From cefd4bd98ba200d54a58514e15ed3239a57fbc6a Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sun, 21 Nov 2021 10:15:48 +0800
Subject: [PATCH] Remove use of deprecated verifier with cryptography

This was deprecated in version 2.1 and cryptography will be removing it soon. The replacement function is available in all versions of cryptography that certbot supports (2.1+)
---
 certbot/certbot/crypto_util.py | 31 ++++++++++++-------------------
 1 file changed, 12 insertions(+), 19 deletions(-)

diff --git a/certbot/certbot/crypto_util.py b/certbot/certbot/crypto_util.py
index f7dca341b66..e3a62cc9ebe 100644
--- a/certbot/certbot/crypto_util.py
+++ b/certbot/certbot/crypto_util.py
@@ -363,9 +363,8 @@ def verify_renewable_cert_sig(renewable_cert: interfaces.RenewableCert) -> None:
 with open(renewable_cert.cert_path, 'rb') as cert_file:
 cert = x509.load_pem_x509_certificate(cert_file.read(), default_backend())
 pk = chain.public_key()
- with warnings.catch_warnings():
- verify_signed_payload(pk, cert.signature, cert.tbs_certificate_bytes,
- cert.signature_hash_algorithm)
+ verify_signed_payload(pk, cert.signature, cert.tbs_certificate_bytes,
+ cert.signature_hash_algorithm)
 except (IOError, ValueError, InvalidSignature) as e:
 error_str = "verifying the signature of the certificate located at {0} has failed. \
 Details: {1}".format(renewable_cert.cert_path, e)
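Review bot: The module-level `import warnings` is probably left unused by this change. The `with warnings.catch_warnings():` wrapper removed here and the one removed in verify_signed_payload (second hunk) are the only uses visible in the patch, and the diffstat's 12 insertions and 19 deletions are fully accounted for by these two hunks, so the import line itself was not touched. If nothing else in crypto_util.py references `warnings`, drop the import in the same commit so the file stays lint-clean. The try block of verify_renewable_cert_sig starts above the hunk and its except body continues below it.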
@@ -387,22 +386,16 @@ def verify_signed_payload(public_key: Union[DSAPublicKey, 'Ed25519PublicKey', 'E
 :raises InvalidSignature: If signature verification fails.
 :raises errors.Error: If public key type is not supported
 """
- with warnings.catch_warnings():
- warnings.simplefilter("ignore")
- if isinstance(public_key, RSAPublicKey):
- verifier = public_key.verifier(
- signature, PKCS1v15(), signature_hash_algorithm
- )
- verifier.update(payload)
- verifier.verify()
- elif isinstance(public_key, EllipticCurvePublicKey):
- verifier = public_key.verifier(
- signature, ECDSA(signature_hash_algorithm)
- )
- verifier.update(payload)
- verifier.verify()
- else:
- raise errors.Error("Unsupported public key type.")
+ if isinstance(public_key, RSAPublicKey):
+ public_key.verify(
+ signature, payload, PKCS1v15(), signature_hash_algorithm
+ )
+ elif isinstance(public_key, EllipticCurvePublicKey):
+ public_key.verify(
+ signature, payload, ECDSA(signature_hash_algorithm)
+ )
+ else:
+ raise errors.Error("Unsupported public key type.")


 def verify_cert_matches_priv_key(cert_path: str, key_path: str) -> None:
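Review bot: The RSA branch of the rewritten call still hard-codes `PKCS1v15()`, so a certificate signed with RSASSA-PSS cannot be verified by this path and would presumably surface as a signature failure rather than as an unsupported scheme. Since the call is being rewritten anyway, document that limit directly above the branch, for example `# Only PKCS#1 v1.5 RSA signatures are handled; an RSASSA-PSS-signed certificate will not verify here.` The truncated signature in the hunk header also annotates `public_key` with types such as DSAPublicKey and Ed25519PublicKey that fall through to the `errors.Error` branch, so the docstring could say which key types are actually verified. The function's signature and the start of its docstring lie above the hunk.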