Converted to pycryptodomex to decouple from Pycrypto

dwightgunning · dwightgunning · commit 10ec1a19f6ca · 2017-12-21T10:47:30.000+01:00
diff --git a/setup.py b/setup.py
@@ -32,7 +32,7 @@
     requests = 'requests[security]>=2.4.1,<3'
 
 install_requires = [
-    'pycryptodome==3.4.7',
+    'pycryptodomex==3.4.7',
     'pyjwt==1.3.0',
     requests,
     'six>=1.8.0'
diff --git a/stream/httpsig/sign.py b/stream/httpsig/sign.py
@@ -1,9 +1,9 @@
 import base64
 import six
 
-from Crypto.Hash import HMAC
-from Crypto.PublicKey import RSA
-from Crypto.Signature import PKCS1_v1_5
+from Cryptodome.Hash import HMAC
+from Cryptodome.PublicKey import RSA
+from Cryptodome.Signature import PKCS1_v1_5
 
 from .utils import *
 
@@ -15,28 +15,28 @@ class Signer(object):
     """
     When using an RSA algo, the secret is a PEM-encoded private key.
     When using an HMAC algo, the secret is the HMAC signing secret.
-    
+
     Password-protected keyfiles are not supported.
     """
     def __init__(self, secret, algorithm=None):
         if algorithm is None:
             algorithm = DEFAULT_SIGN_ALGORITHM
-        
+
         assert algorithm in ALGORITHMS, "Unknown algorithm"
         if isinstance(secret, six.string_types): secret = secret.encode("ascii")
-        
+
         self._rsa = None
         self._hash = None
         self.sign_algorithm, self.hash_algorithm = algorithm.split('-')
-        
+
         if self.sign_algorithm == 'rsa':
             try:
                 rsa_key = RSA.importKey(secret)
                 self._rsa = PKCS1_v1_5.new(rsa_key)
                 self._hash = HASHES[self.hash_algorithm]
             except ValueError:
                 raise HttpSigException("Invalid key.")
-            
+
         elif self.sign_algorithm == 'hmac':
             self._hash = HMAC.new(secret, digestmod=HASHES[self.hash_algorithm])
 
@@ -81,7 +81,7 @@ class HeaderSigner(Signer):
     def __init__(self, key_id, secret, algorithm=None, headers=None):
         if algorithm is None:
             algorithm = DEFAULT_SIGN_ALGORITHM
-        
+
         super(HeaderSigner, self).__init__(secret=secret, algorithm=algorithm)
         self.headers = headers or ['date']
         self.signature_template = build_signature_template(key_id, algorithm, headers)
@@ -98,9 +98,9 @@ def sign(self, headers, host=None, method=None, path=None):
         headers = CaseInsensitiveDict(headers)
         required_headers = self.headers or ['date']
         signable = generate_message(required_headers, headers, host, method, path)
-        
+
         signature = self._sign(signable)
         headers['authorization'] = self.signature_template % signature
-        
+
         return headers
 
diff --git a/stream/httpsig/utils.py b/stream/httpsig/utils.py
@@ -11,8 +11,8 @@
     # Python 2
     from urllib2 import parse_http_list
 
-from Crypto.PublicKey import RSA
-from Crypto.Hash import SHA, SHA256, SHA512
+from Cryptodome.PublicKey import RSA
+from Cryptodome.Hash import SHA, SHA256, SHA512
 
 ALGORITHMS = frozenset(['rsa-sha1', 'rsa-sha256', 'rsa-sha512', 'hmac-sha1', 'hmac-sha256', 'hmac-sha512'])
 HASHES = {'sha1':   SHA,
@@ -42,23 +42,23 @@ def ct_bytes_compare(a, b):
             result |= ord(x) ^ ord(y)
         else:
             result |= x ^ y
-            
+
     return (result == 0)
 
 def generate_message(required_headers, headers, host=None, method=None, path=None):
     headers = CaseInsensitiveDict(headers)
-    
+
     if not required_headers:
         required_headers = ['date']
-    
+
     signable_list = []
     for h in required_headers:
         h = h.lower()
         if h == '(request-target)':
             if not method or not path:
                 raise Exception('method and path arguments required when using "(request-target)"')
             signable_list.append('%s: %s %s' % (h, method.lower(), path))
-        
+
         elif h == 'host':
             # 'host' special case due to requests lib restrictions
             # 'host' is not available when adding auth so must use a param
@@ -82,33 +82,33 @@ def generate_message(required_headers, headers, host=None, method=None, path=Non
 def parse_authorization_header(header):
     if not isinstance(header, six.string_types):
         header = header.decode("ascii") #HTTP headers cannot be Unicode.
-    
+
     auth = header.split(" ", 1)
     if len(auth) > 2:
         raise ValueError('Invalid authorization header. (eg. Method key1=value1,key2="value, \"2\"")')
-    
+
     # Split up any args into a dictionary.
     values = {}
     if len(auth) == 2:
         auth_value = auth[1]
         if auth_value and len(auth_value):
             # This is tricky string magic.  Let urllib do it.
             fields = parse_http_list(auth_value)
-        
+
             for item in fields:
                 # Only include keypairs.
                 if '=' in item:
                     # Split on the first '=' only.
                     key, value = item.split('=', 1)
                     if not (len(key) and len(value)):
                         continue
-                    
+
                     # Unquote values, if quoted.
                     if value[0] == '"':
                         value = value[1:-1]
-                
+
                     values[key] = value
-    
+
     # ("Signature", {"headers": "date", "algorithm": "hmac-sha256", ... })
     return (auth[0], CaseInsensitiveDict(values))
 
diff --git a/stream/httpsig/verify.py b/stream/httpsig/verify.py
@@ -3,9 +3,9 @@
 """
 import six
 
-from Crypto.Hash import HMAC
-from Crypto.PublicKey import RSA
-from Crypto.Signature import PKCS1_v1_5
+from Cryptodome.Hash import HMAC
+from Cryptodome.PublicKey import RSA
+from Cryptodome.Signature import PKCS1_v1_5
 from base64 import b64decode
 
 from .sign import Signer
@@ -24,20 +24,20 @@ def _verify(self, data, signature):
         `data` is the message to verify
         `signature` is a base64-encoded signature to verify against `data`
         """
-        
+
         if isinstance(data, six.string_types): data = data.encode("ascii")
         if isinstance(signature, six.string_types): signature = signature.encode("ascii")
-        
+
         if self.sign_algorithm == 'rsa':
             h = self._hash.new()
             h.update(data)
             return self._rsa.verify(h, b64decode(signature))
-        
+
         elif self.sign_algorithm == 'hmac':
             h = self._sign_hmac(data)
             s = b64decode(signature)
             return ct_bytes_compare(h, s)
-        
+
         else:
             raise HttpSigException("Unsupported algorithm.")
 
@@ -49,7 +49,7 @@ class HeaderVerifier(Verifier):
     def __init__(self, headers, secret, required_headers=None, method=None, path=None, host=None):
         """
         Instantiate a HeaderVerifier object.
-        
+
         :param headers:             A dictionary of headers from the HTTP request.
         :param secret:              The HMAC secret or RSA *public* key.
         :param required_headers:    Optional. A list of headers required to be present to validate, even if the signature is otherwise valid.  Defaults to ['date'].
@@ -58,33 +58,33 @@ def __init__(self, headers, secret, required_headers=None, method=None, path=Non
         :param host:                Optional. The value to use for the Host header, if not supplied in :param:headers.
         """
         required_headers = required_headers or ['date']
-        
+
         auth = parse_authorization_header(headers['authorization'])
         if len(auth) == 2:
             self.auth_dict = auth[1]
         else:
             raise HttpSigException("Invalid authorization header.")
-        
+
         self.headers = CaseInsensitiveDict(headers)
         self.required_headers = [s.lower() for s in required_headers]
         self.method = method
         self.path = path
         self.host = host
-        
+
         super(HeaderVerifier, self).__init__(secret, algorithm=self.auth_dict['algorithm'])
 
     def verify(self):
         """
         Verify the headers based on the arguments passed at creation and current properties.
-        
+
         Raises an Exception if a required header (:param:required_headers) is not found in the signature.
         Returns True or False.
         """
         auth_headers = self.auth_dict.get('headers', 'date').split(' ')
-        
+
         if len(set(self.required_headers) - set(auth_headers)) > 0:
             raise Exception('{} is a required header(s)'.format(', '.join(set(self.required_headers)-set(auth_headers))))
-        
+
         signing_str = generate_message(auth_headers, self.headers, self.host, self.method, self.path)
-        
+
         return self._verify(signing_str, self.auth_dict['signature'])
