diff --git a/awscli/customizations/cloudfront.py b/awscli/customizations/cloudfront.py index 968a1c65a3b8a..9339d4f516e96 100644 --- a/awscli/customizations/cloudfront.py +++ b/awscli/customizations/cloudfront.py @@ -14,7 +14,9 @@ import time import random -import rsa +from cryptography.hazmat.primitives import serialization, hashes +from cryptography.hazmat.primitives.asymmetric import padding +from cryptography.hazmat.backends import default_backend from botocore.utils import parse_to_aware_datetime from botocore.signers import CloudFrontSigner @@ -254,7 +256,11 @@ def _run_main(self, args, parsed_globals): class RSASigner(object): def __init__(self, private_key): - self.priv_key = rsa.PrivateKey.load_pkcs1(private_key.encode('utf8')) + self.priv_key = serialization.load_pem_private_key( + private_key.encode('utf8'), password=None, + backend=default_backend()) + def sign(self, message): - return rsa.sign(message, self.priv_key, 'SHA-1') + return self.priv_key.sign( + message, padding.PKCS1v15(), hashes.SHA1()) diff --git a/awscli/customizations/cloudtrail/validation.py b/awscli/customizations/cloudtrail/validation.py index 707912189133a..05cfec82d0fa3 100644 --- a/awscli/customizations/cloudtrail/validation.py +++ b/awscli/customizations/cloudtrail/validation.py @@ -22,8 +22,10 @@ from datetime import datetime, timedelta from dateutil import tz, parser -from pyasn1.error import PyAsn1Error -import rsa +from cryptography.hazmat.primitives import serialization, hashes +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives.asymmetric import padding +from cryptography.exceptions import InvalidSignature from awscli.customizations.cloudtrail.utils import get_trail_by_arn, \ get_account_id_from_arn @@ -530,20 +532,18 @@ def validate(self, bucket, key, public_key, digest_data, inflated_digest): """ try: decoded_key = base64.b64decode(public_key) - public_key = rsa.PublicKey.load_pkcs1(decoded_key, format='DER') + public_key = serialization.load_der_public_key(decoded_key, + backend=default_backend()) to_sign = self._create_string_to_sign(digest_data, inflated_digest) signature_bytes = binascii.unhexlify(digest_data['_signature']) - rsa.verify(to_sign, signature_bytes, public_key) - except PyAsn1Error: + public_key.verify(signature_bytes, to_sign, padding.PKCS1v15(), + hashes.SHA256()) + except (ValueError, TypeError): raise DigestError( ('Digest file\ts3://%s/%s\tINVALID: Unable to load PKCS #1 key' ' with fingerprint %s') % (bucket, key, digest_data['digestPublicKeyFingerprint'])) - except rsa.pkcs1.VerificationError: - # Note from the Python-RSA docs: Never display the stack trace of - # a rsa.pkcs1.VerificationError exception. It shows where in the - # code the exception occurred, and thus leaks information about - # the key. + except InvalidSignature: raise DigestSignatureError(bucket, key) def _create_string_to_sign(self, digest_data, inflated_digest): diff --git a/awscli/customizations/ec2/decryptpassword.py b/awscli/customizations/ec2/decryptpassword.py index 9d110636463dd..091b39f7cd2a0 100644 --- a/awscli/customizations/ec2/decryptpassword.py +++ b/awscli/customizations/ec2/decryptpassword.py @@ -13,7 +13,9 @@ import logging import os import base64 -import rsa +from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives.asymmetric import padding from awscli.compat import six from botocore import model @@ -109,9 +111,11 @@ def _decrypt_password_data(self, parsed, **kwargs): try: with open(self._key_path) as pk_file: pk_contents = pk_file.read() - private_key = rsa.PrivateKey.load_pkcs1(six.b(pk_contents)) + private_key = serialization.load_pem_private_key( + six.b(pk_contents), password=None, + backend=default_backend()) value = base64.b64decode(value) - value = rsa.decrypt(value, private_key) + value = private_key.decrypt(value, padding.PKCS1v15()) logger.debug(parsed) parsed['PasswordData'] = value.decode('utf-8') logger.debug(parsed) diff --git a/requirements.txt b/requirements.txt index cb9be8e887b01..1a6084abee142 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,6 +9,6 @@ docutils>=0.10 nose==1.3.0 colorama>=0.2.5,<=0.3.7 mock==1.3.0 -rsa>=3.1.2,<=3.5.0 +cryptography==2.1.4 wheel==0.24.0 PyYAML>=3.10,<=3.12