crypto: Add support for Paramiko 2.x
Only use PyCrypto/PyCryptodome work-around with Paramiko 1.x and use straight-forward Paramiko interface with 2.x. TODO: Revert this and PyCrypto/PyCryptodome work-around when Paramiko is upgraded to 2.x (ie replace `generate_key(bits)` call with `paramiko.RSAKey.generate(bits)`). Change If88beeb3983705621fe736995939ac20b2daf1f3 added a work-around for the partially-PyCrypto-compatible PyCryptodome causing Paramiko, which has a dependency on PyCrypto, to break. This work-around entails implementing Paramiko internals (ie how to generate a key) in Nova in a way compatible with both PyCrypto and PyCryptodome. This work-around is itself a source of failure with Paramiko 2 which has replaced the PyCrypto requirement with the cryptography Python package. As Paramiko no longer depends on PyCrypto, Nova doesn't have an explicit PyCrypto requirement, and there's no implicit dependency on PyCrypto, when Nova tries to import PyCrypto it fails. Even if PyCrypto was installed, the work-around would still fail because the Paramiko interface that Nova is using as part of the work-around changed with the major version change (ie 1.x => 2.x). Change-Id: I5d6543e690a3b4495476027fd8a4894ff8c42bf6 Related-Bug: #1483132
parent
4f100c1819
commit
c05b338f16
|
@ -26,7 +26,6 @@ import base64
|
||||||
import binascii
|
import binascii
|
||||||
import os
|
import os
|
||||||
|
|
||||||
from Crypto.PublicKey import RSA
|
|
||||||
from cryptography import exceptions
|
from cryptography import exceptions
|
||||||
from cryptography.hazmat import backends
|
from cryptography.hazmat import backends
|
||||||
from cryptography.hazmat.primitives.asymmetric import padding
|
from cryptography.hazmat.primitives.asymmetric import padding
|
||||||
|
@ -140,11 +139,23 @@ def generate_key(bits):
|
||||||
# which version of pysaml2 is installed, Nova is likely to break. So we
|
# which version of pysaml2 is installed, Nova is likely to break. So we
|
||||||
# call "RSA.generate(bits)" which works on both pycrypto and pycryptodome
|
# call "RSA.generate(bits)" which works on both pycrypto and pycryptodome
|
||||||
# and then wrap it into a paramiko.RSAKey
|
# and then wrap it into a paramiko.RSAKey
|
||||||
rsa = RSA.generate(bits)
|
#
|
||||||
key = paramiko.RSAKey(vals=(rsa.e, rsa.n))
|
# NOTE(coreywright): Paramiko 2 avoids this conundrum by migrating from
|
||||||
key.d = rsa.d
|
# PyCrypto/PyCryptodome to cryptography.
|
||||||
key.p = rsa.p
|
#
|
||||||
key.q = rsa.q
|
# TODO(coreywright): When Paramiko constraint is upgraded to 2.x, then
|
||||||
|
# remove this abstraction and replace the call to this function with a call
|
||||||
|
# to `paramiko.RSAKey.generate(bits)`.
|
||||||
|
|
||||||
|
if paramiko.__version_info__[0] == 2:
|
||||||
|
key = paramiko.RSAKey.generate(bits)
|
||||||
|
else: # paramiko 1.x
|
||||||
|
from Crypto.PublicKey import RSA
|
||||||
|
rsa = RSA.generate(bits)
|
||||||
|
key = paramiko.RSAKey(vals=(rsa.e, rsa.n))
|
||||||
|
key.d = rsa.d
|
||||||
|
key.p = rsa.p
|
||||||
|
key.q = rsa.q
|
||||||
return key
|
return key
|
||||||
|
|
||||||
|
|
||||||
|
|
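Review bot: The version test `if paramiko.__version_info__[0] == 2:` in generate_key matches only the 2.x series, so any later Paramiko major release would fall into the `else` branch and hit the function-level `from Crypto.PublicKey import RSA`, which the commit message says fails once PyCrypto is no longer pulled in. Comparing with `>= 2` keeps the legacy PyCrypto path confined to 1.x: `if paramiko.__version_info__[0] >= 2:`. Because the PyCrypto import now lives inside the branch, a missing package surfaces only when a key is generated rather than at module import; the comment block could say so, e.g. `# PyCrypto is imported lazily; only required with Paramiko 1.x`. generate_key starts above the hunk, so whether `bits` is checked against a minimum key size before either branch is not visible here.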