From 0d45b19d0756972470c2c96e4662f40e9cc3356b Mon Sep 17 00:00:00 2001
From: Adrian Vollmer
Date: Tue, 5 Dec 2023 19:38:36 +0100
Subject: [PATCH] Avoid module-level imports of oscrypt

Many dependents of minikerberos don't need `PKINIT`, so it makes sense to import `oscrypt` only when needed. Especially because `oscrypt<=1.3.0` does not work when `openssl>=3.0.10`.
See: https://github.com/wbond/oscrypto/issues/78
---
 minikerberos/pkinit.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/minikerberos/pkinit.py b/minikerberos/pkinit.py
index d2bb2ca..83b2b00 100644
--- a/minikerberos/pkinit.py
+++ b/minikerberos/pkinit.py
@@ -19,9 +19,6 @@
 from asn1crypto import x509
 from asn1crypto import keys
-from oscrypto.keys import parse_pkcs12
-from oscrypto.asymmetric import rsa_pkcs1v15_sign, load_private_key
-
 from minikerberos.protocol.constants import NAME_TYPE, MESSAGE_TYPE, PaDataType
 from minikerberos.protocol.encryption import Enctype, _checksum_table, _enctype_table, Key
 from minikerberos.protocol.structures import AuthenticatorChecksum
@@ -113,6 +110,8 @@ def from_windows_certstore(username, certstore_name = 'MY', cert_serial = None,
 @staticmethod
 def from_pfx(pfxfile, pfxpass, dh_params = None):
+ from oscrypto.keys import parse_pkcs12
+ from oscrypto.asymmetric import load_private_key
 pkinit = PKINIT()
 #print('Loading pfx12')
 if isinstance(pfxpass, str):
@@ -330,6 +329,8 @@ def sign_authpack_native(self, data, wrap_signed = False):
 2. the certificate used to sign the data blob
 3. the singed 'signed_attrs' structure (ASN1) which points to the "data" structure (in point 1)
 """
+
+ from oscrypto.asymmetric import rsa_pkcs1v15_sign
 da = {}
 da['algorithm'] = algos.DigestAlgorithmId('1.3.14.3.2.26') # for sha1
@@ -456,4 +457,4 @@ def get_metadata(self, target = None):
 md['Info'] = Info(info)
 md['1'] = [CertIssuer({'data' : ci.dump()})]
- return MetaData(md).dump()
\ No newline at end of file
+ return MetaData(md).dump()
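Review bot: The function-local oscrypto imports added to `from_pfx` (and the one added to `sign_authpack_native` in the following hunk) have no comment saying why they are not at module level, so a later import tidy-up could hoist them back and reintroduce the load failure the commit message describes. I would put above each one `# Lazy import: oscrypto can fail to load against newer OpenSSL (wbond/oscrypto#78) and only PKINIT needs it`. The failure is also now deferred to the first PKINIT call instead of module import, so a caller would presumably see it in the middle of an authentication attempt; catching it at these two sites and re-raising with a message that names oscrypto would make that easier to diagnose. Both function bodies continue outside their hunks.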