Merge pull request #124 from HanslettTheDev/update-signature

reingart · web-flow · commit 6d786a3cf649 · 2023-07-04T23:58:22.000-03:00
Update signature #110 This resurrects old cryptography compatibility until we can remove python2 support.
diff --git a/requirements.txt b/requirements.txt
@@ -3,11 +3,11 @@ httplib2==0.20.4; python_version > '3'
 pysimplesoap==1.08.14; python_version <= '2.7'
 git+https://github.com/pysimplesoap/pysimplesoap.git@py311#pysimplesoap; python_version > '3'
 cryptography==3.3.2; python_version <= '2.7'
-cryptography==39.0.2; python_version > '3'
+cryptography==41.0.1; python_version > '3'
 fpdf>=1.7.2
 dbf>=0.88.019
 Pillow>=2.0.0
 tabulate==0.8.5
 certifi>=2020.4.5.1
 qrcode==6.1
-future==0.18.3
+future==0.18.3
diff --git a/wsaa.py b/wsaa.py
@@ -56,7 +56,6 @@
     from cryptography.hazmat.bindings.openssl.binding import Binding
     from cryptography.hazmat.primitives.serialization import pkcs7
 
-
 except ImportError:
     ex = exception_info()
     warnings.warn("No es posible importar cryptography (OpenSSL)")
@@ -115,9 +114,6 @@ def sign_tra(tra, cert=CERT, privatekey=PRIVATEKEY, passphrase=""):
         tra = tra.encode("utf8")
 
     if Binding:
-        _lib = Binding.lib
-        _ffi = Binding.ffi
-        # Crear un buffer desde el texto
 
         # Leer privatekey y cert
         if not privatekey.startswith(b"-----BEGIN RSA PRIVATE KEY-----"):
@@ -139,20 +135,53 @@ def sign_tra(tra, cert=CERT, privatekey=PRIVATEKEY, passphrase=""):
                 cert = cert.encode("utf-8")
         cert = x509.load_pem_x509_certificate(cert)
 
+        if sys.version_info.major == 2:
+            _lib = Binding.lib
+            _ffi = Binding.ffi
+            # Crear un buffer desde el texto
+            # Se crea un buffer nuevo porque la firma lo consume
+            bio_in = _lib.BIO_new_mem_buf(tra, len(tra))
+
+            try:
+                # Firmar el texto (tra) usando cryptography (openssl bindings para python)
+                p7 = _lib.PKCS7_sign(
+                    cert._x509, private_key._evp_pkey, _ffi.NULL, bio_in, 0
+                )
+            finally:
+                # Liberar memoria asignada
+                _lib.BIO_free(bio_in)
+            # Se crea un buffer nuevo porque la firma lo consume
+            bio_in = _lib.BIO_new_mem_buf(tra, len(tra))
+            try:
+                # Crear buffer de salida
+                bio_out = _lib.BIO_new(_lib.BIO_s_mem())
+                try:
+                    # Instanciar un SMIME
+                    _lib.SMIME_write_PKCS7(bio_out, p7, bio_in, 0)
+
+                    # Tomar datos para la salida
+                    result_buffer = _ffi.new("char**")
+                    buffer_length = _lib.BIO_get_mem_data(bio_out, result_buffer)
+                    p7 = _ffi.buffer(result_buffer[0], buffer_length)[:]
+                finally:
+                    _lib.BIO_free(bio_out)
+            finally:
+                _lib.BIO_free(bio_in)
 
-        p7 = pkcs7.PKCS7SignatureBuilder().set_data(
+        else:
+            p7 = pkcs7.PKCS7SignatureBuilder().set_data(
                 tra
-        ).add_signer(
-            cert, private_key, hashes.SHA256()
-        ).sign(
-            serialization.Encoding.SMIME, [pkcs7.PKCS7Options.Binary]
-        )
+            ).add_signer(
+                cert, private_key, hashes.SHA256()
+            ).sign(
+                serialization.Encoding.SMIME, [pkcs7.PKCS7Options.Binary]
+            )
 
         # Generar p7 en formato mail y recortar headers
         msg = email.message_from_string(p7.decode("utf8"))
         for part in msg.walk():
             filename = part.get_filename()
-            if filename == "smime.p7s":
+            if filename and filename.startswith("smime.p7"):
                 # Es la parte firmada?
                 # Devolver CMS
                 return part.get_payload(decode=False)
