Remove direct refeferences to PyNaCl (use signedjson instead)

changelog.d/12902.misc

@@ -0,0 +1 @@
+Remove PyNaCl occurrences directly used in Synapse code.

contrib/cmdclient/console.py

@@ -16,6 +16,7 @@
 
 """ Starts a synapse client console. """
 import argparse
+import binascii
 import cmd
 import getpass
 import json
@@ -26,22 +27,21 @@
 from http import TwistedHttpClient
 from typing import Optional
 
-import nacl.encoding
-import nacl.signing
 import urlparse
+from signedjson.key import decode_verify_key_bytes
 from signedjson.sign import SignatureVerifyException, verify_signed_json
 
 from twisted.internet import defer, reactor, threads
 
 CONFIG_JSON = "cmdclient_config.json"
+NACL_ED25519 = "ed25519"
 
 # TODO: The concept of trusted identity servers has been deprecated. This option and checks
 #  should be removed
 TRUSTED_ID_SERVERS = ["localhost:8001"]
 
 
 class SynapseCmd(cmd.Cmd):
-
     """Basic synapse command-line processor.
 
     This processes commands from the user and calls the relevant HTTP methods.
@@ -420,8 +420,8 @@ def _do_invite(self, roomid, userstring):
                 pubKey = None
                 pubKeyObj = yield self.http_client.do_request("GET", url)
                 if "public_key" in pubKeyObj:
-                    pubKey = nacl.signing.VerifyKey(
-                        pubKeyObj["public_key"], encoder=nacl.encoding.HexEncoder
+                    pubKey = decode_verify_key_bytes(
+                        NACL_ED25519, binascii.unhexlify(pubKeyObj["public_key"])
                     )
                 else:
                     print("No public key found in pubkey response!")

pyproject.toml

@@ -113,7 +113,6 @@ unpaddedbase64 = ">=2.1.0"
 canonicaljson = ">=1.4.0"
 # we use the type definitions added in signedjson 1.1.
 signedjson = ">=1.1.0"
-PyNaCl = ">=1.2.1"
 # validating SSL certs for IP addresses requires service_identity 18.1.
 service-identity = ">=18.1.0"
 # Twisted 18.9 introduces some logger improvements that the structured

tests/crypto/test_event_signing.py

@@ -12,10 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
-import nacl.signing
-import signedjson.types
-from unpaddedbase64 import decode_base64
+from signedjson.key import decode_signing_key_base64
+from signedjson.types import SigningKey
 
 from synapse.api.room_versions import RoomVersions
 from synapse.crypto.event_signing import add_hashes_and_signatures
@@ -25,7 +23,7 @@
 
 # Perform these tests using given secret key so we get entirely deterministic
 # signatures output that we can test against.
-SIGNING_KEY_SEED = decode_base64("YJDBA9Xnr2sVqXD9Vj7XVUnmFZcZrlw8Md7kMW+3XA1")
+SIGNING_KEY_SEED = "YJDBA9Xnr2sVqXD9Vj7XVUnmFZcZrlw8Md7kMW+3XA1"
 
 KEY_ALG = "ed25519"
 KEY_VER = "1"
@@ -36,14 +34,9 @@
 
 class EventSigningTestCase(unittest.TestCase):
     def setUp(self):
-        # NB: `signedjson` expects `nacl.signing.SigningKey` instances which have been
-        # monkeypatched to include new `alg` and `version` attributes. This is captured
-        # by the `signedjson.types.SigningKey` protocol.
-        self.signing_key: signedjson.types.SigningKey = nacl.signing.SigningKey(  # type: ignore[assignment]
-            SIGNING_KEY_SEED
+        self.signing_key: SigningKey = decode_signing_key_base64(
+            KEY_ALG, KEY_VER, SIGNING_KEY_SEED
         )
-        self.signing_key.alg = KEY_ALG
-        self.signing_key.version = KEY_VER
 
     def test_sign_minimal(self):
         event_dict = {

tests/crypto/test_keyring.py

@@ -19,8 +19,8 @@
 import canonicaljson
 import signedjson.key
 import signedjson.sign
-from nacl.signing import SigningKey
 from signedjson.key import encode_verify_key_base64, get_verify_key
+from signedjson.types import SigningKey
 
 from twisted.internet import defer
 from twisted.internet.defer import Deferred, ensureDeferred