Bug 1476150

Summary: Custodia does not work in Python 3
Product: [Fedora] Fedora Reporter: Standa Laznicka <slaznick>
Component: python-jwcryptoAssignee: Patrick Uiterwijk <puiterwijk>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 26CC: cheimes, pcech, puiterwijk, slaznick, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-03 13:54:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Standa Laznicka 2017-07-28 07:09:34 UTC 
Description of problem:
When using the KEMClient from the custodia.message.kem, it's impossible to get KEMClient.parse_reply() working since its second positional argument throws exception when either bytes or string instance is passed to it.


Version-Release number of selected component (if applicable):
custodia-0.5.0-1.fc26.noarch

How reproducible:
Always

Steps to Reproduce:
1. Have your own KEMClient set up and get yourself a reply from custodia
2a. Try to parse the reply using KEMClient.parse_reply()
2b. Try to parse the raw reply (bytes) using KEMClient.parse_reply()

Actual results:
str passed as the second argument:
```  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 221, in parse_reply
    self.server_keys[KEY_USAGE_SIG])
  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 245, in decode_enc_kem
    jwe = JWT(jwt=message, key=enc_key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 204, in __init__
    self.deserialize(jwt, key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 460, in deserialize
    self.token.deserialize(jwt, key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwe.py", line 1239, in deserialize
    raise InvalidJWEData('Invalid format', repr(e))
```


bytes passed:
```
  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 221, in parse_reply
    self.server_keys[KEY_USAGE_SIG])
  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 245, in decode_enc_kem
    jwe = JWT(jwt=message, key=enc_key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 204, in __init__
    self.deserialize(jwt, key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 443, in deserialize
    c = jwt.count('.')
```
Expected results: 
The string or bytes or whatever needs to be passed to the parse_reply() method get properly parsed.

Additional info:
This happens during FreeIPA ipa-replica-install on domain level 1 which for me is the easiest way to reproduce this. Contact me for a patched version of FreeIPA which would allow you getting to the spot if you need.

Note that this is BLOCKING FreeIPA Python 3 adoption in Fedora 27, thus the severity.
Comment 2 Christian Heimes 2017-07-31 15:05:12 UTC 
I found and fixes a couple of Python 3 issues, see https://github.com/freeipa/freeipa/pull/946. However I'm unable to reproduce the exact error that you are running into. In my tests I'm using python3-ipaserver-4.5.3-1.fc26 + fixes from PR 946.
Comment 3 Standa Laznicka 2017-08-01 06:24:09 UTC 
Christian,

I should have noted this before - try running the script with the `-bb` switch.
Comment 4 Christian Heimes 2017-08-01 08:49:40 UTC 
I'm able to reproduce the problem with -bb switch. It's a bug in jwcrypto. At some point it compares bytes with str. I filed https://github.com/latchset/jwcrypto/pull/84/commits/61825d34594bde12d018865afb36ff4391430ef7 to address the issue.
Comment 5 Christian Heimes 2017-08-01 16:05:24 UTC 
I have released python-jwcrypto 0.4.2. It contains the fix fix https://github.com/latchset/jwcrypto/commit/323327b688e4d1c969a3eb8d3e571454071c9e2e which addresses the Python 3 bytes/str comparison bugs. The latest release uses -bb to check for further issues and is tested with Python 3.6, too.

I'm going to release new versions for Fedora 26 and 27 next.
Comment 6 Fedora Update System 2017-08-01 16:17:40 UTC 
python-jwcrypto-0.4.2-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f21978b7d8
Comment 7 Christian Heimes 2017-08-01 16:19:52 UTC 
Stanislav, I have pushed 0.4.2 to F27 and requested an upgrade for F26. Please test the upgrade and give karma.
Comment 8 Fedora Update System 2017-08-02 08:16:08 UTC 
python-jwcrypto-0.4.2-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c25388f731
Comment 9 Fedora Update System 2017-08-02 11:04:45 UTC 
python-jwcrypto-0.4.2-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8bc93b5692
Comment 10 Fedora Update System 2017-08-02 21:55:09 UTC 
python-jwcrypto-0.4.2-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8bc93b5692
Comment 11 Fedora Update System 2017-08-03 00:53:14 UTC 
python-jwcrypto-0.4.2-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c25388f731
Comment 13 Standa Laznicka 2017-08-04 05:35:03 UTC 
Tested and added the karma.