Update cryptography to 42.0.4 and update certdir (SYN-3552, SYN-6860) #3568

Merged
merged 39 commits into from
Feb 28, 2024

Conversation

vEpiphyte
Contributor

@vEpiphyte vEpiphyte commented Feb 15, 2024

  • Cryptography update addresses older version of cryptography package containing CVE-2023-50782 & CVE-2024-26130
  • certdir now uses cryptography X509 objects and RSA private key objects, instead of PyOpenSSL X509 and Pkey objects. This is largely due to the removal of APIs from PyOpenSSL which we were utilizing for PKCS12 support and the guidance from the PyOpenSSL project to not utilize the Crypto module in new projects as it is considered deprecated in favor of Cryptography. Per prior discussion, there should be no API stability concerns related to this change since the CertDir class is not exposed via Telepath or Storm APIs.
  • certdir is now fully typed. This identified issues where we were declaring bytes as inputs on certdir and Cortex was passing in PEM strings instead of bytes.
  • Remove PyOpenSSL use where it is possible to do so. We now only use it for doing X509 path building and certificate verification; eventually we'll be able to remove this in favor of APIs provided by Cryptography (see "PyOpenSSL X509Store / Context parity in Cryptography", pyca/cryptography#10393, and "X.509 path building follow-ups", pyca/cryptography#10034).

@vEpiphyte vEpiphyte added enhancement reqChangelog requires changelog labels Feb 15, 2024
@vEpiphyte vEpiphyte changed the title Update cryptography to 42.0.2 and update certdir Update cryptography to 42.0.2 and update certdir (SYN-6860) Feb 15, 2024
@vEpiphyte vEpiphyte changed the title Update cryptography to 42.0.2 and update certdir (SYN-6860) Update cryptography to 42.0.2 and update certdir (SYN-3552, SYN-6860) Feb 15, 2024
Cisphyx previously approved these changes Feb 20, 2024
@vEpiphyte vEpiphyte added this to the v2.16x.x milestone Feb 21, 2024
@vEpiphyte vEpiphyte changed the title Update cryptography to 42.0.2 and update certdir (SYN-3552, SYN-6860) Update cryptography to 42.0.4 and update certdir (SYN-3552, SYN-6860) Feb 23, 2024
@vEpiphyte vEpiphyte merged commit 5a60657 into master Feb 28, 2024
5 checks passed
@vEpiphyte vEpiphyte deleted the feat_cryptography_update branch February 28, 2024 20:09
@vEpiphyte vEpiphyte removed the reqChangelog requires changelog label Mar 1, 2024
4 participants