From c4498196fe7f2314768950d333ad3e297cca0b02 Mon Sep 17 00:00:00 2001
From: HanslettTheDev
Date: Tue, 4 Jul 2023 00:28:38 +0100
Subject: [PATCH 1/3] feat: added the signing of certificates and refactored the code
Signed-off-by: HanslettTheDev
---
 wsaa.py | 76 ++++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 45 insertions(+), 31 deletions(-)
diff --git a/wsaa.py b/wsaa.py
index 30bf49d95..894f93972 100644
--- a/wsaa.py
+++ b/wsaa.py
@@ -54,6 +54,7 @@
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.bindings.openssl.binding import Binding
+ from cryptography.hazmat.primitives.serialization import pkcs7
 except ImportError:
 ex = exception_info()
@@ -113,11 +114,6 @@ def sign_tra(tra, cert=CERT, privatekey=PRIVATEKEY, passphrase=""):
 tra = tra.encode("utf8")
 if Binding:
- _lib = Binding.lib
- _ffi = Binding.ffi
- # Crear un buffer desde el texto
- bio_in = _lib.BIO_new_mem_buf(tra, len(tra))
-
 # Leer privatekey y cert
 if not privatekey.startswith(b"-----BEGIN RSA PRIVATE KEY-----"):
 privatekey = open(privatekey).read()
@@ -136,42 +132,60 @@ def sign_tra(tra, cert=CERT, privatekey=PRIVATEKEY, passphrase=""):
 cert = open(cert).read()
 if isinstance(cert, str):
 cert = cert.encode("utf-8")
- cert = x509.load_pem_x509_certificate(cert, default_backend())
+ cert = x509.load_pem_x509_certificate(cert)
- try:
- # Firmar el texto (tra) usando cryptography (openssl bindings para python)
- p7 = _lib.PKCS7_sign(
- cert._x509, private_key._evp_pkey, _ffi.NULL, bio_in, 0
- )
- finally:
- # Liberar memoria asignada
- _lib.BIO_free(bio_in)
- # Se crea un buffer nuevo porque la firma lo consume
- bio_in = _lib.BIO_new_mem_buf(tra, len(tra))
- try:
- # Crear buffer de salida
- bio_out = _lib.BIO_new(_lib.BIO_s_mem())
- try:
- # Instanciar un SMIME
- _lib.SMIME_write_PKCS7(bio_out, p7, bio_in, 0)
+ if sys.version_info.major == 2:
+ _lib = Binding.lib
+ _ffi = Binding.ffi
+ # Crear un buffer desde el texto
+ # Se crea un buffer nuevo porque la firma lo consume
+ bio_in = _lib.BIO_new_mem_buf(tra, len(tra))
- # Tomar datos para la salida
- result_buffer = _ffi.new("char**")
- buffer_length = _lib.BIO_get_mem_data(bio_out, result_buffer)
- output = _ffi.buffer(result_buffer[0], buffer_length)[:]
+ try:
+ # Firmar el texto (tra) usando cryptography (openssl bindings para python)
+ p7 = _lib.PKCS7_sign(
+ cert._x509, private_key._evp_pkey, _ffi.NULL, bio_in, 0
+ )
 finally:
- _lib.BIO_free(bio_out)
- finally:
- _lib.BIO_free(bio_in)
+ # Liberar memoria asignada
+ _lib.BIO_free(bio_in)
+ # Se crea un buffer nuevo porque la firma lo consume
+ bio_in = _lib.BIO_new_mem_buf(tra, len(tra))
+ try:
+ # Crear buffer de salida
+ bio_out = _lib.BIO_new(_lib.BIO_s_mem())
+ try:
+ # Instanciar un SMIME
+ _lib.SMIME_write_PKCS7(bio_out, p7, bio_in, 0)
+
+ # Tomar datos para la salida
+ result_buffer = _ffi.new("char**")
+ buffer_length = _lib.BIO_get_mem_data(bio_out, result_buffer)
+ p7 = _ffi.buffer(result_buffer[0], buffer_length)[:]
+ finally:
+ _lib.BIO_free(bio_out)
+ finally:
+ _lib.BIO_free(bio_in)
+
+ else:
+ 
p7 = pkcs7.PKCS7SignatureBuilder().set_data(
+ tra
+ ).add_signer(
+ cert, private_key, hashes.SHA256()
+ ).sign(
+ serialization.Encoding.SMIME, [pkcs7.PKCS7Options.Binary]
+ )
 # Generar p7 en formato mail y recortar headers
- msg = email.message_from_string(output.decode("utf8"))
+ msg = email.message_from_string(p7.decode("utf8"))
 for part in msg.walk():
 filename = part.get_filename()
- if filename == "smime.p7m":
+ if filename and filename.startswith("smime.p7"):
 # Es la parte firmada?
 # Devolver CMS
 return part.get_payload(decode=False)
+ else:
+ raise RuntimeError("Part not found")
 else:
 # Firmar el texto (tra) usando OPENSSL directamente
 try:
From d075fdafa18f252a00ebd1ca74ceda0fcf1d4a88 Mon Sep 17 00:00:00 2001
From: HanslettTheDev
Date: Tue, 4 Jul 2023 00:29:53 +0100
Subject: [PATCH 2/3] bump: upgraded cryptography from 3.3.2 -> 41.0.1
Signed-off-by: HanslettTheDev
---
 requirements.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index 59cb59a04..c65ebdda1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,13 +1,13 @@
 httplib2==0.9.2; python_version <= '2.7'
 httplib2==0.20.4; python_version > '3'
 pysimplesoap==1.08.14; python_version <= '2.7'
-git+https://github.com/pysimplesoap/pysimplesoap.git@py311#pysimplesoap; python_version > '3'
+git+https://github.com/pysimplesoap/pysimplesoap.git@py311#pysimplesoap ; python_version > '3'
 cryptography==3.3.2; python_version <= '2.7'
-cryptography==3.4.7; python_version > '3'
+cryptography==41.0.1; python_version > '3'
 fpdf>=1.7.2
 dbf>=0.88.019
 Pillow>=2.0.0
 tabulate==0.8.5
 certifi>=2020.4.5.1
 qrcode==6.1
-future==0.18.3
+future==0.18.3
\ No newline at end of file
From 752908fdf55eb8912bf57ae29d8a6dca5e1ecff5 Mon Sep 17 00:00:00 2001
From: Mariano Reingart
Date: Tue, 4 Jul 2023 23:48:52 -0300
Subject: [PATCH 3/3] Fix whitespace issues due merge
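Review bot: Recovering the CMS by walking `email` parts of the S/MIME envelope the new `else:` branch has just built is fragile — it depends on cryptography keeping the `smime.p7m` attachment naming, and the envelope is thrown away anyway; signing with `serialization.Encoding.DER` and returning `base64.b64encode(p7).decode("ascii")` straight from that branch (with `import base64`) yields the same CMS without the round trip, assuming the WSAA endpoint tolerates unwrapped base64 as standard decoders do. That branch also needs `hashes` in scope for `hashes.SHA256()`, which is not among the imports added in the first hunk — confirm it is already imported higher up or add `from cryptography.hazmat.primitives import hashes` next to `pkcs7`. The Python 2 branch still uses the raw `PKCS7_sign` binding through the private `cert._x509` / `private_key._evp_pkey` handles and leaves the digest to OpenSSL's default, so the two interpreters are not guaranteed to sign with the same algorithm; if I recall correctly `PKCS7SignatureBuilder` already exists in the cryptography 3.3.2 pinned for Python 2, in which case the `sys.version_info` switch could go and both paths would use the explicit SHA-256 builder. `sign_tra` continues past the end of this hunk.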
Signed-off-by: Mariano Reingart
---
 requirements.txt | 2 +-
 wsaa.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index c65ebdda1..3bb3036d1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,7 @@
 httplib2==0.9.2; python_version <= '2.7'
 httplib2==0.20.4; python_version > '3'
 pysimplesoap==1.08.14; python_version <= '2.7'
-git+https://github.com/pysimplesoap/pysimplesoap.git@py311#pysimplesoap ; python_version > '3'
+git+https://github.com/pysimplesoap/pysimplesoap.git@py311#pysimplesoap; python_version > '3'
 cryptography==3.3.2; python_version <= '2.7'
 cryptography==41.0.1; python_version > '3'
 fpdf>=1.7.2
diff --git a/wsaa.py b/wsaa.py
index 5e65f1693..ca5f4c891 100644
--- a/wsaa.py
+++ b/wsaa.py
@@ -115,7 +115,7 @@ def sign_tra(tra, cert=CERT, privatekey=PRIVATEKEY, passphrase=""):
 if Binding:
- # Leer privatekey y cert
+ # Leer privatekey y cert
 if not privatekey.startswith(b"-----BEGIN RSA PRIVATE KEY-----"):
 privatekey = open(privatekey).read()
 if isinstance(privatekey, str):