zuul/zuul
Code Issues Proposed changes

Use unsafe_skip_rsa_key_validation with cryptography

Browse Source 
This is a partial revert of c4476d1b6a
which added the use of a private flag to skip unecessary (for us)
cryptography checks.  The cryptography package has now normalized
that flag into a parameter we can pass, so use the new param and
update the dependency to require the version that supports it.

Change-Id: I1dfa203525e85020ccf942422ad3cc7040b851dd
This commit is contained in:
James E. Blair
2023-01-11 10:10:29 -08:00
committed by Clark Boylan
parent 647940925f
commit 343904e1a4
2 changed files with 4 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
zuul/lib/encryption.py
View File

@@ -20,22 +20,6 @@ from cryptography.hazmat.primitives import hashes
from functools import lru_cache
# OpenSSL 3.0.0 performs key validation in a very slow manner. Since
# our keys are internally generated and securely stored, we can skip
# validation. See https://github.com/pyca/cryptography/issues/7236
backend = default_backend()
if hasattr(backend, '_rsa_skip_check_key'):
backend._rsa_skip_check_key = True
else:
import logging
# Use a specific logger here to avoid polluting the root logger
# with the default stderr stream handler. This is important in
# testing to ensure we don't over log and create noise.
logger = logging.getLogger("zuul.rsa_skip_check_warning")
logger.warning("Cryptography backend lacks _rsa_skip_check_key flag, "
"key loading may be slow")
# https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#generation
def generate_rsa_keypair():
"""Generate an RSA keypair.
@@ -46,7 +30,7 @@ def generate_rsa_keypair():
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=4096,
backend=backend,
backend=default_backend(),
)
public_key = private_key.public_key()
return (private_key, public_key)
@@ -114,7 +98,8 @@ def deserialize_rsa_keypair(data, password=None):
private_key = serialization.load_pem_private_key(
data,
password=password,
backend=backend,
backend=default_backend(),
unsafe_skip_rsa_key_validation=True,
)
public_key = private_key.public_key()
return (private_key, public_key)