[tor-commits] [stem/master] Narrow cryptography imports
commit fc747a4ec73c1b10c1c8ba158320b5b898927732
Author: Damian Johnson <atagar at torproject.org>
Date: Fri Oct 18 14:02:59 2019 -0700
Narrow cryptography imports
Cryptography imports must be localized to where we use it. Otherwise this
completely breaks stem when cryptography is unavailable.
---
stem/descriptor/hidden_service.py | 12 ++++++++----
stem/descriptor/hsv3_crypto.py | 11 +++++++----
test/unit/descriptor/hidden_service_v3.py | 12 ++++++++----
3 files changed, 23 insertions(+), 12 deletions(-)
diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py
index 2037cc0e..8ecc0eb7 100644
--- a/stem/descriptor/hidden_service.py
+++ b/stem/descriptor/hidden_service.py
@@ -49,10 +49,6 @@ from stem.client.datatype import CertType
from stem.descriptor import hsv3_crypto
from stem.descriptor.certificate import Ed25519Certificate
-from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
-from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
-
from stem.descriptor import (
PGP_BLOCK_END,
@@ -235,6 +231,8 @@ class IntroductionPointV3(object):
if not descriptor_signing_privkey:
raise ValueError('Cannot encode: Descriptor signing key not provided')
+ from cryptography.hazmat.primitives import serialization
+
cert_expiration_date = datetime.datetime.utcnow() + datetime.timedelta(hours=54)
body = b''
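Review bot: The function-scope import added after the signing-key check runs with no test that cryptography is installed, so a caller without it now gets a plain ImportError from inside the function rather than the stem-level message the commit description is aiming for; encode() starts outside the hunk, so an earlier guard there cannot be ruled out, but in `_get_middle_descriptor_layer_body`, the classmethod in the `@@ -957` hunk, `pubkeys_are_equal`, `HSv3PrivateBlindedKey.__init__`, `_encrypt_descriptor_layer` and the test helper `_helper_get_intro` the import is the first statement after the docstring or signature, with nothing guarding it. The test module's own pattern (a prerequisite check followed by `self.skipTest('(requires cryptography ed25519 support)')`) is the one the library code should mirror before each import, e.g. `if not stem.prereq.is_crypto_available(): raise ImportError('cryptography is required to encode hidden service descriptors')`. hsv3_crypto.py already imports `stem.prereq` in its header; whether hidden_service.py does is not visible in this diff.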
@@ -870,6 +868,9 @@ def _get_middle_descriptor_layer_body(encrypted):
(It's just fake client auth data since client auth is disabled)
"""
+ from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
+ from cryptography.hazmat.primitives import serialization
+
fake_pub_key = X25519PrivateKey.generate().public_key()
fake_pub_key_bytes = fake_pub_key.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw)
fake_pub_key_bytes_b64 = base64.b64encode(fake_pub_key_bytes)
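Review bot: The two added import lines are ordered with the `asymmetric.x25519` submodule ahead of the shorter `cryptography.hazmat.primitives` path, and the `@@ -957` hunk does the same with `ed25519`, while the hsv3_crypto.py and test-file hunks put the shorter or alphabetically earlier module first; pick one ordering for all the relocated imports so the next reader does not wonder whether the order matters. Sorting each pair, `from cryptography.hazmat.primitives import serialization` before `from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey`, matches the file's existing top-of-file groups. The enclosing function continues past the hunk.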
@@ -957,6 +958,9 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor):
the blinded key from the identity key
"""
+ from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+ from cryptography.hazmat.primitives import serialization
+
if sign:
raise NotImplementedError('Signing of %s not implemented' % cls.__name__)
diff --git a/stem/descriptor/hsv3_crypto.py b/stem/descriptor/hsv3_crypto.py
index 2b99f030..8dd769c9 100644
--- a/stem/descriptor/hsv3_crypto.py
+++ b/stem/descriptor/hsv3_crypto.py
@@ -9,16 +9,14 @@ import stem.prereq
from stem.descriptor import ed25519_exts_ref
from stem.descriptor import slow_ed25519
-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import serialization
-
def pubkeys_are_equal(pubkey1, pubkey2):
"""
Compare the raw bytes of the two pubkeys and return True if they are the same
"""
+ from cryptography.hazmat.primitives import serialization
+
pubkey1_bytes = pubkey1.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw)
pubkey2_bytes = pubkey2.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw)
@@ -42,6 +40,8 @@ certificate module.
class HSv3PrivateBlindedKey(object):
def __init__(self, hazmat_private_key, blinding_param):
+ from cryptography.hazmat.primitives import serialization
+
secret_seed = hazmat_private_key.private_bytes(encoding = serialization.Encoding.Raw, format = serialization.PrivateFormat.Raw, encryption_algorithm = serialization.NoEncryption())
assert(len(secret_seed) == 32)
@@ -195,6 +195,9 @@ def _encrypt_descriptor_layer(plaintext, revision_counter, subcredential, secret
Encrypt descriptor layer at 'plaintext'
"""
+ from cryptography.hazmat.backends import default_backend
+ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+
salt = os.urandom(16)
secret_key, secret_iv, mac_key = get_desc_keys(secret_data, string_constant, subcredential, revision_counter, salt)
diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py
index e668b04f..1f61b23b 100644
--- a/test/unit/descriptor/hidden_service_v3.py
+++ b/test/unit/descriptor/hidden_service_v3.py
@@ -5,10 +5,6 @@ Unit tests for stem.descriptor.hidden_service for version 3.
import functools
import unittest
-from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
-from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
-from cryptography.hazmat.primitives import serialization
-
import stem.client.datatype
import stem.descriptor
import stem.prereq
@@ -151,6 +147,8 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase):
self.skipTest('(requires cryptography ed25519 support)')
return
+ from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+
line_to_attr = {
'hs-descriptor': 'version',
'descriptor-lifetime': 'lifetime',
@@ -221,6 +219,9 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase):
self.assertRaisesWith(ValueError, 'Bad checksum (expected def7 but was 842e)', HiddenServiceDescriptorV3._public_key_from_address, '5' * 56)
def _helper_get_intro(self):
+ from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+ from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
+
link_specifiers = []
link1, _ = stem.client.datatype.LinkSpecifier.pop(b'\x03\x20CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC')
@@ -252,6 +253,9 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase):
self.skipTest('(requires cryptography ed25519 support)')
return
+ from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+ from cryptography.hazmat.primitives import serialization
+
# Build the service
private_identity_key = Ed25519PrivateKey.from_private_bytes(b'a' * 32)
public_identity_key = private_identity_key.public_key()