From 0ba9cffa40edba919c0c07dba7fd0527d350206e Mon Sep 17 00:00:00 2001
From: Sergei Maertens
Date: Thu, 22 Feb 2024 12:18:35 +0100
Subject: [PATCH] :recycle: Use cryptography primivites for x509 certificate processing

Instead of relying on the (implicitly installed) PyOpenSSL dependency.
---
 digid_eherkenning/saml2/eherkenning.py | 21 ++++++++++-----------
 setup.cfg | 1 +
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/digid_eherkenning/saml2/eherkenning.py b/digid_eherkenning/saml2/eherkenning.py
index 01ca00f..ba80e35 100644
--- a/digid_eherkenning/saml2/eherkenning.py
+++ b/digid_eherkenning/saml2/eherkenning.py
@@ -7,10 +7,11 @@
 from django.urls import reverse
 from django.utils import timezone
 
+from cryptography.hazmat.primitives import serialization
+from cryptography.x509 import load_pem_x509_certificate
 from furl.furl import furl
 from lxml.builder import ElementMaker
 from lxml.etree import Element, tostring
-from OpenSSL import crypto
 
 from ..choices import AssuranceLevels
 from ..models import EherkenningConfiguration
@@ -268,19 +269,17 @@ def create_classifiers_element(classifiers: list) -> ElementMaker:
     return ESC("Classifiers", *classifiers_elements)
 
 
-def create_key_descriptor(x509_certificate_content):
-    x509_certificate = crypto.load_certificate(
-        crypto.FILETYPE_PEM, x509_certificate_content
-    )
-    key_descriptor_cert = b64encode(
-        crypto.dump_certificate(crypto.FILETYPE_ASN1, x509_certificate)
-    ).decode("ascii")
-
-    certificate = x509_certificate.to_cryptography()
+def create_key_descriptor(x509_certificate_content: bytes):
+    certificate = load_pem_x509_certificate(x509_certificate_content)
     key_name = binascii.hexlify(
         certificate.fingerprint(certificate.signature_hash_algorithm)
     ).decode("ascii")
 
+    # grab the actual base64 data describding the certificate, but without the
+    # BEGIN/END CERTIFICATE headers and footers and stripped of line breaks.
+    certificate_content = certificate.public_bytes(serialization.Encoding.DER)
+    key_descriptor_cert = b64encode(certificate_content).decode("ascii")
+
     args = [
         DS(
             "KeyInfo",
@@ -297,7 +296,7 @@ def create_service_catalogus(conf, validate=True):
     https://afsprakenstelsel.etoegang.nl/display/as/Service+catalog
     """
     with conf["cert_file"].open("rb") as cert_file:
-        x509_certificate_content = cert_file.read()
+        x509_certificate_content: bytes = cert_file.read()
     sc_id = str(uuid4())
     service_provider_id = conf["oin"]
diff --git a/setup.cfg b/setup.cfg
index 00689ea..6cd56a9 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -34,6 +34,7 @@ zip_safe = False
 include_package_data = True
 packages = find:
 install_requires =
+    cryptography >= 40.0.0
     django >= 3.2.0
     django-sessionprofile
     django-simple-certmanager
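Review bot: The `key_name` computation kept in the new `create_key_descriptor` still passes `certificate.signature_hash_algorithm` straight into `certificate.fingerprint()`, and cryptography returns `None` there for certificates signed with Ed25519/Ed448, so such a certificate fails on that line with an unhelpful error instead of a clear one; it also ties the published `ds:KeyName` to whatever digest the issuing CA happened to use, so a SHA-1-signed certificate yields a SHA-1 fingerprint. Unless the exact KeyName value is relied on elsewhere (nothing in this hunk shows that), a fixed digest is simpler and avoids both problems: `key_name = certificate.fingerprint(hashes.SHA256()).hex()` with `from cryptography.hazmat.primitives import hashes` added to the import hunk; otherwise reject the `None` case explicitly before calling `fingerprint()`. Callers should also be aware that a malformed PEM now surfaces as `ValueError` from `load_pem_x509_certificate` rather than `OpenSSL.crypto.Error`, so any `except` on the old type elsewhere (none visible here) needs updating. The added comment has a typo (`describding`), and the function still has no docstring; a one-liner such as `"""Build the ds:KeyDescriptor element for the PEM-encoded signing certificate (presumably only the first certificate in a bundle is used -- confirm)."""` would document the single-certificate assumption the loader implies. The body of `create_key_descriptor` continues past the end of the hunk.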