fix: #1108 - Replace ecdsa with cryptography

dacevedo12 · dacevedo12 · commit 9b875714c0bc · 2025-08-06T11:10:10.000-05:00
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -26,7 +26,7 @@ We welcome direct contributions to the sendgrid-python code base. Thank you!
 
 - Python version 2.7, 3.5, 3.6, 3.7, or 3.8
 - [python_http_client](https://github.com/sendgrid/python-http-client)
-- [ecdsa_python](https://github.com/starkbank/ecdsa-python)
+- [cryptography](https://github.com/pyca/cryptography)
 - [pyenv](https://github.com/yyuu/pyenv)
 - [tox](https://pypi.python.org/pypi/tox)
 
diff --git a/README.md b/README.md
@@ -70,7 +70,7 @@ pip install sendgrid
 ## Dependencies
 
 - [Python-HTTP-Client](https://github.com/sendgrid/python-http-client)
-- [ECDSA-Python](https://github.com/starkbank/ecdsa-python)
+- [Cryptography](https://github.com/pyca/cryptography)
 
 
 <a name="quick-start"></a>
diff --git a/README.rst b/README.rst
@@ -90,7 +90,7 @@ Dependencies
 ------------
 
 -  `Python-HTTP-Client`_
--  `ECDSA-Python`_
+-  `Cryptography`_
 
 Quick Start
 ===========
@@ -259,7 +259,7 @@ License
 .. _Twilio account: https://www.twilio.com/try-twilio?source=sendgrid-python
 .. _SENDGRID_API_KEY: https://app.sendgrid.com/settings/api_keys
 .. _Python-HTTP-Client: https://github.com/sendgrid/python-http-client
-.. _ECDSA-Python: https://github.com/starkbank/ecdsa-python
+.. _Cryptography: https://github.com/pyca/cryptography
 .. _/mail/send Helper: https://github.com/sendgrid/sendgrid-python/tree/HEAD/sendgrid/helpers/mail
 .. _personalization object: https://sendgrid.com/docs/Classroom/Send/v3_Mail_Send/personalizations.html
 .. _Fluent Interface: https://sendgrid.com/blog/using-python-to-implement-a-fluent-interface-to-any-rest-api/
diff --git a/requirements.txt b/requirements.txt
@@ -2,5 +2,5 @@ Flask==3.1.0
 PyYAML>=4.2b1
 python-http-client>=3.2.1
 six==1.17.0
-ecdsa>=0.19.1,<1
+cryptography>=45.0.6
 more-itertools==5.0.0
diff --git a/sendgrid/helpers/eventwebhook/__init__.py b/sendgrid/helpers/eventwebhook/__init__.py
@@ -1,8 +1,8 @@
-from ecdsa import VerifyingKey, BadSignatureError
-from ecdsa.util import sigdecode_der
+from cryptography.exceptions import InvalidSignature
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.primitives.serialization import load_pem_public_key
 import base64
-import hashlib
-from .eventwebhook_header import EventWebhookHeader
 
 class EventWebhook:
     """
@@ -20,15 +20,15 @@ def __init__(self, public_key=None):
 
     def convert_public_key_to_ecdsa(self, public_key):
         """
-        Convert the public key string to a VerifyingKey object.
+        Convert the public key string to a EllipticCurvePublicKey object.
 
         :param public_key: verification key under Mail Settings
         :type public_key string
-        :return: VerifyingKey object using the ECDSA algorithm
-        :rtype VerifyingKey
+        :return: EllipticCurvePublicKey object using the ECDSA algorithm
+        :rtype EllipticCurvePublicKey
         """
         pem_key = "-----BEGIN PUBLIC KEY-----\n" + public_key + "\n-----END PUBLIC KEY-----"
-        return VerifyingKey.from_pem(pem_key)
+        return load_pem_public_key(pem_key.encode("utf-8"))
 
     def verify_signature(self, payload, signature, timestamp, public_key=None):
         """
@@ -41,15 +41,15 @@ def verify_signature(self, payload, signature, timestamp, public_key=None):
         :param timestamp: value obtained from the 'X-Twilio-Email-Event-Webhook-Timestamp' header
         :type timestamp: string
         :param public_key: elliptic curve public key
-        :type public_key: VerifyingKey
+        :type public_key: EllipticCurvePublicKey
         :return: true or false if signature is valid
         """
         timestamped_payload = (timestamp + payload).encode('utf-8')
         decoded_signature = base64.b64decode(signature)
 
         key = public_key or self.public_key
         try:
-            key.verify(decoded_signature, timestamped_payload, hashfunc=hashlib.sha256, sigdecode=sigdecode_der)
+            key.verify(decoded_signature, timestamped_payload, ec.ECDSA(hashes.SHA256()))
             return True
-        except BadSignatureError:
+        except InvalidSignature:
             return False
diff --git a/setup.py b/setup.py
@@ -10,7 +10,7 @@
 def getRequires():
     deps = [
         'python_http_client>=3.2.1',
-        'ecdsa>=0.19.1,<1',
+        'cryptography>=45.0.6',
         "werkzeug>=0.11.15,<1.0.0 ; python_version < '3.0'",
         "werkzeug>=0.15.0,<2.0.0 ; python_version >= '3.0' and python_version < '3.7'",
         "werkzeug>=0.15.0,<2.3.0 ; python_version >= '3.0' and python_version < '3.8'", # version 2.3.0 dropped support for Python 3.7
