imports: Fix external imports (crypto, nacl)

Modify the way nacl and cryptography imports are made to make them compatible with vendoring tool.
secure-systems-lab · Jan 14, 2021 · f0d8fbb · f0d8fbb
1 parent 2e7ed4f
commit f0d8fbb
Show file tree

Hide file tree

Showing 8 changed files with 38 additions and 37 deletions.
diff --git a/securesystemslib/ecdsa_keys.py b/securesystemslib/ecdsa_keys.py
@@ -51,7 +51,7 @@
   from cryptography.hazmat.primitives.serialization import load_pem_public_key
   from cryptography.hazmat.primitives.serialization import load_pem_private_key
 
-  import cryptography.exceptions
+  from cryptography.exceptions import (InvalidSignature, UnsupportedAlgorithm)
 
   _SCHEME_HASHER = {
     'ecdsa-sha2-nistp256': ec.ECDSA(hashes.SHA256()),
@@ -335,7 +335,7 @@ def verify_signature(public_key, scheme, signature, data):
     ecdsa_key.verify(signature, data, _SCHEME_HASHER[scheme])
     return True
 
-  except (TypeError, cryptography.exceptions.InvalidSignature):
+  except (TypeError, InvalidSignature):
     return False
 
 
@@ -418,7 +418,7 @@ def create_ecdsa_public_and_private_from_pem(pem, password=None):
     private = load_pem_private_key(pem.encode('utf-8'), password=password,
       backend=default_backend())
 
-  except (ValueError, cryptography.exceptions.UnsupportedAlgorithm) as e:
+  except (ValueError, UnsupportedAlgorithm) as e:
     raise exceptions.CryptoError('Could not import private'
       ' PEM.\n' + str(e))
 

diff --git a/securesystemslib/ed25519_keys.py b/securesystemslib/ed25519_keys.py
@@ -72,8 +72,10 @@
 NACL = True
 NO_NACL_MSG = "ed25519 key support requires the nacl library"
 try:
-  import nacl.signing
-  import nacl.encoding
+  from nacl.encoding import RawEncoder
+  from nacl.signing import (SigningKey, VerifyKey)
+  # avoid conflicts with own exceptions of same name
+  from nacl import exceptions as nacl_exceptions
 except ImportError:
     NACL = False
 
@@ -142,8 +144,8 @@ def generate_public_and_private():
 
   # Generate the public key.  PyNaCl (i.e., 'nacl' module) performs the actual
   # key generation.
-  nacl_key = nacl.signing.SigningKey(seed)
-  public = nacl_key.verify_key.encode(encoder=nacl.encoding.RawEncoder())
+  nacl_key = SigningKey(seed)
+  public = nacl_key.verify_key.encode(encoder=RawEncoder())
 
   return public, seed
 
@@ -233,11 +235,11 @@ def create_signature(public_key, private_key, data, scheme):
   # statement to accommodate schemes that might be added in the future.
   if scheme == 'ed25519':
     try:
-      nacl_key = nacl.signing.SigningKey(private_key)
+      nacl_key = SigningKey(private_key)
       nacl_sig = nacl_key.sign(data)
       signature = nacl_sig.signature
 
-    except (ValueError, TypeError, nacl.exceptions.CryptoError) as e:
+    except (ValueError, TypeError, nacl_exceptions.CryptoError) as e:
       raise exceptions.CryptoError('An "ed25519" signature'
           ' could not be created with PyNaCl.' + str(e))
 
@@ -325,11 +327,11 @@ def verify_signature(public_key, scheme, signature, data):
   if scheme in _SUPPORTED_ED25519_SIGNING_SCHEMES:
     if NACL:
       try:
-        nacl_verify_key = nacl.signing.VerifyKey(public)
+        nacl_verify_key = VerifyKey(public)
         nacl_verify_key.verify(data, signature)
         valid_signature = True
 
-      except nacl.exceptions.BadSignatureError:
+      except nacl_exceptions.BadSignatureError:
         pass
 
     # Verify 'ed25519' signature with the pure Python implementation.

diff --git a/securesystemslib/gpg/dsa.py b/securesystemslib/gpg/dsa.py
@@ -19,10 +19,10 @@
 CRYPTO = True
 NO_CRYPTO_MSG = 'DSA key support for GPG requires the cryptography library'
 try:
-  import cryptography.hazmat.primitives.asymmetric.dsa as dsa
-  import cryptography.hazmat.backends as backends
-  import cryptography.hazmat.primitives.asymmetric.utils as dsautils
-  import cryptography.exceptions
+  from cryptography.exceptions import InvalidSignature
+  from cryptography.hazmat import backends
+  from cryptography.hazmat.primitives.asymmetric import dsa
+  from cryptography.hazmat.primitives.asymmetric import utils as dsautils
 except ImportError:
   CRYPTO = False
 
@@ -248,5 +248,5 @@ def verify_signature(signature_object, pubkey_info, content,
       dsautils.Prehashed(hasher())
     )
     return True
-  except cryptography.exceptions.InvalidSignature:
+  except InvalidSignature:
     return False
diff --git a/securesystemslib/gpg/eddsa.py b/securesystemslib/gpg/eddsa.py
@@ -26,8 +26,8 @@
 CRYPTO = True
 NO_CRYPTO_MSG = 'EdDSA key support for GPG requires the cryptography library'
 try:
-  import cryptography.hazmat.primitives.asymmetric.ed25519 as pyca_ed25519
-  import cryptography.exceptions
+  from cryptography.hazmat.primitives.asymmetric import ed25519 as pyca_ed25519
+  from cryptography.exceptions import InvalidSignature
 except ImportError:
   CRYPTO = False
 
@@ -242,5 +242,5 @@ def verify_signature(signature_object, pubkey_info, content,
     )
     return True
 
-  except cryptography.exceptions.InvalidSignature:
+  except InvalidSignature:
     return False
diff --git a/securesystemslib/gpg/rsa.py b/securesystemslib/gpg/rsa.py
@@ -19,11 +19,11 @@
 CRYPTO = True
 NO_CRYPTO_MSG = 'RSA key support for GPG requires the cryptography library'
 try:
-  import cryptography.hazmat.primitives.asymmetric.rsa as rsa
-  import cryptography.hazmat.backends as backends
-  import cryptography.hazmat.primitives.asymmetric.padding as padding
-  import cryptography.hazmat.primitives.asymmetric.utils as utils
-  import cryptography.exceptions
+  from cryptography.hazmat.primitives.asymmetric import rsa
+  from cryptography.hazmat import backends
+  from cryptography.hazmat.primitives.asymmetric import padding
+  from cryptography.hazmat.primitives.asymmetric import utils
+  from cryptography.exceptions import InvalidSignature
 except ImportError:
   CRYPTO = False
 
@@ -221,5 +221,5 @@ def verify_signature(signature_object, pubkey_info, content,
       utils.Prehashed(hasher())
     )
     return True
-  except cryptography.exceptions.InvalidSignature:
+  except InvalidSignature:
     return False
diff --git a/securesystemslib/gpg/util.py b/securesystemslib/gpg/util.py
@@ -24,8 +24,8 @@
 CRYPTO = True
 NO_CRYPTO_MSG = 'gpg.utils requires the cryptography library'
 try:
-  import cryptography.hazmat.backends as backends
-  import cryptography.hazmat.primitives.hashes as hashing
+  from cryptography.hazmat import backends
+  from cryptography.hazmat.primitives import hashes as hashing
 except ImportError:
   CRYPTO = False
 

diff --git a/securesystemslib/hash.py b/securesystemslib/hash.py
@@ -47,9 +47,8 @@
 
 # If `pyca_crypto` is installed, add it to supported libraries
 try:
-  import cryptography.exceptions
-  import cryptography.hazmat.backends
-  import cryptography.hazmat.primitives.hashes as _pyca_hashes
+  from cryptography.hazmat.backends import default_backend
+  from cryptography.hazmat.primitives import hashes as _pyca_hashes
   import binascii
 
   # Dictionary of `pyca/cryptography` supported hash algorithms.
@@ -204,8 +203,7 @@ def digest(algorithm=DEFAULT_HASH_ALGORITHM, hash_library=DEFAULT_HASH_LIBRARY):
     try:
       hash_algorithm = PYCA_DIGEST_OBJECTS_CACHE[algorithm]()
       return PycaDiggestWrapper(
-        cryptography.hazmat.primitives.hashes.Hash(hash_algorithm,
-            cryptography.hazmat.backends.default_backend()))
+        _pyca_hashes.Hash(hash_algorithm, default_backend()))
 
     except KeyError:
       raise exceptions.UnsupportedAlgorithmError(algorithm)

diff --git a/securesystemslib/rsa_keys.py b/securesystemslib/rsa_keys.py
@@ -72,7 +72,8 @@
   from cryptography.hazmat.backends import default_backend
 
   # Import Exception classes need to catch pyca/cryptography exceptions.
-  import cryptography.exceptions
+  from cryptography.exceptions import (
+      InvalidSignature, UnsupportedAlgorithm)
 
   # 'cryptography.hazmat.primitives.asymmetric' (i.e., pyca/cryptography's
   # public-key cryptography modules) supports algorithms like the Digital
@@ -369,7 +370,7 @@ def create_rsa_signature(private_key, data, scheme='rsassa-pss-sha256'):
   # serialized key is of a type that is not supported by the backend, or if
   # the key is encrypted with a symmetric cipher that is not supported by
   # the backend.
-  except cryptography.exceptions.UnsupportedAlgorithm:  # pragma: no cover
+  except UnsupportedAlgorithm:  # pragma: no cover
     raise exceptions.CryptoError('The private key is'
         ' encrypted with an unsupported algorithm.')
 
@@ -481,11 +482,11 @@ def verify_rsa_signature(signature, signature_scheme, public_key, data):
 
       return True
 
-    except cryptography.exceptions.InvalidSignature:
+    except InvalidSignature:
       return False
 
   # Raised by load_pem_public_key().
-  except (ValueError, cryptography.exceptions.UnsupportedAlgorithm) as e:
+  except (ValueError, UnsupportedAlgorithm) as e:
     raise exceptions.CryptoError('The PEM could not be'
         ' decoded successfully, or contained an unsupported key type: ' + str(e))
 
@@ -670,7 +671,7 @@ def create_rsa_public_and_private_from_pem(pem, passphrase=None):
   # Or if the key was encrypted but no password was supplied.
   # UnsupportedAlgorithm: If the private key (or if the key is encrypted with
   # an unsupported symmetric cipher) is not supported by the backend.
-  except (ValueError, TypeError, cryptography.exceptions.UnsupportedAlgorithm) as e:
+  except (ValueError, TypeError, UnsupportedAlgorithm) as e:
     # Raise 'securesystemslib.exceptions.CryptoError' and pyca/cryptography's
     # exception message.  Avoid propogating pyca/cryptography's exception trace
     # to avoid revealing sensitive error.