added v3

venv/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/__init__.py

@@ -0,0 +1,9 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+from cryptography.hazmat.backends.openssl.backend import backend
+
+__all__ = ["backend"]

venv/lib/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py

@@ -0,0 +1,285 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import annotations
+
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
+from cryptography.hazmat.bindings.openssl import binding
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives._asymmetric import AsymmetricPadding
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.asymmetric import utils as asym_utils
+from cryptography.hazmat.primitives.asymmetric.padding import (
+    MGF1,
+    OAEP,
+    PSS,
+    PKCS1v15,
+)
+from cryptography.hazmat.primitives.ciphers import (
+    CipherAlgorithm,
+)
+from cryptography.hazmat.primitives.ciphers.algorithms import (
+    AES,
+)
+from cryptography.hazmat.primitives.ciphers.modes import (
+    CBC,
+    Mode,
+)
+
+
+class Backend:
+    """
+    OpenSSL API binding interfaces.
+    """
+
+    name = "openssl"
+
+    # TripleDES encryption is disallowed/deprecated throughout 2023 in
+    # FIPS 140-3. To keep it simple we denylist any use of TripleDES (TDEA).
+    _fips_ciphers = (AES,)
+    # Sometimes SHA1 is still permissible. That logic is contained
+    # within the various *_supported methods.
+    _fips_hashes = (
+        hashes.SHA224,
+        hashes.SHA256,
+        hashes.SHA384,
+        hashes.SHA512,
+        hashes.SHA512_224,
+        hashes.SHA512_256,
+        hashes.SHA3_224,
+        hashes.SHA3_256,
+        hashes.SHA3_384,
+        hashes.SHA3_512,
+        hashes.SHAKE128,
+        hashes.SHAKE256,
+    )
+    _fips_ecdh_curves = (
+        ec.SECP224R1,
+        ec.SECP256R1,
+        ec.SECP384R1,
+        ec.SECP521R1,
+    )
+    _fips_rsa_min_key_size = 2048
+    _fips_rsa_min_public_exponent = 65537
+    _fips_dsa_min_modulus = 1 << 2048
+    _fips_dh_min_key_size = 2048
+    _fips_dh_min_modulus = 1 << _fips_dh_min_key_size
+
+    def __init__(self) -> None:
+        self._binding = binding.Binding()
+        self._ffi = self._binding.ffi
+        self._lib = self._binding.lib
+        self._fips_enabled = rust_openssl.is_fips_enabled()
+
+    def __repr__(self) -> str:
+        return (
+            f"<OpenSSLBackend(version: {self.openssl_version_text()}, "
+            f"FIPS: {self._fips_enabled}, "
+            f"Legacy: {rust_openssl._legacy_provider_loaded})>"
+        )
+
+    def openssl_assert(self, ok: bool) -> None:
+        return binding._openssl_assert(ok)
+
+    def _enable_fips(self) -> None:
+        # This function enables FIPS mode for OpenSSL 3.0.0 on installs that
+        # have the FIPS provider installed properly.
+        rust_openssl.enable_fips(rust_openssl._providers)
+        assert rust_openssl.is_fips_enabled()
+        self._fips_enabled = rust_openssl.is_fips_enabled()
+
+    def openssl_version_text(self) -> str:
+        """
+        Friendly string name of the loaded OpenSSL library. This is not
+        necessarily the same version as it was compiled against.
+
+        Example: OpenSSL 3.2.1 30 Jan 2024
+        """
+        return rust_openssl.openssl_version_text()
+
+    def openssl_version_number(self) -> int:
+        return rust_openssl.openssl_version()
+
+    def hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+        if self._fips_enabled and not isinstance(algorithm, self._fips_hashes):
+            return False
+
+        return rust_openssl.hashes.hash_supported(algorithm)
+
+    def signature_hash_supported(
+        self, algorithm: hashes.HashAlgorithm
+    ) -> bool:
+        # Dedicated check for hashing algorithm use in message digest for
+        # signatures, e.g. RSA PKCS#1 v1.5 SHA1 (sha1WithRSAEncryption).
+        if self._fips_enabled and isinstance(algorithm, hashes.SHA1):
+            return False
+        return self.hash_supported(algorithm)
+
+    def scrypt_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        else:
+            return hasattr(rust_openssl.kdf.Scrypt, "derive")
+
+    def argon2_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        else:
+            return hasattr(rust_openssl.kdf.Argon2id, "derive")
+
+    def hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+        # FIPS mode still allows SHA1 for HMAC
+        if self._fips_enabled and isinstance(algorithm, hashes.SHA1):
+            return True
+
+        return self.hash_supported(algorithm)
+
+    def cipher_supported(self, cipher: CipherAlgorithm, mode: Mode) -> bool:
+        if self._fips_enabled:
+            # FIPS mode requires AES. TripleDES is disallowed/deprecated in
+            # FIPS 140-3.
+            if not isinstance(cipher, self._fips_ciphers):
+                return False
+
+        return rust_openssl.ciphers.cipher_supported(cipher, mode)
+
+    def pbkdf2_hmac_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+        return self.hmac_supported(algorithm)
+
+    def _consume_errors(self) -> list[rust_openssl.OpenSSLError]:
+        return rust_openssl.capture_error_stack()
+
+    def _oaep_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+        if self._fips_enabled and isinstance(algorithm, hashes.SHA1):
+            return False
+
+        return isinstance(
+            algorithm,
+            (
+                hashes.SHA1,
+                hashes.SHA224,
+                hashes.SHA256,
+                hashes.SHA384,
+                hashes.SHA512,
+            ),
+        )
+
+    def rsa_padding_supported(self, padding: AsymmetricPadding) -> bool:
+        if isinstance(padding, PKCS1v15):
+            return True
+        elif isinstance(padding, PSS) and isinstance(padding._mgf, MGF1):
+            # SHA1 is permissible in MGF1 in FIPS even when SHA1 is blocked
+            # as signature algorithm.
+            if self._fips_enabled and isinstance(
+                padding._mgf._algorithm, hashes.SHA1
+            ):
+                return True
+            else:
+                return self.hash_supported(padding._mgf._algorithm)
+        elif isinstance(padding, OAEP) and isinstance(padding._mgf, MGF1):
+            return self._oaep_hash_supported(
+                padding._mgf._algorithm
+            ) and self._oaep_hash_supported(padding._algorithm)
+        else:
+            return False
+
+    def rsa_encryption_supported(self, padding: AsymmetricPadding) -> bool:
+        if self._fips_enabled and isinstance(padding, PKCS1v15):
+            return False
+        else:
+            return self.rsa_padding_supported(padding)
+
+    def dsa_supported(self) -> bool:
+        return (
+            not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+            and not self._fips_enabled
+        )
+
+    def dsa_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+        if not self.dsa_supported():
+            return False
+        return self.signature_hash_supported(algorithm)
+
+    def cmac_algorithm_supported(self, algorithm) -> bool:
+        return self.cipher_supported(
+            algorithm, CBC(b"\x00" * algorithm.block_size)
+        )
+
+    def elliptic_curve_supported(self, curve: ec.EllipticCurve) -> bool:
+        if self._fips_enabled and not isinstance(
+            curve, self._fips_ecdh_curves
+        ):
+            return False
+
+        return rust_openssl.ec.curve_supported(curve)
+
+    def elliptic_curve_signature_algorithm_supported(
+        self,
+        signature_algorithm: ec.EllipticCurveSignatureAlgorithm,
+        curve: ec.EllipticCurve,
+    ) -> bool:
+        # We only support ECDSA right now.
+        if not isinstance(signature_algorithm, ec.ECDSA):
+            return False
+
+        return self.elliptic_curve_supported(curve) and (
+            isinstance(signature_algorithm.algorithm, asym_utils.Prehashed)
+            or self.hash_supported(signature_algorithm.algorithm)
+        )
+
+    def elliptic_curve_exchange_algorithm_supported(
+        self, algorithm: ec.ECDH, curve: ec.EllipticCurve
+    ) -> bool:
+        return self.elliptic_curve_supported(curve) and isinstance(
+            algorithm, ec.ECDH
+        )
+
+    def dh_supported(self) -> bool:
+        return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+
+    def dh_x942_serialization_supported(self) -> bool:
+        return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1
+
+    def x25519_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        return True
+
+    def x448_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        return (
+            not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL
+            and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+        )
+
+    def ed25519_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        return True
+
+    def ed448_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        return (
+            not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL
+            and not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+        )
+
+    def ecdsa_deterministic_supported(self) -> bool:
+        return (
+            rust_openssl.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER
+            and not self._fips_enabled
+        )
+
+    def poly1305_supported(self) -> bool:
+        if self._fips_enabled:
+            return False
+        return True
+
+    def pkcs7_supported(self) -> bool:
+        return not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+
+
+backend = Backend()