Fix errors caused by cryptography>=35.0.0
- _OID_NAMES was moved to a different module by [1].
- default_backend() is silently ignored, so it should be dropped [2].
- The new Rust backend does not accept mocked private keys, which caused test failures with invalid private keys.

[1]: 7b5634911c
[2]: https://cryptography.io/en/latest/faq/#faq-missing-backend

Change-Id: I44407703fbcf2da97c29a28043520c781ef4c3b2
(cherry picked from commit 0bf324278a)
parent
5044138d27
commit
cbd8bb35de
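--- a/UNKNOWN_PATH_FILE_1
+++ b/UNKNOWN_PATH_FILE_1
@@ -16,7 +16,6 @@ import datetime
 import six
 import uuid
 
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
@@ -112,8 +111,7 @@ def _generate_certificate(issuer_name, subject_name, extensions,
 
     private_key = rsa.generate_private_key(
         public_exponent=65537,
-        key_size=CONF.x509.rsa_key_size,
-        backend=default_backend()
+        key_size=CONF.x509.rsa_key_size
     )
 
     # subject name is set as common name
@@ -132,7 +130,7 @@ def _generate_certificate(issuer_name, subject_name, extensions,
         ca_key = private_key
         ca_key_password = encryption_password
 
-    csr = csr.sign(private_key, hashes.SHA256(), default_backend())
+    csr = csr.sign(private_key, hashes.SHA256())
 
     if six.PY3 and isinstance(encryption_password, six.text_type):
         encryption_password = encryption_password.encode()
@@ -170,8 +168,7 @@ def _load_pem_private_key(ca_key, ca_key_password=None):
 
         ca_key = serialization.load_pem_private_key(
             ca_key,
-            password=ca_key_password,
-            backend=default_backend()
+            password=ca_key_password
         )
 
     return ca_key
@@ -198,7 +195,7 @@ def sign(csr, issuer_name, ca_key, ca_key_password=None,
         csr = six.b(str(csr))
     if not isinstance(csr, x509.CertificateSigningRequest):
         try:
-            csr = x509.load_pem_x509_csr(csr, backend=default_backend())
+            csr = x509.load_pem_x509_csr(csr)
         except ValueError:
             LOG.exception("Received invalid csr %s.", csr)
             raise exception.InvalidCsr(csr=csr)
@@ -229,7 +226,6 @@ def sign(csr, issuer_name, ca_key, ca_key_password=None,
 
     certificate = builder.sign(
         private_key=ca_key, algorithm=hashes.SHA256(),
-        backend=default_backend()
     ).public_bytes(serialization.Encoding.PEM).strip()
 
     return certificate
@@ -239,14 +235,14 @@ def generate_csr_and_key(common_name):
     """Return a dict with a new csr, public key and private key."""
     private_key = rsa.generate_private_key(
         public_exponent=65537,
-        key_size=2048,
-        backend=default_backend())
+        key_size=2048
+    )
 
     public_key = private_key.public_key()
 
     csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
         x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, common_name),
-    ])).sign(private_key, hashes.SHA256(), default_backend())
+    ])).sign(private_key, hashes.SHA256())
 
     result = {
         'csr': csr.public_bytes(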
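Review bot: The `generate_csr_and_key` hunk rewrites the `key_size=2048` line but leaves the size hard-coded, while `_generate_certificate` in the same file (second hunk) sizes its key from `CONF.x509.rsa_key_size`; an operator who raises that option still gets 2048-bit keys from this path. Since the line is being touched anyway, `key_size=CONF.x509.rsa_key_size` would make both generators honour the same setting, assuming `CONF` is the module-level config object the earlier hunk already reads. If 2048 is deliberately fixed here, a one-line comment stating why it ignores the option would spare the next reader the same question. Both functions continue outside their hunks.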
|
@ -18,6 +18,12 @@ from magnum.common import exception
|
||||||
from magnum.common.x509 import extensions
|
from magnum.common.x509 import extensions
|
||||||
import magnum.conf
|
import magnum.conf
|
||||||
|
|
||||||
|
try:
|
||||||
|
# for cryptography >= 35.0.0
|
||||||
|
from cryptography.hazmat._oid import _OID_NAMES as OID_NAMES
|
||||||
|
except ImportError:
|
||||||
|
from cryptography.x509.oid import _OID_NAMES as OID_NAMES
|
||||||
|
|
||||||
_CA_KEY_USAGES = [
|
_CA_KEY_USAGES = [
|
||||||
extensions.KeyUsages.KEY_CERT_SIGN.value[0],
|
extensions.KeyUsages.KEY_CERT_SIGN.value[0],
|
||||||
extensions.KeyUsages.CRL_SIGN.value[0]
|
extensions.KeyUsages.CRL_SIGN.value[0]
|
||||||
|
@ -50,7 +56,7 @@ def filter_allowed_extensions(extensions, allowed_extensions=None):
|
||||||
allowed_extensions = allowed_extensions or []
|
allowed_extensions = allowed_extensions or []
|
||||||
|
|
||||||
for ext in extensions:
|
for ext in extensions:
|
||||||
ext_name = x509.oid._OID_NAMES.get(ext.oid, None)
|
ext_name = OID_NAMES.get(ext.oid, None)
|
||||||
if ext_name in allowed_extensions:
|
if ext_name in allowed_extensions:
|
||||||
yield ext
|
yield ext
|
||||||
else:
|
else:
|
||||||
|
|
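Review bot: The new `try`/`except ImportError` block binds `OID_NAMES` from `cryptography.hazmat._oid._OID_NAMES`, an underscore-prefixed table that cryptography does not treat as public API, so the same breakage can recur on the next release and the fallback to `cryptography.x509.oid` would then raise at import time. The only comment is `# for cryptography >= 35.0.0`; it should also record the risk, e.g. `# NOTE: _OID_NAMES is private cryptography API with no stability guarantee; re-verify on every cryptography upgrade.` Worth noting in the same comment that `filter_allowed_extensions` resolves an OID missing from this table to `None`, which never matches `allowed_extensions` and so falls through to the `else:` branch, keeping unknown extensions out of the allowed set. `filter_allowed_extensions` continues outside the hunk.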
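--- a/UNKNOWN_PATH_FILE_3
+++ b/UNKNOWN_PATH_FILE_3
@@ -25,10 +25,9 @@ class TestX509Operations(base.BaseTestCase):
         super(TestX509Operations, self).setUp()
 
     @mock.patch.object(serialization, 'NoEncryption')
-    @mock.patch.object(operations, 'default_backend')
     @mock.patch.object(operations, '_load_pem_private_key')
     def test_decrypt_key(self, mock_load_pem_private_key,
-                         mock_default_backend, mock_no_encryption_class):
+                         mock_no_encryption_class):
         mock_private_key = mock.MagicMock()
         mock_load_pem_private_key.return_value = mock_private_key
         mock_private_key.private_bytes.return_value = mock.sentinel.decrypted
@@ -45,11 +44,7 @@ class TestX509Operations(base.BaseTestCase):
         )
         self.assertEqual(mock.sentinel.decrypted, actual_decrypted)
 
-    @mock.patch.object(operations, 'default_backend')
-    @mock.patch.object(rsa, 'generate_private_key')
-    def test_generate_csr_and_key(self, mock_generate_private_key,
-                                  mock_default_backend):
-        mock_generate_private_key.return_value = mock.MagicMock()
+    def test_generate_csr_and_key(self):
         csr_keys = operations.generate_csr_and_key(u"Test")
         self.assertIsNotNone(csr_keys)
         self.assertTrue("public_key" in csr_keys)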
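Review bot: Removing `@mock.patch.object(rsa, 'generate_private_key')` in the second hunk may leave `rsa` unused in this test module; its import is outside the hunk, so this is inferred, but if nothing else references it the module fails an F401 lint and the import should go too. Now that `test_generate_csr_and_key` exercises real key generation, its two assertions only check that a dict with a `public_key` entry came back; the test could verify the artefact it now produces for real, e.g. `csr = x509.load_pem_x509_csr(csr_keys['csr'])` followed by `self.assertTrue(csr.is_signature_valid)` (importing `cryptography.x509` if the module does not already). The `'csr'` key is the one `generate_csr_and_key` populates in the operations hunk of this commit. The test class continues outside both hunks.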
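--- a/UNKNOWN_PATH_FILE_4
+++ b/UNKNOWN_PATH_FILE_4
@@ -12,7 +12,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
@@ -40,11 +39,10 @@ class TestX509(base.BaseTestCase):
     def _load_pems(self, keypairs, encryption_password):
         private_key = serialization.load_pem_private_key(
             keypairs['private_key'],
-            password=encryption_password,
-            backend=default_backend(),
+            password=encryption_password
         )
         certificate = c_x509.load_pem_x509_certificate(
-            keypairs['certificate'], default_backend())
+            keypairs['certificate'])
 
         return certificate, private_key
 
@@ -85,8 +83,7 @@ class TestX509(base.BaseTestCase):
     def _generate_private_key(self):
         return rsa.generate_private_key(
             public_exponent=65537,
-            key_size=2048,
-            backend=default_backend()
+            key_size=2048
         )
 
     def _build_csr(self, private_key):
@@ -95,7 +92,7 @@ class TestX509(base.BaseTestCase):
             c_x509.NameAttribute(NameOID.COMMON_NAME, self.subject_name)
         ]))
 
-        return csr.sign(private_key, hashes.SHA256(), default_backend())
+        return csr.sign(private_key, hashes.SHA256())
 
     def assertHasPublicKey(self, keypairs):
         key = keypairs[1]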