Use unsafe_skip_rsa_key_validation with cryptography

This is a partial revert of c4476d1b6aebec0ea3198e0203c7d35bedbea57a which added the use of a private flag to skip unecessary (for us) cryptography checks. The cryptography package has now normalized that flag into a parameter we can pass, so use the new param and update the dependency to require the version that supports it. Change-Id: I1dfa203525e85020ccf942422ad3cc7040b851dd
2023-01-11 10:10:29 -08:00 · 2023-01-11 10:10:29 -08:00 · 343904e1a4
commit 343904e1a4
parent 647940925f
2 changed files with 4 additions and 19 deletions
--- a/requirements.txt
+++ b/requirements.txt
@ -20,7 +20,7 @@ netaddr
 kazoo>=2.8.0
 sqlalchemy
 alembic
-cryptography>=1.6
+cryptography>=39.0.0
 cachecontrol<0.12.7
 cachetools
 pyjwt>=2.0.0
--- a/zuul/lib/encryption.py
+++ b/zuul/lib/encryption.py
@ -20,22 +20,6 @@ from cryptography.hazmat.primitives import hashes
 from functools import lru_cache


-# OpenSSL 3.0.0 performs key validation in a very slow manner.  Since
-# our keys are internally generated and securely stored, we can skip
-# validation.  See https://github.com/pyca/cryptography/issues/7236
-backend = default_backend()
-if hasattr(backend, '_rsa_skip_check_key'):
-    backend._rsa_skip_check_key = True
-else:
-    import logging
-    # Use a specific logger here to avoid polluting the root logger
-    # with the default stderr stream handler. This is important in
-    # testing to ensure we don't over log and create noise.
-    logger = logging.getLogger("zuul.rsa_skip_check_warning")
-    logger.warning("Cryptography backend lacks _rsa_skip_check_key flag, "
-                   "key loading may be slow")
-
-
 # https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#generation
 def generate_rsa_keypair():
    """Generate an RSA keypair.
@ -46,7 +30,7 @@ def generate_rsa_keypair():
    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=4096,
-        backend=backend,
+        backend=default_backend(),
    )
    public_key = private_key.public_key()
    return (private_key, public_key)
@ -114,7 +98,8 @@ def deserialize_rsa_keypair(data, password=None):
    private_key = serialization.load_pem_private_key(
        data,
        password=password,
-        backend=backend,
+        backend=default_backend(),
+        unsafe_skip_rsa_key_validation=True,
    )
    public_key = private_key.public_key()
    return (private_key, public_key)