From 99bb0c7430c9f954582eabd3a9581fe0db6f2e81 Mon Sep 17 00:00:00 2001 From: Pascal Ernster Date: Mon, 22 Jul 2019 04:25:18 +0200 Subject: [PATCH] Replace libnacl with python-cryptography, add support for algo 16 (Ed448) Origin: https://github.com/dnsviz/dnsviz/pull/54 --- Dockerfile | 2 +- README.md | 8 ++++---- contrib/dnsviz-py2.spec | 2 +- contrib/dnsviz-py3.spec | 2 +- dnsviz/crypto.py | 30 +++++++++++++++++++++++++----- requirements.txt | 2 +- setup.py | 2 +- 7 files changed, 34 insertions(+), 14 deletions(-) diff --git a/Dockerfile b/Dockerfile index dc6a0d9e..61a319de 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM alpine:edge RUN apk add python3 graphviz ttf-liberation libsodium bind bind-tools RUN apk add --virtual builddeps linux-headers python3-dev graphviz-dev gcc libc-dev openssl-dev swig && \ - pip3 install pygraphviz m2crypto dnspython libnacl && \ + pip3 install pygraphviz m2crypto dnspython cryptography && \ apk del builddeps COPY . /tmp/dnsviz diff --git a/README.md b/README.md index e9dcda83..03d9c3dd 100644 --- a/README.md +++ b/README.md @@ -41,7 +41,7 @@ Instructions for running in a Docker container are also available * M2Crypto (0.28.0 or later) - https://gitlab.com/m2crypto/m2crypto -* libnacl - https://github.com/saltstack/libnacl +* Cryptography (2.6 or later) - https://cryptography.io/ Note that the software versions listed above are known to work with the current version of DNSViz. Other versions might also work well together, but might @@ -85,7 +85,7 @@ $ source ~/myenv/bin/activate ``` (Note that this installs the dependencies that are python packages, but some of these packages have non-python dependecies, such as Graphviz (required for -pygraphviz) and libsodium (required for libnacl), that are not installed +pygraphviz) and OpenSSL (required for Cryptography), that are not installed automatically.) Next download and install DNSViz from the Python Package Index (PyPI): @@ -121,9 +121,9 @@ $ cp dist/dnsviz-*.tar.gz ~/rpmbuild/SOURCES/ $ cp contrib/dnsviz-py${PY_VERS}.spec ~/rpmbuild/SPECS/dnsviz.spec ``` -Install dnspython, pygraphviz, M2Crypto, and libnacl. +Install dnspython, pygraphviz, M2Crypto, and Cryptography. ``` -$ sudo dnf install python${PY_VERS}-dns python${PY_VERS}-pygraphviz python${PY_VERS}-libnacl +$ sudo dnf install python${PY_VERS}-dns python${PY_VERS}-pygraphviz python${PY_VERS}-cryptography ``` For python2: ``` diff --git a/contrib/dnsviz-py2.spec b/contrib/dnsviz-py2.spec index 0bea597b..65033c95 100644 --- a/contrib/dnsviz-py2.spec +++ b/contrib/dnsviz-py2.spec @@ -15,7 +15,7 @@ BuildRequires: make Requires: python2-pygraphviz >= 1.3 Requires: m2crypto >= 0.28.0 Requires: python2-dns >= 1.13 -Requires: python2-libnacl +Requires: python2-cryptography %description DNSViz is a tool suite for analysis and visualization of Domain Name System diff --git a/contrib/dnsviz-py3.spec b/contrib/dnsviz-py3.spec index ef25f4b5..975f3e10 100644 --- a/contrib/dnsviz-py3.spec +++ b/contrib/dnsviz-py3.spec @@ -15,7 +15,7 @@ BuildRequires: make Requires: python3-pygraphviz >= 1.3 Requires: python3-m2crypto >= 0.28.0 Requires: python3-dns >= 1.13 -Requires: python3-libnacl +Requires: python3-cryptography %description DNSViz is a tool suite for analysis and visualization of Domain Name System diff --git a/dnsviz/crypto.py b/dnsviz/crypto.py index b011cbf3..283eac4d 100644 --- a/dnsviz/crypto.py +++ b/dnsviz/crypto.py @@ -55,7 +55,7 @@ 'M2Crypto >= 0.21.1': (set([1,5,7,8,10]), set([1,2,4]), set([1])), 'M2Crypto >= 0.24.0': (set([3,6,13,14]), set(), set()), 'M2Crypto >= 0.24.0 and either openssl < 1.1.0 or openssl >= 1.1.0 plus the OpenSSL GOST Engine': (set([12]), set([3]), set()), - 'libnacl': (set([15]), set(), set()), + 'cryptography': (set([15,16]), set(), set()), } _logged_modules = set() @@ -72,12 +72,19 @@ _supported_digest_algs.update(set([1,2,4])) try: - from libnacl.sign import Verifier as ed25519Verifier + from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey except ImportError: pass else: _supported_algs.add(15) +try: + from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PublicKey +except ImportError: + pass +else: + _supported_algs.add(16) + GOST_PREFIX = b'\x30\x63\x30\x1c\x06\x06\x2a\x85\x03\x02\x02\x13\x30\x12\x06\x07\x2a\x85\x03\x02\x02\x23\x01\x06\x07\x2a\x85\x03\x02\x02\x1e\x01\x03\x43\x00\x04\x40' GOST_ENGINE_NAME = b'gost' GOST_DIGEST_NAME = b'GOST R 34.11-94' @@ -386,10 +393,21 @@ def _validate_rrsig_ec(alg, sig, msg, key): def _validate_rrsig_ed25519(alg, sig, msg, key): try: - verifier = ed25519Verifier(binascii.hexlify(key)) - return verifier.verify(sig + msg) == msg - except ValueError: + verifier = Ed25519PublicKey.from_public_bytes(key) + verifier.verify(sig, msg) + except: return False + else: + return True + +def _validate_rrsig_ed448(alg, sig, msg, key): + try: + verifier = Ed448PublicKey.from_public_bytes(key) + verifier.verify(sig, msg) + except: + return False + else: + return True def validate_rrsig(alg, sig, msg, key): if not alg_is_supported(alg): @@ -407,6 +425,8 @@ def validate_rrsig(alg, sig, msg, key): return _validate_rrsig_ec(alg, sig, msg, key) elif alg in (15,): return _validate_rrsig_ed25519(alg, sig, msg, key) + elif alg in (16,): + return _validate_rrsig_ed448(alg, sig, msg, key) def get_digest_for_nsec3(val, salt, alg, iterations): if not nsec3_alg_is_supported(alg): diff --git a/requirements.txt b/requirements.txt index d6b2de5e..af2be235 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ dnspython pygraphviz m2crypto -libnacl +cryptography diff --git a/setup.py b/setup.py index ba1016e3..b531c025 100644 --- a/setup.py +++ b/setup.py @@ -135,7 +135,7 @@ def run(self): 'pygraphviz (>=1.1)', 'm2crypto (>=0.24.0)', 'dnspython (>=1.11)', - 'libnacl', + 'cryptography (>=2.6)', ], classifiers=[ 'Development Status :: 5 - Production/Stable',