Migrate from PyCrypto to pyca/cryptography

privacyidea/api/lib/postpolicy.py

@@ -41,11 +41,10 @@
 """
 import datetime
 import logging
-log = logging.getLogger(__name__)
+import traceback
 from privacyidea.lib.error import PolicyError
 from flask import g, current_app, make_response
 from privacyidea.lib.policy import SCOPE, ACTION, AUTOASSIGNVALUE
-from privacyidea.lib.user import get_user_from_param
 from privacyidea.lib.token import get_tokens, assign_token, get_realms_of_token, get_one_token
 from privacyidea.lib.machine import get_hostname, get_auth_items
 from .prepolicy import check_max_token_user, check_max_token_realm
@@ -60,6 +59,7 @@
 from privacyidea.lib.realm import get_default_realm
 from privacyidea.lib.subscriptions import subscription_status
 
+log = logging.getLogger(__name__)
 
 optional = True
 required = False
@@ -148,9 +148,17 @@ def after_request(response):
     if current_app.config.get("PI_NO_RESPONSE_SIGN"):
         return response
 
-    priv_file = current_app.config.get("PI_AUDIT_KEY_PRIVATE")
-    pub_file = current_app.config.get("PI_AUDIT_KEY_PUBLIC")
-    sign_object = Sign(priv_file, pub_file)
+    priv_file_name = current_app.config.get("PI_AUDIT_KEY_PRIVATE")
+    try:
+        with open(priv_file_name, 'rb') as priv_file:
+            priv_key = priv_file.read()
+        sign_object = Sign(priv_key, public_key=None)
+    except (IOError, ValueError, TypeError) as e:
+        log.info('Could not load private key from '
+                 'file {0!s}: {1!r}!'.format(priv_file_name, e))
+        log.debug(traceback.format_exc())
+        return response
+
     request.all_data = get_all_params(request.values, request.data)
     # response can be either a Response object or a Tuple (Response, ErrorID)
     response_value = 200

privacyidea/lib/auditmodules/sqlaudit.py

@@ -45,23 +45,21 @@
 from privacyidea.lib.utils import censor_connect_string
 from privacyidea.lib.lifecycle import register_finalizer
 from privacyidea.lib.utils import truncate_comma_list
+from privacyidea.lib.framework import get_app_config_value
 from sqlalchemy import MetaData, cast, String
 from sqlalchemy import asc, desc, and_, or_
 import datetime
 import traceback
 from six import string_types
-
-
-log = logging.getLogger(__name__)
-
-metadata = MetaData()
-
 from privacyidea.models import audit_column_length as column_length
-from privacyidea.models import AUDIT_TABLE_NAME as TABLE_NAME
 from privacyidea.models import Audit as LogEntry
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker, scoped_session
 
+log = logging.getLogger(__name__)
+
+metadata = MetaData()
+
 
 class Audit(AuditBase):
     """
@@ -271,7 +269,16 @@ def read_keys(self, pub, priv):
         :type priv: string with filename
         :return: None
         """
-        self.sign_object = Sign(priv, pub)
+        try:
+            with open(priv, "rb") as privkey_file:
+                private_key = privkey_file.read()
+            with open(pub, 'rb') as pubkey_file:
+                public_key = pubkey_file.read()
+            self.sign_object = Sign(private_key, public_key)
+        except Exception as e:
+            log.error("Error reading key file: {0!r})".format(e))
+            log.debug(traceback.format_exc())
+            raise e
 
     def _check_missing(self, audit_id):
         """
@@ -481,9 +488,10 @@ def clear(self):
 
     def audit_entry_to_dict(self, audit_entry):
         sig = None
+        verify_old_sig = get_app_config_value('PI_CHECK_OLD_SIGNATURES', False)
         if self.sign_data:
             sig = self.sign_object.verify(self._log_to_string(audit_entry),
-                                          audit_entry.signature)
+                                          audit_entry.signature, verify_old_sig)
 
         is_not_missing = self._check_missing(int(audit_entry.id))
         # is_not_missing = True