From b3dfe43389f7794c9796b30e0130d5ed2582927e Mon Sep 17 00:00:00 2001 From: karen-avetisyan-mc Date: Fri, 9 Feb 2024 09:46:00 +0000 Subject: [PATCH 1/5] fixing security issues --- client_encryption/encryption_utils.py | 8 +++++--- requirements.txt | 4 ++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/client_encryption/encryption_utils.py b/client_encryption/encryption_utils.py index b776591..a6d842e 100644 --- a/client_encryption/encryption_utils.py +++ b/client_encryption/encryption_utils.py @@ -2,7 +2,7 @@ from Crypto.Hash import SHA1, SHA224, SHA256, SHA384, SHA512 from OpenSSL.crypto import load_certificate, load_pkcs12, dump_privatekey, FILETYPE_PEM, FILETYPE_ASN1, Error from client_encryption.encryption_exception import CertificateError, PrivateKeyError, HashAlgorithmError - +from cryptography.hazmat.primitives.serialization import pkcs12 _SUPPORTED_HASH = {"SHA1": SHA1, "SHA224": SHA224, "SHA256": SHA256, "SHA384": SHA384, "SHA512": SHA512} @@ -43,8 +43,10 @@ def load_decryption_key(key_file_path, decryption_key_password=None): def __load_pkcs12_private_key(pkcs12_key, password): """Load a private key in ASN1 format out of a PKCS#12 container.""" - pkcs12 = load_pkcs12(pkcs12_key, password.encode("utf-8")).get_privatekey() - return dump_privatekey(FILETYPE_ASN1, pkcs12) + #pkcs12 = load_pkcs12(pkcs12_key, password.encode("utf-8")).get_privatekey() + with open(key_file_path, "rb") as f: + private_key = pkcs12.load_pkcs12(pkcs12_key, password) + return dump_privatekey(FILETYPE_ASN1, private_key) def __get_crypto_file_type(file_content): diff --git a/requirements.txt b/requirements.txt index d16ccdd..f699369 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ -pycryptodome==3.8.1 -pyOpenSSL>=22.1.0,<=23.2.0 +pycryptodome==3.19.1 +pyOpenSSL>=23.3.0 setuptools>=39.0.1 coverage>=4.5.3 cryptography>=39.0.0 From 01dd10e6eeba99110ead184dfe6efdb9f899287b Mon Sep 17 00:00:00 2001 From: karen-avetisyan-mc Date: Fri, 9 Feb 2024 09:57:44 +0000 Subject: [PATCH 2/5] removing extra code --- client_encryption/encryption_utils.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/client_encryption/encryption_utils.py b/client_encryption/encryption_utils.py index a6d842e..65118c2 100644 --- a/client_encryption/encryption_utils.py +++ b/client_encryption/encryption_utils.py @@ -43,8 +43,6 @@ def load_decryption_key(key_file_path, decryption_key_password=None): def __load_pkcs12_private_key(pkcs12_key, password): """Load a private key in ASN1 format out of a PKCS#12 container.""" - #pkcs12 = load_pkcs12(pkcs12_key, password.encode("utf-8")).get_privatekey() - with open(key_file_path, "rb") as f: private_key = pkcs12.load_pkcs12(pkcs12_key, password) return dump_privatekey(FILETYPE_ASN1, private_key) From e33aaa6b3bab0a0fdee4946fc1da45618bc11207 Mon Sep 17 00:00:00 2001 From: karen-avetisyan-mc Date: Fri, 9 Feb 2024 10:07:43 +0000 Subject: [PATCH 3/5] Updating the cryptography version moving to version 42.0.0.0 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index f699369..ccac1cf 100644 --- a/requirements.txt +++ b/requirements.txt @@ -2,4 +2,4 @@ pycryptodome==3.19.1 pyOpenSSL>=23.3.0 setuptools>=39.0.1 coverage>=4.5.3 -cryptography>=39.0.0 +cryptography>=42.0.0 From f3acf140d1e8ebea23bfd7d49e719bd4763e9268 Mon Sep 17 00:00:00 2001 From: karen-avetisyan-mc Date: Fri, 9 Feb 2024 10:17:32 +0000 Subject: [PATCH 4/5] removing redundant functions --- client_encryption/encryption_utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client_encryption/encryption_utils.py b/client_encryption/encryption_utils.py index 65118c2..6f71647 100644 --- a/client_encryption/encryption_utils.py +++ b/client_encryption/encryption_utils.py @@ -1,6 +1,6 @@ from Crypto.PublicKey import RSA from Crypto.Hash import SHA1, SHA224, SHA256, SHA384, SHA512 -from OpenSSL.crypto import load_certificate, load_pkcs12, dump_privatekey, FILETYPE_PEM, FILETYPE_ASN1, Error +from OpenSSL.crypto import load_certificate, dump_privatekey, FILETYPE_PEM, FILETYPE_ASN1, Error from client_encryption.encryption_exception import CertificateError, PrivateKeyError, HashAlgorithmError from cryptography.hazmat.primitives.serialization import pkcs12 From b1782ac7def72771dc0ebc9618930a9de5212956 Mon Sep 17 00:00:00 2001 From: karen-avetisyan-mc Date: Fri, 9 Feb 2024 13:09:16 +0000 Subject: [PATCH 5/5] Fixing the unit tests --- client_encryption/encryption_utils.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/client_encryption/encryption_utils.py b/client_encryption/encryption_utils.py index 6f71647..e48b3a5 100644 --- a/client_encryption/encryption_utils.py +++ b/client_encryption/encryption_utils.py @@ -1,8 +1,9 @@ from Crypto.PublicKey import RSA from Crypto.Hash import SHA1, SHA224, SHA256, SHA384, SHA512 -from OpenSSL.crypto import load_certificate, dump_privatekey, FILETYPE_PEM, FILETYPE_ASN1, Error +from OpenSSL.crypto import load_certificate, FILETYPE_PEM, FILETYPE_ASN1, Error from client_encryption.encryption_exception import CertificateError, PrivateKeyError, HashAlgorithmError -from cryptography.hazmat.primitives.serialization import pkcs12 +from cryptography.hazmat.primitives.serialization import pkcs12 +from cryptography.hazmat.primitives import serialization _SUPPORTED_HASH = {"SHA1": SHA1, "SHA224": SHA224, "SHA256": SHA256, "SHA384": SHA384, "SHA512": SHA512} @@ -40,11 +41,10 @@ def load_decryption_key(key_file_path, decryption_key_password=None): raise PrivateKeyError("Wrong decryption key format.") -def __load_pkcs12_private_key(pkcs12_key, password): +def __load_pkcs12_private_key(pkcs_file, password): """Load a private key in ASN1 format out of a PKCS#12 container.""" - - private_key = pkcs12.load_pkcs12(pkcs12_key, password) - return dump_privatekey(FILETYPE_ASN1, private_key) + private_key, certs, addcerts = pkcs12.load_key_and_certificates(pkcs_file, password.encode("utf-8")) + return private_key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.TraditionalOpenSSL, serialization.NoEncryption()) def __get_crypto_file_type(file_content):