Drop pycrypto from utility genpwd.py

pycrypto is unmaintained for a while and requirements team advises using pycryptodome or cryptography libraries instead (see openstack-dev thread [0]). genpwd.py uses pycrypto to generate RSA keypair. This commit rewrite generate_RSA function using python-cryptography while keeping strict 1:1 compatibility with previous code. [0] http://lists.openstack.org/pipermail/openstack-dev/2017-March/113568.html Change-Id: I13f468c35adb7b2cf76b3d04d9d700aa8ea54a85
2017-07-18 22:47:36 +02:00 · 2017-07-18 22:47:36 +02:00 · 307d543761
parent 2b8479b88d
commit 307d543761
2 changed files with 18 additions and 9 deletions
--- a/kolla_kubernetes/commands/genpwd.py
+++ b/kolla_kubernetes/commands/genpwd.py
@ -19,7 +19,12 @@ import random
 import string
 import sys

-from Crypto.PublicKey import RSA
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives.serialization import Encoding
+from cryptography.hazmat.primitives.serialization import NoEncryption
+from cryptography.hazmat.primitives.serialization import PrivateFormat
+from cryptography.hazmat.primitives.serialization import PublicFormat
 from hashlib import md5
 from hashlib import sha256
 from oslo_utils import uuidutils
@ -35,9 +40,17 @@ if PROJECT_ROOT not in sys.path:


 def generate_RSA(bits=4096):
-    new_key = RSA.generate(bits, os.urandom)
-    private_key = new_key.exportKey("PEM")
-    public_key = new_key.publickey().exportKey("OpenSSH")
+    # public_exponent set to 655537 is what pyCA recommends
+    new_key = rsa.generate_private_key(public_exponent=65537,
+                                       key_size=bits,
+                                       backend=default_backend())
+    # we strip trailing space for 1:1 compat with previous implementation
+    private_key = new_key.private_bytes(
+        encoding=Encoding.PEM,
+        format=PrivateFormat.PKCS8,
+        encryption_algorithm=NoEncryption())
+    public_key = new_key.public_key().public_bytes(encoding=Encoding.OpenSSH,
+                                                   format=PublicFormat.OpenSSH)
    return private_key, public_key


--- a/tools/setup_kubernetes.sh
+++ b/tools/setup_kubernetes.sh
@ -13,11 +13,7 @@ repo_gpgcheck=1
 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
 EOEF
-#
-# NOTE(sbezverk) docker-1.12.6-28.git1398f24.el7.centos.x86_64 breaks several gate jobs.
-# Version pinning needs to be removed after docker fixes it.
-#
-yum install -y docker-1.12.6-16.el7.centos kubeadm kubelet kubectl kubernetes-cni ebtables
+yum install -y docker kubeadm kubelet kubectl kubernetes-cni ebtables
 sed -i 's/10.96.0.10/172.16.128.10/g' /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
 EOF
 else