#9641 support for python cryptography 43.0.0
Closed: fixed 5 months ago by frenaud. Opened 6 months ago by slev.

Recently released cryptography 43.0.0 (https://cryptography.io/en/latest/changelog/#v43-0-0)

Added Certificate public_key_algorithm_oid and Certificate Signing Request public_key_algorithm_oid to determine the PublicKeyAlgorithmOID Object Identifier of the public key found inside the certificate.

https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Certificate.public_key_algorithm_oid

This is caught by pylint:

************* Module ipalib.x509
ipalib/x509.py:453: [E0110(abstract-class-instantiated), load_pem_x509_certificate] Abstract class 'IPACertificate' with abstract methods instantiated)
ipalib/x509.py:465: [E0110(abstract-class-instantiated), load_der_x509_certificate] Abstract class 'IPACertificate' with abstract methods instantiated)

and by unit tests, for example:

______________________ test_x509.test_1_load_base64_cert _______________________

self = <ipatests.test_ipalib.test_x509.test_x509 object at 0x7faee8551520>

    def test_1_load_base64_cert(self):
        """
        Test loading a base64-encoded certificate.
        """

        # Load a good cert
>       x509.load_pem_x509_certificate(goodcert_headers)

test_ipalib/test_x509.py:205: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

data = b'-----BEGIN CERTIFICATE-----\nMIICAjCCAWugAwIBAgICBEUwDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeSVBBIFRlc3QgQ2VydGlmaWNhdGU...h6m7TCp0eDgRpo77zNuvd3U4Qpm0Qk+KEjtHQDjNNG6N4ZnCQPmjFPScElvc/GgW7XMbywJy2euF+3/Uip8cnPgSH4=\n-----END CERTIFICATE-----'

    def load_pem_x509_certificate(data):
        """
        Load an X.509 certificate in PEM format.

        :returns: a ``IPACertificate`` object.
        :raises: ``ValueError`` if unable to load the certificate.
        """
>       return IPACertificate(
            crypto_x509.load_pem_x509_certificate(data, backend=default_backend())
        )
E       TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract method 'public_key_algorithm_oid'

../ipalib/x509.py:453: TypeError

Moved TripleDES and ARC4 into Decrepit cryptography and deprecated them in the cipher module. They will be removed from the cipher module in 48.0.0.

causes:

/usr/lib64/python3/site-packages/ipalib/constants.py:380: CryptographyDeprecationWarning: TripleDES has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and will be removed from this module in 48.0.0.

(actually there is other usage of TripleDES in IPA code)

Metadata Update from @ftrivino:
- Issue assigned to ftrivino

6 months ago

Submitted https://github.com/freeipa/freeipa/pull/7469

I am still on vacation this week, so if somebody can take over this and the Fedora updates, it would be great.

master:

  • 3b9ac93 ipalib/x509.py: support Cryptography 43
  • fc57288 ipalib/x509.py: get rid of unicode helper
  • cb008bc ipalib/constants.py: factor out TripleDES use
  • af316dd Get rid of unicode and long helpers in ipa-otptoken-import

ipa-4-12:

  • 531bd05 ipalib/x509.py: support Cryptography 43
  • 7f9c890 ipalib/x509.py: get rid of unicode helper
  • fc02904 ipalib/constants.py: factor out TripleDES use
  • 7b5f3d7 Get rid of unicode and long helpers in ipa-otptoken-import

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 months ago
  • the warning is still here and it's very spammy tbh
  • public_key_algorithm_oid is a property of the underlying Certificate object that is not supposed to be callable (forgot to drop ()?), e.g.
load_pem_x509_certificate(cert).public_key_algorithm_oid
...
    load_pem_x509_certificate(cert).public_key_algorithm_oid
  File "/usr/src/RPM/BUILD/freeipa-4.11.2/ipalib/x509.py", line 304, in public_key_algorithm_oid
    return self._cert.public_key_algorithm_oid()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: 'cryptography.hazmat.bindings._rust.ObjectIdentifier' object is not callable

See for details:
https://github.com/pyca/cryptography/blob/817a1f451508ec8306242ec81a1fba7c75e3e5f1/src/cryptography/x509/base.py#L190-L192
https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Certificate.public_key_algorithm_oid

Metadata Update from @ftrivino:
- Assignee reset

5 months ago

Metadata Update from @rcritten:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue status updated to: Open (was: Closed)

5 months ago

I'll fix up the public_key_algorithm_oid property. I totally missed that and during verification only confirmed that the property was there but didn't call it.

I'll see what I can do about suppressing the TripleDES error. I don't think it will be a problem.
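
An added example (not part of this ticket or of FreeIPA's code) reproducing the two failures discussed above: a wrapper that predates a new abstract member, and a delegating property that calls the underlying value instead of reading it. `Certificate`, `InnerCert`, the wrapper classes and `audit_wrapper` are constructed stand-ins, not the cryptography or ipalib classes.

```python
import abc

class Certificate(abc.ABC):
    """Constructed stand-in for the abstract base class the wrapper subclasses."""
    @property
    @abc.abstractmethod
    def serial_number(self): ...
    @property
    @abc.abstractmethod
    def public_key_algorithm_oid(self): ...  # member added in the newer release

class InnerCert(Certificate):
    """Constructed stand-in for the concrete certificate the loader returns."""
    serial_number = 1093
    public_key_algorithm_oid = "1.2.840.113549.1.1.1"  # rsaEncryption, plain value

class OldWrapper(Certificate):
    """Wrapper written before public_key_algorithm_oid existed."""
    def __init__(self, cert):
        self._cert = cert
    @property
    def serial_number(self):
        return self._cert.serial_number

class BuggyWrapper(OldWrapper):
    @property
    def public_key_algorithm_oid(self):
        return self._cert.public_key_algorithm_oid()  # calls a non-callable value

class FixedWrapper(OldWrapper):
    @property
    def public_key_algorithm_oid(self):
        return self._cert.public_key_algorithm_oid  # plain attribute read

def audit_wrapper(wrapper_cls, inner):
    """Map each abstract member of Certificate to its problem, if any."""
    missing = sorted(wrapper_cls.__abstractmethods__)
    if missing:  # instantiation would raise TypeError, as in the unit test
        return {name: "not implemented" for name in missing}
    obj, problems = wrapper_cls(inner), {}
    for name in sorted(Certificate.__abstractmethods__):
        try:
            getattr(obj, name)  # read the member, do not just check it exists
        except Exception as exc:
            problems[name] = f"{type(exc).__name__}: {exc}"
    return problems

if __name__ == "__main__":
    for cls in (OldWrapper, BuggyWrapper, FixedWrapper):
        print(cls.__name__, audit_wrapper(cls, InnerCert()))
```

A check of this shape in the test suite catches both regressions, because it reads every abstract member through the wrapper rather than only confirming the attribute is defined.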

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-54304

5 months ago

master:

  • 1ef3396 Correct usage of public_key_algorithm_oid in ipalib/x509
  • 2aa4942 Ignore TripleDES python-cryptography import warnings

ipa-4-12:

  • 5cc7941 Correct usage of public_key_algorithm_oid in ipalib/x509
  • d0684a7 Ignore TripleDES python-cryptography import warnings

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 months ago

Metadata Update from @rcritten:
- Custom field changelog adjusted to Added support for python-cryptography up to 43.0.0

5 months ago
