Bug 1984046
| Summary: | python-oauthlib depends on jwt for RSA | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Scott Poore <spoore> |
| Component: | python-oauthlib | Assignee: | Tomas Halman <thalman> |
| Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 9.0 | CC: | aboscatt, thalman |
| Target Milestone: | beta | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | python-oauthlib-3.1.1-5.el9 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-09 07:38:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2117590 | ||
| Bug Blocks: | |||
I think the only reasonable thing to do is to remove the rest of the RSA-* based signature methods. The RFC only prescribes RSA-SHA1, which is not permitted in RHEL-9. python-oauthlib also adds RSA-SHA256 and others, but those are not standard. In the real world, it's mostly HMAC-SHA1 that I've seen used anyway.

Verified
Version ::

```
[root@hostname1 ~]# rpm -q python3-oauthlib
python3-oauthlib-3.1.1-5.el9.noarch
[root@hostname1 ~]# dnf list python3-oauthlib
Last metadata expiration check: 0:53:29 ago on Fri Nov 18 09:10:28 2022.
Installed Packages
python3-oauthlib.noarch 3.1.1-5.el9 @rhel-9.2-AppStream
```

Results ::

```
[root@hostname1 ~]# cat test-rsa-sha256.py
import oauthlib
from oauthlib.oauth1 import Client
Client('client_key',
       signature_method='RSA-SHA256',
       rsa_key='',
       timestamp='1234567890',
       nonce='abc').sign('http://example.com')
[root@hostname1 ~]# python test-rsa-sha256.py
Traceback (most recent call last):
  File "/root/test-rsa-sha256.py", line 4, in <module>
    Client('client_key',
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 353, in sign
    ('oauth_signature', self.get_oauth_signature(request)))
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 188, in get_oauth_signature
    sig = self.SIGNATURE_METHODS[self.signature_method](base_string, self)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 755, in sign_rsa_sha256_with_client
    return _sign_rsa('SHA-256', sig_base_str, client.rsa_key)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 626, in _sign_rsa
    raise ValueError('Invalid signature method.')
ValueError: Invalid signature method.
```

Expected failure ^^

```
[root@hostname1 ~]# cat test-hmac-sha1.py
import oauthlib
from oauthlib.oauth1 import Client
Client('client_key',
       signature_method='HMAC-SHA1',
       timestamp='1234567890',
       nonce='abc').sign('http://example.com')
[root@hostname1 ~]# python test-hmac-sha1.py
[root@hostname1 ~]# echo $?
0
```
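The comment above leaves HMAC-SHA1 as the only signature method in the RHEL 9 package, and the verification script confirms that oauthlib signs with it, but shows nothing of what that signature actually covers. The following is an added example, not oauthlib's or Red Hat's code: a standard-library-only implementation of the RFC 5849 signature base string and HMAC-SHA1 signing, plus the server-side verification a relying party would perform. The request parameters are taken from the example request in RFC 5849 section 3.4.1.1 (whose base string the RFC prints, so the construction can be checked against it); the client and token secrets are constructed, since the RFC does not publish them. The `SUPPORTED_METHODS` allow-list mirrors the RHEL 9 behaviour of rejecting RSA-* methods with `ValueError('Invalid signature method.')`.

```python
"""RFC 5849 (OAuth 1.0) HMAC-SHA1 signing and verification, stdlib only.

Added example for the bug report above, not oauthlib code.  Request data is
the example from RFC 5849 section 3.4.1.1; the secrets are constructed.
"""
import base64
import hashlib
import hmac
import string
from urllib.parse import parse_qsl, urlsplit

# RFC 5849 section 3.6: only RFC 3986 unreserved characters stay unencoded.
UNRESERVED = frozenset(string.ascii_letters + string.digits + "-._~")

# Only HMAC-SHA1 is available in the RHEL 9 build; a verifier must refuse the
# rest rather than fall through to an unsupported or weak method.
SUPPORTED_METHODS = frozenset({"HMAC-SHA1"})


def pct_encode(value: str) -> str:
    """Percent-encode UTF-8 bytes with uppercase hex (RFC 5849 section 3.6)."""
    return "".join(
        chr(b) if chr(b) in UNRESERVED else "%%%02X" % b
        for b in value.encode("utf-8")
    )


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme and host, no default port, no query."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def collect_parameters(url: str, body: str, oauth_params: dict) -> list:
    """Section 3.4.1.3.1: query, form body and oauth_* parameters, decoded.

    oauth_signature and realm are excluded by the specification.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("oauth_signature", "realm")]
    return params


def normalize_parameters(params) -> str:
    """Section 3.4.1.3.2: encode each pair, sort by name then value, join."""
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, body: str, oauth_params: dict) -> str:
    """Section 3.4.1.1: METHOD & encode(base URI) & encode(normalized params)."""
    params = collect_parameters(url, body, oauth_params)
    return "&".join([method.upper(),
                     pct_encode(base_string_uri(url)),
                     pct_encode(normalize_parameters(params))])


def hmac_sha1_sign(base_string: str, client_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key is encode(client secret) & encode(token secret)."""
    key = f"{pct_encode(client_secret)}&{pct_encode(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(method, url, body, oauth_params, client_secret, token_secret="") -> bool:
    """Server side: allow-list the method, recompute, compare in constant time.

    oauth_params carries decoded values (the Authorization header form is
    percent-encoded and must be decoded before this call).
    """
    if oauth_params.get("oauth_signature_method") not in SUPPORTED_METHODS:
        raise ValueError("Invalid signature method.")
    base = signature_base_string(method, url, body, oauth_params)
    expected = hmac_sha1_sign(base, client_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


# Example request from RFC 5849 section 3.4.1.1.
RFC_METHOD = "POST"
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
# Constructed secrets: RFC 5849 does not publish the ones behind its example.
CLIENT_SECRET = "constructed-client-secret"
TOKEN_SECRET = "constructed-token-secret"


def demo() -> dict:
    """Sign the RFC request, then verify it, a tampered copy, and an RSA request."""
    base = signature_base_string(RFC_METHOD, RFC_URL, RFC_BODY, RFC_OAUTH)
    signed = dict(RFC_OAUTH, oauth_signature=hmac_sha1_sign(base, CLIENT_SECRET, TOKEN_SECRET))
    tampered = dict(signed, oauth_nonce="7d8f3e4b")  # replayed with a new nonce
    rsa_request = dict(signed, oauth_signature_method="RSA-SHA256")
    try:
        verify(RFC_METHOD, RFC_URL, RFC_BODY, rsa_request, CLIENT_SECRET, TOKEN_SECRET)
        rsa_rejected = False
    except ValueError:
        rsa_rejected = True
    return {
        "base_string": base,
        "valid": verify(RFC_METHOD, RFC_URL, RFC_BODY, signed, CLIENT_SECRET, TOKEN_SECRET),
        "tampered_valid": verify(RFC_METHOD, RFC_URL, RFC_BODY, tampered, CLIENT_SECRET, TOKEN_SECRET),
        "rsa_rejected": rsa_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The base string is where most interoperability and verification bugs live: parameters from the query string, the body and the `oauth_*` set are decoded, re-encoded with the strict RFC 3986 unreserved set, sorted by encoded name and then encoded value (note `c%40` sorting before `c2`), and the whole normalized string is percent-encoded a second time. Verification recomputes rather than parses the presented signature and compares with `hmac.compare_digest`; any change to a covered parameter, such as the nonce, invalidates it.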
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (python-oauthlib bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2247
Description of problem:
While testing another bug, we found that there is a leftover dependency on jwt still in python-oauthlib. Trying to sign with an RSA-SHA256 key fails because the missing dependency isn't installed:

```
[root@rhel9 ~]# python test.py
Traceback (most recent call last):
  File "/root/test.py", line 4, in <module>
    Client('client_key',
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 353, in sign
    ('oauth_signature', self.get_oauth_signature(request)))
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 188, in get_oauth_signature
    sig = self.SIGNATURE_METHODS[self.signature_method](base_string, self)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 743, in sign_rsa_sha256_with_client
    return _sign_rsa('SHA-256', sig_base_str, client.rsa_key)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 616, in _sign_rsa
    alg = _get_jwt_rsa_algorithm(hash_algorithm_name)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 562, in _get_jwt_rsa_algorithm
    import jwt.algorithms as jwt_algorithms
ModuleNotFoundError: No module named 'jwt'
```

Version-Release number of selected component (if applicable):
python3-oauthlib-3.1.1-1.el9.noarch

How reproducible:
always

Steps to Reproduce:
1. dnf -y install python3-oauthlib
2. make simple test script using library

```
[root@rhel9 ~]# cat test.py
import oauthlib
from oauthlib.oauth1 import Client
Client('client_key',
       signature_method='RSA-SHA256',
       rsa_key='',
       timestamp='1234567890',
       nonce='abc').sign('http://example.com')
```

3. python test-rsa.py

Actual results:
returns module import error shown above.

Expected results:
this particular test won't do much but show this error. We can use a more complete test script to test that things work properly. FYI, this just means adding rsa_key into script.

Additional info: