Fix cryptography PKCS7_sign _x509 error with PKCS7SignatureBuilder #110

Closed
1 task
reingart opened this issue Mar 19, 2023 · 1 comment
reingart commented Mar 19, 2023

Bump cryptography from 3.4.7 to 39.0.1, see dependabot ticket reingart#103
But, there are failures in the unit tests:

AttributeError: 'builtins.Certificate' object has no attribute '_x509'

The problem seems to be in wsaa.py line 144:

p7 = _lib.PKCS7_sign(cert._x509, private_key._evp_pkey, _ffi.NULL, bio_in, 0)

The new version of cryptography seems to have changed the signature methods (see the documentation):

p7 = pkcs7.PKCS7SignatureBuilder().set_data(
    b"data to sign"
).add_signer(
    cert, key, hashes.SHA256()
).sign(
    serialization.Encoding.SMIME, options
)

  • Ensure this fix works for both python2 and python3 workflows
@reingart reingart added the good first issue Good for newcomers label Mar 19, 2023
@reingart reingart changed the title Fix cryptography PKCS7_sign with PKCS7SignatureBuilder Fix cryptography PKCS7_sign _x509 error with PKCS7SignatureBuilder Mar 19, 2023
reingart added a commit that referenced this issue Jul 5, 2023
Update signature #110

This resurrects old cryptography compatibility until we can remove python2 support.
reingart commented Jul 5, 2023

Python 2.7 is deprecated, but we should maintain backward compatibility, especially with old cryptography versions

wsaa.sign_tra() should be split in 3 separate functions:

  1. sign_tra_new() for python3 current cryptography versions >= 39
  2. sign_tra_old() for legacy python2 and python3 with cryptography versions < 39
  3. sign_tra_openssl() for the workaround using openssl binary directly via command-line interface

The sign_tra original function should call the 3 versions in order (new, old, openssl), so it will work in any scenario.

Comments and documentation should be improved to reflect these changes, including proper Unit Tests

@HanslettTheDev HanslettTheDev mentioned this issue Jul 11, 2023
2 tasks
reingart added a commit that referenced this issue Jan 7, 2024
Cumulative updates from develop (python3 conversion)
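
One way to implement the fallback order proposed in the second comment, written for Python 3 (an added example, not the project's own code). `sign_with_fallback`, `FALLBACK_ERRORS`, the path-based function signatures and the empty options list are assumptions; `sign_tra_old` is left out because it depends on the private bindings quoted in the issue.

```python
import subprocess

def sign_tra_new(tra, cert_path, key_path):
    """Sign with the public PKCS7SignatureBuilder API (no private attributes)."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.serialization import pkcs7
    with open(cert_path, "rb") as f:
        cert = x509.load_pem_x509_certificate(f.read())
    with open(key_path, "rb") as f:
        key = serialization.load_pem_private_key(f.read(), password=None)
    builder = pkcs7.PKCS7SignatureBuilder().set_data(tra)
    builder = builder.add_signer(cert, key, hashes.SHA256())
    return builder.sign(serialization.Encoding.SMIME, [])  # options: assumed empty

def sign_tra_openssl(tra, cert_path, key_path):
    """Fallback: let the openssl binary produce the S/MIME signature."""
    cmd = ["openssl", "smime", "-sign", "-signer", cert_path, "-inkey", key_path]
    return subprocess.run(cmd, input=tra, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, check=True).stdout

# Only errors that mean "this backend is unusable here" trigger a fallback;
# anything else (e.g. ValueError from a malformed key) propagates to the caller.
FALLBACK_ERRORS = (ImportError, AttributeError, OSError,
                   subprocess.CalledProcessError)

def sign_with_fallback(tra, cert_path, key_path, backends):
    """Try backends in order; return (backend_name, signature).

    Each skipped backend is recorded, so a downgrade to an older signing
    path is visible to the caller instead of happening silently.
    """
    skipped = []
    for backend in backends:
        try:
            signed = backend(tra, cert_path, key_path)
        except FALLBACK_ERRORS as exc:
            skipped.append("%s: %s: %s" % (backend.__name__, type(exc).__name__, exc))
            continue
        if not signed:
            skipped.append("%s: empty output" % backend.__name__)
            continue
        return backend.__name__, signed
    raise RuntimeError("no signing backend worked: " + "; ".join(skipped))

def sign_tra(tra, cert_path, key_path):
    # sign_tra_old (legacy bindings) would sit between these two backends.
    return sign_with_fallback(tra, cert_path, key_path,
                              [sign_tra_new, sign_tra_openssl])[1]
```

Logging the returned backend name in production makes it easy to spot hosts that are still signing through a fallback path.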