Oxidize SequesterCrypto

.github/workflows/ci.yml

@@ -459,6 +459,14 @@ jobs:
         shell: bash
         run: cargo test --workspace --profile ${{ env.CARGO_PROFILE }} --no-run
 
+      # Building OpenSSL requires a perl interpreter.
+      # The default one does not provide windows-style filesystem
+      # paths so we have to switch to Strawberry.
+      - name: Use strawberry perl
+        if: startsWith(matrix.os, 'windows')
+        shell: bash
+        run: echo OPENSSL_SRC_PERL=C:/Strawberry/perl/bin/perl >> $GITHUB_ENV
+
       - name: Test rust codebase
         if: steps.rust-changes.outputs.run == 'true'
         shell: bash

oxidation/libparsec/crates/client_types/Cargo.toml

@@ -14,7 +14,7 @@ path = "tests/mod.rs"
 [dependencies]
 libparsec_crypto = { path = "../crypto" }
 libparsec_types = { path = "../types" }
-serialization_format = { path = "../serialization_format" }
+libparsec_serialization_format = { path = "../serialization_format" }
 
 flate2 = "1.0.24"
 serde = { version = "1.0.147", features = ["derive"] }

oxidation/libparsec/crates/client_types/src/local_device.rs

@@ -2,10 +2,10 @@
 
 use serde::{Deserialize, Serialize};
 use serde_with::*;
-use serialization_format::parsec_data;
 use sha2::Digest;
 
 use libparsec_crypto::prelude::*;
+use libparsec_serialization_format::parsec_data;
 use libparsec_types::*;
 
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]

oxidation/libparsec/crates/client_types/src/local_manifest.rs

@@ -9,8 +9,8 @@ use std::{
 };
 
 use libparsec_crypto::{HashDigest, SecretKey};
+use libparsec_serialization_format::parsec_data;
 use libparsec_types::*;
-use serialization_format::parsec_data;
 
 use crate as libparsec_client_types;
 

oxidation/libparsec/crates/protocol/Cargo.toml

@@ -14,7 +14,7 @@ path = "tests/mod.rs"
 [dependencies]
 libparsec_crypto = { path = "../crypto" }
 libparsec_types = { path = "../types" }
-serialization_format = { path = "../serialization_format" }
+libparsec_serialization_format = { path = "../serialization_format" }
 
 paste = "1.0.9"
 rand = "0.8.5"

oxidation/libparsec/crates/protocol/src/lib.rs

@@ -6,7 +6,7 @@ mod handshake;
 use serde::{Deserialize, Serialize};
 use std::num::NonZeroU8;
 
-use serialization_format::parsec_protocol;
+use libparsec_serialization_format::parsec_protocol;
 
 pub use error::*;
 pub use handshake::*;

oxidation/libparsec/crates/serialization_format/Cargo.toml

@@ -1,5 +1,5 @@
 [package]
-name = "serialization_format"
+name = "libparsec_serialization_format"
 version = "0.0.0"
 edition = "2021"
 license = " BUSL-1.1"

oxidation/libparsec/crates/serialization_format/src/old_parser/utils.rs

@@ -35,6 +35,8 @@ pub(crate) fn _inspect_type(ty: &Type, types: &HashMap<String, String>) -> Strin
                 "PrivateKey" => "libparsec_crypto::PrivateKey",
                 "SecretKey" => "libparsec_crypto::SecretKey",
                 "HashDigest" => "libparsec_crypto::HashDigest",
+                "SequesterVerifyKeyDer" => "libparsec_crypto::SequesterVerifyKeyDer",
+                "SequesterPublicKeyDer" => "libparsec_crypto::SequesterPublicKeyDer",
                 "DateTime" => "libparsec_types::DateTime",
                 "BlockID" => "libparsec_types::BlockID",
                 "DeviceID" => "libparsec_types::DeviceID",

oxidation/libparsec/crates/types/Cargo.toml

@@ -12,7 +12,7 @@ path = "tests/mod.rs"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-serialization_format = { path = "../serialization_format" }
+libparsec_serialization_format = { path = "../serialization_format" }
 libparsec_crypto = { path = "../crypto" }
 libparsec_platform_async = { path = "../platform_async" }
 

oxidation/libparsec/crates/types/src/certif.rs

@@ -7,7 +7,7 @@ use serde_with::*;
 use std::io::{Read, Write};
 
 use libparsec_crypto::{PublicKey, SigningKey, VerifyKey};
-use serialization_format::parsec_data;
+use libparsec_serialization_format::parsec_data;
 
 use crate as libparsec_types;
 use crate::data_macros::impl_transparent_data_format_conversion;

oxidation/libparsec/crates/types/src/invite.rs

@@ -7,7 +7,7 @@ use serde_with::*;
 use std::str::FromStr;
 
 use libparsec_crypto::{PrivateKey, PublicKey, SecretKey, VerifyKey};
-use serialization_format::parsec_data;
+use libparsec_serialization_format::parsec_data;
 
 use crate::{
     self as libparsec_types, data_macros::impl_transparent_data_format_conversion, DeviceID,

oxidation/libparsec/crates/types/src/manifest.rs

@@ -12,7 +12,7 @@ use std::{
 use unicode_normalization::UnicodeNormalization;
 
 use libparsec_crypto::{HashDigest, SecretKey, SigningKey, VerifyKey};
-use serialization_format::parsec_data;
+use libparsec_serialization_format::parsec_data;
 
 use crate::{
     self as libparsec_types, data_macros::impl_transparent_data_format_conversion, BlockID,

oxidation/libparsec/crates/types/src/pki.rs

@@ -6,7 +6,7 @@ use flate2::{read::ZlibDecoder, write::ZlibEncoder, Compression};
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
 
 use libparsec_crypto::{PublicKey, VerifyKey};
-use serialization_format::parsec_data;
+use libparsec_serialization_format::parsec_data;
 
 use crate::{
     self as libparsec_types, impl_transparent_data_format_conversion, DataError, DataResult,

parsec/__init__.py

@@ -1,24 +1,8 @@
 # Parsec Cloud (https://parsec.cloud) Copyright (c) AGPL-3.0 2016-present Scille SAS
 from __future__ import annotations
 
-import os
-
 from parsec._version import __version__
 
-# The oscrypto library relies on `ctypes.util.find_library`,
-# which doesn't work for snap classic environments.
-# Hence, we rely on env variables similar to `FUSE_LIBRARY_PATH`
-# to configure oscrypto correctly if those variables are provided.
-SSL_LIBRARY_PATH = os.environ.get("SSL_LIBRARY_PATH")
-CRYPTO_LIBRARY_PATH = os.environ.get("CRYPTO_LIBRARY_PATH")
-if SSL_LIBRARY_PATH and CRYPTO_LIBRARY_PATH:
-    import oscrypto
-
-    oscrypto.use_openssl(
-        libcrypto_path=CRYPTO_LIBRARY_PATH,
-        libssl_path=SSL_LIBRARY_PATH,
-    )
-
 # The parsec.utils module includes a bit of patching, let's make sure it is imported
 __import__("parsec.utils")
 

parsec/_parsec.pyi

@@ -24,6 +24,10 @@ from parsec._parsec_pyi.crypto import (
     PrivateKey,
     PublicKey,
     SecretKey,
+    SequesterPrivateKeyDer,
+    SequesterPublicKeyDer,
+    SequesterSigningKeyDer,
+    SequesterVerifyKeyDer,
     SigningKey,
     VerifyKey,
     generate_nonce,
@@ -510,6 +514,10 @@ __all__ = [
     "VerifyKey",
     "PrivateKey",
     "PublicKey",
+    "SequesterPrivateKeyDer",
+    "SequesterPublicKeyDer",
+    "SequesterSigningKeyDer",
+    "SequesterVerifyKeyDer",
     "generate_nonce",
     # Enumerate
     "ClientType",

parsec/api/data/certif.py

@@ -5,10 +5,9 @@
 
 import attr
 
-from parsec._parsec import DateTime
+from parsec._parsec import DateTime, SequesterPublicKeyDer, SequesterVerifyKeyDer
 from parsec.api.data.base import BaseAPIData, BaseAPISignedData, BaseSignedDataSchema
 from parsec.api.protocol import SequesterServiceID, SequesterServiceIDField
-from parsec.sequester_crypto import SequesterEncryptionKeyDer, SequesterVerifyKeyDer
 from parsec.serde import fields, post_load
 from parsec.serde.schema import BaseSchema
 
@@ -41,7 +40,7 @@ class SCHEMA_CLS(BaseSchema):
         timestamp = fields.DateTime(required=True)
         service_id = SequesterServiceIDField(required=True)
         service_label = fields.String(required=True)
-        encryption_key_der = fields.SequesterEncryptionKeyDerField(required=True)
+        encryption_key_der = fields.SequesterPublicKeyDerField(required=True)
 
         @post_load
         def make_obj(self, data: Dict[str, Any]) -> "SequesterServiceCertificate":  # type: ignore[misc]
@@ -51,4 +50,4 @@ def make_obj(self, data: Dict[str, Any]) -> "SequesterServiceCertificate":  # ty
     timestamp: DateTime
     service_id: SequesterServiceID
     service_label: str
-    encryption_key_der: SequesterEncryptionKeyDer
+    encryption_key_der: SequesterPublicKeyDer

parsec/backend/cli/sequester.py

@@ -8,11 +8,15 @@
 
 import attr
 import click
-import oscrypto
 from async_generator import asynccontextmanager
-from oscrypto.asymmetric import PrivateKey
 
-from parsec._parsec import DateTime
+from parsec._parsec import (
+    DateTime,
+    SequesterPrivateKeyDer,
+    SequesterPublicKeyDer,
+    SequesterSigningKeyDer,
+    SequesterVerifyKeyDer,
+)
 from parsec.api.data import DataError, SequesterServiceCertificate
 from parsec.api.protocol import HumanHandle, OrganizationID, RealmID, SequesterServiceID, UserID
 from parsec.backend.blockstore import blockstore_factory
@@ -33,13 +37,8 @@
 )
 from parsec.backend.user import User
 from parsec.cli_utils import cli_exception_handler, debug_config_options, operation
+from parsec.crypto import CryptoError
 from parsec.event_bus import EventBus
-from parsec.sequester_crypto import (
-    CryptoError,
-    SequesterEncryptionKeyDer,
-    SequesterVerifyKeyDer,
-    sequester_authority_sign,
-)
 from parsec.sequester_export_reader import RealmExportProgress, extract_workspace
 from parsec.utils import open_service_nursery, trio_run
 
@@ -50,11 +49,9 @@
 
 def dump_sequester_service_certificate_pem(
     certificate_data: SequesterServiceCertificate,
-    authority_signing_key: PrivateKey,
+    authority_signing_key: SequesterSigningKeyDer,
 ) -> str:
-    certificate = sequester_authority_sign(
-        signing_key=authority_signing_key, data=certificate_data.dump()
-    )
+    certificate = authority_signing_key.sign(certificate_data.dump())
     return "\n".join(
         (
             SEQUESTER_SERVICE_CERTIFICATE_PEM_HEADER,
@@ -217,8 +214,8 @@ def generate_service_certificate(
 ) -> None:
     with cli_exception_handler(debug):
         # Load key files
-        service_key = SequesterEncryptionKeyDer(service_public_key.read_bytes())
-        authority_key = oscrypto.asymmetric.load_private_key(authority_private_key.read_bytes())
+        service_key = SequesterPublicKeyDer.load_pem(service_public_key.read_text())
+        authority_key = SequesterSigningKeyDer.load_pem(authority_private_key.read_text())
 
         # Generate data schema
         service_id = SequesterServiceID.new()
@@ -427,8 +424,8 @@ def create_service(
                 "Webhook sequester service requires webhook_url argument"
             )
         # Load key files
-        service_key = SequesterEncryptionKeyDer(service_public_key.read_bytes())
-        authority_key = oscrypto.asymmetric.load_private_key(authority_private_key.read_bytes())
+        service_key = SequesterPublicKeyDer.load_pem(service_public_key.read_text())
+        authority_key = SequesterSigningKeyDer.load_pem(authority_private_key.read_text())
         # Generate data schema
         service_id = SequesterServiceID.new()
         now = DateTime.now()
@@ -438,7 +435,7 @@ def create_service(
             service_label=service_label,
             encryption_key_der=service_key,
         )
-        certificate = sequester_authority_sign(signing_key=authority_key, data=certif_data.dump())
+        certificate = authority_key.sign(certif_data.dump())
 
         sequester_service: BaseSequesterService
         if cooked_service_type == SequesterServiceType.STORAGE:
@@ -797,7 +794,7 @@ def extract_realm_export(
         # Finally a command that is not async !
         # This is because here we do only a single thing at a time and sqlite3 provide
         # a synchronous api anyway
-        decryption_key = oscrypto.asymmetric.load_private_key(service_decryption_key.read_bytes())
+        decryption_key = SequesterPrivateKeyDer.load_pem(service_decryption_key.read_text())
 
         # Convert filter_date from click.Datetime to parsec.Datetime
         date: DateTime

parsec/backend/organization.py

@@ -18,7 +18,9 @@
     OrganizationStatsRepNotFound,
     OrganizationStatsRepOk,
     OrganizationStatsReq,
+    SequesterVerifyKeyDer,
     UsersPerProfileDetailItem,
+    VerifyKey,
 )
 from parsec.api.data import (
     DataError,
@@ -41,8 +43,6 @@
 from parsec.backend.user import Device, User
 from parsec.backend.utils import Unset, UnsetType, api, api_typed_msg_adapter, catch_protocol_errors
 from parsec.backend.webhooks import WebhooksComponent
-from parsec.crypto import VerifyKey
-from parsec.sequester_crypto import SequesterVerifyKeyDer
 from parsec.utils import timestamps_in_the_ballpark