Restricted Python in Zope - Unauthorized Error


I have a Python script in the Zope (5.8.3) ZMI. When I was running Zope 5.5.1 this worked perfectly, but since I upgraded to 5.8.3 and thus updated all the accompanying Python modules, I am now getting the error:

Unauthorized: Cannot access verify in this context

verify is part of the cryptography library and more specifically the ed25519 module in this Ed25519 class. I have allowed both the module(s) and classes necessary and even the method from_public_bytes works fine. However, I need to allow the use of verify so this script works again and have spent the last two days reading code and trying a bunch of allow statements to no avail.

Hopefully someone can shed some light on this as right now, I've had to create an external method just for the verify line to get the API back and running. I would much rather be able to do this from within the ZMI like I did previously.

Here's what I've got in my __init__.py for the allow statements:

from Products.PythonScripts.Utility import allow_module, allow_class
from AccessControl import ModuleSecurityInfo, ClassSecurityInfo

allow_module("base64")
allow_module("Crypto")
allow_module("Crypto.Cipher")
allow_module("cryptography")
allow_module("cryptography.exceptions")
allow_module("cryptography.fernet")
allow_module("cryptography.hazmat")
allow_module("cryptography.hazmat.primitives")
allow_module("cryptography.hazmat.primitives.asymmetric")
allow_module("cryptography.hazmat.primitives.asymmetric.ed25519")
allow_module("cryptography.hazmat.primitives.asymmetric.x25519")
allow_module("cryptography.hazmat.primitives.kdf.hkdf")
allow_module("json")
allow_module("ZcPassword")

from Crypto.Cipher import ChaCha20_Poly1305
allow_class(ChaCha20_Poly1305)
from Crypto.Cipher.ChaCha20_Poly1305 import ChaCha20Poly1305Cipher
allow_class(ChaCha20Poly1305Cipher)

from cryptography.exceptions import InvalidSignature
allow_class(InvalidSignature)
from cryptography.fernet import Fernet
allow_class(Fernet)
from cryptography.hazmat.primitives import hashes
allow_class(hashes)
from cryptography.hazmat.primitives.asymmetric import ec
allow_class(ec)
from cryptography.hazmat.primitives.asymmetric import ed25519
allow_class(ed25519)
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
allow_class(Ed25519PublicKey)
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
allow_class(X25519PrivateKey)
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PublicKey
allow_class(X25519PublicKey)
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
allow_class(HKDF)

This is a sample script for testing:

import base64
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519

json_data = '"data":{"userID":"1234567"}'
signature_key = 'KpHjhW7uQ0N8='
signature = '5mXx/ubEK+BfbgSSq8JwAw=='

# Get the digital signature
digital_signature = base64.b64decode(signature)
pubKey = base64.b64decode(signature_key)
public_key = ed25519.Ed25519PublicKey.from_public_bytes(pubKey)

# Verify signature if the device id has been verified
try:
    public_key.verify(digital_signature, json_data.encode())
    # print("Signature verified")
except Exception as e:
    print(f"An error occurred: {e}")

return(printed)

Note: Obviously the values shown in the example are bogus values for testing. The script itself is fine. I just need to allow access so I can use verify from the ZMI in restricted python.

There are 0 answers