Bug 1476150 - Custodia does not work in Python 3
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: python-jwcrypto
Version: 26
Severity: urgent
Assigned To: Patrick Uiterwijk
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-07-28 03:09 EDT by Stanislav Laznicka
Modified: 2017-11-03 09:54 EDT
Last Closed: 2017-11-03 09:54:08 EDT
Type: Bug


Description Stanislav Laznicka 2017-07-28 03:09:34 EDT
Description of problem:
When using the KEMClient from custodia.message.kem, it's impossible to get KEMClient.parse_reply() working since its second positional argument throws an exception when either a bytes or a string instance is passed to it.


Version-Release number of selected component (if applicable):
custodia-0.5.0-1.fc26.noarch

How reproducible:
Always

Steps to Reproduce:
1. Have your own KEMClient set up and get yourself a reply from custodia
2a. Try to parse the reply using KEMClient.parse_reply()
2b. Try to parse the raw reply (bytes) using KEMClient.parse_reply()

Actual results:
str passed as the second argument:
```
  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 221, in parse_reply
    self.server_keys[KEY_USAGE_SIG])
  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 245, in decode_enc_kem
    jwe = JWT(jwt=message, key=enc_key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 204, in __init__
    self.deserialize(jwt, key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 460, in deserialize
    self.token.deserialize(jwt, key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwe.py", line 1239, in deserialize
    raise InvalidJWEData('Invalid format', repr(e))
```


bytes passed:
```
  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 221, in parse_reply
    self.server_keys[KEY_USAGE_SIG])
  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 245, in decode_enc_kem
    jwe = JWT(jwt=message, key=enc_key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 204, in __init__
    self.deserialize(jwt, key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 443, in deserialize
    c = jwt.count('.')
```
Expected results: 
The string or bytes or whatever needs to be passed to the parse_reply() method gets properly parsed.

Additional info:
This happens during FreeIPA ipa-replica-install on domain level 1, which for me is the easiest way to reproduce this. Contact me for a patched version of FreeIPA which would allow you to get to the spot if you need it.

Note that this is BLOCKING FreeIPA Python 3 adoption in Fedora 27, thus the severity.
Comment 2 Christian Heimes 2017-07-31 11:05:12 EDT
I found and fixed a couple of Python 3 issues, see https://github.com/freeipa/freeipa/pull/946. However, I'm unable to reproduce the exact error that you are running into. In my tests I'm using python3-ipaserver-4.5.3-1.fc26 + fixes from PR 946.
Comment 3 Stanislav Laznicka 2017-08-01 02:24:09 EDT
Christian,

I should have noted this before - try running the script with the `-bb` switch.
Comment 4 Christian Heimes 2017-08-01 04:49:40 EDT
I'm able to reproduce the problem with the -bb switch. It's a bug in jwcrypto. At some point it compares bytes with str. I filed https://github.com/latchset/jwcrypto/pull/84/commits/61825d34594bde12d018865afb36ff4391430ef7 to address the issue.
Comment 5 Christian Heimes 2017-08-01 12:05:24 EDT
I have released python-jwcrypto 0.4.2. It contains the fix https://github.com/latchset/jwcrypto/commit/323327b688e4d1c969a3eb8d3e571454071c9e2e which addresses the Python 3 bytes/str comparison bugs. The latest release uses -bb to check for further issues and is tested with Python 3.6, too.

I'm going to release new versions for Fedora 26 and 27 next.
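
The two failure modes discussed in this report (a bytes/str comparison that only surfaces under `-bb`, and `jwt.count('.')` called on bytes), shown as an added example that is not code from jwcrypto, Custodia or FreeIPA. The names `run_compare`, `count_parts_unsafe`, `normalize_token`, `count_parts`, the sample token and the `RSA-OAEP` literal are hypothetical and constructed for illustration.

```python
import subprocess
import sys

# Constructed sample: a token shaped like a compact serialization (5 parts).
SAMPLE_TOKEN = "aGVhZGVy.a2V5.aXY.Y2lwaGVydGV4dA.dGFn"


def run_compare(flags):
    """Compare bytes with str in a child interpreter started with `flags`.

    Returns (exit_code, stderr): without -bb the comparison is silently
    False; with -bb Python raises BytesWarning and the child exits non-zero.
    """
    code = "alg = b'RSA-OAEP'; print(alg == 'RSA-OAEP')"  # constructed values
    proc = subprocess.run([sys.executable, *flags, "-c", code],
                          capture_output=True, text=True)
    return proc.returncode, proc.stderr


def count_parts_unsafe(token):
    """Same call shape as the second traceback: token.count('.')."""
    return token.count('.') + 1  # TypeError in Python 3 when token is bytes


def normalize_token(token):
    """Accept bytes or str at the API boundary and always return str.

    Compact tokens are base64url text plus dots, so strict ASCII decoding
    rejects input that could not be a valid token anyway.
    """
    if isinstance(token, bytes):
        return token.decode("ascii")
    if isinstance(token, str):
        return token
    raise TypeError("token must be bytes or str, got " + type(token).__name__)


def count_parts(token):
    return normalize_token(token).count('.') + 1


if __name__ == "__main__":
    print("default:", run_compare([]))
    print("-bb    :", run_compare(["-bb"]))
    try:
        count_parts_unsafe(SAMPLE_TOKEN.encode())
    except TypeError as exc:
        print("bytes.count('.') ->", exc)
    print("parts after normalizing:", count_parts(SAMPLE_TOKEN.encode()))
```

Running a test suite under `python -bb` turns every silent bytes/str comparison into a hard failure, which is how such mismatches are caught before they change parsing decisions.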
Comment 6 Fedora Update System 2017-08-01 12:17:40 EDT
python-jwcrypto-0.4.2-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f21978b7d8
Comment 7 Christian Heimes 2017-08-01 12:19:52 EDT
Stanislav, I have pushed 0.4.2 to F27 and requested an upgrade for F26. Please test the upgrade and give karma.
Comment 8 Fedora Update System 2017-08-02 04:16:08 EDT
python-jwcrypto-0.4.2-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c25388f731
Comment 9 Fedora Update System 2017-08-02 07:04:45 EDT
python-jwcrypto-0.4.2-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8bc93b5692
Comment 10 Fedora Update System 2017-08-02 17:55:09 EDT
python-jwcrypto-0.4.2-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8bc93b5692
Comment 11 Fedora Update System 2017-08-02 20:53:14 EDT
python-jwcrypto-0.4.2-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c25388f731
Comment 13 Stanislav Laznicka 2017-08-04 01:35:03 EDT
Tested and added the karma.
