[Bug 2081751] Re: python3-cepces calling deprecated method from cryptography
Dave Jones
2081751 at bugs.launchpad.net
Mon Nov 11 16:30:55 UTC 2024
This mostly looks good and I'm happy to sponsor the plucky upload. For
SRU, there's a couple of minor notes regarding the SRU template that
should be addressed:
1. Could the impact section list what the user impact is? Currently it's
describing what's *caused* the bug (and the remedy), but not the actual
impact to the user experience. My guess is this would include something
like "certmonger crashes preventing completion of certificate
enrolment"?
2. Could the test plan be made a little more specific? The ideal would
be to have a test plan that absolutely anyone could follow without
necessarily knowing anything about the package, but I realize that's
probably impossible in this case given the requirement of having an AD.
Still, the current instructions could specify *where* in the linked
procedure the test is expected to fail (the instructions already list
the expected failure message, which is good). That covers the
requirement to reproduce the bug. Then...
3. The next half of the test plan should be "upgrade to the proposed
version and re-test". Thankfully on noble and oracular that's pretty
trivial and just involves "sudo apt install -t $series-proposed
python3-cepces" (where $series is the affected series). Ideally, the
test plan should also include a demonstration that normal operation
(however basic) still works.
I realize the above sounds a bit nit-picky, but they're things the SRU
team is likely to highlight when checking the bug.
Finally, I've adjusted the "where problems could occur" section a bit
just to make it clear that, at the time of writing, there is no
possibility of regression with regard to old versions of cryptography
(because none of the affected). Once the test plan is updated, I would
recommend adding the following to the "where problems could occur"
section:
"The test plan ensures that the bug is reproducible, and that the
proposed patch fixes the issue. It also checks that normal operation is
unaffected."
** Description changed:
[ Impact ]
* python3-cepces has been using _RSAPublicKey.verifier from python3-cryptography. This method has been marked deprecated for a few years now, but recently (in version 37) has been completely removed.
* Updating system to a 37+ version of python3-cryptography will cause trouble due to cepces trying to call the removed method.
* The new API to use is _RSAPublicKey.verify, which takes one extra parameter.
* Versions prior to Noble still have cryptography with the .verifier method.
[ Test Plan ]
I was looking for a shorter way, but apparently the cepces test suite does
not cover this case and testing requires an AD controller.
The issue occurs when following [1]. When a configured system
tries to automatically enroll certificates it fails with the following
messages:
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'
[1] https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates-autoenrolment/
[ Where problems could occur ]
- * There is a very unlikely possibility that this fix will make cepces incompatible with "ancient" (pre-1.4) versions of python-cryptography, as this is where the "verify" method has been introduced. I don't think this is a concern, because probably there would be much more incompatibilities with a version over 8 years old.
- * Due to the fact that "verifier" has been deprecated for quite some time, I believe requiring version at least 37 with this patch (containing only "verify") would make sense in this case.
+ The fix is minimal, sourced from upstream, and has been uploaded to the
+ devel release (plucky).
+
+ The patch makes cepces incompatible with "ancient" (pre-1.4) versions of
+ python-cryptography, but this version is not present in any of the
+ affected series, and thus should present no danger of incompatibility.
[ Other Info ]
Original bug description:
This bug is opened to include the upstream patch by falencastro into the
Ubuntu release of python3-cepces
Upstream Bug report: https://github.com/openSUSE/cepces/issues/41
python-cryptography version 37.0.0 dropped the `signer` and `verifier`
methods, replacing them with `sign` and `verify`
(https://github.com/pyca/cryptography/blob/43.0.x/CHANGELOG.rst#3700---2022-04-26)
From upstream report:
1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center
OS: Ubuntu 24.04.1 LTS
Python: 3.12.3
python3-cepces: 0.3.7-0ubuntu1
python3-cryptography: 41.0.7-4ubuntu0.1
3) What you expected to happen:
AD enrolled systems can auto-fetch certificates from the server
4) What happened instead:
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'
PR with fix:
https://github.com/openSUSE/cepces/pull/42
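The API change behind the traceback above, shown as an added example (this is not cepces' code nor the upstream patch): certificate signature verification written against the current `verify` call, with the removed `verifier` form kept in a comment for comparison. The self-signed certificate and the "wrong issuer" key are constructed inline; the issuer key is assumed to be RSA with PKCS#1 v1.5 signatures, which is what the `_RSAPublicKey` in the error message implies.

```python
"""Verify an X.509 certificate signature with python-cryptography >= 37.

Added example, not code from cepces. It shows the replacement for the
removed ``_RSAPublicKey.verifier`` method: ``verify`` takes the signed
bytes as an extra parameter instead of using an update()/verify() object.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def legacy_verifier_available(public_key):
    """True on cryptography < 37, where ``verifier`` still exists.

    On 37+ this is False, which is exactly the condition that produced the
    AttributeError in the bug report.
    """
    return hasattr(public_key, "verifier")


def verify_certificate_signature(cert, issuer_public_key):
    """Return True if ``cert`` carries a valid signature by ``issuer_public_key``.

    Removed form (raises AttributeError on cryptography >= 37):

        verifier = issuer_public_key.verifier(
            cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm)
        verifier.update(cert.tbs_certificate_bytes)
        verifier.verify()

    Current form: one call, with the signed data (the TBS certificate bytes)
    passed as the additional positional parameter.
    """
    if not isinstance(issuer_public_key, rsa.RSAPublicKey):
        raise TypeError("this example only handles RSA issuer keys")
    try:
        issuer_public_key.verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False
    return True


def make_self_signed(common_name, key):
    """Build a short-lived self-signed certificate (constructed test data)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )


def demo():
    """Genuine issuer key verifies; an unrelated key does not."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = make_self_signed("Example Issuing CA (constructed)", ca_key)
    return {
        "genuine": verify_certificate_signature(cert, ca_key.public_key()),
        "wrong_issuer": verify_certificate_signature(cert, other_key.public_key()),
        "legacy_api_present": legacy_verifier_available(ca_key.public_key()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`verify` raises `InvalidSignature` rather than returning a value, so a caller that wants a boolean (as the function above does) has to catch that exception; letting it propagate is also a reasonable choice when a bad signature should abort enrolment outright.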
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2081751
Title:
python3-cepces calling deprecated method from cryptography
Status in python-cepces package in Ubuntu:
Confirmed
Status in python-cepces source package in Noble:
Confirmed
Status in python-cepces source package in Oracular:
Confirmed
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751/+subscriptions
More information about the Ubuntu-sponsors
mailing list