Bug 1476150 - Custodia does not work in Python 3
Summary: Custodia does not work in Python 3
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-jwcrypto
Version: 26
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Patrick Uiterwijk
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-07-28 07:09 UTC by Standa Laznicka
Modified: 2017-11-03 13:54 UTC (History)
Last Closed: 2017-11-03 13:54:08 UTC



Description Standa Laznicka 2017-07-28 07:09:34 UTC
Description of problem:
When using the KEMClient from custodia.message.kem, it's impossible to get KEMClient.parse_reply() working since its second positional argument throws an exception when either a bytes or a string instance is passed to it.


Version-Release number of selected component (if applicable):
custodia-0.5.0-1.fc26.noarch

How reproducible:
Always

Steps to Reproduce:
1. Have your own KEMClient set up and get yourself a reply from custodia
2a. Try to parse the reply using KEMClient.parse_reply()
2b. Try to parse the raw reply (bytes) using KEMClient.parse_reply()

Actual results:
str passed as the second argument:
```
  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 221, in parse_reply
    self.server_keys[KEY_USAGE_SIG])
  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 245, in decode_enc_kem
    jwe = JWT(jwt=message, key=enc_key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 204, in __init__
    self.deserialize(jwt, key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 460, in deserialize
    self.token.deserialize(jwt, key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwe.py", line 1239, in deserialize
    raise InvalidJWEData('Invalid format', repr(e))
```


bytes passed:
```
  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 221, in parse_reply
    self.server_keys[KEY_USAGE_SIG])
  File "/usr/lib/python3.6/site-packages/custodia/message/kem.py", line 245, in decode_enc_kem
    jwe = JWT(jwt=message, key=enc_key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 204, in __init__
    self.deserialize(jwt, key)
  File "/usr/lib/python3.6/site-packages/jwcrypto/jwt.py", line 443, in deserialize
    c = jwt.count('.')
```
Expected results: 
The string or bytes or whatever needs to be passed to the parse_reply() method gets properly parsed.

Additional info:
This happens during FreeIPA ipa-replica-install on domain level 1, which for me is the easiest way to reproduce this. Contact me for a patched version of FreeIPA which would allow you to get to the spot if you need it.

Note that this is BLOCKING FreeIPA Python 3 adoption in Fedora 27, thus the severity.

Comment 2 Christian Heimes 2017-07-31 15:05:12 UTC
I found and fixed a couple of Python 3 issues, see https://github.com/freeipa/freeipa/pull/946. However, I'm unable to reproduce the exact error that you are running into. In my tests I'm using python3-ipaserver-4.5.3-1.fc26 + fixes from PR 946.

Comment 3 Standa Laznicka 2017-08-01 06:24:09 UTC
Christian,

I should have noted this before - try running the script with the `-bb` switch.

Comment 4 Christian Heimes 2017-08-01 08:49:40 UTC
I'm able to reproduce the problem with -bb switch. It's a bug in jwcrypto. At some point it compares bytes with str. I filed https://github.com/latchset/jwcrypto/pull/84/commits/61825d34594bde12d018865afb36ff4391430ef7 to address the issue.

Comment 5 Christian Heimes 2017-08-01 16:05:24 UTC
I have released python-jwcrypto 0.4.2. It contains the fix https://github.com/latchset/jwcrypto/commit/323327b688e4d1c969a3eb8d3e571454071c9e2e which addresses the Python 3 bytes/str comparison bugs. The latest release uses -bb to check for further issues and is tested with Python 3.6, too.

I'm going to release new versions for Fedora 26 and 27 next.
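
Added example (not part of the bug thread and not jwcrypto's or Custodia's code): it shows why the failure only appeared with `-bb`, why the bytes path fails at a `count('.')` call like the one in the traceback, and one way to normalise input before parsing. `run_snippet`, `count_separators` and `to_text` are hypothetical names, and the token values are constructed.

```python
import subprocess
import sys

# Constructed snippet: a mixed bytes/str comparison, which Python 3 evaluates
# to False silently unless the interpreter is started with -b or -bb.
MIXED_COMPARE = "tok = b'eyJhbGciOiJub25lIn0'; print(tok == 'eyJhbGciOiJub25lIn0')"


def run_snippet(flags):
    """Run MIXED_COMPARE in a child interpreter started with the given flags."""
    proc = subprocess.run([sys.executable, *flags, "-c", MIXED_COMPARE],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip(), proc.stderr


def count_separators(token):
    """Hypothetical stand-in for the `jwt.count('.')` call in the traceback."""
    return token.count(".")


def to_text(token):
    """Accept bytes or str and return str, so later str operations are safe."""
    if isinstance(token, bytes):
        # Compact JOSE serializations are base64url segments joined by '.',
        # so anything outside ASCII is malformed input.
        return token.decode("ascii")
    if isinstance(token, str):
        return token
    raise TypeError("token must be bytes or str, got %s" % type(token).__name__)


if __name__ == "__main__":
    print(run_snippet([])[:2])       # comparison runs and is silently False
    print(run_snippet(["-bb"])[0])   # child aborts with BytesWarning
    sample = b"aaaa.bbbb.cccc.dddd.eeee"  # constructed, not a real token
    try:
        count_separators(sample)
    except TypeError as exc:
        print("bytes input rejected:", exc)
    print(count_separators(to_text(sample)))
```

Running a test suite under `python3 -bb`, as comment 5 describes, turns every such silent mismatch into a hard failure.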

Comment 6 Fedora Update System 2017-08-01 16:17:40 UTC
python-jwcrypto-0.4.2-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f21978b7d8

Comment 7 Christian Heimes 2017-08-01 16:19:52 UTC
Stanislav, I have pushed 0.4.2 to F27 and requested an upgrade for F26. Please test the upgrade and give karma.

Comment 8 Fedora Update System 2017-08-02 08:16:08 UTC
python-jwcrypto-0.4.2-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c25388f731

Comment 9 Fedora Update System 2017-08-02 11:04:45 UTC
python-jwcrypto-0.4.2-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8bc93b5692

Comment 10 Fedora Update System 2017-08-02 21:55:09 UTC
python-jwcrypto-0.4.2-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8bc93b5692

Comment 11 Fedora Update System 2017-08-03 00:53:14 UTC
python-jwcrypto-0.4.2-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c25388f731

Comment 13 Standa Laznicka 2017-08-04 05:35:03 UTC
Tested and added the karma.

