Unrevert #6000 and silence deprecation warnings (#6082)

* Revert "Revert "switch signature verification to use pure cryptography (#6000)" (#6074)" This reverts commit 3cffe1449c. * Fixes #6073. This silences the deprecation warnings from cryptography. I looked into only silencing the cryptography warning specifically in the function, however, CryptographyDeprecationWarning doesn't seem to be publicly documented, so we probably shouldn't depend on it.
2026-06-04 06:15:36 -04:00 · 2018-06-07 14:45:23 -07:00 · 2018-06-07 14:45:23 -07:00 · afa7e3fb82
commit afa7e3fb82
parent 3a8de6d172
5 changed files with 64 additions and 10 deletions
--- a/certbot/crypto_util.py
+++ b/certbot/crypto_util.py
@ -7,16 +7,21 @@
 import hashlib
 import logging
 import os
-
+import warnings

 import pyrfc3339
 import six
 import zope.component
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric.ec import ECDSA
+from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicKey
+from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
+# https://github.com/python/typeshed/tree/master/third_party/2/cryptography
+from cryptography import x509 # type: ignore
 from OpenSSL import crypto
 from OpenSSL import SSL  # type: ignore
-from cryptography.hazmat.backends import default_backend
-# https://github.com/python/typeshed/tree/master/third_party/2/cryptography
-from cryptography import x509  # type: ignore

 from acme import crypto_util as acme_crypto_util
 from acme.magic_typing import IO  # pylint: disable=unused-import, no-name-in-module
@ -228,13 +233,28 @@ def verify_renewable_cert_sig(renewable_cert):
    """
    try:
        with open(renewable_cert.chain, 'rb') as chain_file:  # type: IO[bytes]
-            chain, _ = pyopenssl_load_certificate(chain_file.read())
+            chain = x509.load_pem_x509_certificate(chain_file.read(), default_backend())
        with open(renewable_cert.cert, 'rb') as cert_file:  # type: IO[bytes]
-            cert = x509.load_pem_x509_certificate(
-                cert_file.read(), default_backend())
-        hash_name = cert.signature_hash_algorithm.name
-        crypto.verify(chain, cert.signature, cert.tbs_certificate_bytes, hash_name)
-    except (IOError, ValueError, crypto.Error) as e:
+            cert = x509.load_pem_x509_certificate(cert_file.read(), default_backend())
+        pk = chain.public_key()
+        with warnings.catch_warnings():
+            warnings.simplefilter("ignore")
+            if isinstance(pk, RSAPublicKey):
+                # https://github.com/python/typeshed/blob/master/third_party/2/cryptography/hazmat/primitives/asymmetric/rsa.pyi
+                verifier = pk.verifier(  # type: ignore
+                    cert.signature, PKCS1v15(), cert.signature_hash_algorithm
+                )
+                verifier.update(cert.tbs_certificate_bytes)
+                verifier.verify()
+            elif isinstance(pk, EllipticCurvePublicKey):
+                verifier = pk.verifier(
+                    cert.signature, ECDSA(cert.signature_hash_algorithm)
+                )
+                verifier.update(cert.tbs_certificate_bytes)
+                verifier.verify()
+            else:
+                raise errors.Error("Unsupported public key type")
+    except (IOError, ValueError, InvalidSignature) as e:
        error_str = "verifying the signature of the cert located at {0} has failed. \
                Details: {1}".format(renewable_cert.cert, e)
        logger.exception(error_str)
--- a/certbot/tests/crypto_util_test.py
+++ b/certbot/tests/crypto_util_test.py
@ -21,6 +21,9 @@ CERT_PATH = test_util.vector_path('cert_512.pem')
 CERT = test_util.load_vector('cert_512.pem')
 SS_CERT_PATH = test_util.vector_path('cert_2048.pem')
 SS_CERT = test_util.load_vector('cert_2048.pem')
+P256_KEY = test_util.load_vector('nistp256_key.pem')
+P256_CERT_PATH = test_util.vector_path('cert-nosans_nistp256.pem')
+P256_CERT = test_util.load_vector('cert-nosans_nistp256.pem')

 class InitSaveKeyTest(test_util.TempDirTestCase):
    """Tests for certbot.crypto_util.init_save_key."""
@ -217,6 +220,13 @@ class VerifyRenewableCertSigTest(VerifyCertSetup):
    def test_cert_sig_match(self):
        self.assertEqual(None, self._call(self.renewable_cert))

+    def test_cert_sig_match_ec(self):
+        renewable_cert = mock.MagicMock()
+        renewable_cert.cert = P256_CERT_PATH
+        renewable_cert.chain = P256_CERT_PATH
+        renewable_cert.privkey = P256_KEY
+        self.assertEqual(None, self._call(renewable_cert))
+
    def test_cert_sig_mismatch(self):
        self.bad_renewable_cert.cert = test_util.vector_path('cert_512_bad.pem')
        self.assertRaises(errors.Error, self._call, self.bad_renewable_cert)
--- a/certbot/tests/testdata/cert-nosans_nistp256.pem
+++ b/certbot/tests/testdata/cert-nosans_nistp256.pem
@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBoDCCAUYCCQDCnzfUZ7TQdDAKBggqhkjOPQQDAjBYMQswCQYDVQQGEwJVUzER
+MA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjEMMAoGA1UECgwD
+RUZGMRQwEgYDVQQDDAtleGFtcGxlLmNvbTAeFw0xODA1MTUxNzIyMzlaFw0xODA2
+MTQxNzIyMzlaMFgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhNaWNoaWdhbjESMBAG
+A1UEBwwJQW5uIEFyYm9yMQwwCgYDVQQKDANFRkYxFDASBgNVBAMMC2V4YW1wbGUu
+Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPPl0JauSZukvAUWv4l5VNLAY
+QXhuPXYQBf4dVET3s0E5q9ZCbSe+pNUbko9F+TFkuc7XVjQPsfkDbh0I9nD0tzAK
+BggqhkjOPQQDAgNIADBFAiEAv8S2GXmWJqZ+j3DBfm72E1YK+HkOf+TOUHsbVR+O
+Z1oCIFWNt1SPdIgRp4QAyzVk2pcTF8jDNajEMLWETDtxgRvM
+-----END CERTIFICATE-----
--- a/certbot/tests/testdata/csr-nosans_nistp256.pem
+++ b/certbot/tests/testdata/csr-nosans_nistp256.pem
@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBFDCBugIBADBYMQswCQYDVQQGEwJVUzERMA8GA1UECAwITWljaGlnYW4xEjAQ
+BgNVBAcMCUFubiBBcmJvcjEMMAoGA1UECgwDRUZGMRQwEgYDVQQDDAtleGFtcGxl
+LmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDz5dCWrkmbpLwFFr+JeVTSw
+GEF4bj12EAX+HVRE97NBOavWQm0nvqTVG5KPRfkxZLnO11Y0D7H5A24dCPZw9Leg
+ADAKBggqhkjOPQQDAgNJADBGAiEAuoZHrYA5sy2DRTdLAxJTBNHKFFKbtaGt+QaJ
+A62qa8sCIQCUkSgSAiNaEnJ7r5fKphdjeORHqhpl6flYkLE3lGmGdg==
+-----END CERTIFICATE REQUEST-----
--- a/certbot/tests/testdata/nistp256_key.pem
+++ b/certbot/tests/testdata/nistp256_key.pem
@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIOvXH384CyNNv2lfxvjc7hg2f7ScYoLvlk/VpINLJlGBoAoGCCqGSM49
+AwEHoUQDQgAEPPl0JauSZukvAUWv4l5VNLAYQXhuPXYQBf4dVET3s0E5q9ZCbSe+
+pNUbko9F+TFkuc7XVjQPsfkDbh0I9nD0tw==
+-----END EC PRIVATE KEY-----