Use FIPS 140-2 compliant RSA library

awscli/customizations/cloudfront.py

@@ -14,7 +14,9 @@
 import time
 import random
 
-import rsa
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.backends import default_backend
 from botocore.utils import parse_to_aware_datetime
 from botocore.signers import CloudFrontSigner
 
@@ -254,7 +256,10 @@ def _run_main(self, args, parsed_globals):
 
 class RSASigner(object):
     def __init__(self, private_key):
-        self.priv_key = rsa.PrivateKey.load_pkcs1(private_key.encode('utf8'))
+        self.priv_key = serialization.load_pem_private_key(
+            private_key.encode('utf8'), password=None,
+            backend=default_backend())
 
     def sign(self, message):
-        return rsa.sign(message, self.priv_key, 'SHA-1')
+        return self.priv_key.sign(
+            message, padding.PKCS1v15(), hashes.SHA1())

awscli/customizations/cloudtrail/validation.py

@@ -22,8 +22,10 @@
 from datetime import datetime, timedelta
 from dateutil import tz, parser
 
-from pyasn1.error import PyAsn1Error
-import rsa
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.exceptions import InvalidSignature
 
 from awscli.customizations.cloudtrail.utils import get_trail_by_arn, \
     get_account_id_from_arn
@@ -530,20 +532,18 @@ def validate(self, bucket, key, public_key, digest_data, inflated_digest):
         """
         try:
             decoded_key = base64.b64decode(public_key)
-            public_key = rsa.PublicKey.load_pkcs1(decoded_key, format='DER')
+            public_key = serialization.load_der_public_key(decoded_key,
+                backend=default_backend())
             to_sign = self._create_string_to_sign(digest_data, inflated_digest)
             signature_bytes = binascii.unhexlify(digest_data['_signature'])
-            rsa.verify(to_sign, signature_bytes, public_key)
-        except PyAsn1Error:
+            public_key.verify(signature_bytes, to_sign, padding.PKCS1v15(),
+                hashes.SHA256())
+        except (ValueError, TypeError):
             raise DigestError(
                 ('Digest file\ts3://%s/%s\tINVALID: Unable to load PKCS #1 key'
                  ' with fingerprint %s')
                 % (bucket, key, digest_data['digestPublicKeyFingerprint']))
-        except rsa.pkcs1.VerificationError:
-            # Note from the Python-RSA docs: Never display the stack trace of
-            # a rsa.pkcs1.VerificationError exception. It shows where in the
-            # code the exception occurred, and thus leaks information about
-            # the key.
+        except InvalidSignature:
             raise DigestSignatureError(bucket, key)
 
     def _create_string_to_sign(self, digest_data, inflated_digest):

awscli/customizations/ec2/decryptpassword.py

@@ -13,7 +13,9 @@
 import logging
 import os
 import base64
-import rsa
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import padding
 from awscli.compat import six
 
 from botocore import model
@@ -109,9 +111,11 @@ def _decrypt_password_data(self, parsed, **kwargs):
             try:
                 with open(self._key_path) as pk_file:
                     pk_contents = pk_file.read()
-                    private_key = rsa.PrivateKey.load_pkcs1(six.b(pk_contents))
+                    private_key = serialization.load_pem_private_key(
+                        six.b(pk_contents), password=None,
+                        backend=default_backend())
                     value = base64.b64decode(value)
-                    value = rsa.decrypt(value, private_key)
+                    value = private_key.decrypt(value, padding.PKCS1v15())
                     logger.debug(parsed)
                     parsed['PasswordData'] = value.decode('utf-8')
                     logger.debug(parsed)

requirements.txt

@@ -9,6 +9,6 @@ docutils>=0.10
 nose==1.3.0
 colorama>=0.2.5,<=0.3.7
 mock==1.3.0
-rsa>=3.1.2,<=3.5.0
+cryptography==2.1.4
 wheel==0.24.0
 PyYAML>=3.10,<=3.12