cloudvision/Connector: Use SHA256 to sign the CSR

0. Currently the cloudvision-python package pins the lib `cryptography` to 39.X.Y, as 40.0.X has breaking changes for our use-case. 1. Also, the package is using the same signing algorithm as of client/user's certificate. But there is no such a hard requirement. It can use any acceptable signing algorithm. 2. `cryptography version 40.0.0 onwards, the lib has restricted the choices of hashing algorithm to be used for signing a CSR i.e. `CertificateSigningRequestBuilder.sign()` has restricted the acceptable types of signing algorithm from `typing.Optional[hashes.HashAlgorithm]` to `typing.Optional[_AllowedHashTypes]` where `_AllowedHashTypes` is a subset of `hashes.HashAlgorithm`. 3. The backward incompatible change #2 in `cryptography` along with the hard requirement as per #1 together blocks the cloudvision-python package from upgrading the `cryptography` lib. Thus, this change is required to remove the hard requirement of using the same signing algorithm as of client/user's certificate. And decided to use SHA256 as a preferred choice. Fixes: BUG857524, BUG792700 Change-Id: I9c033f34b6aee7da24871afbeff7e3a3425503a7
aristanetworks · Sep 12, 2023 · 5552d31 · 5552d31
1 parent 8254bb3
commit 5552d31
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 6 deletions.
diff --git a/cloudvision/Connector/auth/cert.py b/cloudvision/Connector/auth/cert.py
@@ -5,7 +5,7 @@
 from typing import Any, Optional, Tuple
 
 from cryptography import x509
-from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives import hashes, serialization
 
 
 def gen_csr_der(cert_path: str, key_path: str) -> bytes:
@@ -31,8 +31,8 @@ def create_csr(cert: x509.Certificate, key: Any) -> x509.CertificateSigningReque
 
     return (
         x509.CertificateSigningRequestBuilder().subject_name(cert.subject)
-        # NOTE: Stick to the same old signature hash algo used earlier
-        .sign(key, cert.signature_hash_algorithm)
+        # Use SHA256 as signing algorithm
+        .sign(key, hashes.SHA256())
     )
 
 

diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
-cryptography>=39.0.0,<40.0.0
+cryptography>=41.0.3,<42.0.0
 grpcio>=1.46.0
 msgpack>=1.0.3
 protobuf>=3.20.1,<4.0

diff --git a/test/connector/auth/test_cert.py b/test/connector/auth/test_cert.py
@@ -7,6 +7,7 @@
 
 from pathlib import Path
 from typing import Union
+from cryptography.hazmat.primitives import hashes
 
 import pytest
 from cryptography import x509
@@ -58,7 +59,7 @@ def test_gen_csr_der(self, cert_path, key_path):
         csr = load_der_x509_csr(csr_der)
         cert, key = load_key_cert_pair(cert_path, key_path)
         assert csr.subject == cert.subject
-        assert csr.signature_hash_algorithm == cert.signature_hash_algorithm
+        assert isinstance(csr.signature_hash_algorithm, hashes.SHA256)
         assert csr.public_key().public_bytes(
             Encoding.DER, PublicFormat.SubjectPublicKeyInfo
         ) == key.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)
@@ -71,7 +72,7 @@ def test_create_csr(self, cert_path, key_path):
         cert, key = load_key_cert_pair(cert_path, key_path)
         csr: x509.CertificateSigningRequest = create_csr(cert, key)
         assert csr.subject == cert.subject
-        assert csr.signature_hash_algorithm == cert.signature_hash_algorithm
+        assert isinstance(csr.signature_hash_algorithm, hashes.SHA256)
         assert csr.public_key().public_bytes(
             Encoding.DER, PublicFormat.SubjectPublicKeyInfo
         ) == key.public_key().public_bytes(Encoding.DER, PublicFormat.SubjectPublicKeyInfo)