Update cryptography to 42.0.4 and update certdir (SYN-3552, SYN-6860) (…

…#3568) - Cryptography update addresses older version of cryptography package containing CVE-2023-50782 & CVE-2024-26130 - certdir now uses cryptography X509 objects and RSA private key objects, instead of PyOpenSSL X509 and Pkey objects. This is largely due to the removal of APIs from PyOpenSSL which we were utilizing for PKCS12 support and the guidance from PyOpenSSL project to not utilize the ``Crypto`` module in new projects as it is considered deprecated in favor of Cryptography. Per prior discussion, there should be no API stability concerns related to this change since the CertDir class is not exposed via telepath or storm apis. - certdir is now fully typed. This identified issues where we were declaring bytes as inputs on certdir and Cortex was passing in PEM strings instead of bytes. - Remove PyOpenSSL use where it is possible to do so. We now only use it for doing X509 path building and certificate verification, eventually we'll be able to remove this in favor of APIs provided by Cryptography ( see pyca/cryptography#10393 pyca/cryptography#10034 ) --------- Co-authored-by: Cisphyx <[email protected]>
vertexproject · Feb 28, 2024 · 5a60657 · 5a60657
1 parent e0f6601
commit 5a60657
Show file tree

Hide file tree

Showing 14 changed files with 1,106 additions and 587 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -23,8 +23,8 @@ classifiers = [
  'Operating System :: POSIX :: Linux',
 ]
 dependencies = [
- 'pyOpenSSL>=23.0.0,<23.3.0',
- 'cryptography>=39.0.1,<42.0.0',
+ 'pyOpenSSL>=24.0.0,<25.0.0',
+ 'cryptography>=42.0.4,<43.0.0',
  'msgpack>=1.0.5,<1.1.0',
  'xxhash>=1.4.4,<3.5.0',
  'lmdb>=1.2.1,<1.5.0',

diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
-pyOpenSSL>=23.0.0,<23.3.0
+pyOpenSSL>=24.0.0,<25.0.0
 msgpack>=1.0.5,<1.1.0
 xxhash>=1.4.4,<3.5.0
 lmdb>=1.2.1,<1.5.0
@@ -32,4 +32,4 @@ beautifulsoup4[html5lib]>=4.11.1,<5.0.0
 # pin. Cryptography also vendors a copy of OpenSSL, so it needs to be able to
 # have a minimum version bumped in the event of a OpenSSL vulnerability that
 # needs to be patched.
-cryptography>=39.0.1,<42.0.0
+cryptography>=42.0.4,<43.0.0
diff --git a/synapse/cortex.py b/synapse/cortex.py
@@ -2451,7 +2451,7 @@ async def addStormPkg(self, pkgdef, verify=False):
  raise s_exc.BadPkgDef(mesg=mesg)
 
  try:
- cert = self.certdir.loadCertByts(certbyts)
+ cert = self.certdir.loadCertByts(certbyts.encode('utf-8'))
  except s_exc.BadCertBytes as e:
  raise s_exc.BadPkgDef(mesg='Storm package has malformed certificate!') from None
 
@@ -2465,7 +2465,7 @@ async def addStormPkg(self, pkgdef, verify=False):
  mesg = 'Storm package has invalid certificate!'
  raise s_exc.BadPkgDef(mesg=mesg) from None
 
- pubk = s_rsa.PubKey(cert.get_pubkey().to_cryptography_key())
+ pubk = s_rsa.PubKey(cert.public_key())
  if not pubk.verifyitem(pkgcopy, s_common.uhex(signbyts)):
  mesg = 'Storm package signature does not match!'
  raise s_exc.BadPkgDef(mesg=mesg)

diff --git a/synapse/lib/aha.py b/synapse/lib/aha.py
@@ -5,6 +5,8 @@
 import logging
 import collections
 
+import cryptography.x509 as c_x509
+
 import synapse.exc as s_exc
 import synapse.common as s_common
 import synapse.daemon as s_daemon
@@ -379,8 +381,9 @@ async def signUserCsr(self, byts):
  username = f'{ahauser}@{ahanetw}'
 
  xcsr = self.aha.certdir._loadCsrByts(byts)
- if xcsr.get_subject().CN != username:
- mesg = f'Invalid user CSR CN={xcsr.get_subject().CN}.'
+ name = xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)[0].value
+ if name != username:
+ mesg = f'Invalid user CSR CN={name}.'
  raise s_exc.BadArg(mesg=mesg)
 
  pkey, cert = self.aha.certdir.signUserCsr(xcsr, ahanetw, save=False)
@@ -407,8 +410,9 @@ async def signHostCsr(self, byts):
  hostname = f'{ahaname}.{ahanetw}'
 
  xcsr = self.aha.certdir._loadCsrByts(byts)
- if xcsr.get_subject().CN != hostname:
- mesg = f'Invalid host CSR CN={xcsr.get_subject().CN}.'
+ name = xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)[0].value
+ if name != hostname:
+ mesg = f'Invalid host CSR CN={name}.'
  raise s_exc.BadArg(mesg=mesg)
 
  pkey, cert = self.aha.certdir.signHostCsr(xcsr, ahanetw, save=False)
@@ -422,8 +426,9 @@ async def signUserCsr(self, byts):
  username = f'{ahauser}@{ahanetw}'
 
  xcsr = self.aha.certdir._loadCsrByts(byts)
- if xcsr.get_subject().CN != username:
- mesg = f'Invalid user CSR CN={xcsr.get_subject().CN}.'
+ name = xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)[0].value
+ if name != username:
+ mesg = f'Invalid user CSR CN={name}.'
  raise s_exc.BadArg(mesg=mesg)
 
  pkey, cert = self.aha.certdir.signUserCsr(xcsr, ahanetw, save=False)
@@ -938,7 +943,7 @@ async def saveUserCert(self, name, userkey, usercert):
  async def signHostCsr(self, csrtext, signas=None, sans=None):
  xcsr = self.certdir._loadCsrByts(csrtext.encode())
 
- hostname = xcsr.get_subject().CN
+ hostname = xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)[0].value
 
  hostpath = s_common.genpath(self.dirn, 'certs', 'hosts', f'{hostname}.crt')
  if os.path.isfile(hostpath):
@@ -957,7 +962,7 @@ async def signHostCsr(self, csrtext, signas=None, sans=None):
  async def signUserCsr(self, csrtext, signas=None):
  xcsr = self.certdir._loadCsrByts(csrtext.encode())
 
- username = xcsr.get_subject().CN
+ username = xcsr.subject.get_attributes_for_oid(c_x509.NameOID.COMMON_NAME)[0].value
 
  userpath = s_common.genpath(self.dirn, 'certs', 'users', f'{username}.crt')
  if os.path.isfile(userpath):