centos / centpkg

Clone
Source Code
GIT

#53 Migrate from pyOpenSSL to cryptography
Merged 2 years ago by tdawson. Opened 2 years ago by carlwgeorge.
centos/ carlwgeorge/centpkg cryptography  into  develop

file modified
+1 -1 
@@ -1,5 +1,5 @@ 
 

  pycurl
 

- pyOpenSSL
 

+ cryptography
 

  rpkg
 

  six
 

  GitPython 

\ No newline at end of file

file modified
+15 -21 
@@ -1,8 +1,7 @@ 
 

- 

  from __future__ import print_function
 

  

  import os
 

- from OpenSSL import crypto
 

+ from cryptography import x509
 

  import urlgrabber
 

  import datetime
 

  
@@ -23,8 +22,13 @@ 
 

      if not os.access(cert_file, os.R_OK):
 

          raise centos_cert_error("""!!!    cannot read your centos cert file   !!!
 

  !!! Ensure the file is readable and try again !!!""")
 

-     raw_cert = open(cert_file).read()
 

-     my_cert = crypto.load_certificate(crypto.FILETYPE_PEM, raw_cert)
 

+     raw_cert = open(cert_file, 'rb').read()

does this line leaves the file handler open (I don't see it being closed anywhere). using a "with" block would automatically close it.

It does, but it gets closed when the program exits. That's how the code is now as well. I also prefer using a with statement but that's a separate change from this pull request. I tried to only change what was needed to switch to cryptography.

 
+     try:
 

+         my_cert = x509.load_pem_x509_certificate(raw_cert)
 

+     except TypeError:
 

+         # it was required to specify a backend prior to cryptography 3.1
 

+         from cryptography.hazmat.backends import default_backend
 

+         my_cert = x509.load_pem_x509_certificate(raw_cert, default_backend())
 

      return my_cert
 

  

  def verify_cert():
 
@@ -35,17 +39,13 @@ 
 

      Expiry time warn if less than 21 days
 

      """
 

      my_cert = _open_cert()
 

-     serial_no = my_cert.get_serial_number()
 

-     valid_until = my_cert.get_notAfter()[:8]
 

      # CRL verification would go here
 

      #crl = urlgrabber.urlread("https://<url_to_crl>/ca/crl.pem")
 

-     dateFmt = '%Y%m%d'
 

-     delta = datetime.datetime.now() + datetime.timedelta(days=21)
 

-     warn = datetime.datetime.strftime(delta, dateFmt)
 

+     warn = datetime.datetime.now() + datetime.timedelta(days=21)
 

  

-     print('cert expires: %s-%s-%s' % (valid_until[:4], valid_until[4:6], valid_until[6:8]))
 

+     print(my_cert.not_valid_after.strftime('cert expires: %Y-%m-%d'))
 

  

-     if valid_until < warn:
 

+     if my_cert.not_valid_after < warn:
 

          print('WARNING: Your cert expires soon.')
 

  

  
@@ -57,10 +57,8 @@ 
 

      """
 

      my_cert = _open_cert()
 

  

-     if my_cert.has_expired():
 

-         return True
 

-     else:
 

-         return False
 

+     return my_cert.not_valid_after < datetime.datetime.now()
 

+ 

  

  def read_user_cert():
 

      """
 
@@ -69,9 +67,5 @@ 
 

      """
 

      my_cert = _open_cert()
 

  

-     subject = str(my_cert.get_subject())
 

-     subject_line = subject.split("CN=")
 

-     cn_parts = subject_line[1].split("/")
 

-     username = cn_parts[0]
 

-     return username
 

- 

+     [common_name] = my_cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)
 

+     return common_name.value

pyOpenSSL upstream "strongly suggests" switching to cryptography.

https://github.com/pyca/pyopenssl/commit/959a031fa329a510f49f5fdbe1eb4a0d3f4103ef

Resolves #52

does this line leaves the file handler open (I don't see it being closed anywhere). using a "with" block would automatically close it.

It does, but it gets closed when the program exits. That's how the code is now as well. I also prefer using a with statement but that's a separate change from this pull request. I tried to only change what was needed to switch to cryptography.

LGTM - all tests passed as well.

I wonder if this file is even used. It imports from urlgrabber but my centpkg works without urlgrabber just fine.

rebased onto 0bc8420d6d25b37a471b41b43f25d8d139de35d3
2 years ago

Do we still want to merge this. It Looks Good To Me also.
I don't know if the file is used or not, but I think it would be better if this was merged, and then a second pull request removing the file if we really don't need it, rather than wait another six months for testing.

rebased onto 73d5290
2 years ago

I am merging this pull request.
I'm going to be doing some work to get centos-sig working, and it will be good to have this in there already.

Pull-Request has been merged by tdawson
2 years ago
Metadata
None
No Tags
Changes Summary 2
+1 -1
file changed
requirements.txt
+15 -21
file changed
src/centpkg/centos_cert.py

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation