From 717e8e928d21211fb40fa564b1288dc3b44854cb Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Fri, 17 Mar 2017 11:03:27 -0700
Subject: [PATCH] Augment references of pkcs1 with oaep
Rightly the system in use is RSAES-OAEP, part of the PKCS#1 standard. "PKCS#1" is not enough information to communicate to someone the encryption scheme in use. Refer to the scheme Zuul uses as "PKCS#1-OAEP" or "pkcs1-oaep" to clarify.
Change-Id: I74dcde6fa3756354ce65233c64c6189d1b241e90
---
 tests/encrypt_secret.py | 2 +-
 .../config/ansible/git/common-config/zuul.yaml | 2 +-
 tests/unit/test_encryption.py | 10 +++++-----
 tests/unit/test_model.py | 2 +-
 zuul/configloader.py | 10 +++++-----
 zuul/lib/encryption.py | 12 ++++++------
 6 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/tests/encrypt_secret.py b/tests/encrypt_secret.py
index ab2c1df6cd..b8524a0fd9 100644
--- a/tests/encrypt_secret.py
+++ b/tests/encrypt_secret.py
@@ -27,7 +27,7 @@ def main():
 private_key, public_key = \
 encryption.deserialize_rsa_keypair(f.read())
- ciphertext = encryption.encrypt_pkcs1(sys.argv[1], public_key)
+ ciphertext = encryption.encrypt_pkcs1_oaep(sys.argv[1], public_key)
 print(ciphertext.encode('base64'))
 if __name__ == '__main__':
diff --git a/tests/fixtures/config/ansible/git/common-config/zuul.yaml b/tests/fixtures/config/ansible/git/common-config/zuul.yaml
index c21d694896..3678f94f73 100644
--- a/tests/fixtures/config/ansible/git/common-config/zuul.yaml
+++ b/tests/fixtures/config/ansible/git/common-config/zuul.yaml
@@ -38,7 +38,7 @@
 name: test_secret
 data:
 username: test-username
- password: !encrypted/pkcs1 |
+ password: !encrypted/pkcs1-oaep |
 BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71YUsi1wGZZ
 L0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4joeusC9drN3AA8a4o
 ykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CRgd0QBMPl6VDoFgBPB8vxtJw+
diff --git a/tests/unit/test_encryption.py b/tests/unit/test_encryption.py
index 28ed76d249..4dda78bf2b 100644
--- a/tests/unit/test_encryption.py
+++ b/tests/unit/test_encryption.py
@@ -39,14 +39,14 @@ class TestEncryption(BaseTestCase):
 self.assertEqual(self.public.public_numbers(),
 public2.public_numbers())
- def test_pkcs1(self):
+ def test_pkcs1_oaep(self):
 "Verify encryption and decryption"
 orig_plaintext = "some text to encrypt"
- ciphertext = encryption.encrypt_pkcs1(orig_plaintext, self.public)
- plaintext = encryption.decrypt_pkcs1(ciphertext, self.private)
+ ciphertext = encryption.encrypt_pkcs1_oaep(orig_plaintext, self.public)
+ plaintext = encryption.decrypt_pkcs1_oaep(ciphertext, self.private)
 self.assertEqual(orig_plaintext, plaintext)
- def test_openssl_pkcs1(self):
+ def test_openssl_pkcs1_oaep(self):
 "Verify that we can decrypt something encrypted with OpenSSL"
 orig_plaintext = "some text to encrypt"
 pem_public = encryption.serialize_rsa_public_key(self.public)
@@ -65,5 +65,5 @@ class TestEncryption(BaseTestCase):
 finally:
 os.unlink(public_file.name)
- plaintext = encryption.decrypt_pkcs1(ciphertext, self.private)
+ plaintext = encryption.decrypt_pkcs1_oaep(ciphertext, self.private)
 self.assertEqual(orig_plaintext, plaintext)
diff --git a/tests/unit/test_model.py b/tests/unit/test_model.py
index 377193fd4b..45176fa594 100644
--- a/tests/unit/test_model.py
+++ b/tests/unit/test_model.py
@@ -313,7 +313,7 @@ class TestJob(BaseTestCase):
 name: pypi-credentials
 data:
 username: test-username
- password: !encrypted/pkcs1 |
+ password: !encrypted/pkcs1-oaep |
 BFhtdnm8uXx7kn79RFL/zJywmzLkT1GY78P3bOtp4WghUFWobkifSu7ZpaV4NeO0s71YUsi1wGZZ
 L0LveZjUN0t6OU1VZKSG8R5Ly7urjaSo1pPVIq5Rtt/H7W14Lecd+cUeKb4joeusC9drN3AA8a4o
 ykcVpt1wVqUnTbMGC9ARMCQP6eopcs1l7tzMseprW4RDNhIuz3CRgd0QBMPl6VDoFgBPB8vxtJw+
diff --git a/zuul/configloader.py b/zuul/configloader.py
index 73408c3581..c29a1eaf89 100644
--- a/zuul/configloader.py
+++ b/zuul/configloader.py
@@ -123,8 +123,8 @@ repo {repo} on branch {branch}. The error was:
 loader.dispose()
-class EncryptedPKCS1(yaml.YAMLObject):
- yaml_tag = u'!encrypted/pkcs1'
+class EncryptedPKCS1_OAEP(yaml.YAMLObject):
+ yaml_tag = u'!encrypted/pkcs1-oaep'
 yaml_loader = yaml.SafeLoader
 def __init__(self, ciphertext):
@@ -134,7 +134,7 @@ class EncryptedPKCS1(yaml.YAMLObject):
 return not self.__eq__(other)
 def __eq__(self, other):
- if not isinstance(other, EncryptedPKCS1):
+ if not isinstance(other, EncryptedPKCS1_OAEP):
 return False
 return (self.ciphertext == other.ciphertext)
@@ -143,7 +143,7 @@ class EncryptedPKCS1(yaml.YAMLObject):
 return cls(node.value)
 def decrypt(self, private_key):
- return encryption.decrypt_pkcs1(self.ciphertext, private_key)
+ return encryption.decrypt_pkcs1_oaep(self.ciphertext, private_key)
 class NodeSetParser(object):
@@ -175,7 +175,7 @@ class NodeSetParser(object):
 class SecretParser(object):
 @staticmethod
 def getSchema():
- data = {str: vs.Any(str, EncryptedPKCS1)}
+ data = {str: vs.Any(str, EncryptedPKCS1_OAEP)}
 secret = {vs.Required('name'): str, vs.Required('data'): data,
diff --git a/zuul/lib/encryption.py b/zuul/lib/encryption.py
index 76f07f9f26..24224d8f84 100644
--- a/zuul/lib/encryption.py
+++ b/zuul/lib/encryption.py
@@ -95,10 +95,10 @@ def deserialize_rsa_keypair(data):
 # https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#decryption
-def decrypt_pkcs1(ciphertext, private_key):
- """Decrypt PKCS1 (RSAES-OAEP) encoded ciphertext
+def decrypt_pkcs1_oaep(ciphertext, private_key):
+ """Decrypt PKCS#1 (RSAES-OAEP) encoded ciphertext
- :arg ciphertext: A string previously encrypted with PKCS1
+ :arg ciphertext: A string previously encrypted with PKCS#1
 (RSAES-OAEP).
 :arg private_key: A private key object as returned by
 :func:generate_rsa_keypair()
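Review bot: Retiring the `!encrypted/pkcs1` tag without keeping an alias means any job configuration already carrying the old tag will stop loading, because `yaml.SafeLoader` raises on a tag that no registered YAMLObject claims. If such configs can exist in deployed tenants, register the old tag as a deprecated alias, `class EncryptedPKCS1(EncryptedPKCS1_OAEP): yaml_tag = u'!encrypted/pkcs1'`, which the `isinstance` check in `__eq__` and the `vs.Any(str, EncryptedPKCS1_OAEP)` schema should already accept through subclassing; otherwise state the compatibility break in the commit message. Naming the tag after the exact scheme is the right direction for later algorithm changes, so any alias should be marked temporary. The class body continues beyond the first hunk, so I cannot see whether anything else still refers to the old tag.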
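Review bot: The reworded docstring still leaves the scheme underspecified, because RSAES-OAEP is only fully determined once the OAEP hash, the MGF1 hash and the label are fixed, and those parameters are what decide whether an OpenSSL-produced ciphertext (the test_openssl case in this commit) decrypts here. Since the commit's stated aim is to stop "PKCS#1" being ambiguous, name them on the summary line, e.g. `"""Decrypt PKCS#1 RSAES-OAEP ciphertext (SHA-x OAEP, MGF1-SHA-x, empty label)` with x taken from the actual padding.OAEP arguments, and mirror it in the encrypt docstring. The function body with the padding call sits below this hunk, so I cannot confirm the real values from here.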
@@ -117,10 +117,10 @@ def decrypt_pkcs1(ciphertext, private_key):
 # https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#encryption
-def encrypt_pkcs1(plaintext, public_key):
- """Encrypt data with PKCS1 (RSAES-OAEP)
+def encrypt_pkcs1_oaep(plaintext, public_key):
+ """Encrypt data with PKCS#1 (RSAES-OAEP)
- :arg plaintext: A string to encrypt with PKCS1 (RSAES-OAEP).
+ :arg plaintext: A string to encrypt with PKCS#1 (RSAES-OAEP).
 :arg public_key: A public key object as returned by
 :func:generate_rsa_keypair()