diff -uNr a/awscli/customizations/cloudfront.py b/awscli/customizations/cloudfront.py --- a/awscli/customizations/cloudfront.py 2017-08-12 01:39:00.000000000 +0200 +++ b/awscli/customizations/cloudfront.py 2018-01-05 09:40:09.445445687 +0100 @@ -14,7 +14,9 @@ import time import random -import rsa +from cryptography.hazmat.primitives import serialization, hashes +from cryptography.hazmat.primitives.asymmetric import padding +from cryptography.hazmat.backends import default_backend from botocore.utils import parse_to_aware_datetime from botocore.signers import CloudFrontSigner @@ -254,7 +256,10 @@ class RSASigner(object): def __init__(self, private_key): - self.priv_key = rsa.PrivateKey.load_pkcs1(private_key.encode('utf8')) + self.priv_key = serialization.load_pem_private_key( + private_key.encode('utf8'), password=None, + backend=default_backend()) def sign(self, message): - return rsa.sign(message, self.priv_key, 'SHA-1') + return self.priv_key.sign( + message, padding.PKCS1v15(), hashes.SHA1()) diff -uNr a/awscli/customizations/cloudtrail/validation.py b/awscli/customizations/cloudtrail/validation.py --- a/awscli/customizations/cloudtrail/validation.py 2017-08-12 01:39:00.000000000 +0200 +++ b/awscli/customizations/cloudtrail/validation.py 2018-01-04 17:04:38.869212582 +0100 @@ -22,8 +22,10 @@ from datetime import datetime, timedelta from dateutil import tz, parser -from pyasn1.error import PyAsn1Error -import rsa +from cryptography.hazmat.primitives import serialization, hashes +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives.asymmetric import padding +from cryptography.exceptions import InvalidSignature from awscli.customizations.cloudtrail.utils import get_trail_by_arn, \ get_account_id_from_arn @@ -530,20 +532,18 @@ """ try: decoded_key = base64.b64decode(public_key) - public_key = rsa.PublicKey.load_pkcs1(decoded_key, format='DER') + public_key = serialization.load_der_public_key(decoded_key, + backend=default_backend()) to_sign = self._create_string_to_sign(digest_data, inflated_digest) signature_bytes = binascii.unhexlify(digest_data['_signature']) - rsa.verify(to_sign, signature_bytes, public_key) - except PyAsn1Error: + public_key.verify(signature_bytes, to_sign, padding.PKCS1v15(), + hashes.SHA256()) + except (ValueError, TypeError): raise DigestError( ('Digest file\ts3://%s/%s\tINVALID: Unable to load PKCS #1 key' ' with fingerprint %s') % (bucket, key, digest_data['digestPublicKeyFingerprint'])) - except rsa.pkcs1.VerificationError: - # Note from the Python-RSA docs: Never display the stack trace of - # a rsa.pkcs1.VerificationError exception. It shows where in the - # code the exception occurred, and thus leaks information about - # the key. + except InvalidSignature: raise DigestSignatureError(bucket, key) def _create_string_to_sign(self, digest_data, inflated_digest): diff -uNr a/awscli/customizations/ec2/decryptpassword.py b/awscli/customizations/ec2/decryptpassword.py --- a/awscli/customizations/ec2/decryptpassword.py 2017-08-12 01:39:00.000000000 +0200 +++ b/awscli/customizations/ec2/decryptpassword.py 2018-01-04 16:24:42.565140244 +0100 @@ -13,7 +13,9 @@ import logging import os import base64 -import rsa +from cryptography.hazmat.primitives import serialization +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives.asymmetric import padding from awscli.compat import six from botocore import model @@ -109,9 +111,11 @@ try: with open(self._key_path) as pk_file: pk_contents = pk_file.read() - private_key = rsa.PrivateKey.load_pkcs1(six.b(pk_contents)) + private_key = serialization.load_pem_private_key( + six.b(pk_contents), password=None, + backend=default_backend()) value = base64.b64decode(value) - value = rsa.decrypt(value, private_key) + value = private_key.decrypt(value, padding.PKCS1v15()) logger.debug(parsed) parsed['PasswordData'] = value.decode('utf-8') logger.debug(parsed)