Update cryptography to 42.0.4 and update certdir (SYN-3552, SYN-6860) #3568

Merged
merged 39 commits into from
Feb 28, 2024
aecd886
At least allow things to import properly
vEpiphyte Feb 6, 2024
f896c05
Merge branch 'master' into feat_cryptography_update
vEpiphyte Feb 9, 2024
b4b8244
Steel thread for a certdir rewrite - CA generation is working.
vEpiphyte Feb 9, 2024
b6c5344
Generally working basicAssumptions :D
vEpiphyte Feb 9, 2024
e6e848a
More progress
vEpiphyte Feb 9, 2024
b7ba9be
Fix up User test implementation
vEpiphyte Feb 12, 2024
900e8e0
Add CSR support
vEpiphyte Feb 12, 2024
fcf39e0
Add codesign
vEpiphyte Feb 13, 2024
134eded
Start cutting over to using new certdir implementation, add some serv…
vEpiphyte Feb 13, 2024
4cca69d
Add getHostCertHash
vEpiphyte Feb 13, 2024
c1ce876
Additional compatibility updates
vEpiphyte Feb 13, 2024
1f1d259
Some more cleanup
vEpiphyte Feb 13, 2024
2d66bf2
Remvoe old certdir interface
vEpiphyte Feb 13, 2024
27906db
Correct types
vEpiphyte Feb 13, 2024
cae4c76
Add missing typehint
vEpiphyte Feb 13, 2024
66292ea
Cleanup some other uses of pyopenssl
vEpiphyte Feb 13, 2024
d1ef0cd
Some more assertion tests and SANS support for host certificates.
vEpiphyte Feb 14, 2024
e8164e8
nsCertType support
vEpiphyte Feb 14, 2024
73d1608
Merge branch 'master' into feat_cryptography_update
vEpiphyte Feb 14, 2024
f44cf4b
Fix test
vEpiphyte Feb 14, 2024
7243b07
Restore cortex codesign / package loading tests
vEpiphyte Feb 14, 2024
f8b96c8
Remove old type hints from documentation, fix example rendering
vEpiphyte Feb 14, 2024
41bf934
Remove fixme; remove bad type hints from tests
vEpiphyte Feb 14, 2024
b72aa95
Tidy up easycert test coverage
vEpiphyte Feb 15, 2024
cce421a
Shorten up type hinting labels
vEpiphyte Feb 15, 2024
f8bf84c
utcnow is deprecated
vEpiphyte Feb 15, 2024
0d883f9
Merge branch 'master' into feat_cryptography_update
vEpiphyte Feb 15, 2024
55d96b1
Apply suggestions from code review
vEpiphyte Feb 16, 2024
e961b0d
Cleanup imports in test_lib_cell.py
vEpiphyte Feb 16, 2024
62f9ee2
cleanup code for consistency
vEpiphyte Feb 16, 2024
ad9b836
Merge remote-tracking branch 'refs/remotes/origin/feat_cryptography_u…
vEpiphyte Feb 16, 2024
5888fd8
Merge branch 'master' into feat_cryptography_update
vEpiphyte Feb 16, 2024
eb21100
Apply suggestions from code review
vEpiphyte Feb 20, 2024
89e368d
Merge branch 'master' into feat_cryptography_update
vEpiphyte Feb 22, 2024
7d11c67
Update cryptography dep
vEpiphyte Feb 22, 2024
99b7257
Correct pyopenssl constraint; use s_const.year
vEpiphyte Feb 22, 2024
80db8d4
Remove the one use of optional
vEpiphyte Feb 22, 2024
f86f188
Merge branch 'master' into feat_cryptography_update
vEpiphyte Feb 27, 2024
7b221b0
Merge branch 'master' into feat_cryptography_update
vEpiphyte Feb 28, 2024
4 changes: 2 additions & 2 deletions pyproject.toml
Expand Up @@ -23,8 +23,8 @@ classifiers = [
'Operating System :: POSIX :: Linux',
]
dependencies = [
'pyOpenSSL>=23.0.0,<23.3.0',
'cryptography>=39.0.1,<42.0.0',
'pyOpenSSL>=24.0.0,<25.0.0',
'cryptography>=42.0.4,<43.0.0',
'msgpack>=1.0.5,<1.1.0',
'xxhash>=1.4.4,<3.5.0',
'lmdb>=1.2.1,<1.5.0',
4 changes: 2 additions & 2 deletions requirements.txt
@@ -1,4 +1,4 @@
pyOpenSSL>=23.0.0,<23.3.0
pyOpenSSL>=24.0.0,<25.0.0
msgpack>=1.0.5,<1.1.0
xxhash>=1.4.4,<3.5.0
lmdb>=1.2.1,<1.5.0
Expand Down Expand Up @@ -32,4 +32,4 @@ beautifulsoup4[html5lib]>=4.11.1,<5.0.0
# pin. Cryptography also vendors a copy of OpenSSL, so it needs to be able to
# have a minimum version bumped in the event of a OpenSSL vulnerability that
# needs to be patched.
cryptography>=39.0.1,<42.0.0
cryptography>=42.0.4,<43.0.0
4 changes: 2 additions & 2 deletions synapse/cortex.py
Expand Up @@ -2451,7 +2451,7 @@ async def addStormPkg(self, pkgdef, verify=False):
raise s_exc.BadPkgDef(mesg=mesg)

try:
cert = self.certdir.loadCertByts(certbyts)
cert = self.certdir.loadCertByts(certbyts.encode('utf-8'))
except s_exc.BadCertBytes as e:
raise s_exc.BadPkgDef(mesg='Storm package has malformed certificate!') from None

Expand All @@ -2465,7 +2465,7 @@ async def addStormPkg(self, pkgdef, verify=False):
mesg = 'Storm package has invalid certificate!'
raise s_exc.BadPkgDef(mesg=mesg) from None

pubk = s_rsa.PubKey(cert.get_pubkey().to_cryptography_key())
pubk = s_rsa.PubKey(cert.public_key())
if not pubk.verifyitem(pkgcopy, s_common.uhex(signbyts)):
mesg = 'Storm package signature does not match!'
raise s_exc.BadPkgDef(mesg=mesg)
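Review bot: The new `pubk = s_rsa.PubKey(cert.public_key())` hands whatever key type the certificate carries to `s_rsa.PubKey` without checking that it is RSA; with the cryptography API `public_key()` may return an EC, Ed25519 or other key object, so a package signed with a non-RSA certificate would presumably fail inside `PubKey`/`verifyitem` with an unrelated exception instead of the clean `BadPkgDef` every other validation failure in this path raises. A narrow guard such as `if not isinstance(cert.public_key(), rsa.RSAPublicKey): raise s_exc.BadPkgDef(mesg='Storm package certificate must use an RSA key!')` (with `cryptography.hazmat.primitives.asymmetric.rsa` imported) keeps the rejection explicit; if `s_rsa.PubKey` already enforces this, a one-line comment at the call site saying so would suffice. Similarly `certbyts.encode('utf-8')` now sits inside the `try`, but an `AttributeError` from a non-str value is not covered by `except s_exc.BadCertBytes` — fine only if the package schema already guarantees a str, which is validated outside this hunk. `addStormPkg` begins before and continues after the visible lines.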
21 changes: 13 additions & 8 deletions synapse/lib/aha.py
Expand Up @@ -5,6 +5,8 @@
import logging
import collections

import cryptography.x509 as c_x509

import synapse.exc as s_exc
import synapse.common as s_common
import synapse.daemon as s_daemon
Expand Down Expand Up @@ -379,8 +381,9 @@ async def signUserCsr(self, byts):
username = f'{ahauser}@{ahanetw}'

xcsr = self.aha.certdir._loadCsrByts(byts)
if xcsr.get_subject().CN != username:
mesg = f'Invalid user CSR CN={xcsr.get_subject().CN}.'
name = xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)[0].value
if name != username:
mesg = f'Invalid user CSR CN={name}.'
raise s_exc.BadArg(mesg=mesg)

pkey, cert = self.aha.certdir.signUserCsr(xcsr, ahanetw, save=False)
Expand All @@ -407,8 +410,9 @@ async def signHostCsr(self, byts):
hostname = f'{ahaname}.{ahanetw}'

xcsr = self.aha.certdir._loadCsrByts(byts)
if xcsr.get_subject().CN != hostname:
mesg = f'Invalid host CSR CN={xcsr.get_subject().CN}.'
name = xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)[0].value
if name != hostname:
mesg = f'Invalid host CSR CN={name}.'
raise s_exc.BadArg(mesg=mesg)

pkey, cert = self.aha.certdir.signHostCsr(xcsr, ahanetw, save=False)
Expand All @@ -422,8 +426,9 @@ async def signUserCsr(self, byts):
username = f'{ahauser}@{ahanetw}'

xcsr = self.aha.certdir._loadCsrByts(byts)
if xcsr.get_subject().CN != username:
mesg = f'Invalid user CSR CN={xcsr.get_subject().CN}.'
name = xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)[0].value
if name != username:
mesg = f'Invalid user CSR CN={name}.'
raise s_exc.BadArg(mesg=mesg)

pkey, cert = self.aha.certdir.signUserCsr(xcsr, ahanetw, save=False)
Expand Down Expand Up @@ -938,7 +943,7 @@ async def saveUserCert(self, name, userkey, usercert):
async def signHostCsr(self, csrtext, signas=None, sans=None):
xcsr = self.certdir._loadCsrByts(csrtext.encode())

hostname = xcsr.get_subject().CN
hostname = xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)[0].value

hostpath = s_common.genpath(self.dirn, 'certs', 'hosts', f'{hostname}.crt')
if os.path.isfile(hostpath):
Expand All @@ -957,7 +962,7 @@ async def signHostCsr(self, csrtext, signas=None, sans=None):
async def signUserCsr(self, csrtext, signas=None):
xcsr = self.certdir._loadCsrByts(csrtext.encode())

username = xcsr.get_subject().CN
username = xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)[0].value

userpath = s_common.genpath(self.dirn, 'certs', 'users', f'{username}.crt')
if os.path.isfile(userpath):
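Review bot: Each new `xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)[0].value` indexes the attribute list unconditionally, so a client-supplied CSR whose subject has no CN now raises `IndexError` out of the AHA handler instead of the `BadArg` the surrounding check is meant to produce (the `get_subject().CN` it replaces evaluated to `None` and fell through to the `BadArg`). Taking only `[0]` also means a CSR carrying a second COMMON_NAME attribute passes the name check; whether that extra CN is copied into the issued certificate depends on `certdir.signUserCsr`/`signHostCsr`, which are outside this diff, so it is safer to reject it here regardless. Since the same expression is repeated five times across `signUserCsr`/`signHostCsr`, one module-level helper that requires exactly one CN and raises `BadArg` otherwise fixes every call site, including the two certdir-facing methods at the end of the section that feed the CN straight into a filesystem path. All of these methods start or end outside the visible hunks.
```python
def _getCsrCn(xcsr):
    # Require exactly one CN: a missing CN must surface as BadArg (not IndexError),
    # and a CSR with several CNs must not pass a check that only inspects the first.
    attrs = xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)
    if len(attrs) != 1:
        mesg = f'CSR subject must contain exactly one CN, found {len(attrs)}.'
        raise s_exc.BadArg(mesg=mesg)
    return attrs[0].value

# … unchanged: signUserCsr up to the CSR load …
        xcsr = self.aha.certdir._loadCsrByts(byts)
        name = _getCsrCn(xcsr)
        if name != username:
# … unchanged: remaining call sites switch to _getCsrCn(xcsr) the same way …
```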