awscli/SOURCES/python-rsa-to-cryptography.patch

diff -uNr a/awscli/customizations/cloudfront.py b/awscli/customizations/cloudfront.py
--- a/awscli/customizations/cloudfront.py	2017-08-12 01:39:00.000000000 +0200
+++ b/awscli/customizations/cloudfront.py	2018-01-05 09:40:09.445445687 +0100
@@ -14,7 +14,9 @@
 import time
 import random
 
-import rsa
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.backends import default_backend
 from botocore.utils import parse_to_aware_datetime
 from botocore.signers import CloudFrontSigner
 
@@ -254,7 +256,10 @@
 
 class RSASigner(object):
     def __init__(self, private_key):
-        self.priv_key = rsa.PrivateKey.load_pkcs1(private_key.encode('utf8'))
+        self.priv_key = serialization.load_pem_private_key(
+            private_key.encode('utf8'), password=None,
+            backend=default_backend())
 
     def sign(self, message):
-        return rsa.sign(message, self.priv_key, 'SHA-1')
+        return self.priv_key.sign(
+            message, padding.PKCS1v15(), hashes.SHA1())
diff -uNr a/awscli/customizations/cloudtrail/validation.py b/awscli/customizations/cloudtrail/validation.py
--- a/awscli/customizations/cloudtrail/validation.py	2017-08-12 01:39:00.000000000 +0200
+++ b/awscli/customizations/cloudtrail/validation.py	2018-01-04 17:04:38.869212582 +0100
@@ -22,8 +22,10 @@
 from datetime import datetime, timedelta
 from dateutil import tz, parser
 
-from pyasn1.error import PyAsn1Error
-import rsa
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.exceptions import InvalidSignature
 
 from awscli.customizations.cloudtrail.utils import get_trail_by_arn, \
     get_account_id_from_arn
@@ -530,20 +532,18 @@
         """
         try:
             decoded_key = base64.b64decode(public_key)
-            public_key = rsa.PublicKey.load_pkcs1(decoded_key, format='DER')
+            public_key = serialization.load_der_public_key(decoded_key,
+                backend=default_backend())
             to_sign = self._create_string_to_sign(digest_data, inflated_digest)
             signature_bytes = binascii.unhexlify(digest_data['_signature'])
-            rsa.verify(to_sign, signature_bytes, public_key)
-        except PyAsn1Error:
+            public_key.verify(signature_bytes, to_sign, padding.PKCS1v15(),
+                hashes.SHA256())
+        except (ValueError, TypeError):
             raise DigestError(
                 ('Digest file\ts3://%s/%s\tINVALID: Unable to load PKCS #1 key'
                  ' with fingerprint %s')
                 % (bucket, key, digest_data['digestPublicKeyFingerprint']))
-        except rsa.pkcs1.VerificationError:
-            # Note from the Python-RSA docs: Never display the stack trace of
-            # a rsa.pkcs1.VerificationError exception. It shows where in the
-            # code the exception occurred, and thus leaks information about
-            # the key.
+        except InvalidSignature:
             raise DigestSignatureError(bucket, key)
 
     def _create_string_to_sign(self, digest_data, inflated_digest):
diff -uNr a/awscli/customizations/ec2/decryptpassword.py b/awscli/customizations/ec2/decryptpassword.py
--- a/awscli/customizations/ec2/decryptpassword.py	2017-08-12 01:39:00.000000000 +0200
+++ b/awscli/customizations/ec2/decryptpassword.py	2018-01-04 16:24:42.565140244 +0100
@@ -13,7 +13,9 @@
 import logging
 import os
 import base64
-import rsa
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import padding
 from awscli.compat import six
 
 from botocore import model
@@ -109,9 +111,11 @@
             try:
                 with open(self._key_path) as pk_file:
                     pk_contents = pk_file.read()
-                    private_key = rsa.PrivateKey.load_pkcs1(six.b(pk_contents))
+                    private_key = serialization.load_pem_private_key(
+                        six.b(pk_contents), password=None,
+                        backend=default_backend())
                     value = base64.b64decode(value)
-                    value = rsa.decrypt(value, private_key)
+                    value = private_key.decrypt(value, padding.PKCS1v15())
                     logger.debug(parsed)
                     parsed['PasswordData'] = value.decode('utf-8')
                     logger.debug(parsed)
import awscli-1.14.50-5.el8 2019-07-30 04:22:03 +00:00			`diff -uNr a/awscli/customizations/cloudfront.py b/awscli/customizations/cloudfront.py`
import awscli-1.23.2-1.el8 2022-09-27 21:35:53 +00:00			`--- a/awscli/customizations/cloudfront.py 2017-08-12 01:39:00.000000000 +0200`
			`+++ b/awscli/customizations/cloudfront.py 2018-01-05 09:40:09.445445687 +0100`
import awscli-1.14.50-5.el8 2019-07-30 04:22:03 +00:00			`@@ -14,7 +14,9 @@`
			`import time`
			`import random`

			`-import rsa`
			`+from cryptography.hazmat.primitives import serialization, hashes`
			`+from cryptography.hazmat.primitives.asymmetric import padding`
			`+from cryptography.hazmat.backends import default_backend`
			`from botocore.utils import parse_to_aware_datetime`
			`from botocore.signers import CloudFrontSigner`

import awscli-1.23.2-1.el8 2022-09-27 21:35:53 +00:00			`@@ -254,7 +256,10 @@`
import awscli-1.14.50-5.el8 2019-07-30 04:22:03 +00:00
			`class RSASigner(object):`
			`def __init__(self, private_key):`
			`- self.priv_key = rsa.PrivateKey.load_pkcs1(private_key.encode('utf8'))`
import awscli-1.23.2-1.el8 2022-09-27 21:35:53 +00:00			`+ self.priv_key = serialization.load_pem_private_key(`
			`+ private_key.encode('utf8'), password=None,`
			`+ backend=default_backend())`
import awscli-1.14.50-5.el8 2019-07-30 04:22:03 +00:00
			`def sign(self, message):`
			`- return rsa.sign(message, self.priv_key, 'SHA-1')`
import awscli-1.23.2-1.el8 2022-09-27 21:35:53 +00:00			`+ return self.priv_key.sign(`
			`+ message, padding.PKCS1v15(), hashes.SHA1())`
import awscli-1.14.50-5.el8 2019-07-30 04:22:03 +00:00			`diff -uNr a/awscli/customizations/cloudtrail/validation.py b/awscli/customizations/cloudtrail/validation.py`
import awscli-1.23.2-1.el8 2022-09-27 21:35:53 +00:00			`--- a/awscli/customizations/cloudtrail/validation.py 2017-08-12 01:39:00.000000000 +0200`
			`+++ b/awscli/customizations/cloudtrail/validation.py 2018-01-04 17:04:38.869212582 +0100`
import awscli-1.14.50-5.el8 2019-07-30 04:22:03 +00:00			`@@ -22,8 +22,10 @@`
			`from datetime import datetime, timedelta`
			`from dateutil import tz, parser`

			`-from pyasn1.error import PyAsn1Error`
			`-import rsa`
			`+from cryptography.hazmat.primitives import serialization, hashes`
			`+from cryptography.hazmat.backends import default_backend`
			`+from cryptography.hazmat.primitives.asymmetric import padding`
			`+from cryptography.exceptions import InvalidSignature`

			`from awscli.customizations.cloudtrail.utils import get_trail_by_arn, \`
			`get_account_id_from_arn`
			`@@ -530,20 +532,18 @@`
			`"""`
			`try:`
			`decoded_key = base64.b64decode(public_key)`
			`- public_key = rsa.PublicKey.load_pkcs1(decoded_key, format='DER')`
			`+ public_key = serialization.load_der_public_key(decoded_key,`
			`+ backend=default_backend())`
			`to_sign = self._create_string_to_sign(digest_data, inflated_digest)`
			`signature_bytes = binascii.unhexlify(digest_data['_signature'])`
			`- rsa.verify(to_sign, signature_bytes, public_key)`
			`- except PyAsn1Error:`
			`+ public_key.verify(signature_bytes, to_sign, padding.PKCS1v15(),`
			`+ hashes.SHA256())`
			`+ except (ValueError, TypeError):`
			`raise DigestError(`
			`('Digest file\ts3://%s/%s\tINVALID: Unable to load PKCS #1 key'`
			`' with fingerprint %s')`
			`% (bucket, key, digest_data['digestPublicKeyFingerprint']))`
			`- except rsa.pkcs1.VerificationError:`
			`- # Note from the Python-RSA docs: Never display the stack trace of`
			`- # a rsa.pkcs1.VerificationError exception. It shows where in the`
			`- # code the exception occurred, and thus leaks information about`
			`- # the key.`
			`+ except InvalidSignature:`
			`raise DigestSignatureError(bucket, key)`

			`def _create_string_to_sign(self, digest_data, inflated_digest):`
			`diff -uNr a/awscli/customizations/ec2/decryptpassword.py b/awscli/customizations/ec2/decryptpassword.py`
import awscli-1.23.2-1.el8 2022-09-27 21:35:53 +00:00			`--- a/awscli/customizations/ec2/decryptpassword.py 2017-08-12 01:39:00.000000000 +0200`
			`+++ b/awscli/customizations/ec2/decryptpassword.py 2018-01-04 16:24:42.565140244 +0100`
import awscli-1.14.50-5.el8 2019-07-30 04:22:03 +00:00			`@@ -13,7 +13,9 @@`
			`import logging`
			`import os`
			`import base64`
			`-import rsa`
			`+from cryptography.hazmat.primitives import serialization`
			`+from cryptography.hazmat.backends import default_backend`
			`+from cryptography.hazmat.primitives.asymmetric import padding`
			`from awscli.compat import six`

			`from botocore import model`
			`@@ -109,9 +111,11 @@`
			`try:`
			`with open(self._key_path) as pk_file:`
			`pk_contents = pk_file.read()`
			`- private_key = rsa.PrivateKey.load_pkcs1(six.b(pk_contents))`
			`+ private_key = serialization.load_pem_private_key(`
			`+ six.b(pk_contents), password=None,`
			`+ backend=default_backend())`
			`value = base64.b64decode(value)`
			`- value = rsa.decrypt(value, private_key)`
			`+ value = private_key.decrypt(value, padding.PKCS1v15())`
			`logger.debug(parsed)`
			`parsed['PasswordData'] = value.decode('utf-8')`
			`logger.debug(parsed)`