Bug 1873581
Summary: | Rebase python-cryptography to 2.6+ for ed25519 support | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Mauro Oddi <moddi> |
Component: | python-cryptography | Assignee: | Christian Heimes <cheimes> |
Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 8.2 | CC: | amore, cheimes, ipetrova, kchamart, moddi, mwitt, ndehadra, pgm-rhel-tools, sorlov, ssidhaye |
Target Milestone: | rc | Keywords: | Rebase |
Target Release: | 8.4 | Flags: | pm-rhel: mirror+ |
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | python-cryptography-3.2.1-3.el8 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-05-18 14:52:08 UTC | Type: | Feature Request |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1891947, 1907429 | ||
Bug Blocks: | 1668318, 1669539, 1778939, 1889988, 1908879, 2011720, 2011721 |
Description
Mauro Oddi
2020-08-28 16:40:03 UTC
RHEL 8 ships PyCA cryptography 2.3, which does not support ed25519. In order to support ed25519, python-cryptography has to be rebased to 2.6 or newer. Version 2.6 contains some backwards incompatible changes [1], which I would have to revert. I can do a rebase for RHEL 8.4 earliest.

[1] https://cryptography.io/en/latest/changelog/#v2-6

Hi Christian,

Thanks for the confirmation.

Best Regards,
Mauro

You are welcome! Do you need a rebase for 8.4? It would be a good idea to start the rebase process early by filing a rebase request RHBZ with a business case.

I recommend to rebase to either 2.6 (ed25519 support), 2.9 (Poly1305 and fixed rfc4514_string function), or 3.0 (OpenSSH serialization format for private keys).

python-cryptography depends on python-cryptography-vectors for testing. The vector package must be updated in sync. It is an internal development package and not shipped with RHEL.

python-cryptography 2.6 has removed three deprecated features. The features can be easily re-added:

* cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature() and decode_rfc6979_signature() functions. The functions were removed in 2.6. Both are simple aliases for encode_dss_signature() and decode_dss_signature() in the same name space.
* cryptography.hazmat.backends.openssl.x509._Certificate.serial. The property was removed in 2.6. It's a simple alias for Certificate.serial_number.

2.7 removed cryptography.hazmat.primitives.mac.MACContext.

The backwards incompatible change to rfc4514_string() in 2.9 is not an issue for RHEL. The function is not available in RHEL 8 because it was added in 2.5.

3.0 removed support for passing an Extension instance to from_issuer_subject_key_identifier(). This feature can be patched back easily, too.
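Before a rebase across these releases, consumers can be checked for the removed APIs listed above. The following is an added example, not code from this bug report or from python-cryptography; the function name, the notes and the sample source are constructed for illustration, and attribute matches such as `.serial` are heuristics that need manual confirmation.

```python
# Added example: flag uses of the APIs the report lists as removed between
# python-cryptography 2.3 and 3.0. Standard library only.
import ast

# Names removed outright: name -> (release that removed it, note from the report)
REMOVED = {
    "encode_rfc6979_signature": ("2.6", "alias of encode_dss_signature"),
    "decode_rfc6979_signature": ("2.6", "alias of decode_dss_signature"),
    "MACContext": ("2.7", "removed from hazmat.primitives.mac"),
}
# Attribute names that only hint at a problem (assumption: the object type is
# not known statically), so every hit needs manual review.
REVIEW = {
    "serial": ("2.6", "certificate alias of serial_number"),
    "from_issuer_subject_key_identifier": ("3.0", "Extension argument rejected"),
}


def find_removed_api_uses(source, filename="<constructed>"):
    """Return sorted (line, name, removed_in, note) tuples for one source text."""
    hits = set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.ImportFrom):
            if (node.module or "").startswith("cryptography"):
                for alias in node.names:
                    if alias.name in REMOVED:
                        hits.add((node.lineno, alias.name) + REMOVED[alias.name])
        elif isinstance(node, ast.Attribute) and isinstance(node.ctx, ast.Load):
            info = REMOVED.get(node.attr) or REVIEW.get(node.attr)
            if info:
                hits.add((node.lineno, node.attr) + info)
    return sorted(hits)


# Constructed sample of downstream code written against 2.3.
SAMPLE = '''\
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_rfc6979_signature, encode_dss_signature)
from cryptography.hazmat.primitives import mac

def describe(cert, sig):
    r, s = decode_rfc6979_signature(sig)
    return cert.serial, isinstance(sig, mac.MACContext), encode_dss_signature(r, s)
'''

if __name__ == "__main__":
    for line, name, version, note in find_removed_api_uses(SAMPLE):
        print(f"line {line}: {name} (removed in {version}; {note})")
```
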
Using version:
python3-cryptography-3.2.1-1.el8.x86_64
ipa-server-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64

Sanity check performed by executing:
bash: ipa-getcert
pytest: ipa-getcert
pytest: ipa-cert

2020-12-17T08:32:26 [ci-vm-10-0-153-197.h] | ipa-client-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.x86_64
2020-12-17T08:32:26 [ci-vm-10-0-153-197.h] | ipa-client-common-4.9.0-0.5.rc3.module+el8.4.0+9124+ced20601.noarch
2020-12-17T08:32:26 [ci-vm-10-0-153-197.h] | sssd-ipa-2.4.0-3.el8.x86_64
2020-12-17T08:32:26 [ci-vm-10-0-153-197.h] ------------------------------------------------------------------------------------------
2020-12-17T08:32:26 [ci-vm-10-0-153-197.h] +-----------------------------------------------------------------------------------------+
2020-12-17T08:32:26 [ci-vm-10-0-153-197.h] Test:[/ipa-server/rhel80/ipa-getcert/root]: [ Pass(242/242): 100% ]
2020-12-17T08:32:26 [ci-vm-10-0-153-197.h] +-----------------------------------------------------------------------------------------+

2020-12-17T08:47:47+0000 --------- generated xml file: /home/jenkins/tews/ipa-getcert/junit.xml ---------
2020-12-17T08:47:47+0000 ---- generated html file: file:///home/jenkins/tews/ipa-getcert/report.html ----
2020-12-17T08:47:47+0000 ========================== 1 passed in 323.62 seconds ==========================

2020-12-17T08:45:42+0000 ---------- generated xml file: /home/jenkins/tews/ipa-cert/junit.xml -----------
2020-12-17T08:45:42+0000 ----- generated html file: file:///home/jenkins/tews/ipa-cert/report.html ------
2020-12-17T08:45:42+0000 ========================== 3 passed in 397.12 seconds ==========================

Based on this marking bug as verified.

*** Bug 1669539 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: python-cryptography security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1608

*** Bug 2011720 has been marked as a duplicate of this bug. ***

*** Bug 2003742 has been marked as a duplicate of this bug. ***