From 9379ca043654ee57db711e7bb71c2b11724a2f47 Mon Sep 17 00:00:00 2001
From: Kenneth Kehl <@kkehl@flexion.us>
Date: Wed, 4 Jun 2025 07:38:53 -0700
Subject: [PATCH] get rid of oscrypto
---
 app/notifications/sns_cert_validator.py | 27 +++++++++++++++-----
 poetry.lock | 33 +------------------------
 pyproject.toml | 1 -
 3 files changed, 22 insertions(+), 39 deletions(-)
diff --git a/app/notifications/sns_cert_validator.py b/app/notifications/sns_cert_validator.py
index 861927ea9..de5c353e5 100644
--- a/app/notifications/sns_cert_validator.py
+++ b/app/notifications/sns_cert_validator.py
@@ -2,8 +2,12 @@
 import base64
 import re
 from urllib.parse import urlparse
-import oscrypto.asymmetric
-import oscrypto.errors
+#import oscrypto.asymmetric
+#import oscrypto.errors
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.exceptions import InvalidSignature
 import requests
 import six
@@ -110,15 +114,26 @@ def validate_sns_cert(sns_payload):
 if isinstance(certificate, six.text_type):
 certificate = certificate.encode()
+ # load the certificate
+ certificate = x509.load_pem_x509_certificate(certificate)
+
 signature = base64.b64decode(sns_payload["Signature"])
 try:
- oscrypto.asymmetric.rsa_pkcs1v15_verify(
- oscrypto.asymmetric.load_certificate(certificate),
+ public_key = certificate.public_key()
+ public_key.verify(
 signature,
 string_to_sign,
- "sha1",
+ padding.PKCS1v15(),
+ hashes.SHA256() # or SHA1?
 )
+ #oscrypto.asymmetric.rsa_pkcs1v15_verify(
+ # oscrypto.asymmetric.load_certificate(certificate),
+ # signature,
+ # string_to_sign,
+ # "sha1",
+ #)
 return True
- except oscrypto.errors.SignatureError:
+ #except oscrypto.errors.SignatureError:
+ except InvalidSignature:
 raise ValidationError("Invalid signature")
diff --git a/poetry.lock b/poetry.lock
index 1b7291d3d..cfa62e31f 100644
--- a/poetry.lock
+++ b/poetry.lock
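Review bot: The two removed oscrypto imports survive as comments, `#import oscrypto.asymmetric` and `#import oscrypto.errors`, and the same pattern continues in the second hunk with the commented-out `rsa_pkcs1v15_verify(...)` call and `#except oscrypto.errors.SignatureError:`; delete them rather than ship dead code, since the commit history already records the previous implementation and a reader cannot tell whether these comments are a pending revert. If a trace of the migration is wanted, a single comment such as `# Signature verification moved from oscrypto to cryptography; the old implementation is in git history.` says it without the dead lines. The `six` import is still needed for the `six.text_type` check in the second hunk, so it cannot be dropped in this change.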
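Review bot: `hashes.SHA256() # or SHA1?` replaces the previous `"sha1"` while leaving the question open in the code, and the answer is determined by the message rather than by the verifier: SNS signs with SHA1withRSA when the payload's `SignatureVersion` is `"1"` and with SHA256withRSA when it is `"2"`, so hard-coding either digest makes valid messages of the other version fail with "Invalid signature", and the digest should be chosen from `sns_payload["SignatureVersion"]`. Separately, `x509.load_pem_x509_certificate(certificate)` now runs before the `try`, so a malformed certificate body raises `ValueError` and escapes as an unhandled exception instead of `ValidationError`, and `public_key.verify(..., padding.PKCS1v15(), ...)` assumes an RSA key, so a certificate with a different key type would raise `TypeError` at that call rather than being rejected cleanly. validate_sns_cert starts outside the hunk, so whether `SigningCertURL` is checked before the certificate is fetched is not visible here and should be confirmed. The rewrite below picks the digest by version and moves the certificate load into the guarded region.

```python
    # … unchanged: certificate fetch/encode and signature = base64.b64decode(...) …
    # SNS SignatureVersion "1" is SHA1withRSA, "2" is SHA256withRSA; the field is a string.
    digest = hashes.SHA256() if sns_payload.get("SignatureVersion") == "2" else hashes.SHA1()
    try:
        certificate = x509.load_pem_x509_certificate(certificate)
        certificate.public_key().verify(
            signature,
            string_to_sign,
            padding.PKCS1v15(),
            digest,
        )
        return True
    except (InvalidSignature, ValueError, TypeError):
        raise ValidationError("Invalid signature")
```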
@@ -211,18 +211,6 @@ types-python-dateutil = ">=2.8.10"
 doc = ["doc8", "sphinx (>=7.0.0)", "sphinx-autobuild", "sphinx-autodoc-typehints", "sphinx_rtd_theme (>=1.3.0)"]
 test = ["dateparser (==1.*)", "pre-commit", "pytest", "pytest-cov", "pytest-mock", "pytz (==2021.1)", "simplejson (==3.*)"]
-[[package]]
-name = "asn1crypto"
-version = "1.5.1"
-description = "Fast ASN.1 parser and serializer with definitions for private keys, public keys, certificates, CRL, OCSP, CMS, PKCS#3, PKCS#7, PKCS#8, PKCS#12, PKCS#5, X.509 and TSP"
-optional = false
-python-versions = "*"
-groups = ["main"]
-files = [
- {file = "asn1crypto-1.5.1-py2.py3-none-any.whl", hash = "sha256:db4e40728b728508912cbb3d44f19ce188f218e9eba635821bb4b68564f8fd67"},
- {file = "asn1crypto-1.5.1.tar.gz", hash = "sha256:13ae38502be632115abf8a24cbe5f4da52e3b5231990aff31123c805306ccb9c"},
-]
-
 [[package]]
 name = "async-timeout"
 version = "5.0.1"
@@ -3135,25 +3123,6 @@ files = [
 [package.extras]
 dev = ["black", "mypy", "pytest"]
-[[package]]
-name = "oscrypto"
-version = "1.3.0"
-description = "TLS (SSL) sockets, key generation, encryption, decryption, signing, verification and KDFs using the OS crypto libraries. Does not require a compiler, and relies on the OS for patching. Works on Windows, OS X and Linux/BSD."
-optional = false
-python-versions = "*"
-groups = ["main"]
-files = []
-develop = false
-
-[package.dependencies]
-asn1crypto = ">=1.5.1"
-
-[package.source]
-type = "git"
-url = "https://github.com/wbond/oscrypto.git"
-reference = "1547f53"
-resolved_reference = "1547f535001ba568b239b8797465536759c742a3"
-
 [[package]]
 name = "packageurl-python"
 version = "0.16.0"
@@ -5608,4 +5577,4 @@ cffi = ["cffi (>=1.11)"]
 [metadata]
 lock-version = "2.1"
 python-versions = "^3.13.2"
-content-hash = "12dd1482c9ad1e19d4edefb9fa0abf614346883c37dc600769bb3acf610410d4"
+content-hash = "879c7bb9dd451bb098c7a092498dd458224dcc766eb504fafe2cdc10255ccf7e"
diff --git a/pyproject.toml b/pyproject.toml
index 3e4577d64..f026ced23 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -41,7 +41,6 @@ marshmallow = "==3.26.1"
 marshmallow-sqlalchemy = "==1.0.0"
 newrelic = "*"
 notifications-python-client = "==10.0.1"
-oscrypto = { git = "https://github.com/wbond/oscrypto.git", rev = "1547f53" }
 packaging = "==25.0"
 poetry-dotenv-plugin = "==0.2.0"
 psycopg2-binary = "==2.9.10"