Remove paramiko for FIPS

paramiko is not approved for FIPS, but we only use it here to generate ssh keys. We can do the same with OpenSSL and cryptography. Doing this allows a FIPS enrollment on the undercloud to continue. Change-Id: Iaee1b95f1537b937591e269f9bdb22a955a854be
2020-11-06 15:51:49 -05:00 · 2020-11-06 15:51:49 -05:00 · 6d6a2fd612
parent f27786254a
commit 6d6a2fd612
3 changed files with 15 additions and 8 deletions
--- a/requirements.txt
+++ b/requirements.txt
@ -19,7 +19,7 @@ Jinja2>=2.10 # BSD License (3 clause)
 python-novaclient>=9.1.0 # Apache-2.0
 passlib>=1.7.0 # BSD
 netifaces>=0.10.4 # MIT
-paramiko>=2.7.1 # LGPLv2.1+
+cryptography>=3.4.7 # BSD/Apache-2.0
 netaddr>=0.7.18 # BSD
 python-zaqarclient>=1.0.0 # Apache-2.0
 python-keystoneclient>=3.8.0 # Apache-2.0
--- a/tox.ini
+++ b/tox.ini
@ -19,7 +19,6 @@ setenv =
    ANSIBLE_STDOUT_CALLBACK=debug
    PY_COLORS=1
    # pip: Avoid 2020-01-01 warnings: https://github.com/pypa/pip/issues/6207
-    # paramiko CryptographyDeprecationWarning: https://github.com/ansible/ansible/issues/52598
    PYTHONWARNINGS=ignore:DEPRECATION::pip._internal.cli.base_command,ignore::UserWarning
    PIP_DISABLE_PIP_VERSION_CHECK=1
 passenv =
--- a/tripleo_common/utils/passwords.py
+++ b/tripleo_common/utils/passwords.py
@ -13,11 +13,13 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 import base64
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.backends import default_backend
 import hashlib
 import hmac
 import logging
 import os
-import paramiko
 import struct
 import time
 import uuid
@ -155,11 +157,17 @@ def create_ssh_keypair(comment=None, bits=2048):
    """Generate an ssh keypair for use on the overcloud"""
    if comment is None:
        comment = "Generated by TripleO"
-    key = paramiko.RSAKey.generate(bits)
-    keyout = six.StringIO()
-    key.write_private_key(keyout)
-    private_key = keyout.getvalue()
-    public_key = '{} {} {}'.format(key.get_name(), key.get_base64(), comment)
+    key = rsa.generate_private_key(public_exponent=65537,
+                                   key_size=bits,
+                                   backend=default_backend())
+    private_key = key.private_bytes(
+        serialization.Encoding.PEM,
+        serialization.PrivateFormat.PKCS8,
+        serialization.NoEncryption()).decode('utf-8')
+    public_key = key.public_key().public_bytes(
+        serialization.Encoding.OpenSSH,
+        serialization.PublicFormat.OpenSSH).decode('utf-8')
+    public_key = '{} {}'.format(public_key, comment)
    return {
        'private_key': private_key,
        'public_key': public_key,