authorJeff Forcier <jeff@bitprophet.org>2018-09-18 14:10:39 -0700
committerJeff Forcier <jeff@bitprophet.org>2018-09-18 14:19:10 -0700
commit35b1f577f12ae9c21ca17f888a41757317bb27ff (patch)
tree3db505fade672c332a83adc952c4d7ee01e0459d
parent40fde0e007cc14c5ec3784da5094db0963977ccb (diff)
downloadparamiko-crypto-1.5-agnostisicm.tar.gz
Backport support for newer cryptography sign/verify APIs.crypto-1.5-agnostisicm
Implements #1292.
-rw-r--r--paramiko/dsskey.py21
-rw-r--r--paramiko/ecdsakey.py21
-rw-r--r--paramiko/rsakey.py27
-rw-r--r--sites/www/changelog.rst14
4 files changed, 61 insertions, 22 deletions
diff --git a/paramiko/dsskey.py b/paramiko/dsskey.py
index 489e08f0..7139daf5 100644
--- a/paramiko/dsskey.py
+++ b/paramiko/dsskey.py
@@ -118,9 +118,14 @@ class DSSKey(PKey):
),
),
).private_key(backend=default_backend())
- signer = key.signer(hashes.SHA1())
- signer.update(data)
- r, s = decode_dss_signature(signer.finalize())
+ algo = hashes.SHA1()
+ if hasattr(key, "sign"): # Cryptography 1.5+
+ sig = key.sign(data, algo)
+ else:
+ signer = key.signer(algo)
+ signer.update(data)
+ sig = signer.finalize()
+ r, s = decode_dss_signature(sig)
m = Message()
m.add_string("ssh-dss")
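Review bot: The `hasattr(key, "sign")` probe is explained only by the trailing `# Cryptography 1.5+` comment in this hunk, while the same duck-typing is repeated without any comment in the DSS verify hunk and in every ecdsakey.py and rsakey.py hunk. A reader of those sites cannot tell why two code paths exist or when the `else` branch can be deleted. I would put the same comment at each probe, for example `# Cryptography 1.5+ one-shot API; else fall back to the deprecated signer()/verifier() contexts`, or move the dispatch into one private helper shared by the three key classes. The enclosing method starts and ends outside this hunk.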
@@ -156,10 +161,14 @@ class DSSKey(PKey):
p=self.p, q=self.q, g=self.g
),
).public_key(backend=default_backend())
- verifier = key.verifier(signature, hashes.SHA1())
- verifier.update(data)
+ algo = hashes.SHA1()
try:
- verifier.verify()
+ if hasattr(key, "verify"):
+ key.verify(signature, data, algo)
+ else:
+ verifier = key.verifier(signature, algo)
+ verifier.update(data)
+ verifier.verify()
except InvalidSignature:
return False
else:
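Review bot: The `try` block now covers the `hasattr` dispatch and the `key.verifier(...)` construction as well as the verify call, and nothing states that `InvalidSignature` is the only exception meant to become `return False`. Since this is the signature check, both branches must fail the same way; a comment above the `except` such as `# only InvalidSignature means "bad signature"; any other error propagates` would pin that intent. The legacy `else` branch presumably runs only against Cryptography releases older than 1.5, so it stays uncovered unless the tests are also run against such a release with a tampered signature. The same applies to the verify hunks in ecdsakey.py and rsakey.py; the method's start and end lie outside this hunk.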
diff --git a/paramiko/ecdsakey.py b/paramiko/ecdsakey.py
index b6c00f6f..0f8c8994 100644
--- a/paramiko/ecdsakey.py
+++ b/paramiko/ecdsakey.py
@@ -195,9 +195,12 @@ class ECDSAKey(PKey):
def sign_ssh_data(self, data):
ecdsa = ec.ECDSA(self.ecdsa_curve.hash_object())
- signer = self.signing_key.signer(ecdsa)
- signer.update(data)
- sig = signer.finalize()
+ if hasattr(self.signing_key, "sign"):
+ sig = self.signing_key.sign(data, ecdsa)
+ else:
+ signer = self.signing_key.signer(ecdsa)
+ signer.update(data)
+ sig = signer.finalize()
r, s = decode_dss_signature(sig)
m = Message()
@@ -212,12 +215,14 @@ class ECDSAKey(PKey):
sigR, sigS = self._sigdecode(sig)
signature = encode_dss_signature(sigR, sigS)
- verifier = self.verifying_key.verifier(
- signature, ec.ECDSA(self.ecdsa_curve.hash_object())
- )
- verifier.update(data)
+ algo = ec.ECDSA(self.ecdsa_curve.hash_object())
try:
- verifier.verify()
+ if hasattr(self.verifying_key, "verify"):
+ self.verifying_key.verify(signature, data, algo)
+ else:
+ verifier = self.verifying_key.verifier(signature, algo)
+ verifier.update(data)
+ verifier.verify()
except InvalidSignature:
return False
else:
diff --git a/paramiko/rsakey.py b/paramiko/rsakey.py
index 7e8f101c..31bb4716 100644
--- a/paramiko/rsakey.py
+++ b/paramiko/rsakey.py
@@ -112,11 +112,13 @@ class RSAKey(PKey):
return isinstance(self.key, rsa.RSAPrivateKey)
def sign_ssh_data(self, data):
- signer = self.key.signer(
- padding=padding.PKCS1v15(), algorithm=hashes.SHA1()
- )
- signer.update(data)
- sig = signer.finalize()
+ kwargs = dict(padding=padding.PKCS1v15(), algorithm=hashes.SHA1())
+ if hasattr(self.key, "sign"):
+ sig = self.key.sign(data, **kwargs)
+ else:
+ signer = self.key.signer(**kwargs)
+ signer.update(data)
+ sig = signer.finalize()
m = Message()
m.add_string("ssh-rsa")
@@ -130,14 +132,23 @@ class RSAKey(PKey):
if isinstance(key, rsa.RSAPrivateKey):
key = key.public_key()
- verifier = key.verifier(
+ kwargs = dict(
signature=msg.get_binary(),
padding=padding.PKCS1v15(),
algorithm=hashes.SHA1(),
)
- verifier.update(data)
try:
- verifier.verify()
+ if hasattr(key, "verify"):
+ key.verify(
+ kwargs["signature"],
+ data,
+ kwargs["padding"],
+ kwargs["algorithm"],
+ )
+ else:
+ verifier = key.verifier(**kwargs)
+ verifier.update(data)
+ verifier.verify()
except InvalidSignature:
return False
else:
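Review bot: The `kwargs` dict in this hunk is built with three keys and then taken apart again by key for the `key.verify(...)` call, so it only helps the legacy branch and makes the new-API call harder to read. Plain locals serve both branches: `sig, pad, algo = msg.get_binary(), padding.PKCS1v15(), hashes.SHA1()`, then `key.verify(sig, data, pad, algo)` and `key.verifier(signature=sig, padding=pad, algorithm=algo)`. That also matches the `algo` local the DSS and ECDSA verify hunks already use. The method begins before this hunk and continues after it.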
diff --git a/sites/www/changelog.rst b/sites/www/changelog.rst
index 3b1a9467..b00f03f0 100644
--- a/sites/www/changelog.rst
+++ b/sites/www/changelog.rst
@@ -2,6 +2,20 @@
Changelog
=========
+- :support:`1292 backported` Backport changes from :issue:`979` (added in
+ Paramiko 2.3) to Paramiko 2.0-2.2, using duck-typing to preserve backwards
+ compatibility. This allows these older versions to use newer Cryptography
+ sign/verify APIs when available, without requiring them (as is the case with
+ Paramiko 2.3+).
+
+ Practically speaking, this change prevents spamming of
+ ``CryptographyDeprecationWarning`` notices which pop up in the above scenario
+ (older Paramiko, newer Cryptography).
+
+ .. note::
+ This is a no-op for Paramiko 2.3+, which have required newer Cryptography
+ releases since they were released.
+
- :support:`1291 backported` Backport pytest support and application of the
``black`` code formatter (both of which previously only existed in the 2.4
branch and above) to everything 2.0 and newer. This makes back/forward