1984046 – python-oauthlib depends on jwt for RSA

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1984046 - python-oauthlib depends on jwt for RSA

Summary: python-oauthlib depends on jwt for RSA

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	python-oauthlib
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	beta
Target Release:	---
Assignee:	Tomas Halman
QA Contact:	Scott Poore
Docs Contact:
URL:
Whiteboard:
Depends On:	2117590
Blocks:
TreeView+	depends on / blocked

Reported:	2021-07-20 13:52 UTC by Scott Poore
Modified:	2023-05-09 08:42 UTC (History)
CC List:	2 users (show)
Fixed In Version:	python-oauthlib-3.1.1-5.el9
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-05-09 07:38:28 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	SSSD-3703	0	None	None	None	2021-08-04 12:03:57 UTC
Red Hat Product Errata	RHBA-2023:2247	0	None	None	None	2023-05-09 07:38:32 UTC

Description Scott Poore 2021-07-20 13:52:50 UTC

Description of problem:

While testing another bug, we found that there is a leftover dependency on jwt still in python-oauthlib.

Trying to sign with an RSA-SHA256 key fails because the missing dependency isn't installed:

[root@rhel9 ~]# python test.py 
Traceback (most recent call last):
  File "/root/test.py", line 4, in <module>
    Client('client_key',
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 353, in sign
    ('oauth_signature', self.get_oauth_signature(request)))
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 188, in get_oauth_signature
    sig = self.SIGNATURE_METHODS[self.signature_method](base_string, self)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 743, in sign_rsa_sha256_with_client
    return _sign_rsa('SHA-256', sig_base_str, client.rsa_key)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 616, in _sign_rsa
    alg = _get_jwt_rsa_algorithm(hash_algorithm_name)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 562, in _get_jwt_rsa_algorithm
    import jwt.algorithms as jwt_algorithms
ModuleNotFoundError: No module named 'jwt'


Version-Release number of selected component (if applicable):
python3-oauthlib-3.1.1-1.el9.noarch

How reproducible:
always

Steps to Reproduce:
1.  dnf -y install python3-oauthlib
2.  make simple test script using library

[root@rhel9 ~]# cat test.py
import oauthlib
from oauthlib.oauth1 import Client

Client('client_key',
       signature_method='RSA-SHA256',
       rsa_key='',
       timestamp='1234567890',
       nonce='abc').sign('http://example.com')

3.  python test-rsa.py

Actual results:
returns module import error shown above.

Expected results:
this particular test won't do much but show this error.  we can use a more complete test script to test that things work properly.  FYI, this just means adding rsa_key into script.

Additional info:

Comment 1 Jakub Hrozek 2021-07-28 13:44:47 UTC

I think the only reasonable thing to do is to remove the rest of the RSA-* based signature methods. The RFC only prescribes RSA-SHA1 which is not permitted in RHEL-9. python-oauthlib adds also RSA-SHA256 and others, but those are not standard. In the real world, it's mostly HMAC-SHA1 that I've seen used anyway.

Comment 7 Scott Poore 2022-11-18 15:08:13 UTC

Verified

Version ::

[root@hostname1 ~]# rpm -q python3-oauthlib
python3-oauthlib-3.1.1-5.el9.noarch

[root@hostname1 ~]# dnf list python3-oauthlib
Last metadata expiration check: 0:53:29 ago on Fri Nov 18 09:10:28 2022.
Installed Packages
python3-oauthlib.noarch                         3.1.1-5.el9                         @rhel-9.2-AppStream

Results ::

[root@hostname1 ~]# cat test-rsa-sha256.py 
import oauthlib
from oauthlib.oauth1 import Client

Client('client_key',
       signature_method='RSA-SHA256',
       rsa_key='',
       timestamp='1234567890',
       nonce='abc').sign('http://example.com')

[root@hostname1 ~]# python test-rsa-sha256.py 
Traceback (most recent call last):
  File "/root/test-rsa-sha256.py", line 4, in <module>
    Client('client_key',
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 353, in sign
    ('oauth_signature', self.get_oauth_signature(request)))
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/__init__.py", line 188, in get_oauth_signature
    sig = self.SIGNATURE_METHODS[self.signature_method](base_string, self)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 755, in sign_rsa_sha256_with_client
    return _sign_rsa('SHA-256', sig_base_str, client.rsa_key)
  File "/usr/lib/python3.9/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 626, in _sign_rsa
    raise ValueError('Invalid signature method.')
ValueError: Invalid signature method.


Expected failure ^^

[root@hostname1 ~]# cat test-hmac-sha1.py 
import oauthlib
from oauthlib.oauth1 import Client

Client('client_key',
       signature_method='HMAC-SHA1',
       timestamp='1234567890',
       nonce='abc').sign('http://example.com')
[root@hostname1 ~]# python test-hmac-sha1.py 
[root@hostname1 ~]# echo $?
0

Comment 10 errata-xmlrpc 2023-05-09 07:38:28 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (python-oauthlib bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2247

Note You need to log in before you can comment on or make changes to this bug.