- Updated code to remove dependency on Cryptodome, which has not been active for a lot of time. Using Cryptography instead.

Author: rvelaVenafi

requirements.txt

@@ -7,4 +7,3 @@ enum34;python_version<'3.4'
 future
 ruamel.yaml<0.17
 pynacl>=1.4.0
-pycryptodome>=3.11.0

tests/test_vaas.py

@@ -27,43 +27,9 @@
 from test_env import CLOUD_ZONE, CLOUD_APIKEY, CLOUD_URL, RANDOM_DOMAIN
 from test_utils import random_word, enroll, renew, renew_by_thumbprint, renew_without_key_reuse, simple_enroll
 from vcert import CloudConnection, KeyType, CertificateRequest, CustomField, logger, CSR_ORIGIN_SERVICE
-from vcert.pem import pkcs8_to_pem_private_key
 
 log = logger.get_child("test-vaas")
 
-p8_key = """
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIPLsOsD8egf4CAicQ
-MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBCGU0yCgxPiFpL/l+F5/wmzBIIE
-0B2QHY6GoIj204ovABzvhgu6DPt3qvMtxWUhparQoOirf6IWpgPs5yIEVYzm33vb
-I0yWb4DTTLQc0k+s1e1whDkhEDyeZ0GGHzHu2LHnsLLUKbUW9wsod9GlQ61IACnr
-i8ehxgAAyYAB/PIcwpuF+nzyRHx9bud/916DYQ7Y/DWmCpSHB1/O9vkY1RZJjOqc
-XrmzVqL+FBWjPzXk5FfWkRoVIUWsB/yWaP4ZYb5o8xgcAvvyXeofhum9vmiRlRB+
-ii6SH7lgFE7BL1qZPnNCjFeBbDv9OryR1h3FbGnNaKJGOrlA1sirg0lMyi2zsaBe
-M0B8y8AVnU8q5JnToIFFo4BnimK7jXPspQ/opu9IaZDWKf3wbwUiC+IfytlelVpT
-lMTLvYPPypsjqhInDRrPbdlmx1WN9bfHdkwzRm3x4UuAKTcQKX/5s8AdNDTRx4Kv
-UZ2wLylEQcCWYWm3m+YL0PcsnUX301dmKHGG0ub/CwIFO1GYI9+Eb1azsS3h+fx7
-Ec4rOzZ4Q5h1HWnV3P7CVqyq4hSqJ3f7DMThCgW0up2woCMZnZqQcg4+VUYH1oFg
-YvrCV0N4W9woHWS6v0HDhMAR9HadUAvDetljrp1ygiPGAe+giNF9AZ+7+MTVwT/M
-YEcDzxCrKWQ57KdxnZL2cVELx0pihmqEs0jvh++YShszE39S/Pk58BqFLaS+/eAy
-42fXlih2FE+Pj5dTrxY3wY759SOZy+AlHytd3PkYHvCd7qgYTCUo+y8Gd2tIVW2g
-pwx59953QhCoyPFMvm97pkHi9IMLLoBobdngV2FKzj3lch1V8iujqNdA8W0Zny0S
-6KQgSn6GvW/EVVVIckS41uoKxTJVnCNsI8jpBa4/bUvZzx8s6gDHSZqTFgh+jssu
-8rI8nGRsFa3+ynoR3rFcaRFi733BjPHdCYlEYLxfPwhpQ5wYAU2NCMJbCkiakPSR
-ywNbIhxJhdmhD8zbNifLaXUB/iFhbW4e+QcZZNo8im/ty0J3OSj9OqNIAAP8k7CV
-MdQbI4yu09hDPKIw7YBS+R5pmOjiuQOL4mzeOb8MN4i4AHCUiH/K63pVDqkT1yNM
-rIIFjljg1loosubHTU59vWKE/OPuY+BFviK49rw0xGyPdHECgkpS6/CPfzIEkr8U
-RsNxRVW/fjTdSw3YaqlrTNEN6tLuddq2R/rMvyXlzhcGB2H81V8ZgJ4bqTgfUdH4
-iAv49PCCIClPQYD4W1HzuSFlNwT4Cy29QgSjw0bHFmvmNvfInidBH5DoJeMovMsy
-OROtIuCG0QZjfIcsreU7gcbUvwPNB+nQaDA3IA7fkYmE1xvj38YMIimDRWFKN5Q6
-f67kAGgkFcBlKGh6J+iGNIMscGkRbPRlNHtefE/vaAMHNUBfNxuVk6ylf2Hj2YC9
-gXSp4S0pq5RUvt8KPzeba0mtNlmuFSK9ZfOOu/eBIGvHwA7+HWG4ogTpER1IXbnE
-ZzcdVwYponiGL/dtKZIyibxxEUOHjoM9XyoopE9wFq/kQXEgVDCFLdyPAxFS7WA+
-NRqtgX8X41i/zQ72ZvM+bHrq2gk2OnDJ4jyDTBLBQezdOX4rLrWvzIcqh7hmWC1L
-KrcsYl3EZcK4zmMgSTTCgEJGKJsgClqUh6TS7atxgIjr
------END ENCRYPTED PRIVATE KEY-----
-"""
-
 
 class TestCloudMethods(unittest.TestCase):
     def __init__(self, *args, **kwargs):
@@ -198,9 +164,4 @@ def test_cloud_enroll_service_generated_csr(self):
         assert t1 == t2
 
         output = cert_object.as_pkcs12('FooBarPass123')
-        log.info("PKCS12 created successfully:\n%s" % output)
-
-    def test_cloud_parse_key_p8_to_p12(self):
-        passphrase = 'FooBarPass123'
-        pem_pk = pkcs8_to_pem_private_key(self.p8_key, passphrase)
-        log.info("PEM Private Key is: %s" % pem_pk)
+        log.info("PKCS12 created successfully for certificate with CN: %s" % cn)

vcert/connection_cloud.py

@@ -33,7 +33,7 @@
                      CertificateRenewError, VenafiError, RetrieveCertificateTimeoutError)
 from .http import HTTPStatus
 from .logger import get_child
-from .pem import parse_pem, pkcs8_to_pem_private_key, Certificate
+from .pem import parse_pem, Certificate
 from .policy import PolicySpecification
 from .policy.pm_cloud import (build_policy_spec, validate_policy_spec, AccountDetails, build_cit_request, build_user,
                               UserDetails, build_company, build_apikey, build_app_update_request, get_ca_info,
@@ -864,5 +864,4 @@ def _retrieve_service_generated_cert(self, request, dek_info):
             raise VenafiError
 
         cert, chain, private_key = zip_to_pem(data, request.chain_option)
-        pem_private_key = pkcs8_to_pem_private_key(private_key=private_key, passphrase=request.key_password)
-        return Certificate(cert=cert, chain=chain, key=pem_private_key)
+        return Certificate(cert=cert, chain=chain, key=private_key)

vcert/pem.py

@@ -21,7 +21,6 @@
 import string
 import random
 
-from Crypto.IO import PKCS8, PEM
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
@@ -122,27 +121,6 @@ def as_pkcs12(self, passphrase=None):
         return output
 
 
-def pkcs8_to_pem_private_key(private_key, passphrase):
-    """
-
-    :param str private_key:
-    :param str passphrase:
-    :rtype: str
-    """
-    b_passphrase = passphrase.encode()
-
-    b_pem, marker, decrypted = PEM.decode(private_key.encode(), b_passphrase)
-    oid, private_key_der, _ = PKCS8.unwrap(b_pem, b_passphrase)
-    key = serialization.load_der_private_key(data=private_key_der, password=None, backend=default_backend())
-    encryption = serialization.BestAvailableEncryption(b_passphrase)
-    private_key_pem = key.private_bytes(
-        encoding=serialization.Encoding.PEM,
-        format=serialization.PrivateFormat.TraditionalOpenSSL,
-        encryption_algorithm=encryption
-    )
-    return private_key_pem.decode()
-
-
 def random_word(length):
     letters = string.ascii_lowercase
     return ''.join(random.choice(letters) for _ in range(length))  # nosec