Revert "SNOW-843716: cryptography dep cleanup (#1773)" (#1778)

This reverts commit 6398696.
snowflakedb · Oct 17, 2023 · 5b61af7 · 5b61af7
1 parent d85e56a
commit 5b61af7
Show file tree

Hide file tree

Showing 8 changed files with 186 additions and 50 deletions.
diff --git a/DESCRIPTION.md b/DESCRIPTION.md
@@ -13,7 +13,6 @@ Source code is also available at: https://github.com/snowflakedb/snowflake-conne
  - Added for non-Windows platforms command suggestions (chown/chmod) for insufficient file permissions of config files.
  - Fixed issue with connection diagnostics failing to complete certificate checks.
  - Fixed issue that arrow iterator causes `ImportError` when the c extensions are not compiled.
- - Removed dependencies on Cryptodome and oscrypto and removed the `use_openssl_only` parameter. All connections now go through OpenSSL via the cryptography library, which was already a dependency.
 
 - v3.3.0(October 10,2023)
 

diff --git a/ci/test_fips_docker.sh b/ci/test_fips_docker.sh
@@ -21,6 +21,7 @@ user_id=$(id -u $USER)
 docker run --network=host \
  -e LANG=en_US.UTF-8 \
  -e TERM=vt102 \
+ -e SF_USE_OPENSSL_ONLY=True \
  -e PIP_DISABLE_PIP_VERSION_CHECK=1 \
  -e LOCAL_USER_ID=$user_id \
  -e CRYPTOGRAPHY_ALLOW_OPENSSL_102=1 \

diff --git a/setup.cfg b/setup.cfg
@@ -45,7 +45,9 @@ install_requires =
  asn1crypto>0.24.0,<2.0.0
  cffi>=1.9,<2.0.0
  cryptography>=3.1.0,<42.0.0
+ oscrypto<2.0.0
  pyOpenSSL>=16.2.0,<24.0.0
+ pycryptodomex!=3.5.0,>=3.2,<4.0.0
  pyjwt<3.0.0
  pytz
  requests<3.0.0

diff --git a/src/snowflake/connector/connection.py b/src/snowflake/connector/connection.py
@@ -189,9 +189,9 @@ def DefaultConverterClass() -> type:
  "client_store_temporary_credential": (False, bool),
  "client_request_mfa_token": (False, bool),
  "use_openssl_only": (
- True,
+ False,
  bool,
- ), # ignored - python only crypto modules are no longer used
+ ), # only use openssl instead of python only crypto modules
  # whether to convert Arrow number values to decimal instead of doubles
  "arrow_number_to_decimal": (False, bool),
  "enable_stage_s3_privatelink_for_us_east_1": (
@@ -287,6 +287,7 @@ class SnowflakeConnection:
  validate_default_parameters: Validate database, schema, role and warehouse used on Snowflake.
  is_pyformat: Whether the current argument binding is pyformat or format.
  consent_cache_id_token: Consented cache ID token.
+ use_openssl_only: Use OpenSSL instead of pure Python libraries for signature verification and encryption.
  enable_stage_s3_privatelink_for_us_east_1: when true, clients use regional s3 url to upload files.
  enable_connection_diag: when true, clients will generate a connectivity diagnostic report.
  connection_diag_log_path: path to location to create diag report with enable_connection_diag.
@@ -573,8 +574,7 @@ def disable_request_pooling(self, value) -> None:
 
  @property
  def use_openssl_only(self) -> bool:
- # Deprecated, kept for backwards compatibility
- return True
+ return self._use_openssl_only
 
  @property
  def arrow_number_to_decimal(self):
@@ -1117,6 +1117,19 @@ def __config(self, **kwargs):
  "CHECKED."
  )
 
+ if "SF_USE_OPENSSL_ONLY" not in os.environ:
+ logger.info("Setting use_openssl_only mode to %s", self.use_openssl_only)
+ os.environ["SF_USE_OPENSSL_ONLY"] = str(self.use_openssl_only)
+ elif (
+ os.environ.get("SF_USE_OPENSSL_ONLY", "False") == "True"
+ ) != self.use_openssl_only:
+ logger.warning(
+ "Mode use_openssl_only is already set to: %s, ignoring set request to: %s",
+ os.environ["SF_USE_OPENSSL_ONLY"],
+ self.use_openssl_only,
+ )
+ self._use_openssl_only = os.environ["SF_USE_OPENSSL_ONLY"] == "True"
+
  def cmd_query(
  self,
  sql: str,

diff --git a/src/snowflake/connector/encryption_util.py b/src/snowflake/connector/encryption_util.py
@@ -12,6 +12,7 @@
 from logging import getLogger
 from typing import IO, TYPE_CHECKING
 
+from Cryptodome.Cipher import AES
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
 
@@ -68,6 +69,7 @@ def encrypt_stream(
  The encryption metadata.
  """
  logger = getLogger(__name__)
+ use_openssl_only = os.getenv("SF_USE_OPENSSL_ONLY", "False") == "True"
  decoded_key = base64.standard_b64decode(
  encryption_material.query_stage_master_key
  )
@@ -77,9 +79,14 @@ def encrypt_stream(
  # Generate key for data encryption
  iv_data = SnowflakeEncryptionUtil.get_secure_random(block_size)
  file_key = SnowflakeEncryptionUtil.get_secure_random(key_size)
- backend = default_backend()
- cipher = Cipher(algorithms.AES(file_key), modes.CBC(iv_data), backend=backend)
- encryptor = cipher.encryptor()
+ if not use_openssl_only:
+ data_cipher = AES.new(key=file_key, mode=AES.MODE_CBC, IV=iv_data)
+ else:
+ backend = default_backend()
+ cipher = Cipher(
+ algorithms.AES(file_key), modes.CBC(iv_data), backend=backend
+ )
+ encryptor = cipher.encryptor()
 
  padded = False
  while True:
@@ -89,17 +96,30 @@ def encrypt_stream(
  elif len(chunk) % block_size != 0:
  chunk = PKCS5_PAD(chunk, block_size)
  padded = True
- out.write(encryptor.update(chunk))
+ if not use_openssl_only:
+ out.write(data_cipher.encrypt(chunk))
+ else:
+ out.write(encryptor.update(chunk))
  if not padded:
- out.write(encryptor.update(block_size * chr(block_size).encode(UTF8)))
- out.write(encryptor.finalize())
+ if not use_openssl_only:
+ out.write(
+ data_cipher.encrypt(block_size * chr(block_size).encode(UTF8))
+ )
+ else:
+ out.write(encryptor.update(block_size * chr(block_size).encode(UTF8)))
+ if use_openssl_only:
+ out.write(encryptor.finalize())
 
  # encrypt key with QRMK
- cipher = Cipher(algorithms.AES(decoded_key), modes.ECB(), backend=backend)
- encryptor = cipher.encryptor()
- enc_kek = (
- encryptor.update(PKCS5_PAD(file_key, block_size)) + encryptor.finalize()
- )
+ if not use_openssl_only:
+ key_cipher = AES.new(key=decoded_key, mode=AES.MODE_ECB)
+ enc_kek = key_cipher.encrypt(PKCS5_PAD(file_key, block_size))
+ else:
+ cipher = Cipher(algorithms.AES(decoded_key), modes.ECB(), backend=backend)
+ encryptor = cipher.encryptor()
+ enc_kek = (
+ encryptor.update(PKCS5_PAD(file_key, block_size)) + encryptor.finalize()
+ )
 
  mat_desc = MaterialDescriptor(
  smk_id=encryption_material.smk_id,
@@ -158,6 +178,7 @@ def decrypt_stream(
  ) -> None:
  """To read from `src` stream then decrypt to `out` stream."""
 
+ use_openssl_only = os.getenv("SF_USE_OPENSSL_ONLY", "False") == "True"
  key_base64 = metadata.key
  iv_base64 = metadata.iv
  decoded_key = base64.standard_b64decode(
@@ -166,26 +187,37 @@ def decrypt_stream(
  key_bytes = base64.standard_b64decode(key_base64)
  iv_bytes = base64.standard_b64decode(iv_base64)
 
- backend = default_backend()
- cipher = Cipher(algorithms.AES(decoded_key), modes.ECB(), backend=backend)
- decryptor = cipher.decryptor()
- file_key = PKCS5_UNPAD(decryptor.update(key_bytes) + decryptor.finalize())
- cipher = Cipher(algorithms.AES(file_key), modes.CBC(iv_bytes), backend=backend)
- decryptor = cipher.decryptor()
+ if not use_openssl_only:
+ key_cipher = AES.new(key=decoded_key, mode=AES.MODE_ECB)
+ file_key = PKCS5_UNPAD(key_cipher.decrypt(key_bytes))
+ data_cipher = AES.new(key=file_key, mode=AES.MODE_CBC, IV=iv_bytes)
+ else:
+ backend = default_backend()
+ cipher = Cipher(algorithms.AES(decoded_key), modes.ECB(), backend=backend)
+ decryptor = cipher.decryptor()
+ file_key = PKCS5_UNPAD(decryptor.update(key_bytes) + decryptor.finalize())
+ cipher = Cipher(
+ algorithms.AES(file_key), modes.CBC(iv_bytes), backend=backend
+ )
+ decryptor = cipher.decryptor()
 
  last_decrypted_chunk = None
  chunk = src.read(chunk_size)
  while len(chunk) != 0:
  if last_decrypted_chunk is not None:
  out.write(last_decrypted_chunk)
- d = decryptor.update(chunk)
+ if not use_openssl_only:
+ d = data_cipher.decrypt(chunk)
+ else:
+ d = decryptor.update(chunk)
  last_decrypted_chunk = d
  chunk = src.read(chunk_size)
 
  if last_decrypted_chunk is not None:
  offset = PKCS5_OFFSET(last_decrypted_chunk)
  out.write(last_decrypted_chunk[:-offset])
- out.write(decryptor.finalize())
+ if use_openssl_only:
+ out.write(decryptor.finalize())
 
  @staticmethod
  def decrypt_file(

diff --git a/src/snowflake/connector/file_util.py b/src/snowflake/connector/file_util.py
@@ -13,6 +13,7 @@
 from logging import getLogger
 from typing import IO
 
+from Cryptodome.Hash import SHA256
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
 
@@ -32,17 +33,27 @@ def get_digest_and_size(src: IO[bytes]) -> tuple[str, int]:
  Returns:
  Tuple of src's digest and src's size in bytes.
  """
+ use_openssl_only = os.getenv("SF_USE_OPENSSL_ONLY", "False") == "True"
  CHUNK_SIZE = 64 * kilobyte
- backend = default_backend()
- chosen_hash = hashes.SHA256()
- hasher = hashes.Hash(chosen_hash, backend)
+ if not use_openssl_only:
+ m = SHA256.new()
+ else:
+ backend = default_backend()
+ chosen_hash = hashes.SHA256()
+ hasher = hashes.Hash(chosen_hash, backend)
  while True:
  chunk = src.read(CHUNK_SIZE)
  if chunk == b"":
  break
- hasher.update(chunk)
-
- digest = base64.standard_b64encode(hasher.finalize()).decode(UTF8)
+ if not use_openssl_only:
+ m.update(chunk)
+ else:
+ hasher.update(chunk)
+
+ if not use_openssl_only:
+ digest = base64.standard_b64encode(m.digest()).decode(UTF8)
+ else:
+ digest = base64.standard_b64encode(hasher.finalize()).decode(UTF8)
 
  size = src.tell()
  src.seek(0)

diff --git a/src/snowflake/connector/ocsp_asn1crypto.py b/src/snowflake/connector/ocsp_asn1crypto.py
@@ -5,6 +5,10 @@
 
 from __future__ import annotations
 
+import os
+import platform
+import sys
+import warnings
 from base64 import b64decode, b64encode
 from collections import OrderedDict
 from datetime import datetime, timezone
@@ -24,6 +28,9 @@
  Version,
 )
 from asn1crypto.x509 import Certificate
+from Cryptodome.Hash import SHA1, SHA256, SHA384, SHA512
+from Cryptodome.PublicKey import RSA
+from Cryptodome.Signature import PKCS1_v1_5
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
@@ -41,6 +48,20 @@
 from snowflake.connector.errors import RevocationCheckError
 from snowflake.connector.ocsp_snowflake import SnowflakeOCSP, generate_cache_key
 
+with warnings.catch_warnings():
+ warnings.simplefilter("ignore")
+ # force versioned dylibs onto oscrypto ssl on catalina
+ if sys.platform == "darwin" and platform.mac_ver()[0].startswith("10.15"):
+ from oscrypto import _module_values, use_openssl
+
+ if _module_values["backend"] is None:
+ use_openssl(
+ libcrypto_path="/usr/lib/libcrypto.35.dylib",
+ libssl_path="/usr/lib/libssl.35.dylib",
+ )
+ from oscrypto import asymmetric
+
+
 logger = getLogger(__name__)
 
 
@@ -49,6 +70,12 @@ class SnowflakeOCSPAsn1Crypto(SnowflakeOCSP):
 
  # map signature algorithm name to digest class
  SIGNATURE_ALGORITHM_TO_DIGEST_CLASS = {
+ "sha256": SHA256,
+ "sha384": SHA384,
+ "sha512": SHA512,
+ }
+
+ SIGNATURE_ALGORITHM_TO_DIGEST_CLASS_OPENSSL = {
  "sha256": hashes.SHA256,
  "sha384": hashes.SHA3_384,
  "sha512": hashes.SHA3_512,
@@ -351,29 +378,51 @@ def process_ocsp_response(self, issuer, cert_id, ocsp_response):
  raise RevocationCheckError(msg=debug_msg, errno=op_er.errno)
 
  def verify_signature(self, signature_algorithm, signature, cert, data):
- backend = default_backend()
- public_key = serialization.load_der_public_key(
- cert.public_key.dump(), backend=default_backend()
- )
- if (
- signature_algorithm
- in SnowflakeOCSPAsn1Crypto.SIGNATURE_ALGORITHM_TO_DIGEST_CLASS
- ):
- chosen_hash = SnowflakeOCSPAsn1Crypto.SIGNATURE_ALGORITHM_TO_DIGEST_CLASS[
+ use_openssl_only = os.getenv("SF_USE_OPENSSL_ONLY", "False") == "True"
+ if not use_openssl_only:
+ pubkey = asymmetric.load_public_key(cert.public_key).unwrap().dump()
+ rsakey = RSA.importKey(pubkey)
+ signer = PKCS1_v1_5.new(rsakey)
+ if (
  signature_algorithm
- ]()
+ in SnowflakeOCSPAsn1Crypto.SIGNATURE_ALGORITHM_TO_DIGEST_CLASS
+ ):
+ digest = SnowflakeOCSPAsn1Crypto.SIGNATURE_ALGORITHM_TO_DIGEST_CLASS[
+ signature_algorithm
+ ].new()
+ else:
+ # the last resort. should not happen.
+ digest = SHA1.new()
+ digest.update(data.dump())
+ if not signer.verify(digest, signature):
+ raise RevocationCheckError(msg="Failed to verify the signature")
+
  else:
- # the last resort. should not happen.
- chosen_hash = hashes.SHA1()
- hasher = hashes.Hash(chosen_hash, backend)
- hasher.update(data.dump())
- digest = hasher.finalize()
- try:
- public_key.verify(
- signature, digest, padding.PKCS1v15(), utils.Prehashed(chosen_hash)
+ backend = default_backend()
+ public_key = serialization.load_der_public_key(
+ cert.public_key.dump(), backend=default_backend()
  )
- except InvalidSignature:
- raise RevocationCheckError(msg="Failed to verify the signature")
+ if (
+ signature_algorithm
+ in SnowflakeOCSPAsn1Crypto.SIGNATURE_ALGORITHM_TO_DIGEST_CLASS
+ ):
+ chosen_hash = (
+ SnowflakeOCSPAsn1Crypto.SIGNATURE_ALGORITHM_TO_DIGEST_CLASS_OPENSSL[
+ signature_algorithm
+ ]()
+ )
+ else:
+ # the last resort. should not happen.
+ chosen_hash = hashes.SHA1()
+ hasher = hashes.Hash(chosen_hash, backend)
+ hasher.update(data.dump())
+ digest = hasher.finalize()
+ try:
+ public_key.verify(
+ signature, digest, padding.PKCS1v15(), utils.Prehashed(chosen_hash)
+ )
+ except InvalidSignature:
+ raise RevocationCheckError(msg="Failed to verify the signature")
 
  def extract_certificate_chain(
  self, connection: Connection