Sync patches from Fedora 43, to fix multiple pccs npm security flaws, and fix typo in pccsadmin help text. CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2025-13465, CVE-2025-15284 Resolves: RHEL-145005, RHEL-144190, RHEL-142482, RHEL-138075, RHEL-140108 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
From 9d3da2fd99ba2832fcaa4067dd5db3f7f349c306 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
|
Date: Wed, 3 Dec 2025 17:59:09 +0000
|
|
Subject: [PATCH 124/136] pccsadmin: prefer pycryptography over pyopenssl
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
The only part of pccsadmin that still needs pyopenssl is certificate
|
|
verification. As of pycryptography 45.0.0, there are sufficient APIs
|
|
available to replace the remaining usage of pyopenssl.
|
|
|
|
Since new pycryptography is still not widely available in distros,
|
|
keep pyopenssl code as a fallback.
|
|
|
|
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
---
|
|
tools/PccsAdminTool/lib/intelsgx/pcs.py | 60 +++++++++++++++++++------
|
|
1 file changed, 47 insertions(+), 13 deletions(-)
|
|
|
|
diff --git a/tools/PccsAdminTool/lib/intelsgx/pcs.py b/tools/PccsAdminTool/lib/intelsgx/pcs.py
|
|
index f6b58a6b..eeb29697 100644
|
|
--- a/tools/PccsAdminTool/lib/intelsgx/pcs.py
|
|
+++ b/tools/PccsAdminTool/lib/intelsgx/pcs.py
|
|
@@ -4,11 +4,28 @@ import requests
|
|
import json
|
|
import binascii
|
|
from urllib import parse
|
|
-from OpenSSL import crypto
|
|
+
|
|
from cryptography import x509
|
|
from cryptography.exceptions import InvalidSignature
|
|
-from cryptography.hazmat.primitives import hashes
|
|
+from cryptography.hazmat.primitives import hashes, serialization
|
|
from cryptography.hazmat.primitives.asymmetric import ec
|
|
+
|
|
+# Prefer pycryptography for cert verification if new
|
|
+# enough, but fallback to pyopenssl
|
|
+try:
|
|
+ # 'verification' module available from >= 42.0.0, but
|
|
+ # the required 'ExtensionPolicy' API is from >= 45.0.0
|
|
+ from cryptography.x509 import verification
|
|
+ if not hasattr(verification, 'ExtensionPolicy'):
|
|
+ verification = None
|
|
+ else:
|
|
+ crypto = None
|
|
+except ImportError:
|
|
+ verification = None
|
|
+
|
|
+if verification is None:
|
|
+ from OpenSSL import crypto
|
|
+
|
|
from platform import system
|
|
if system() == 'Windows':
|
|
from pypac import PACSession
|
|
@@ -133,17 +150,34 @@ class PCS:
|
|
return True
|
|
|
|
def verify_cert_trust(self, pychain, pycerts):
|
|
- store= self.init_cert_store(pychain)
|
|
-
|
|
- for pycert in pycerts:
|
|
- store_ctx= crypto.X509StoreContext(
|
|
- store, crypto.X509.from_cryptography(pycert))
|
|
- try:
|
|
- store_ctx.verify_certificate()
|
|
- except crypto.X509StoreContextError as e:
|
|
- # Printing or logging the error details
|
|
- print(e)
|
|
- return False
|
|
+ if verification is not None:
|
|
+ store= verification.Store(pychain)
|
|
+
|
|
+ builder= verification.PolicyBuilder().store(store)
|
|
+ builder= builder.extension_policies(
|
|
+ ee_policy=verification.ExtensionPolicy.permit_all(),
|
|
+ ca_policy=verification.ExtensionPolicy.webpki_defaults_ca())
|
|
+
|
|
+ verifier= builder.build_client_verifier()
|
|
+ for pycert in pycerts:
|
|
+ try:
|
|
+ verifier.verify(pycert,[])
|
|
+ except verification.VerificationError as e:
|
|
+ # Printing or logging the error details
|
|
+ print(e)
|
|
+ return False
|
|
+ else:
|
|
+ store= self.init_cert_store(pychain)
|
|
+
|
|
+ for pycert in pycerts:
|
|
+ store_ctx= crypto.X509StoreContext(
|
|
+ store, crypto.X509.from_cryptography(pycert))
|
|
+ try:
|
|
+ store_ctx.verify_certificate()
|
|
+ except crypto.X509StoreContextError as e:
|
|
+ # Printing or logging the error details
|
|
+ print(e)
|
|
+ return False
|
|
|
|
return True
|
|
|
|
--
|
|
2.52.0
|
|
|
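Review bot: In the pycryptography branch of `verify_cert_trust` (second hunk), `verification.Store(pychain)` treats every certificate in pychain as an a-priori trust anchor and `verifier.verify(pycert, [])` supplies no intermediates, so a leaf that chains to a non-root member of pychain appears to be accepted at that member without the path being extended to the self-signed root; whether the pyopenssl branch behaves the same depends on `init_cert_store`, which is outside the hunk and should be compared before the two branches are treated as equivalent. The `ee_policy=verification.ExtensionPolicy.permit_all()` choice also disables all end-entity extension checks (basic constraints, key usage, EKU) for the leaf, which is a deliberate loosening relative to `webpki_defaults_ca()` on the CA side and deserves a line in the code, e.g. `# EE policy is permit_all: no key usage / EKU / basic constraints checks are applied to the leaf; CA certs still get the WebPKI CA checks`. In the first hunk the import block leaves exactly one of `verification` / `crypto` non-None, which is what the `if verification is not None:` dispatch relies on; a one-line comment stating that invariant next to `if verification is None:` would keep a later edit from breaking it. Minor style: `verifier.verify(pycert,[])` is missing a space after the comma, and both branches still use `print(e)` rather than the module's logging for the failure detail.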