Exemple #1
def local_oscrypto():
    """
    Import asn1crypto and oscrypto once, then apply the backend selected
    through environment variables

    When this file lives in a directory named "tests" (a source checkout),
    the local asn1crypto and oscrypto copies are tried first via
    _import_from(); if that yields None a normal import is used instead.
    Both modules are cached in module globals, so the environment is only
    consulted on the first call.

    Environment variables read (a non-empty value counts as set):
     - OSCRYPTO_USE_CTYPES: use_ctypes() is called
     - OSCRYPTO_USE_OPENSSL: "libcrypto_path,libssl_path", handed to
       use_openssl()
     - OSCRYPTO_USE_WINLEGACY: use_winlegacy() is called, but only when
       OSCRYPTO_USE_OPENSSL is not set

    :raises:
        ValueError - when OSCRYPTO_USE_OPENSSL does not split into exactly
        two comma-separated values

    :return:
        A 2-element tuple with the (asn1crypto, oscrypto) modules
    """

    global _asn1crypto_module
    global _oscrypto_module

    # Fast path: an earlier call already imported and configured everything
    if _oscrypto_module:
        return (_asn1crypto_module, _oscrypto_module)

    here = os.path.dirname(os.path.abspath(__file__))

    # A directory literally named "tests" is taken as the sign of a source
    # checkout, where local copies are preferred over installed packages
    from_checkout = os.path.basename(here) == 'tests'

    if from_checkout:
        asn1crypto_dir = os.path.abspath(
            os.path.join(here, '..', '..', 'asn1crypto')
        )
        _asn1crypto_module = _import_from('asn1crypto', asn1crypto_dir)
    if _asn1crypto_module is None:
        import asn1crypto as _asn1crypto_module

    if from_checkout:
        oscrypto_dir = os.path.abspath(os.path.join(here, '..'))
        _oscrypto_module = _import_from('oscrypto', oscrypto_dir)
    if _oscrypto_module is None:
        import oscrypto as _oscrypto_module

    if os.environ.get('OSCRYPTO_USE_CTYPES'):
        _oscrypto_module.use_ctypes()

    # Backends are picked from env vars so that CI jobs of other packages can
    # switch them without extra setup.
    # NOTE(review): the two paths are passed to use_openssl() without any
    # check in this function; they decide which native libcrypto/libssl the
    # process uses, so the variable should only come from trusted CI config.
    openssl_spec = os.environ.get('OSCRYPTO_USE_OPENSSL')
    if openssl_spec:
        lib_paths = openssl_spec.split(',')
        if len(lib_paths) != 2:
            raise ValueError(
                'Value for OSCRYPTO_USE_OPENSSL env var must be two paths separated by a comma'
            )
        _oscrypto_module.use_openssl(*lib_paths)
    elif os.environ.get('OSCRYPTO_USE_WINLEGACY'):
        _oscrypto_module.use_winlegacy()

    return (_asn1crypto_module, _oscrypto_module)
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, utils

from snowflake.connector.errorcode import ER_INVALID_OCSP_RESPONSE, ER_INVALID_OCSP_RESPONSE_CODE
from snowflake.connector.errors import RevocationCheckError
from snowflake.connector.ocsp_snowflake import SnowflakeOCSP
from snowflake.connector.ssd_internal_keys import ret_wildcard_hkey

# Select the oscrypto backend (macOS 10.15 only) and import oscrypto.asymmetric
# with all warnings suppressed for the duration of the block.
with warnings.catch_warnings():
    # Ignore every warning raised inside this block; catch_warnings() restores
    # the previous filters on exit.
    warnings.simplefilter("ignore")
    # force versioned dylibs onto oscrypto ssl on catalina
    # (matched by the "10.15" prefix of the reported macOS version)
    if sys.platform == 'darwin' and platform.mac_ver()[0].startswith('10.15'):
        # NOTE(review): _module_values is an underscore-prefixed (private)
        # oscrypto name; relying on it may break on an oscrypto upgrade.
        from oscrypto import use_openssl, _module_values
        # Only select a backend when none is recorded yet - presumably so a
        # choice made earlier in the process is left untouched; TODO confirm.
        if _module_values['backend'] is None:
            # Absolute paths with an explicit version suffix are passed, so
            # which library gets loaded does not depend on a search path.
            # NOTE(review): the ".35" version is hard-coded; confirm it is
            # the intended libcrypto/libssl build for this OS release.
            use_openssl(libcrypto_path='/usr/lib/libcrypto.35.dylib', libssl_path='/usr/lib/libssl.35.dylib')
    # Imported only after the backend decision above: oscrypto expects the
    # backend to be chosen before its submodules are imported.
    from oscrypto import asymmetric


# Module-level logger named after this module.
logger = getLogger(__name__)


class SnowflakeOCSPAsn1Crypto(SnowflakeOCSP):
    """OCSP revocation checks implemented on top of asn1crypto."""

    # Lookup table: hash name of a signature algorithm -> digest class.
    # Only SHA-256/384/512 are listed, so any other hash name (for example a
    # SHA-1 based signature) has no digest class here; what happens on a
    # missing entry is decided by the code that performs the lookup.
    SIGNATURE_ALGORITHM_TO_DIGEST_CLASS = {
        "sha256": SHA256,
        "sha384": SHA384,
        "sha512": SHA512,
    }
import pytest
import os
from oscrypto import use_openssl
# Switch oscrypto to the OpenSSL backend using one specific OpenSSL 1.1
# install, before any oscrypto submodule is imported further down.
# NOTE(review): the install location is machine-specific. The DLLs found here
# become the crypto backend for every signature check in this module, so the
# test host must carry a trusted OpenSSL build at this path; taking the
# directory from configuration would make that explicit.
libcrypto_path, libssl_path = (
    os.path.abspath(dll)
    for dll in (
        "C:\\Program Files (x86)\\OpenSSL-Win32\\libcrypto-1_1.dll",
        "C:\\Program Files (x86)\\OpenSSL-Win32\\libssl-1_1.dll",
    )
)
use_openssl(libcrypto_path, libssl_path)

from oscrypto.asymmetric import ecdsa_verify, load_public_key
from oscrypto.errors import SignatureError
from asn1crypto import keys, core

from optigatrust import objects
from optigatrust import crypto

# Message used as signing input by the tests ("tbs" presumably stands for
# "to be signed"; the tests that use it are outside this excerpt).
tbs_str = b"Test String to Sign"
# A different message, presumably for the negative case where verification
# of a signature made over tbs_str must fail.
tbs_str_fail = b"FAILED Test String to Sign"


@pytest.mark.parametrize("oid, curve, max_sign_size, hashname",
                         [(0xe0f1, 'secp256r1', 72, 'sha256'),
                          (0xe0f1, 'secp384r1', 104, 'sha384'),
                          (0xe0f1, 'secp521r1', 141, 'sha512'),
                          (0xe0f1, 'brainpoolp256r1', 72, 'sha256'),
                          (0xe0f1, 'brainpoolp384r1', 104, 'sha384'),
                          (0xe0f1, 'brainpoolp512r1', 137, 'sha512'),
                          (0xe0f2, 'secp256r1', 72, 'sha256'),
                          (0xe0f2, 'secp384r1', 104, 'sha384'),
                          (0xe0f2, 'secp521r1', 141, 'sha512'),
                          (0xe0f2, 'brainpoolp256r1', 72, 'sha256'),
Exemple #4
import datetime
import secrets
import platform

from unicrypto import hashlib
from asn1crypto import cms
from asn1crypto import algos
from asn1crypto import core
from asn1crypto import x509
from asn1crypto import keys

import oscrypto
# Backend selection for the Emscripten runtime: runs before the
# `from oscrypto.keys ...` / `from oscrypto.asymmetric ...` imports that follow,
# because oscrypto expects the backend to be chosen before its submodules are
# imported.
if platform.system().lower() == 'emscripten':
    # these imports are pyodide-specific
    # NOTE(review): `ssl` is not referenced in the visible code; presumably it
    # is imported for a side effect needed before the call below - confirm.
    import ssl
    # Force the OpenSSL backend with explicit library paths.
    # NOTE(review): the paths hard-code "python3.9", so a runtime built on a
    # different Python version would not find these files; whatever sits at
    # these two paths becomes the crypto backend for the signing code below.
    oscrypto.use_openssl('/lib/python3.9/site-packages/libcrypto.so',
                         '/lib/python3.9/site-packages/libssl.so')
from oscrypto.keys import parse_pkcs12
from oscrypto.asymmetric import rsa_pkcs1v15_sign, load_private_key

from minikerberos.protocol.constants import NAME_TYPE, MESSAGE_TYPE, PaDataType
from minikerberos.protocol.encryption import Enctype, _checksum_table, _enctype_table, Key
from minikerberos.protocol.structures import AuthenticatorChecksum
from minikerberos.protocol.asn1_structs import KDC_REQ_BODY, PrincipalName, HostAddress, \
 KDCOptions, EncASRepPart, AP_REQ, AuthorizationData, Checksum, krb5_pvno, Realm, \
 EncryptionKey, Authenticator, Ticket, APOptions, EncryptedData, AS_REQ, AP_REP
from minikerberos.protocol.rfc4556 import PKAuthenticator, AuthPack, Dunno1, Dunno2, MetaData, Info, CertIssuer, CertIssuers, PA_PK_AS_REP, KDCDHKeyInfo
from minikerberos.protocol.rfc_iakerb import KRB_FINISHED
from minikerberos.protocol.mskile import LSAP_TOKEN_INFO_INTEGRITY, KERB_AD_RESTRICTION_ENTRY, KERB_AD_RESTRICTION_ENTRYS
from minikerberos.gssapi.gssapi import GSSAPIFlags

Exemple #5
    ER_OCSP_RESPONSE_LOAD_FAILURE,
    ER_OCSP_RESPONSE_STATUS_UNSUCCESSFUL,
)
from snowflake.connector.errors import RevocationCheckError
from snowflake.connector.ocsp_snowflake import SnowflakeOCSP
from snowflake.connector.ssd_internal_keys import ret_wildcard_hkey

# Select the oscrypto backend (macOS 10.15 only) and import oscrypto.asymmetric
# with all warnings suppressed for the duration of the block.
with warnings.catch_warnings():
    # Ignore every warning raised inside this block; catch_warnings() restores
    # the previous filters on exit.
    warnings.simplefilter("ignore")
    # force versioned dylibs onto oscrypto ssl on catalina
    # (matched by the "10.15" prefix of the reported macOS version)
    if sys.platform == "darwin" and platform.mac_ver()[0].startswith("10.15"):
        # NOTE(review): _module_values is an underscore-prefixed (private)
        # oscrypto name; relying on it may break on an oscrypto upgrade.
        from oscrypto import _module_values, use_openssl

        # Only select a backend when none is recorded yet - presumably so a
        # choice made earlier in the process is left untouched; TODO confirm.
        if _module_values["backend"] is None:
            # Absolute paths with an explicit version suffix are passed, so
            # which library gets loaded does not depend on a search path.
            # NOTE(review): the ".35" version is hard-coded; confirm it is
            # the intended libcrypto/libssl build for this OS release.
            use_openssl(
                libcrypto_path="/usr/lib/libcrypto.35.dylib",
                libssl_path="/usr/lib/libssl.35.dylib",
            )
    # Imported only after the backend decision above: oscrypto expects the
    # backend to be chosen before its submodules are imported.
    from oscrypto import asymmetric

# Module-level logger named after this module.
logger = getLogger(__name__)


class SnowflakeOCSPAsn1Crypto(SnowflakeOCSP):
    """OCSP checks by asn1crypto."""

    # map signature algorithm name to digest class
    # Only SHA-256/384/512 are listed, so any other hash name (for example a
    # SHA-1 based signature) has no digest class here; what happens on a
    # missing entry is decided by the code that performs the lookup.
    SIGNATURE_ALGORITHM_TO_DIGEST_CLASS = {
        "sha256": SHA256,
        "sha384": SHA384,
        "sha512": SHA512,
    }