pyopenssl_signer: Use cryptography

per pyopenssl deprecation noteice, the crypto module is being deprecated. Per the pyopenssl documentation, the cryptography module is the recommended replacement. This commit updates the pyopenssl_signer to use the cryptography module.
tianocore · Jan 6, 2025 · cb20250 · cb20250
1 parent 3786f40
commit cb20250
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/edk2toolext/capsule/pyopenssl_signer.py b/edk2toolext/capsule/pyopenssl_signer.py
@@ -17,8 +17,9 @@
 import logging
 import warnings
 
-from cryptography.hazmat.primitives.serialization.pkcs12 import load_pkcs12
-from OpenSSL import crypto
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.serialization import pkcs12
 
 
 def sign(data: bytes, signature_options: dict, signer_options: dict) -> bytes:
@@ -78,9 +79,12 @@ def sign(data: bytes, signature_options: dict, signer_options: dict) -> bytes:
         if not isinstance(password, bytes):
             password = password.encode()
 
+    private_key, _, _ = pkcs12.load_key_and_certificates(signer_options["key_data"], password)
+
+    if not private_key:
+        raise ValueError("Failed to load private key from PKCS12 data")
+
     # TODO: Figure out OIDs.
     # TODO: Figure out EKU.
 
-    pkcs12 = load_pkcs12(signer_options["key_data"], password)
-    pkey = crypto.PKey.from_cryptography_key(pkcs12.key)
-    return crypto.sign(pkey, data, signature_options["hash_alg"])
+    return private_key.sign(data, padding.PKCS1v15(), hashes.SHA256())