commit fc747a4ec73c1b10c1c8ba158320b5b898927732 Author: Damian Johnson atagar@torproject.org Date: Fri Oct 18 14:02:59 2019 -0700
Narrow cryptography imports
Cryptography imports must be localized to where we use them. Otherwise this completely breaks stem when cryptography is unavailable. --- stem/descriptor/hidden_service.py | 12 ++++++++---- stem/descriptor/hsv3_crypto.py | 11 +++++++---- test/unit/descriptor/hidden_service_v3.py | 12 ++++++++---- 3 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py
index 2037cc0e..8ecc0eb7 100644
--- a/stem/descriptor/hidden_service.py
+++ b/stem/descriptor/hidden_service.py
@@ -49,10 +49,6 @@ from stem.client.datatype import CertType
 from stem.descriptor import hsv3_crypto
 from stem.descriptor.certificate import Ed25519Certificate
-from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
-from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
-
 from stem.descriptor import (
   PGP_BLOCK_END,
@@ -235,6 +231,8 @@ class IntroductionPointV3(object):
     if not descriptor_signing_privkey:
       raise ValueError('Cannot encode: Descriptor signing key not provided')
+    from cryptography.hazmat.primitives import serialization
+
     cert_expiration_date = datetime.datetime.utcnow() + datetime.timedelta(hours=54)
     body = b''
@@ -870,6 +868,9 @@ def _get_middle_descriptor_layer_body(encrypted):
   (It's just fake client auth data since client auth is disabled)
   """
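Review bot: The function-scope `from cryptography.hazmat.primitives import serialization` placed right after the descriptor_signing_privkey check means that on a host without cryptography this method now fails at call time with a bare ImportError that says nothing about which optional dependency is missing, whereas before the whole module refused to import. Since this package already relies on `stem.prereq` (it is imported in the hsv3_crypto.py context later in this diff), an explicit availability check ahead of the import, along the lines of `if not stem.prereq.is_crypto_available(ed25519 = True): raise ImportError('Encoding an introduction point requires the cryptography module')`, would give callers the same clear signal the unit tests get from their skipTest guard; I am inferring that helper's name from the rest of stem, so confirm it exists with that signature. The enclosing method starts before this hunk and its body continues past `body = b''`.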
+  from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
+  from cryptography.hazmat.primitives import serialization
+
   fake_pub_key = X25519PrivateKey.generate().public_key()
   fake_pub_key_bytes = fake_pub_key.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw)
   fake_pub_key_bytes_b64 = base64.b64encode(fake_pub_key_bytes)
@@ -957,6 +958,9 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor):
       the blinded key from the identity key
     """
+    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+    from cryptography.hazmat.primitives import serialization
+
     if sign:
       raise NotImplementedError('Signing of %s not implemented' % cls.__name__)
diff --git a/stem/descriptor/hsv3_crypto.py b/stem/descriptor/hsv3_crypto.py
index 2b99f030..8dd769c9 100644
--- a/stem/descriptor/hsv3_crypto.py
+++ b/stem/descriptor/hsv3_crypto.py
@@ -9,16 +9,14 @@ import stem.prereq
 from stem.descriptor import ed25519_exts_ref
 from stem.descriptor import slow_ed25519
-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import serialization
-
 def pubkeys_are_equal(pubkey1, pubkey2):
   """
   Compare the raw bytes of the two pubkeys and return True if they are the same
   """
+  from cryptography.hazmat.primitives import serialization
+
   pubkey1_bytes = pubkey1.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw)
   pubkey2_bytes = pubkey2.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw)
@@ -42,6 +40,8 @@ certificate module.
 class HSv3PrivateBlindedKey(object):
   def __init__(self, hazmat_private_key, blinding_param):
+    from cryptography.hazmat.primitives import serialization
+
     secret_seed = hazmat_private_key.private_bytes(encoding = serialization.Encoding.Raw, format = serialization.PrivateFormat.Raw, encryption_algorithm = serialization.NoEncryption())
     assert(len(secret_seed) == 32)
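Review bot: The `assert(len(secret_seed) == 32)` directly below the newly imported serialization call is the only check that the raw private bytes are a 32-byte Ed25519 seed, and `assert` statements are stripped entirely under `python -O`, so in optimized runs a key of the wrong type or length would flow on into the blinding arithmetic unchecked. Replace it with a check that survives optimization: `if len(secret_seed) != 32: raise ValueError('Expected a 32 byte Ed25519 seed, got %i bytes' % len(secret_seed))`. The constructor body continues beyond this hunk, so where the seed is consumed is not visible here.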
@@ -195,6 +195,9 @@ def _encrypt_descriptor_layer(plaintext, revision_counter, subcredential, secret
   Encrypt descriptor layer at 'plaintext'
   """
+  from cryptography.hazmat.backends import default_backend
+  from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+
   salt = os.urandom(16)
   secret_key, secret_iv, mac_key = get_desc_keys(secret_data, string_constant, subcredential, revision_counter, salt)
diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py
index e668b04f..1f61b23b 100644
--- a/test/unit/descriptor/hidden_service_v3.py
+++ b/test/unit/descriptor/hidden_service_v3.py
@@ -5,10 +5,6 @@ Unit tests for stem.descriptor.hidden_service for version 3.
 import functools
 import unittest
-from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
-from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
-from cryptography.hazmat.primitives import serialization
-
 import stem.client.datatype
 import stem.descriptor
 import stem.prereq
@@ -151,6 +147,8 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase):
       self.skipTest('(requires cryptography ed25519 support)')
       return
+    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+
     line_to_attr = {
       'hs-descriptor': 'version',
       'descriptor-lifetime': 'lifetime',
@@ -221,6 +219,9 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase):
     self.assertRaisesWith(ValueError, 'Bad checksum (expected def7 but was 842e)', HiddenServiceDescriptorV3._public_key_from_address, '5' * 56)
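Review bot: The `return` that follows `self.skipTest('(requires cryptography ed25519 support)')` in the context above the new import is unreachable, because unittest's skipTest raises SkipTest rather than returning, so the guard can be reduced to the single skipTest call. The new `from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey` is correctly placed after that guard, so the import is only attempted once the prerequisite is known to hold. The same skipTest-plus-return pair appears in the later hunk at `@@ -252,6 +253,9` and could be trimmed the same way. The enclosing test method starts before this hunk.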
   def _helper_get_intro(self):
+    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+    from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
+
     link_specifiers = []
     link1, _ = stem.client.datatype.LinkSpecifier.pop(b'\x03\x20CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC')
@@ -252,6 +253,9 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase):
       self.skipTest('(requires cryptography ed25519 support)')
       return
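Review bot: `_helper_get_intro` receives the function-scope Ed25519PrivateKey and X25519PrivateKey imports but, unlike the test methods in the neighbouring hunks, has no `self.skipTest('(requires cryptography ed25519 support)')` guard of its own, so any caller that reaches it on a host without cryptography will error with an ImportError rather than be reported as skipped. Whether every caller performs that check first is not visible in this diff; if it does not, repeat the guard as the first statement of the helper, or add a one-line docstring stating that callers must check the cryptography prerequisite before calling it. The helper's body continues past `link1, _ = ...`.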
+    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+    from cryptography.hazmat.primitives import serialization
+
     # Build the service
     private_identity_key = Ed25519PrivateKey.from_private_bytes(b'a' * 32)
     public_identity_key = private_identity_key.public_key()