You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
183 lines
6.3 KiB
183 lines
6.3 KiB
From 99bb0c7430c9f954582eabd3a9581fe0db6f2e81 Mon Sep 17 00:00:00 2001
|
|
From: Pascal Ernster <git@hardfalcon.net>
|
|
Date: Mon, 22 Jul 2019 04:25:18 +0200
|
|
Subject: [PATCH] Replace libnacl with python-cryptography, add support for
|
|
algo 16 (Ed448)
|
|
|
|
Origin: https://github.com/dnsviz/dnsviz/pull/54
|
|
|
|
---
|
|
Dockerfile | 2 +-
|
|
README.md | 8 ++++----
|
|
contrib/dnsviz-py2.spec | 2 +-
|
|
contrib/dnsviz-py3.spec | 2 +-
|
|
dnsviz/crypto.py | 30 +++++++++++++++++++++++++-----
|
|
requirements.txt | 2 +-
|
|
setup.py | 2 +-
|
|
7 files changed, 34 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/Dockerfile b/Dockerfile
|
|
index dc6a0d9e..61a319de 100644
|
|
--- a/Dockerfile
|
|
+++ b/Dockerfile
|
|
@@ -2,7 +2,7 @@ FROM alpine:edge
|
|
|
|
RUN apk add python3 graphviz ttf-liberation libsodium bind bind-tools
|
|
RUN apk add --virtual builddeps linux-headers python3-dev graphviz-dev gcc libc-dev openssl-dev swig && \
|
|
- pip3 install pygraphviz m2crypto dnspython libnacl && \
|
|
+ pip3 install pygraphviz m2crypto dnspython cryptography && \
|
|
apk del builddeps
|
|
|
|
COPY . /tmp/dnsviz
|
|
diff --git a/README.md b/README.md
|
|
index e9dcda83..03d9c3dd 100644
|
|
--- a/README.md
|
|
+++ b/README.md
|
|
@@ -41,7 +41,7 @@ Instructions for running in a Docker container are also available
|
|
|
|
* M2Crypto (0.28.0 or later) - https://gitlab.com/m2crypto/m2crypto
|
|
|
|
-* libnacl - https://github.com/saltstack/libnacl
|
|
+* Cryptography (2.6 or later) - https://cryptography.io/
|
|
|
|
Note that the software versions listed above are known to work with the current
|
|
version of DNSViz. Other versions might also work well together, but might
|
|
@@ -85,7 +85,7 @@ $ source ~/myenv/bin/activate
|
|
```
|
|
(Note that this installs the dependencies that are python packages, but some of
|
|
these packages have non-python dependecies, such as Graphviz (required for
|
|
-pygraphviz) and libsodium (required for libnacl), that are not installed
|
|
+pygraphviz) and OpenSSL (required for Cryptography), that are not installed
|
|
automatically.)
|
|
|
|
Next download and install DNSViz from the Python Package Index (PyPI):
|
|
@@ -121,9 +121,9 @@ $ cp dist/dnsviz-*.tar.gz ~/rpmbuild/SOURCES/
|
|
$ cp contrib/dnsviz-py${PY_VERS}.spec ~/rpmbuild/SPECS/dnsviz.spec
|
|
```
|
|
|
|
-Install dnspython, pygraphviz, M2Crypto, and libnacl.
|
|
+Install dnspython, pygraphviz, M2Crypto, and Cryptography.
|
|
```
|
|
-$ sudo dnf install python${PY_VERS}-dns python${PY_VERS}-pygraphviz python${PY_VERS}-libnacl
|
|
+$ sudo dnf install python${PY_VERS}-dns python${PY_VERS}-pygraphviz python${PY_VERS}-cryptography
|
|
```
|
|
For python2:
|
|
```
|
|
diff --git a/contrib/dnsviz-py2.spec b/contrib/dnsviz-py2.spec
|
|
index 0bea597b..65033c95 100644
|
|
--- a/contrib/dnsviz-py2.spec
|
|
+++ b/contrib/dnsviz-py2.spec
|
|
@@ -15,7 +15,7 @@ BuildRequires: make
|
|
Requires: python2-pygraphviz >= 1.3
|
|
Requires: m2crypto >= 0.28.0
|
|
Requires: python2-dns >= 1.13
|
|
-Requires: python2-libnacl
|
|
+Requires: python2-cryptography
|
|
|
|
%description
|
|
DNSViz is a tool suite for analysis and visualization of Domain Name System
|
|
diff --git a/contrib/dnsviz-py3.spec b/contrib/dnsviz-py3.spec
|
|
index ef25f4b5..975f3e10 100644
|
|
--- a/contrib/dnsviz-py3.spec
|
|
+++ b/contrib/dnsviz-py3.spec
|
|
@@ -15,7 +15,7 @@ BuildRequires: make
|
|
Requires: python3-pygraphviz >= 1.3
|
|
Requires: python3-m2crypto >= 0.28.0
|
|
Requires: python3-dns >= 1.13
|
|
-Requires: python3-libnacl
|
|
+Requires: python3-cryptography
|
|
|
|
%description
|
|
DNSViz is a tool suite for analysis and visualization of Domain Name System
|
|
diff --git a/dnsviz/crypto.py b/dnsviz/crypto.py
|
|
index b011cbf3..283eac4d 100644
|
|
--- a/dnsviz/crypto.py
|
|
+++ b/dnsviz/crypto.py
|
|
@@ -55,7 +55,7 @@
|
|
'M2Crypto >= 0.21.1': (set([1,5,7,8,10]), set([1,2,4]), set([1])),
|
|
'M2Crypto >= 0.24.0': (set([3,6,13,14]), set(), set()),
|
|
'M2Crypto >= 0.24.0 and either openssl < 1.1.0 or openssl >= 1.1.0 plus the OpenSSL GOST Engine': (set([12]), set([3]), set()),
|
|
- 'libnacl': (set([15]), set(), set()),
|
|
+ 'cryptography': (set([15,16]), set(), set()),
|
|
}
|
|
_logged_modules = set()
|
|
|
|
@@ -72,12 +72,19 @@
|
|
_supported_digest_algs.update(set([1,2,4]))
|
|
|
|
try:
|
|
- from libnacl.sign import Verifier as ed25519Verifier
|
|
+ from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
|
|
except ImportError:
|
|
pass
|
|
else:
|
|
_supported_algs.add(15)
|
|
|
|
+try:
|
|
+ from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PublicKey
|
|
+except ImportError:
|
|
+ pass
|
|
+else:
|
|
+ _supported_algs.add(16)
|
|
+
|
|
GOST_PREFIX = b'\x30\x63\x30\x1c\x06\x06\x2a\x85\x03\x02\x02\x13\x30\x12\x06\x07\x2a\x85\x03\x02\x02\x23\x01\x06\x07\x2a\x85\x03\x02\x02\x1e\x01\x03\x43\x00\x04\x40'
|
|
GOST_ENGINE_NAME = b'gost'
|
|
GOST_DIGEST_NAME = b'GOST R 34.11-94'
|
|
@@ -386,10 +393,21 @@ def _validate_rrsig_ec(alg, sig, msg, key):
|
|
|
|
def _validate_rrsig_ed25519(alg, sig, msg, key):
|
|
try:
|
|
- verifier = ed25519Verifier(binascii.hexlify(key))
|
|
- return verifier.verify(sig + msg) == msg
|
|
- except ValueError:
|
|
+ verifier = Ed25519PublicKey.from_public_bytes(key)
|
|
+ verifier.verify(sig, msg)
|
|
+ except:
|
|
return False
|
|
+ else:
|
|
+ return True
|
|
+
|
|
+def _validate_rrsig_ed448(alg, sig, msg, key):
|
|
+ try:
|
|
+ verifier = Ed448PublicKey.from_public_bytes(key)
|
|
+ verifier.verify(sig, msg)
|
|
+ except:
|
|
+ return False
|
|
+ else:
|
|
+ return True
|
|
|
|
def validate_rrsig(alg, sig, msg, key):
|
|
if not alg_is_supported(alg):
|
|
@@ -407,6 +425,8 @@ def validate_rrsig(alg, sig, msg, key):
|
|
return _validate_rrsig_ec(alg, sig, msg, key)
|
|
elif alg in (15,):
|
|
return _validate_rrsig_ed25519(alg, sig, msg, key)
|
|
+ elif alg in (16,):
|
|
+ return _validate_rrsig_ed448(alg, sig, msg, key)
|
|
|
|
def get_digest_for_nsec3(val, salt, alg, iterations):
|
|
if not nsec3_alg_is_supported(alg):
|
|
diff --git a/requirements.txt b/requirements.txt
|
|
index d6b2de5e..af2be235 100644
|
|
--- a/requirements.txt
|
|
+++ b/requirements.txt
|
|
@@ -1,4 +1,4 @@
|
|
dnspython
|
|
pygraphviz
|
|
m2crypto
|
|
-libnacl
|
|
+cryptography
|
|
diff --git a/setup.py b/setup.py
|
|
index ba1016e3..b531c025 100644
|
|
--- a/setup.py
|
|
+++ b/setup.py
|
|
@@ -135,7 +135,7 @@ def run(self):
|
|
'pygraphviz (>=1.1)',
|
|
'm2crypto (>=0.24.0)',
|
|
'dnspython (>=1.11)',
|
|
- 'libnacl',
|
|
+ 'cryptography (>=2.6)',
|
|
],
|
|
classifiers=[
|
|
'Development Status :: 5 - Production/Stable',
|