cb4b
2 changed files with 31 additions and 29 deletions

View File

@ -4,12 +4,12 @@ from typing import Dict, List, Literal, Optional, Tuple, TypedDict
from urllib.parse import urlparse from urllib.parse import urlparse
import httpx import httpx
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.asymmetric import padding, rsa
from django.http import HttpRequest from django.http import HttpRequest
from django.utils import timezone from django.utils import timezone
from django.utils.http import http_date, parse_http_date from django.utils.http import http_date, parse_http_date
from OpenSSL import crypto
from pyld import jsonld from pyld import jsonld
from core.ld import format_ld_date from core.ld import format_ld_date
@ -121,16 +121,17 @@ class HttpSignature:
cleartext: str, cleartext: str,
public_key: str, public_key: str,
): ):
x509 = crypto.X509() public_key_instance = serialization.load_pem_public_key(
x509.set_pubkey( public_key.encode("ascii")
crypto.load_publickey(
crypto.FILETYPE_PEM,
public_key.encode("ascii"),
)
) )
try: try:
crypto.verify(x509, signature, cleartext.encode("ascii"), "sha256") public_key_instance.verify(
except crypto.Error: signature,
cleartext.encode("ascii"),
padding.PKCS1v15(),
hashes.SHA256(),
)
except InvalidSignature:
raise VerificationError("Signature mismatch") raise VerificationError("Signature mismatch")
@classmethod @classmethod
@ -199,14 +200,14 @@ class HttpSignature:
signed_string = "\n".join( signed_string = "\n".join(
f"{name.lower()}: {value}" for name, value in headers.items() f"{name.lower()}: {value}" for name, value in headers.items()
) )
pkey = crypto.load_privatekey( private_key_instance = serialization.load_pem_private_key(
crypto.FILETYPE_PEM,
private_key.encode("ascii"), private_key.encode("ascii"),
password=None,
) )
signature = crypto.sign( signature = private_key_instance.sign(
pkey,
signed_string.encode("ascii"), signed_string.encode("ascii"),
"sha256", padding.PKCS1v15(),
hashes.SHA256(),
) )
headers["Signature"] = cls.compile_signature( headers["Signature"] = cls.compile_signature(
{ {
@ -266,21 +267,17 @@ class LDSignature:
# Get the normalised hash of each document # Get the normalised hash of each document
final_hash = cls.normalized_hash(options) + cls.normalized_hash(document) final_hash = cls.normalized_hash(options) + cls.normalized_hash(document)
# Verify the signature # Verify the signature
x509 = crypto.X509() public_key_instance = serialization.load_pem_public_key(
x509.set_pubkey( public_key.encode("ascii")
crypto.load_publickey(
crypto.FILETYPE_PEM,
public_key.encode("ascii"),
)
) )
try: try:
crypto.verify( public_key_instance.verify(
x509,
base64.b64decode(signature["signatureValue"]), base64.b64decode(signature["signatureValue"]),
final_hash, final_hash,
"sha256", padding.PKCS1v15(),
hashes.SHA256(),
) )
except crypto.Error: except InvalidSignature:
raise VerificationError("Signature mismatch") raise VerificationError("Signature mismatch")
@classmethod @classmethod
@ -299,11 +296,17 @@ class LDSignature:
# Get the normalised hash of each document # Get the normalised hash of each document
final_hash = cls.normalized_hash(options) + cls.normalized_hash(document) final_hash = cls.normalized_hash(options) + cls.normalized_hash(document)
# Create the signature # Create the signature
pkey = crypto.load_privatekey( private_key_instance = serialization.load_pem_private_key(
crypto.FILETYPE_PEM,
private_key.encode("ascii"), private_key.encode("ascii"),
password=None,
)
signature = base64.b64encode(
private_key_instance.sign(
final_hash,
padding.PKCS1v15(),
hashes.SHA256(),
)
) )
signature = base64.b64encode(crypto.sign(pkey, final_hash, "sha256"))
# Add it to the options document along with other bits # Add it to the options document along with other bits
options["signatureValue"] = signature.decode("ascii") options["signatureValue"] = signature.decode("ascii")
options["type"] = "RsaSignature2017" options["type"] = "RsaSignature2017"

View File

@ -4,7 +4,6 @@ pillow~=9.3.0
urlman~=2.0.1 urlman~=2.0.1
cryptography~=38.0 cryptography~=38.0
httpx~=0.23 httpx~=0.23
pyOpenSSL~=22.1.0
uvicorn~=0.19 uvicorn~=0.19
gunicorn~=20.1.0 gunicorn~=20.1.0
psycopg2~=2.9.5 psycopg2~=2.9.5