From 94770319e08bd7412a7e0b62abf206e0d78b997b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Mar 2015 15:52:56 -0600 Subject: move private_bytes to a shared method so we can reuse it --- .../hazmat/backends/openssl/backend.py | 61 ++++++++++++++++++++- src/cryptography/hazmat/backends/openssl/rsa.py | 64 +++------------------- 2 files changed, 67 insertions(+), 58 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index eb23ef00..e1758dae 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -36,7 +36,7 @@ from cryptography.hazmat.backends.openssl.rsa import ( ) from cryptography.hazmat.backends.openssl.x509 import _Certificate from cryptography.hazmat.bindings.openssl.binding import Binding -from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa, ec, rsa from cryptography.hazmat.primitives.asymmetric.padding import ( MGF1, OAEP, PKCS1v15, PSS @@ -1093,6 +1093,65 @@ class Backend(object): return ctx + def _private_bytes(self, encoding, format, encryption_algorithm, + pem_write_func, evp_pkey, cdata): + if not isinstance(encoding, serialization.Encoding): + raise TypeError("encoding must be an item from the Encoding enum") + + if not isinstance(format, serialization.Format): + raise TypeError("format must be an item from the Format enum") + + # This is a temporary check until we land DER serialization. + if encoding is not serialization.Encoding.PEM: + raise ValueError("Only PEM encoding is supported by this backend") + + if format is serialization.Format.PKCS8: + write_bio = self._lib.PEM_write_bio_PKCS8PrivateKey + key = evp_pkey + elif format is serialization.Format.TraditionalOpenSSL: + write_bio = pem_write_func + key = cdata + + if not isinstance(encryption_algorithm, + serialization.KeySerializationEncryption): + raise TypeError( + "Encryption algorithm must be a KeySerializationEncryption " + "instance" + ) + + if isinstance(encryption_algorithm, serialization.NoEncryption): + password = b"" + passlen = 0 + evp_cipher = self._ffi.NULL + elif isinstance(encryption_algorithm, + serialization.BestAvailableEncryption): + # This is a curated value that we will update over time. + evp_cipher = self._lib.EVP_get_cipherbyname( + b"aes-256-cbc" + ) + password = encryption_algorithm.password + passlen = len(password) + if passlen > 1023: + raise ValueError( + "Passwords longer than 1023 bytes are not supported by " + "this backend" + ) + else: + raise ValueError("Unsupported encryption type") + + bio = self._create_mem_bio() + res = write_bio( + bio, + key, + evp_cipher, + password, + passlen, + self._ffi.NULL, + self._ffi.NULL + ) + assert res == 1 + return self._read_mem_bio(bio) + class GetCipherByName(object): def __init__(self, fmt): diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py index e7365c11..05648d85 100644 --- a/src/cryptography/hazmat/backends/openssl/rsa.py +++ b/src/cryptography/hazmat/backends/openssl/rsa.py @@ -21,10 +21,6 @@ from cryptography.hazmat.primitives.asymmetric.rsa import ( RSAPrivateKeyWithNumbers, RSAPrivateKeyWithSerialization, RSAPublicKeyWithNumbers ) -from cryptography.hazmat.primitives.serialization import ( - BestAvailableEncryption, Encoding, Format, KeySerializationEncryption, - NoEncryption -) def _get_rsa_pss_salt_length(pss, key_size, digest_size): @@ -566,60 +562,14 @@ class _RSAPrivateKey(object): ) def private_bytes(self, encoding, format, encryption_algorithm): - if not isinstance(encoding, Encoding): - raise TypeError("encoding must be an item from the Encoding enum") - - if not isinstance(format, Format): - raise TypeError("format must be an item from the Format enum") - - # This is a temporary check until we land DER serialization. - if encoding is not Encoding.PEM: - raise ValueError("Only PEM encoding is supported by this backend") - - if format is Format.PKCS8: - write_bio = self._backend._lib.PEM_write_bio_PKCS8PrivateKey - key = self._evp_pkey - elif format is Format.TraditionalOpenSSL: - write_bio = self._backend._lib.PEM_write_bio_RSAPrivateKey - key = self._rsa_cdata - - if not isinstance(encryption_algorithm, KeySerializationEncryption): - raise TypeError( - "Encryption algorithm must be a KeySerializationEncryption " - "instance" - ) - - if isinstance(encryption_algorithm, NoEncryption): - password = b"" - passlen = 0 - evp_cipher = self._backend._ffi.NULL - elif isinstance(encryption_algorithm, BestAvailableEncryption): - # This is a curated value that we will update over time. - evp_cipher = self._backend._lib.EVP_get_cipherbyname( - b"aes-256-cbc" - ) - password = encryption_algorithm.password - passlen = len(password) - if passlen > 1023: - raise ValueError( - "Passwords longer than 1023 bytes are not supported by " - "this backend" - ) - else: - raise ValueError("Unsupported encryption type") - - bio = self._backend._create_mem_bio() - res = write_bio( - bio, - key, - evp_cipher, - password, - passlen, - self._backend._ffi.NULL, - self._backend._ffi.NULL + return self._backend._private_bytes( + encoding, + format, + encryption_algorithm, + self._backend._lib.PEM_write_bio_RSAPrivateKey, + self._evp_pkey, + self._rsa_cdata ) - assert res == 1 - return self._backend._read_mem_bio(bio) @utils.register_interface(RSAPublicKeyWithNumbers) -- cgit v1.2.3 From 98975e9990e4ee1232bbd6f426dddcce1643e87e Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 1 Mar 2015 15:58:14 -0600 Subject: update naming --- src/cryptography/hazmat/backends/openssl/backend.py | 6 +++--- src/cryptography/hazmat/backends/openssl/rsa.py | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index e1758dae..ce11f6cb 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1093,8 +1093,8 @@ class Backend(object): return ctx - def _private_bytes(self, encoding, format, encryption_algorithm, - pem_write_func, evp_pkey, cdata): + def _private_key_bytes(self, encoding, format, encryption_algorithm, + traditional_write_func, evp_pkey, cdata): if not isinstance(encoding, serialization.Encoding): raise TypeError("encoding must be an item from the Encoding enum") @@ -1109,7 +1109,7 @@ class Backend(object): write_bio = self._lib.PEM_write_bio_PKCS8PrivateKey key = evp_pkey elif format is serialization.Format.TraditionalOpenSSL: - write_bio = pem_write_func + write_bio = traditional_write_func key = cdata if not isinstance(encryption_algorithm, diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py index 05648d85..0470c3fd 100644 --- a/src/cryptography/hazmat/backends/openssl/rsa.py +++ b/src/cryptography/hazmat/backends/openssl/rsa.py @@ -562,7 +562,7 @@ class _RSAPrivateKey(object): ) def private_bytes(self, encoding, format, encryption_algorithm): - return self._backend._private_bytes( + return self._backend._private_key_bytes( encoding, format, encryption_algorithm, -- cgit v1.2.3