Blame SOURCES/python-rsa-to-cryptography.patch

ca55f7
diff -uNr a/awscli/customizations/cloudfront.py b/awscli/customizations/cloudfront.py
ca55f7
--- a/awscli/customizations/cloudfront.py	2018-03-01 21:17:11.000000000 +0100
ca55f7
+++ b/awscli/customizations/cloudfront.py	2018-06-28 09:11:54.560750789 +0200
ca55f7
@@ -14,7 +14,9 @@
ca55f7
 import time
ca55f7
 import random
ca55f7
 
ca55f7
-import rsa
ca55f7
+from cryptography.hazmat.primitives import serialization, hashes
ca55f7
+from cryptography.hazmat.primitives.asymmetric import padding
ca55f7
+from cryptography.hazmat.backends import default_backend
ca55f7
 from botocore.utils import parse_to_aware_datetime
ca55f7
 from botocore.signers import CloudFrontSigner
ca55f7
 
ca55f7
@@ -254,7 +256,16 @@
ca55f7
 
ca55f7
 class RSASigner(object):
ca55f7
     def __init__(self, private_key):
ca55f7
-        self.priv_key = rsa.PrivateKey.load_pkcs1(private_key.encode('utf8'))
ca55f7
+        try:
ca55f7
+            self.priv_key = serialization.load_pem_private_key(
ca55f7
+                private_key.encode('utf8'), password=None,
ca55f7
+                backend=default_backend())
ca55f7
+        except ValueError:
ca55f7
+            self.priv_key = ''
ca55f7
 
ca55f7
     def sign(self, message):
ca55f7
-        return rsa.sign(message, self.priv_key, 'SHA-1')
ca55f7
+        try:
ca55f7
+            return self.priv_key.sign(
ca55f7
+                message, padding.PKCS1v15(), hashes.SHA1())
ca55f7
+        except AttributeError:
ca55f7
+            return b''
ca55f7
diff -uNr a/awscli/customizations/cloudtrail/validation.py b/awscli/customizations/cloudtrail/validation.py
ca55f7
--- a/awscli/customizations/cloudtrail/validation.py	2018-03-01 21:17:11.000000000 +0100
ca55f7
+++ b/awscli/customizations/cloudtrail/validation.py	2018-06-28 09:11:54.559750804 +0200
ca55f7
@@ -22,8 +22,10 @@
ca55f7
 from datetime import datetime, timedelta
ca55f7
 from dateutil import tz, parser
ca55f7
 
ca55f7
-from pyasn1.error import PyAsn1Error
ca55f7
-import rsa
ca55f7
+from cryptography.hazmat.primitives import serialization, hashes
ca55f7
+from cryptography.hazmat.backends import default_backend
ca55f7
+from cryptography.hazmat.primitives.asymmetric import padding
ca55f7
+from cryptography.exceptions import InvalidSignature
ca55f7
 
ca55f7
 from awscli.customizations.cloudtrail.utils import get_trail_by_arn, \
ca55f7
     get_account_id_from_arn
ca55f7
@@ -530,20 +532,18 @@
ca55f7
         """
ca55f7
         try:
ca55f7
             decoded_key = base64.b64decode(public_key)
ca55f7
-            public_key = rsa.PublicKey.load_pkcs1(decoded_key, format='DER')
ca55f7
+            public_key = serialization.load_der_public_key(decoded_key,
ca55f7
+                backend=default_backend())
ca55f7
             to_sign = self._create_string_to_sign(digest_data, inflated_digest)
ca55f7
             signature_bytes = binascii.unhexlify(digest_data['_signature'])
ca55f7
-            rsa.verify(to_sign, signature_bytes, public_key)
ca55f7
-        except PyAsn1Error:
ca55f7
+            public_key.verify(signature_bytes, to_sign, padding.PKCS1v15(),
ca55f7
+                hashes.SHA256())
ca55f7
+        except (ValueError, TypeError):
ca55f7
             raise DigestError(
ca55f7
                 ('Digest file\ts3://%s/%s\tINVALID: Unable to load PKCS #1 key'
ca55f7
                  ' with fingerprint %s')
ca55f7
                 % (bucket, key, digest_data['digestPublicKeyFingerprint']))
ca55f7
-        except rsa.pkcs1.VerificationError:
ca55f7
-            # Note from the Python-RSA docs: Never display the stack trace of
ca55f7
-            # a rsa.pkcs1.VerificationError exception. It shows where in the
ca55f7
-            # code the exception occurred, and thus leaks information about
ca55f7
-            # the key.
ca55f7
+        except InvalidSignature:
ca55f7
             raise DigestSignatureError(bucket, key)
ca55f7
 
ca55f7
     def _create_string_to_sign(self, digest_data, inflated_digest):
ca55f7
diff -uNr a/awscli/customizations/ec2/decryptpassword.py b/awscli/customizations/ec2/decryptpassword.py
ca55f7
--- a/awscli/customizations/ec2/decryptpassword.py	2018-03-01 21:17:11.000000000 +0100
ca55f7
+++ b/awscli/customizations/ec2/decryptpassword.py	2018-06-28 09:11:54.559750804 +0200
ca55f7
@@ -13,7 +13,9 @@
ca55f7
 import logging
ca55f7
 import os
ca55f7
 import base64
ca55f7
-import rsa
ca55f7
+from cryptography.hazmat.primitives import serialization
ca55f7
+from cryptography.hazmat.backends import default_backend
ca55f7
+from cryptography.hazmat.primitives.asymmetric import padding
ca55f7
 from awscli.compat import six
ca55f7
 
ca55f7
 from botocore import model
ca55f7
@@ -109,9 +111,11 @@
ca55f7
             try:
ca55f7
                 with open(self._key_path) as pk_file:
ca55f7
                     pk_contents = pk_file.read()
ca55f7
-                    private_key = rsa.PrivateKey.load_pkcs1(six.b(pk_contents))
ca55f7
+                    private_key = serialization.load_pem_private_key(
ca55f7
+                        six.b(pk_contents), password=None,
ca55f7
+                        backend=default_backend())
ca55f7
                     value = base64.b64decode(value)
ca55f7
-                    value = rsa.decrypt(value, private_key)
ca55f7
+                    value = private_key.decrypt(value, padding.PKCS1v15())
ca55f7
                     logger.debug(parsed)
ca55f7
                     parsed['PasswordData'] = value.decode('utf-8')
ca55f7
                     logger.debug(parsed)
ca55f7
diff -uNr a/requirements.txt b/requirements.txt
ca55f7
--- a/requirements.txt	2018-03-01 21:17:11.000000000 +0100
ca55f7
+++ b/requirements.txt	2018-06-28 09:11:54.560750789 +0200
ca55f7
@@ -9,6 +9,6 @@
ca55f7
 nose==1.3.0
ca55f7
 colorama>=0.2.5,<=0.3.7
ca55f7
 mock==1.3.0
ca55f7
-rsa>=3.1.2,<=3.5.0
ca55f7
+cryptography==2.0.3
ca55f7
 wheel==0.24.0
ca55f7
 PyYAML>=3.10,<=3.12