From 5552d318dcb717dac758dae3148a3d747bda8fb6 Mon Sep 17 00:00:00 2001
From: Toran Sahu
Date: Tue, 12 Sep 2023 12:10:36 +0530
Subject: [PATCH] cloudvision/Connector: Use SHA256 to sign the CSR
0. Currently the cloudvision-python package pins the lib `cryptography` to 39.X.Y, as 40.0.X has breaking changes for our use-case.
1. Also, the package is using the same signing algorithm as of client/user's certificate. But there is no such a hard requirement. It can use any acceptable signing algorithm.
2. `cryptography version 40.0.0 onwards, the lib has restricted the choices of hashing algorithm to be used for signing a CSR i.e. `CertificateSigningRequestBuilder.sign()` has restricted the acceptable types of signing algorithm from `typing.Optional[hashes.HashAlgorithm]` to `typing.Optional[_AllowedHashTypes]` where `_AllowedHashTypes` is a subset of `hashes.HashAlgorithm`.
3. The backward incompatible change #2 in `cryptography` along with the hard requirement as per #1 together blocks the cloudvision-python package from upgrading the `cryptography` lib. Thus, this change is required to remove the hard requirement of using the same signing algorithm as of client/user's certificate. And decided to use SHA256 as a preferred choice.
Fixes: BUG857524, BUG792700
Change-Id: I9c033f34b6aee7da24871afbeff7e3a3425503a7
---
 cloudvision/Connector/auth/cert.py | 6 +++---
 requirements.txt | 2 +-
 test/connector/auth/test_cert.py | 5 +++--
 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/cloudvision/Connector/auth/cert.py b/cloudvision/Connector/auth/cert.py
index 9025c212..8eeb5cd9 100644
--- a/cloudvision/Connector/auth/cert.py
+++ b/cloudvision/Connector/auth/cert.py
@@ -5,7 +5,7 @@ from typing import Any, Optional, Tuple
 from cryptography import x509
-from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import hashes, serialization
 def gen_csr_der(cert_path: str, key_path: str) -> bytes:
@@ -31,8 +31,8 @@ def create_csr(cert: x509.Certificate, key: Any) -> x509.CertificateSigningReque
 return (
 x509.CertificateSigningRequestBuilder().subject_name(cert.subject)
- # NOTE: Stick to the same old signature hash algo used earlier
- .sign(key, cert.signature_hash_algorithm)
+ # Use SHA256 as signing algorithm
+ .sign(key, hashes.SHA256())
 )
diff --git a/requirements.txt b/requirements.txt
index ec706ddd..55712dc5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-cryptography>=39.0.0,<40.0.0
+cryptography>=41.0.3,<42.0.0
 grpcio>=1.46.0
 msgpack>=1.0.3
 protobuf>=3.20.1,<4.0
diff --git a/test/connector/auth/test_cert.py b/test/connector/auth/test_cert.py
index 5607164c..9394e28d 100644
--- a/test/connector/auth/test_cert.py
+++ b/test/connector/auth/test_cert.py
@@ -7,6 +7,7 @@ from pathlib import Path
 from typing import Union
+from cryptography.hazmat.primitives import hashes
 import pytest
 from cryptography import x509
@@ -58,7 +59,7 @@ def test_gen_csr_der(self, cert_path, key_path):
 csr = load_der_x509_csr(csr_der)
 cert, key = load_key_cert_pair(cert_path, key_path)
 assert csr.subject == cert.subject
- assert csr.signature_hash_algorithm == cert.signature_hash_algorithm
+ assert isinstance(csr.signature_hash_algorithm, hashes.SHA256)
 assert csr.public_key().public_bytes(
 Encoding.DER, PublicFormat.SubjectPublicKeyInfo
 ) == key.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
@@ -71,7 +72,7 @@ def test_create_csr(self, cert_path, key_path):
 cert, key = load_key_cert_pair(cert_path, key_path)
 csr: x509.CertificateSigningRequest = create_csr(cert, key)
 assert csr.subject == cert.subject
- assert csr.signature_hash_algorithm == cert.signature_hash_algorithm
+ assert isinstance(csr.signature_hash_algorithm, hashes.SHA256)
 assert csr.public_key().public_bytes(
 Encoding.DER, PublicFormat.SubjectPublicKeyInfo
 ) == key.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
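Review bot: `.sign(key, hashes.SHA256())` in create_csr now passes a hash for every key type, but `key` is typed `Any` and cryptography requires the algorithm to be `None` when signing with an Ed25519 or Ed448 private key, so a client holding such a key would get a ValueError here (assuming the loader outside this hunk accepts those keys). Choosing the hash by key type keeps them working: `algo = None if isinstance(key, (ed25519.Ed25519PrivateKey, ed448.Ed448PrivateKey)) else hashes.SHA256()` followed by `.sign(key, algo)`. The new comment restates the call; it would help more if it gave the reason, e.g. `# Fixed SHA-256: the CSR hash no longer follows the certificate's, which cryptography>=40 may reject`. The start of create_csr is outside the hunk.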
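Review bot: The updated assertions in test_gen_csr_der and test_create_csr check only the type of `csr.signature_hash_algorithm`, so neither test would notice a CSR whose signature fails to verify against the embedded public key. Adding `assert csr.is_signature_valid` next to the isinstance check in both tests would cover that. The fixtures behind cert_path and key_path are not visible here; if none of them uses an Ed25519 or Ed448 key, that path through create_csr stays untested after the switch to a fixed hash.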