pyauth / tsp-client

A Python IETF Time-Stamp Protocol (TSP) (RFC 3161) client
Apache License 2.0

Does not work with latest pyOpenSSL #6

Open pjrobertson opened 3 days ago

pjrobertson commented 3 days ago

See https://github.com/bellingcat/auto-archiver/issues/155 for more info.

Here's the stack trace, when using pyOpenSSL==24.3.0

  File "/.virtualenvs/autoarchiver/lib/python3.11/site-packages/auto_archiver/enrichers/timestamping_enricher.py", line 3, in <module>
    from tsp_client import TSPSigner, SigningSettings, TSPVerifier
  File "/.virtualenvs/autoarchiver/lib/python3.11/site-packages/tsp_client/__init__.py", line 2, in <module>
    from .signer import SigningSettings, TSPSigner
  File "/.virtualenvs/autoarchiver/lib/python3.11/site-packages/tsp_client/signer.py", line 12, in <module>
    from .verifier import TSPVerifier, VerifyResult
  File "/.virtualenvs/autoarchiver/lib/python3.11/site-packages/tsp_client/verifier.py", line 40, in <module>
    from OpenSSL.crypto import verify as openssl_verify
ImportError: cannot import name 'verify' from 'OpenSSL.crypto' (unknown location)

From pyOpenSSL docs, the crypto package is deprecated: https://www.pyopenssl.org/en/24.3.0/api/crypto.html


But I can't seem to see any better solution as to how to do this. The recommended pyca/cryptography doesn't seem to make it any easier either. Submitting here to keep a record on this.

kislyuk commented 2 days ago

Thanks for reporting! I will publish a new version shortly that restricts the PyOpenSSL dependency version range so that only versions that contain the required functionality are installed.

The certificate validation (verification) function is indeed deprecated in PyOpenSSL. Migrating it to Cryptography is possible but requires some effort (I have successfully completed this work in another package I maintain, SignXML, but not in tsp-client yet) and the validation criteria in Cryptography are much stricter and less flexible than in PyOpenSSL, so I'm not sure yet if they will work with all TSP applications.
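An added example, not code from tsp-client or from either commenter: a signature check written against pyca/cryptography that can stand in for the `OpenSSL.crypto.verify` import that fails in the traceback above. The names `verify_signature` and `make_test_cert` are hypothetical, the certificate is constructed for the demonstration, and the function checks only the signature under the certificate's public key, not the certificate chain.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID


def verify_signature(cert, signature, data, digest=None):
    """Hypothetical stand-in for the removed OpenSSL.crypto.verify().

    True if `signature` over `data` verifies under the certificate's public
    key, False otherwise. Handles RSA (PKCS#1 v1.5) and ECDSA keys only.
    """
    digest = digest or hashes.SHA256()
    key = cert.public_key()
    try:
        if isinstance(key, rsa.RSAPublicKey):
            key.verify(signature, data, padding.PKCS1v15(), digest)
        elif isinstance(key, ec.EllipticCurvePublicKey):
            key.verify(signature, data, ec.ECDSA(digest))
        else:
            raise TypeError(f"unsupported key type: {type(key).__name__}")
    except InvalidSignature:
        return False
    return True


def make_test_cert(private_key):
    """Constructed self-signed certificate, used only to exercise the check."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed-tsa.example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(private_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(private_key, hashes.SHA256())
    )


if __name__ == "__main__":
    key = ec.generate_private_key(ec.SECP256R1())
    sig = key.sign(b"constructed token bytes", ec.ECDSA(hashes.SHA256()))
    print(verify_signature(make_test_cert(key), sig, b"constructed token bytes"))
```

A pyOpenSSL `X509` object can be passed in after converting it with its `to_cryptography()` method.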

kislyuk commented 2 days ago

OK, I have released tsp-client v0.2.1 which works around this issue. I will post another update here when I've made progress on migrating certificate validation to Cryptography.

pjrobertson commented 2 days ago

Great, thanks for the quick update! Note that I've tested and confirmed it still works with pyopenssl==24.2.1, so perhaps the package should be kept to this?

"pyOpenSSL >= 21.0.0, < 24.2.1"