Skip RSA key validation on load

OpenSSL 3.0.0 performs key validation in a very slow manner. Since our keys are internally generated and securely stored, we can skip validation. See https://github.com/pyca/cryptography/issues/7236 This reduces key loading time from 0.7 to 0.005 seconds/key in OpenDev. OpenSSL 1.1.1, which was being used until recently took a similarly short amount of time. Change-Id: Ie3841da2c9f7ca2da5b8de4bb619e8bad9c215af
2022-06-18 09:36:52 -07:00
parent c5b55e59c8
commit c4476d1b6a
1 changed files with 14 additions and 2 deletions
--- a/zuul/lib/encryption.py
+++ b/zuul/lib/encryption.py
@@ -20,6 +20,18 @@ from cryptography.hazmat.primitives import hashes
 from functools import lru_cache


+# OpenSSL 3.0.0 performs key validation in a very slow manner.  Since
+# our keys are internally generated and securely stored, we can skip
+# validation.  See https://github.com/pyca/cryptography/issues/7236
+backend = default_backend()
+if hasattr(backend, '_rsa_skip_check_key'):
+    backend._rsa_skip_check_key = True
+else:
+    import logging
+    logging.warning("Cryptography backend lacks _rsa_skip_check_key flag, "
+                    "key loading may be slow")
+
+
 # https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#generation
 def generate_rsa_keypair():
    """Generate an RSA keypair.
@@ -30,7 +42,7 @@ def generate_rsa_keypair():
    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=4096,
-        backend=default_backend()
+        backend=backend,
    )
    public_key = private_key.public_key()
    return (private_key, public_key)
@@ -98,7 +110,7 @@ def deserialize_rsa_keypair(data, password=None):
    private_key = serialization.load_pem_private_key(
        data,
        password=password,
-        backend=default_backend()
+        backend=backend,
    )
    public_key = private_key.public_key()
    return (private_key, public_key)