[Bug 2081751] Re: python3-cepces calling deprecated method from cryptography
Launchpad Bug Tracker
2081751 at bugs.launchpad.net
Mon Nov 11 19:36:13 UTC 2024
This bug was fixed in the package python-cepces - 0.3.7-0ubuntu2
---------------
python-cepces (0.3.7-0ubuntu2) plucky; urgency=medium
* d/p/lp2081751-replace-verifier-with-verify.patch (LP: #2081751)
- Replaces RSAPublicKey.verifier with RSAPublicKey.verify call
-- Dariusz Gadomski <dgadomski at ubuntu.com> Tue, 22 Oct 2024 11:11:55
+0200
** Changed in: python-cepces (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2081751
Title:
python3-cepces calling deprecated method from cryptography
Status in python-cepces package in Ubuntu:
Fix Released
Status in python-cepces source package in Noble:
Confirmed
Status in python-cepces source package in Oracular:
Confirmed
Bug description:
[ Impact ]
* python3-cepces has been using _RSAPublicKey.verifier from python3-cryptography. This method has been marked deprecated for a few years now, but recently (in version 37) has been completely removed.
* Updating system to a 37+ version of python3-cryptography will cause trouble due to cepces trying to call the removed method.
* The new API to use is _RSAPublicKey.verify, which takes one extra parameter.
* Versions prior to Noble still have cryptography with the .verifier method.
[ Test Plan ]
I was looking for a shorter way, but apparently cepces test suite does
not cover this case and testing requires a AD controler.
The issue happens occurs when following [1]. When a configured system
tries to automatically enroll certificates it fails with the following
messages:
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'
[1]
https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates-
autoenrolment/
[ Where problems could occur ]
The fix is minimal, sourced from upstream, and has been uploaded to
the devel release (plucky).
The patch makes cepces incompatible with "ancient" (pre-1.4) versions
of python-cryptography, but this version is not present in any of the
affected series, and thus should present no danger of incompatibility.
[ Other Info ]
Original bug description:
This bug is opened to include the upstream patch by falencastro into
the Ubuntu release of python3-cepces
Upstream Bug report: https://github.com/openSUSE/cepces/issues/41
python-cryptography version 37.0.0 dropped the `signer` and `verifier`
methods, replacing them with `sign` and `verify`
(https://github.com/pyca/cryptography/blob/43.0.x/CHANGELOG.rst#3700
---2022-04-26)
From upstream report:
1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center
OS: Ubuntu 24.04.1 LTS
Python: 3.12.3
python3-cepces: 0.3.7-0ubuntu1
python3-cryptography: 41.0.7-4ubuntu0.1
3) What you expected to happen:
AD enrolled systems can auto-fetch certificates from the server
4) What happened instead:
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'
PR with fix:
https://github.com/openSUSE/cepces/pull/42
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751/+subscriptions
More information about the Ubuntu-sponsors
mailing list