diff --git a/setup.py b/setup.py index d59833cf0..a81b6321f 100644 --- a/setup.py +++ b/setup.py @@ -63,7 +63,7 @@ packages=["aioquic", "aioquic.asyncio", "aioquic.h0", "aioquic.h3", "aioquic.quic"], install_requires=[ "certifi", - "cryptography >= 2.5, < 4", + "cryptography >= 3.1, < 4", 'dataclasses; python_version < "3.7"', "pylsqpack >= 0.3.3, < 0.4.0", ], diff --git a/src/aioquic/quic/retry.py b/src/aioquic/quic/retry.py index b84aa170a..465a569ad 100644 --- a/src/aioquic/quic/retry.py +++ b/src/aioquic/quic/retry.py @@ -1,7 +1,6 @@ import ipaddress from typing import Tuple -from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import padding, rsa @@ -16,9 +15,7 @@ def encode_address(addr: NetworkAddress) -> bytes: class QuicRetryTokenHandler: def __init__(self) -> None: - self._key = rsa.generate_private_key( - public_exponent=65537, key_size=1024, backend=default_backend() - ) + self._key = rsa.generate_private_key(public_exponent=65537, key_size=1024) def create_token( self, diff --git a/src/aioquic/tls.py b/src/aioquic/tls.py index e1730718f..236650471 100644 --- a/src/aioquic/tls.py +++ b/src/aioquic/tls.py @@ -172,14 +172,13 @@ def hkdf_expand_label( algorithm=algorithm, length=length, info=hkdf_label(label, hash_value, length), - backend=default_backend(), ).derive(secret) def hkdf_extract( algorithm: hashes.HashAlgorithm, salt: bytes, key_material: bytes ) -> bytes: - h = hmac.HMAC(salt, algorithm, backend=default_backend()) + h = hmac.HMAC(salt, algorithm) h.update(key_material) return h.finalize() @@ -190,9 +189,7 @@ def load_pem_private_key( """ Load a PEM-encoded private key. """ - return serialization.load_pem_private_key( - data, password=password, backend=default_backend() - ) + return serialization.load_pem_private_key(data, password=password) def load_pem_x509_certificates(data: bytes) -> List[x509.Certificate]: @@ -203,11 +200,7 @@ def load_pem_x509_certificates(data: bytes) -> List[x509.Certificate]: certificates = [] for chunk in data.split(boundary): if chunk: - certificates.append( - x509.load_pem_x509_certificate( - chunk + boundary, backend=default_backend() - ) - ) + certificates.append(x509.load_pem_x509_certificate(chunk + boundary)) return certificates @@ -971,7 +964,7 @@ def __init__(self, cipher_suite: CipherSuite): self.algorithm = cipher_suite_hash(cipher_suite) self.cipher_suite = cipher_suite self.generation = 0 - self.hash = hashes.Hash(self.algorithm, default_backend()) + self.hash = hashes.Hash(self.algorithm) self.hash_empty_value = self.hash.copy().finalize() self.secret = bytes(self.algorithm.digest_size) @@ -987,7 +980,7 @@ def finished_verify_data(self, secret: bytes) -> bytes: length=self.algorithm.digest_size, ) - h = hmac.HMAC(hmac_key, algorithm=self.algorithm, backend=default_backend()) + h = hmac.HMAC(hmac_key, algorithm=self.algorithm) h.update(self.hash.copy().finalize()) return h.finalize() @@ -1112,11 +1105,7 @@ def negotiate( return None -def signature_algorithm_params( - signature_algorithm: int, -) -> Union[ - Tuple[()], Tuple[ec.ECDSA], Tuple[padding.AsymmetricPadding, hashes.HashAlgorithm] -]: +def signature_algorithm_params(signature_algorithm: int) -> Tuple: if signature_algorithm in (SignatureAlgorithm.ED25519, SignatureAlgorithm.ED448): return tuple() @@ -1396,7 +1385,7 @@ def _client_send_hello(self, output_buf: Buffer) -> None: for group in self._supported_groups: if group == Group.SECP256R1: self._ec_private_key = ec.generate_private_key( - GROUP_TO_CURVE[Group.SECP256R1](), default_backend() + GROUP_TO_CURVE[Group.SECP256R1]() ) key_share.append(encode_public_key(self._ec_private_key.public_key())) supported_groups.append(Group.SECP256R1) @@ -1562,12 +1551,10 @@ def _client_handle_certificate(self, input_buf: Buffer) -> None: certificate = pull_certificate(input_buf) self._peer_certificate = x509.load_der_x509_certificate( - certificate.certificates[0][0], backend=default_backend() + certificate.certificates[0][0] ) self._peer_certificate_chain = [ - x509.load_der_x509_certificate( - certificate.certificates[i][0], backend=default_backend() - ) + x509.load_der_x509_certificate(certificate.certificates[i][0]) for i in range(1, len(certificate.certificates)) ] @@ -1799,7 +1786,7 @@ def _server_handle_hello( break elif isinstance(peer_public_key, ec.EllipticCurvePublicKey): self._ec_private_key = ec.generate_private_key( - GROUP_TO_CURVE[key_share[0]](), default_backend() + GROUP_TO_CURVE[key_share[0]]() ) public_key = self._ec_private_key.public_key() shared_key = self._ec_private_key.exchange(ec.ECDH(), peer_public_key) diff --git a/tests/utils.py b/tests/utils.py index f41dbc212..2fbf150b5 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -6,7 +6,6 @@ import sys from cryptography import x509 -from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric import ec, ed448, ed25519 @@ -40,12 +39,12 @@ def generate_certificate(*, alternative_names, common_name, hash_algorithm, key) ), critical=False, ) - cert = builder.sign(key, hash_algorithm, default_backend()) + cert = builder.sign(key, hash_algorithm) return cert, key def generate_ec_certificate(common_name, alternative_names=[], curve=ec.SECP256R1): - key = ec.generate_private_key(backend=default_backend(), curve=curve) + key = ec.generate_private_key(curve=curve) return generate_certificate( alternative_names=alternative_names, common_name=common_name,