Bug 2171661 - python-cryptography: FTBFS in Fedora rawhide/f38
Summary: python-cryptography: FTBFS in Fedora rawhide/f38
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-cryptography
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Christian Heimes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F38FTBFS
TreeView+ depends on / blocked
 
Reported: 2023-02-20 11:59 UTC by Fedora Release Engineering
Modified: 2023-03-11 03:06 UTC (History)
3 users (show)

Fixed In Version: python-cryptography-37.0.2-8.fc39 python-cryptography-37.0.2-5.fc37 python-cryptography-36.0.0-4.fc36 python-cryptography-37.0.2-8.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-02-22 09:25:32 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-9482 0 None None None 2023-02-20 12:00:19 UTC

Description Fedora Release Engineering 2023-02-20 11:59:30 UTC
python-cryptography failed to build from source in Fedora rawhide/f38

https://koji.fedoraproject.org/koji/taskinfo?taskID=96419458


For details on the mass rebuild see:

https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Please fix python-cryptography at your earliest convenience and set the bug's status to
ASSIGNED when you start fixing it. If the bug remains in NEW state for 8 weeks,
python-cryptography will be orphaned. Before branching of Fedora 39,
python-cryptography will be retired, if it still fails to build.

For more details on the FTBFS policy, please visit:
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fails_to_install/

Comment 1 Christian Heimes 2023-02-22 08:32:39 UTC
The test cases TestECDSAVectors.test_load_invalid_ec_key_from_pem and TestRSADecryption.test_decrypt_invalid_decrypt are failing. The problems are likely caused by recent updates or downstream patches in OpenSSL. I'm going to skip the tests.


=================================== FAILURES ===================================
______________ TestECDSAVectors.test_load_invalid_ec_key_from_pem ______________

self = <tests.hazmat.primitives.test_ec.TestECDSAVectors object at 0x7f29fd610290>
backend = <OpenSSLBackend(version: OpenSSL 3.0.8 7 Feb 2023, FIPS: False)>

    def test_load_invalid_ec_key_from_pem(self, backend):
        _skip_curve_unsupported(backend, ec.SECP256R1())
    
        # BoringSSL rejects infinity points before it ever gets to us, so it
        # uses a more generic error message.
        match = (
            "infinity" if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL else None
        )
        with pytest.raises(ValueError, match=match):
>           serialization.load_pem_public_key(
                textwrap.dedent(
                    """
            -----BEGIN PUBLIC KEY-----
            MBkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDAgAA
            -----END PUBLIC KEY-----
            """
                ).encode(),
                backend=backend,
            )

tests/hazmat/primitives/test_ec.py:485: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
../../BUILDROOT/python-cryptography-37.0.2-7.fc39.x86_64/usr/lib64/python3.11/site-packages/cryptography/hazmat/primitives/serialization/base.py:30: in load_pem_public_key
    return ossl.load_pem_public_key(data)
../../BUILDROOT/python-cryptography-37.0.2-7.fc39.x86_64/usr/lib64/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py:926: in load_pem_public_key
    return self._evp_pkey_to_public_key(evp_pkey)
../../BUILDROOT/python-cryptography-37.0.2-7.fc39.x86_64/usr/lib64/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py:716: in _evp_pkey_to_public_key
    self.openssl_assert(ec_cdata != self._ffi.NULL)
../../BUILDROOT/python-cryptography-37.0.2-7.fc39.x86_64/usr/lib64/python3.11/site-packages/cryptography/hazmat/backends/openssl/backend.py:212: in openssl_assert
    return binding._openssl_assert(self._lib, ok, errors=errors)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

lib = <module 'lib'>, ok = False
errors = [<cryptography.hazmat.bindings.openssl.binding._OpenSSLError object at 0x7f29f8888c50>, <cryptography.hazmat.bindings.openssl.binding._OpenSSLError object at 0x7f29f888a450>]

    def _openssl_assert(
        lib, ok: bool, errors: typing.Optional[typing.List[_OpenSSLError]] = None
    ) -> None:
        if not ok:
            if errors is None:
                errors = _consume_errors(lib)
            errors_with_text = _errors_with_text(errors)
    
>           raise InternalError(
                "Unknown OpenSSL error. This error is commonly encountered when "
                "another library is not cleaning up the OpenSSL error stack. If "
                "you are using cryptography with another library that uses "
                "OpenSSL try disabling it before reporting a bug. Otherwise "
                "please file an issue at https://github.com/pyca/cryptography/"
                "issues with information on how to reproduce "
                "this. ({0!r})".format(errors_with_text),
                errors_with_text,
            )
E           cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=134217832, lib=16, reason=104, reason_text=b'error:08000068:elliptic curve routines::invalid form'), _OpenSSLErrorWithText(code=50331853, lib=6, reason=205, reason_text=b'error:030000CD:digital envelope routines::keymgmt export failure')])

../../BUILDROOT/python-cryptography-37.0.2-7.fc39.x86_64/usr/lib64/python3.11/site-packages/cryptography/hazmat/bindings/openssl/binding.py:90: InternalError
________________ TestRSADecryption.test_decrypt_invalid_decrypt ________________

self = <tests.hazmat.primitives.test_rsa.TestRSADecryption object at 0x7f29fcfaeb50>
backend = <OpenSSLBackend(version: OpenSSL 3.0.8 7 Feb 2023, FIPS: False)>

    @pytest.mark.supported(
        only_if=lambda backend: backend.rsa_padding_supported(
            padding.PKCS1v15()
        ),
        skip_message="Does not support PKCS1v1.5.",
    )
    def test_decrypt_invalid_decrypt(self, backend):
        private_key = RSA_KEY_2048.private_key(backend)
>       with pytest.raises(ValueError):
E       Failed: DID NOT RAISE <class 'ValueError'>

tests/hazmat/primitives/test_rsa.py:1675: Failed

Comment 2 Fedora Update System 2023-02-22 09:22:18 UTC
FEDORA-2023-51706f88e3 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-51706f88e3

Comment 3 Fedora Update System 2023-02-22 09:25:32 UTC
FEDORA-2023-51706f88e3 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2023-02-22 09:38:25 UTC
FEDORA-2023-672f668f51 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-672f668f51

Comment 5 Fedora Update System 2023-02-22 09:38:26 UTC
FEDORA-2023-fa5d0b461d has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-fa5d0b461d

Comment 6 Fedora Update System 2023-02-22 09:38:27 UTC
FEDORA-2023-749dd47c79 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-749dd47c79

Comment 7 Fedora Update System 2023-02-23 01:59:51 UTC
FEDORA-2023-672f668f51 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-672f668f51`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-672f668f51

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-02-23 03:02:13 UTC
FEDORA-2023-fa5d0b461d has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-fa5d0b461d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-fa5d0b461d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2023-02-23 10:25:15 UTC
FEDORA-2023-749dd47c79 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-749dd47c79

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2023-02-27 01:44:05 UTC
FEDORA-2023-fa5d0b461d has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2023-03-10 01:37:07 UTC
FEDORA-2023-672f668f51 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2023-03-11 03:06:03 UTC
FEDORA-2023-749dd47c79 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.