Migrate from deprecated pyopenssl calls

Fixes:

    DeprecationWarning: CSR support in pyOpenSSL is deprecated. You should use the APIs in cryptography.

Cryptography does not support the insecure md5 hash algorithm. It is
unclear whether AFIP supports any secure algorithm; this needs to be
tested by registering a new certificate on the web UI.

Author: WhyNotHugo

django_afip/crypto.py

@@ -2,14 +2,18 @@
 
 from typing import IO
 
+from cryptography import x509
 from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.serialization import Encoding
+from cryptography.hazmat.primitives.serialization import NoEncryption
+from cryptography.hazmat.primitives.serialization import PrivateFormat
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.hazmat.primitives.serialization.pkcs7 import PKCS7Options
 from cryptography.hazmat.primitives.serialization.pkcs7 import PKCS7SignatureBuilder
 from cryptography.x509 import load_pem_x509_certificate
-from OpenSSL import crypto
+from cryptography.x509.oid import NameOID
 
 from django_afip import exceptions
 
@@ -41,10 +45,18 @@ def create_embeded_pkcs7_signature(data: bytes, cert: bytes, key: bytes) -> byte
 
 def create_key(file_: IO[bytes]) -> None:
     """Create a key and write it into ``file_``."""
-    pkey = crypto.PKey()
-    pkey.generate_key(crypto.TYPE_RSA, 2048)
+    private_key = rsa.generate_private_key(
+        public_exponent=65537,
+        key_size=2048,
+    )
 
-    file_.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey))
+    file_.write(
+        private_key.private_bytes(
+            encoding=Encoding.PEM,
+            format=PrivateFormat.PKCS8,
+            encryption_algorithm=NoEncryption(),
+        )
+    )
     file_.flush()
 
 
@@ -56,16 +68,20 @@ def create_csr(
     file_: IO[bytes],
 ) -> None:
     """Create a certificate signing request and write it into ``file_``."""
-    key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_file.read())
-
-    req = crypto.X509Req()
-    subj = req.get_subject()
-
-    subj.O = organization_name
-    subj.CN = common_name
-    subj.serialNumber = serial_number  # type: ignore[attr-defined]
-
-    req.set_pubkey(key)
-    req.sign(key, "md5")
+    private_key = load_pem_private_key(key_file.read(), password=None)
+
+    csr = (
+        x509.CertificateSigningRequestBuilder()
+        .subject_name(
+            x509.Name(
+                [
+                    x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization_name),
+                    x509.NameAttribute(NameOID.COMMON_NAME, common_name),
+                    x509.NameAttribute(NameOID.SERIAL_NUMBER, serial_number),
+                ]
+            )
+        )
+        .sign(private_key, hashes.SHA256())  # type: ignore[arg-type]
+    )
 
-    file_.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
+    file_.write(csr.public_bytes(Encoding.PEM))

tests/test_taxpayer.py

@@ -3,9 +3,12 @@
 from datetime import datetime
 
 import pytest
+from cryptography import x509
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+from cryptography.x509.oid import NameOID
 from factory.django import FileField
 from freezegun import freeze_time
-from OpenSSL import crypto
+from OpenSSL.crypto import X509
 
 from django_afip import factories
 
@@ -20,8 +23,8 @@ def test_key_generation() -> None:
     assert key.splitlines()[0] == "-----BEGIN PRIVATE KEY-----"
     assert key.splitlines()[-1] == "-----END PRIVATE KEY-----"
 
-    loaded_key = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
-    assert isinstance(loaded_key, crypto.PKey)
+    loaded_key = load_pem_private_key(key.encode(), password=None)
+    assert loaded_key is not None
 
 
 def test_dont_overwrite_keys() -> None:
@@ -48,8 +51,8 @@ def test_overwrite_keys_force() -> None:
     assert key.splitlines()[0] == "-----BEGIN PRIVATE KEY-----"
     assert key.splitlines()[-1] == "-----END PRIVATE KEY-----"
 
-    loaded_key = crypto.load_privatekey(crypto.FILETYPE_PEM, key)
-    assert isinstance(loaded_key, crypto.PKey)
+    loaded_key = load_pem_private_key(key.encode(), password=None)
+    assert loaded_key is not None
 
 
 @freeze_time(datetime.fromtimestamp(1489537017))
@@ -62,26 +65,31 @@ def test_csr_generation() -> None:
     csr = csr_file.read().decode()
 
     assert csr.splitlines()[0] == "-----BEGIN CERTIFICATE REQUEST-----"
-
     assert csr.splitlines()[-1] == "-----END CERTIFICATE REQUEST-----"
 
-    loaded_csr = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr.encode())
-    assert isinstance(loaded_csr, crypto.X509Req)
-
-    expected_components = [
-        (b"O", b"John Smith"),
-        (b"CN", b"djangoafip1489537017"),
-        (b"serialNumber", b"CUIT 20329642330"),
-    ]
+    loaded_csr = x509.load_pem_x509_csr(csr.encode())
+    assert isinstance(loaded_csr, x509.CertificateSigningRequest)
 
-    assert expected_components == loaded_csr.get_subject().get_components()
+    subject = loaded_csr.subject
+    assert (
+        subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)[0].value
+        == "John Smith"
+    )
+    assert (
+        subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
+        == "djangoafip1489537017"
+    )
+    assert (
+        subject.get_attributes_for_oid(NameOID.SERIAL_NUMBER)[0].value
+        == "CUIT 20329642330"
+    )
 
 
 def test_certificate_object() -> None:
     taxpayer = factories.TaxPayerFactory.build()
     cert = taxpayer.certificate_object
 
-    assert isinstance(cert, crypto.X509)
+    assert isinstance(cert, X509)
 
 
 def test_null_certificate_object() -> None: