1668318 – [RFE][TestOnly] - For inclusion of ed25519 type key pairs in nova

Bug 1668318 - [RFE][TestOnly] - For inclusion of ed25519 type key pairs in nova

Summary: [RFE][TestOnly] - For inclusion of ed25519 type key pairs in nova

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-nova
Sub Component:
Version:	14.0 (Rocky)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	low
Target Milestone:	Alpha
Target Release:	16.2 (Train on RHEL 8.4)
Assignee:	OSP DFG:Compute
QA Contact:	OSP DFG:Compute
Docs Contact:
URL:
Whiteboard:
Depends On:	1669539 1873581
Blocks:
TreeView+	depends on / blocked

Reported:	2019-01-22 12:42 UTC by Ketan Mehta
Modified:	2023-03-21 19:10 UTC (History)
CC List:	17 users (show)
Fixed In Version:	openstack-nova-20.4.2-2.20201114104928
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1669539 (view as bug list)
Environment:
Last Closed:	2021-10-14 15:55:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	pyca cryptography pull 4114	'None'	closed	ed25519 support	2021-02-16 02:20:43 UTC
Launchpad	1555521	None	None	None	2019-01-24 17:56:38 UTC
Red Hat Issue Tracker	OSP-2482	None	None	None	2022-03-13 17:21:45 UTC

Description Ketan Mehta 2019-01-22 12:42:51 UTC

Description of problem:

While trying to import public key of type 'ed25519' in nova, the import fails with exception "Keypair data is invalid".

---Actual error logs---

2019-01-22 12:06:13.164 15 INFO nova.api.openstack.wsgi [req-5fadb4f9-565f-41a7-a1f3-8e4a49af8046 3dade9ba54ee47c2bb4012e24d84fe09 d8ac454e969c45b788d96d3445adafe4 - default default] HTTP exception thrown: Keypair data is invalid: failed to generate fingerprint
2019-01-22 12:12:08.656 14 INFO nova.api.openstack.wsgi [req-a6aecfd6-bf36-48cb-ad71-d5fa786d9ba1 3dade9ba54ee47c2bb4012e24d84fe09 d8ac454e969c45b788d96d3445adafe4 - default default] HTTP exception thrown: Keypair data is invalid: failed to generate fingerprint
2019-01-22 12:13:17.715 14 INFO nova.api.openstack.wsgi [req-bc3c2dfc-0f9e-4e83-a67d-3ebb86c8b7ca 3dade9ba54ee47c2bb4012e24d84fe09 d8ac454e969c45b788d96d3445adafe4 - default default] HTTP exception thrown: Keypair data is invalid: failed to generate fingerprint
2019-01-22 12:13:41.072 14 INFO nova.api.openstack.wsgi [req-bdb362ee-72f0-43a4-894c-23d52dcbe165 3dade9ba54ee47c2bb4012e24d84fe09 d8ac454e969c45b788d96d3445adafe4 - default default] HTTP exception thrown: Keypair data is invalid: failed to generate fingerprint
2019-01-22 12:14:10.933 15 INFO nova.api.openstack.wsgi [req-c6d182b8-36d2-4c3b-93d2-2a060af4a61a 3dade9ba54ee47c2bb4012e24d84fe09 d8ac454e969c45b788d96d3445adafe4 - default default] HTTP exception thrown: Keypair data is invalid: failed to generate fingerprint
2019-01-22 12:18:31.012 14 INFO nova.api.openstack.wsgi [req-3c901055-1a8f-4cf5-9d97-9ad0514c773b 3dade9ba54ee47c2bb4012e24d84fe09 d8ac454e969c45b788d96d3445adafe4 - default default] HTTP exception thrown: Keypair data is invalid: failed to generate fingerprint

---------------

Version-Release number of selected component (if applicable):


How reproducible:

Try importing the the public key into nova with a ssh key type of 'ed25519' architecture and not rsa/ecdsa.

Steps to Reproduce:
1.
2.
3.

Actual results:

Keypair data is invalid: failed to generate fingerprint

Expected results:

Keypair should have been created, with the specified public key import.

Additional info:

Comment 2 melanie witt 2019-01-24 17:56:39 UTC

This has been reported upstream as well, for some time:

https://bugs.launchpad.net/nova/+bug/1555521

but support for ed25519 keys needs to be added to the upstream python cryptography package first before we can consume it in nova.

The pull request tracking that work is located here:

https://github.com/pyca/cryptography/pull/4114

Once support is available in the cryptography package, we should be able to use the keys in nova.

Comment 5 Jon Schlueter 2019-02-22 15:02:26 UTC

git hub pull request not yet merged 2019-02-22

Comment 6 melanie witt 2019-02-27 16:35:00 UTC

The github pull request has merged and version 2.6 of python-cryptography has been released today. The changelog states that support for ed25519 keys is now available when using OpenSSL 1.1.1b or newer:

https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst

Comment 10 Thierry Vignaud 2021-10-14 15:55:23 UTC

According to our records, this should be resolved by openstack-nova-20.6.2-2.20210607104828.el8ost.4.  This build is available now.

Note You need to log in before you can comment on or make changes to this bug.