commit 30156ada4979eb02fa06236066cc94d73c75f9ce Author: Damian Johnson atagar@torproject.org Date: Fri Oct 18 12:33:34 2019 -0700
Remove _is_crypto_ed25519_supported() helper
We have a couple checks that are unpleasantly similar...
* "is_crypto_available(ed25519 = True)" checks if the cryptography module has ed25519 support (ie. if cryptograhy itself is modern enough)
* "_is_crypto_ed25519_supported()" checks if OpenSSL has ed25519 support
This is confusing, so combining these into a single "is ed25519 fully supported?" check. This potentially makes our checks stricter (ie. we do less when one check is true, and the other is false) but this isn't worth the additional confusion. --- stem/descriptor/certificate.py | 2 +- stem/descriptor/hidden_service.py | 9 +++----- stem/descriptor/server_descriptor.py | 2 +- stem/prereq.py | 34 +++++++++---------------------- test/require.py | 2 +- test/unit/descriptor/hidden_service_v3.py | 12 ++++------- 6 files changed, 20 insertions(+), 41 deletions(-)
diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index c0897b13..90476576 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -290,7 +290,7 @@ class Ed25519CertificateV1(Ed25519Certificate): * **ImportError** if cryptography module or ed25519 support unavailable """
- if not stem.prereq._is_crypto_ed25519_supported(): + if not stem.prereq.is_crypto_available(ed25519 = True): raise ImportError('Certificate validation requires the cryptography module and ed25519 support')
if isinstance(descriptor, stem.descriptor.server_descriptor.RelayDescriptor): diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 1a2ce69c..2037cc0e 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -188,8 +188,6 @@ class IntroductionPointV3(object): descriptor_signing_key is provided. """
- from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey - # if not link_specifiers or not onion_key or not enc_key: # raise ValueError('Introduction point missing essential keys')
@@ -197,7 +195,8 @@ class IntroductionPointV3(object): raise ValueError('Either auth key or auth key cert needs to be provided')
# If we have an auth key cert but not an auth key, extract the key - if auth_key_cert and not auth_key: + if auth_key_cert and not auth_key and stem.prereq.is_crypto_available(ed25519 = True): + from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey auth_key = Ed25519PublicKey.from_public_bytes(auth_key_cert.key)
self.link_specifiers = link_specifiers @@ -1031,8 +1030,6 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor):
@classmethod def create(cls, attr = None, exclude = (), validate = True, sign = False): - # Create a string-representation of the descriptor and then parse it - # immediately to create an object. return cls(cls.content(attr, exclude, sign), validate = validate, skip_crypto_validation = not sign)
def __init__(self, raw_contents, validate = False): @@ -1055,7 +1052,7 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor):
self._parse(entries, validate)
- if self.signing_cert: + if self.signing_cert and stem.prereq.is_crypto_available(ed25519 = True): self.signing_cert.validate(self) else: self._entries = entries diff --git a/stem/descriptor/server_descriptor.py b/stem/descriptor/server_descriptor.py index ebadcde2..a2be8483 100644 --- a/stem/descriptor/server_descriptor.py +++ b/stem/descriptor/server_descriptor.py @@ -858,7 +858,7 @@ class RelayDescriptor(ServerDescriptor): if onion_key_crosscert_digest != self._onion_key_crosscert_digest(): raise ValueError('Decrypted onion-key-crosscert digest does not match local digest (calculated: %s, local: %s)' % (onion_key_crosscert_digest, self._onion_key_crosscert_digest()))
- if stem.prereq._is_crypto_ed25519_supported() and self.certificate: + if stem.prereq.is_crypto_available(ed25519 = True) and self.certificate: self.certificate.validate(self)
@classmethod diff --git a/stem/prereq.py b/stem/prereq.py index e8218e7f..40c2f006 100644 --- a/stem/prereq.py +++ b/stem/prereq.py @@ -127,12 +127,14 @@ def is_crypto_available(ed25519 = False):
:param bool ed25519: check for `ed25519 support https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ed25519/`_, - which was added in version 2.6 + which requires both cryptography version 2.6 and OpenSSL support
:returns: **True** if we can use the cryptography module and **False** otherwise """
+ from stem.util import log + try: from cryptography.utils import int_from_bytes, int_to_bytes from cryptography.hazmat.backends import default_backend @@ -145,11 +147,17 @@ def is_crypto_available(ed25519 = False): raise ImportError()
if ed25519: + # The following import confirms cryptography support (ie. version 2.6+), + # whereas ed25519_supported() checks for OpenSSL bindings. + from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
+ if not hasattr(backend, 'ed25519_supported') or not backend.ed25519_supported(): + log.log_once('stem.prereq._is_crypto_ed25519_supported', log.INFO, ED25519_UNSUPPORTED) + return False + return True except ImportError: - from stem.util import log log.log_once('stem.prereq.is_crypto_available', log.INFO, CRYPTO_UNAVAILABLE) return False
@@ -253,28 +261,6 @@ def _is_lru_cache_available(): return hasattr(functools, 'lru_cache')
-def _is_crypto_ed25519_supported(): - """ - Checks if ed25519 is supported by current versions of the cryptography - package and OpenSSL. This is used for verifying ed25519 certificates in relay - descriptor signatures. - - :returns: **True** if ed25519 is supported and **False** otherwise - """ - - if not is_crypto_available(): - return False - - from stem.util import log - from cryptography.hazmat.backends.openssl.backend import backend - - if hasattr(backend, 'ed25519_supported') and backend.ed25519_supported(): - return True - else: - log.log_once('stem.prereq._is_crypto_ed25519_supported', log.INFO, ED25519_UNSUPPORTED) - return False - - def _is_sha3_available(): """ Check if hashlib has sha3 support. This requires Python 3.6+ *or* the `pysha3 diff --git a/test/require.py b/test/require.py index 1117ea1e..af33359f 100644 --- a/test/require.py +++ b/test/require.py @@ -98,7 +98,7 @@ def version(req_version):
cryptography = needs(stem.prereq.is_crypto_available, 'requires cryptography') -ed25519_support = needs(stem.prereq._is_crypto_ed25519_supported, 'requires ed25519 support') +ed25519_support = needs(lambda: stem.prereq.is_crypto_available(ed25519 = True), 'requires ed25519 support') proc = needs(stem.util.proc.is_available, 'proc unavailable') controller = needs(_can_access_controller, 'no connection') ptrace = needs(_can_ptrace, 'DisableDebuggerAttachment is set') diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py index b3a26931..e668b04f 100644 --- a/test/unit/descriptor/hidden_service_v3.py +++ b/test/unit/descriptor/hidden_service_v3.py @@ -5,7 +5,6 @@ Unit tests for stem.descriptor.hidden_service for version 3. import functools import unittest
-from cryptography.hazmat.backends.openssl.backend import backend from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey from cryptography.hazmat.primitives import serialization @@ -148,8 +147,8 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): Check that we require the mandatory fields. """
- if not backend.x25519_supported(): - self.skipTest('(requires openssl ed25519 support)') + if not stem.prereq.is_crypto_available(ed25519 = True): + self.skipTest('(requires cryptography ed25519 support)') return
line_to_attr = { @@ -216,9 +215,6 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): elif not stem.prereq._is_sha3_available(): self.skipTest('(requires sha3 support)') return - elif not backend.x25519_supported(): - self.skipTest('(requires openssl ed25519 support)') - return
self.assertEqual(b'\x92\xe6\x80\xfaWU.}HL\x9d*>\xdbF\xfb\xc0v\xe5N\xa9\x0bw\xbb\x84\xe3\xe6\xd5e}R\xa1', HiddenServiceDescriptorV3._public_key_from_address(HS_ADDRESS)) self.assertRaisesWith(ValueError, "'boom.onion' isn't a valid hidden service v3 address", HiddenServiceDescriptorV3._public_key_from_address, 'boom') @@ -252,8 +248,8 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): making onion service descriptors. """
- if not backend.x25519_supported(): - self.skipTest('(requires openssl ed25519 support)') + if not stem.prereq.is_crypto_available(ed25519 = True): + self.skipTest('(requires cryptography ed25519 support)') return
# Build the service