MD5 - set usedforsecurity-parameter for all uses (#5190)

moto/cognitoidp/models.py

@@ -1,5 +1,4 @@
 import datetime
-import hashlib
 import json
 import os
 import time
@@ -31,6 +30,7 @@ from .utils import (
     PAGINATION_MODEL,
 )
 from moto.utilities.paginator import paginate
+from moto.utilities.utils import md5_hash
 
 
 class UserStatus(str, enum.Enum):
@@ -595,11 +595,11 @@ class CognitoIdpUserPoolDomain(BaseModel):
 
     def _distribution_name(self):
         if self.custom_domain_config and "CertificateArn" in self.custom_domain_config:
-            unique_hash = hashlib.md5(
+            unique_hash = md5_hash(
                 self.custom_domain_config["CertificateArn"].encode("utf-8")
             ).hexdigest()
             return f"{unique_hash[:16]}.cloudfront.net"
-        unique_hash = hashlib.md5(self.user_pool_id.encode("utf-8")).hexdigest()
+        unique_hash = md5_hash(self.user_pool_id.encode("utf-8")).hexdigest()
         return f"{unique_hash[:16]}.amazoncognito.com"
 
     def to_json(self, extended=True):

moto/ec2/utils.py

@@ -1,5 +1,4 @@
 import base64
-import hashlib
 import fnmatch
 import random
 import re
@@ -12,6 +11,7 @@ from cryptography.hazmat.primitives.asymmetric import rsa
 
 from moto.core import get_account_id
 from moto.iam import iam_backends
+from moto.utilities.utils import md5_hash
 
 EC2_RESOURCE_TO_PREFIX = {
     "customer-gateway": "cgw",
@@ -651,7 +651,7 @@ def rsa_public_key_fingerprint(rsa_public_key):
         encoding=serialization.Encoding.DER,
         format=serialization.PublicFormat.SubjectPublicKeyInfo,
     )
-    fingerprint_hex = hashlib.md5(key_data).hexdigest()
+    fingerprint_hex = md5_hash(key_data).hexdigest()
     fingerprint = re.sub(r"([a-f0-9]{2})(?!$)", r"\1:", fingerprint_hex)
     return fingerprint
 

moto/efs/models.py

@@ -7,7 +7,6 @@ https://docs.aws.amazon.com/efs/latest/ug/whatisefs.html
 import json
 import time
 from copy import deepcopy
-from hashlib import md5
 
 from moto.core import get_account_id, BaseBackend, BaseModel, CloudFormationModel
 from moto.core.utils import (
@@ -32,6 +31,7 @@ from moto.efs.exceptions import (
     SecurityGroupLimitExceeded,
 )
 from moto.utilities.tagging_service import TaggingService
+from moto.utilities.utils import md5_hash
 
 
 def _lookup_az_id(az_name):
@@ -382,7 +382,7 @@ class EFSBackend(BaseBackend):
         if max_items < len(corpus):
             new_corpus = corpus[max_items:]
             new_corpus_dict = [c.info_json() for c in new_corpus]
-            new_hash = md5(json.dumps(new_corpus_dict).encode("utf-8"))
+            new_hash = md5_hash(json.dumps(new_corpus_dict).encode("utf-8"))
             next_marker = new_hash.hexdigest()
             self.next_markers[next_marker] = new_corpus
         else:

moto/glacier/models.py

@@ -4,6 +4,7 @@ import datetime
 
 from moto.core import get_account_id, BaseBackend, BaseModel
 from moto.core.utils import BackendDict
+from moto.utilities.utils import md5_hash
 
 from .utils import get_job_id
 
@@ -117,7 +118,7 @@ class Vault(BaseModel):
         return d
 
     def create_archive(self, body, description):
-        archive_id = hashlib.md5(body).hexdigest()
+        archive_id = md5_hash(body).hexdigest()
         self.archives[archive_id] = {}
         self.archives[archive_id]["archive_id"] = archive_id
         self.archives[archive_id]["body"] = body

moto/iam/models.py

@@ -1,5 +1,4 @@
 import base64
-import hashlib
 import os
 import random
 import string
@@ -22,6 +21,7 @@ from moto.core.utils import (
     iso_8601_datetime_with_milliseconds,
 )
 from moto.iam.policy_validation import IAMPolicyDocumentValidator
+from moto.utilities.utils import md5_hash
 
 from .aws_managed_policies import aws_managed_policies_data
 from .exceptions import (
@@ -1014,7 +1014,7 @@ class SshPublicKey(BaseModel):
         self.user_name = user_name
         self.ssh_public_key_body = ssh_public_key_body
         self.ssh_public_key_id = "APKA" + random_access_key()
-        self.fingerprint = hashlib.md5(ssh_public_key_body.encode()).hexdigest()
+        self.fingerprint = md5_hash(ssh_public_key_body.encode()).hexdigest()
         self.status = "Active"
         self.upload_date = datetime.utcnow()
 

moto/kinesis/models.py

@@ -4,12 +4,12 @@ import re
 import itertools
 
 from operator import attrgetter
-from hashlib import md5
 
 from moto.core import BaseBackend, BaseModel, CloudFormationModel
 from moto.core.utils import unix_time, BackendDict
 from moto.core import get_account_id
 from moto.utilities.paginator import paginate
+from moto.utilities.utils import md5_hash
 from .exceptions import (
     ConsumerNotFound,
     StreamNotFoundError,
@@ -363,7 +363,7 @@ class Stream(CloudFormationModel):
                 raise InvalidArgumentError("explicit_hash_key")
 
         else:
-            key = int(md5(partition_key.encode("utf-8")).hexdigest(), 16)
+            key = int(md5_hash(partition_key.encode("utf-8")).hexdigest(), 16)
 
         for shard in self.shards.values():
             if shard.starting_hash <= key < shard.ending_hash:

moto/s3/models.py

@@ -2,7 +2,6 @@ import json
 import os
 import base64
 import datetime
-import hashlib
 import copy
 import itertools
 import codecs
@@ -33,7 +32,7 @@ from moto.core.utils import (
 )
 from moto.cloudwatch.models import MetricDatum
 from moto.utilities.tagging_service import TaggingService
-from moto.utilities.utils import LowercaseDict
+from moto.utilities.utils import LowercaseDict, md5_hash
 from moto.s3.exceptions import (
     AccessDeniedByLock,
     BucketAlreadyExists,
@@ -213,7 +212,7 @@ class FakeKey(BaseModel):
     @property
     def etag(self):
         if self._etag is None:
-            value_md5 = hashlib.md5()
+            value_md5 = md5_hash()
             self._value_buffer.seek(0)
             while True:
                 block = self._value_buffer.read(16 * 1024 * 1024)  # read in 16MB chunks
@@ -376,7 +375,7 @@ class FakeMultipart(BaseModel):
         if count == 0:
             raise MalformedXML
 
-        etag = hashlib.md5()
+        etag = md5_hash()
         etag.update(bytes(md5s))
         return total, "{0}-{1}".format(etag.hexdigest(), count)
 

moto/sqs/models.py

@@ -20,6 +20,7 @@ from moto.core.utils import (
     tags_from_cloudformation_tags_list,
     BackendDict,
 )
+from moto.utilities.utils import md5_hash
 from .utils import generate_receipt_handle
 from .exceptions import (
     MessageAttributesInvalid,
@@ -85,14 +86,14 @@ class Message(BaseModel):
 
     @property
     def body_md5(self):
-        md5 = hashlib.md5()
+        md5 = md5_hash()
         md5.update(self._body.encode("utf-8"))
         return md5.hexdigest()
 
     @property
     def attribute_md5(self):
 
-        md5 = hashlib.md5()
+        md5 = md5_hash()
 
         for attrName in sorted(self.message_attributes.keys()):
             self.validate_attribute_name(attrName)

moto/utilities/utils.py

@@ -1,4 +1,5 @@
 import json
+import hashlib
 import random
 import string
 import pkgutil
@@ -57,6 +58,19 @@ def filter_resources(resources, filters, attr_pairs):
     return result
 
 
+def md5_hash(data=None):
+    """
+    MD5-hashing for non-security usecases.
+    Required for Moto to work in FIPS-enabled systems
+    """
+    args = (data,) if data else ()
+    try:
+        return hashlib.md5(*args, usedforsecurity=False)
+    except TypeError:
+        # The usedforsecurity-parameter is only available as of Python 3.9
+        return hashlib.md5(*args)
+
+
 class LowercaseDict(MutableMapping):
     """A dictionary that lowercases all keys"""