[Bug 2081751] Re: python3-cepces calling deprecated method from cryptography
Dariusz Gadomski
2081751 at bugs.launchpad.net
Thu Nov 14 13:53:10 UTC 2024
** Description changed:
[ Impact ]
+ * This prevents the AD certificate auto-entrollment from working. Certificates will not be automatically enrolled from a AD controller to an Ubuntu client machine. Errors will be logged in the journal of the attempts.
* python3-cepces has been using _RSAPublicKey.verifier from python3-cryptography. This method has been marked deprecated for a few years now, but recently (in version 37) has been completely removed.
* Updating system to a 37+ version of python3-cryptography will cause trouble due to cepces trying to call the removed method.
* The new API to use is _RSAPublicKey.verify, which takes one extra parameter.
* Versions prior to Noble still have cryptography with the .verifier method.
[ Test Plan ]
I was looking for a shorter way, but apparently cepces test suite does
not cover this case and testing requires a AD controler.
- The issue happens occurs when following [1]. When a configured system
- tries to automatically enroll certificates it fails with the following
- messages:
+ 1. Configure a Windows AD controller to support certificate auto entrollment [1].
+ 2. Connect an ubuntu client to join the AD by following (either during installation or manually).
+ 3. Update policies with:
+ sudo adsysctl update -m -v
+ 4. Get certificate list:
+ sudo getcert list
+ 5. Check certmonger log for issues.
+ 6. Install the -proposed version of python3-cepces (enable -proposed if needed [2])
+ 7. Re-run steps 3 & 4.
+
+ Expected result:
+ All the certificate should be auto-entrolled with no errors.
+
+ Actual result (with affected version):
+ `journal -u certmonger` contains errors:
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'
- [1]
- https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates-
- autoenrolment/
+ [1] https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates-autoenrolment/#configure-the-auto-enrolment-policy
+ [2] https://wiki.ubuntu.com/Testing/EnableProposed
[ Where problems could occur ]
The fix is minimal, sourced from upstream, and has been uploaded to the
devel release (plucky).
The patch makes cepces incompatible with "ancient" (pre-1.4) versions of
python-cryptography, but this version is not present in any of the
affected series, and thus should present no danger of incompatibility.
[ Other Info ]
Original bug description:
This bug is opened to include the upstream patch by falencastro into the
Ubuntu release of python3-cepces
Upstream Bug report: https://github.com/openSUSE/cepces/issues/41
python-cryptography version 37.0.0 dropped the `signer` and `verifier`
methods, replacing them with `sign` and `verify`
(https://github.com/pyca/cryptography/blob/43.0.x/CHANGELOG.rst#3700---
2022-04-26)
From upstream report:
1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center
OS: Ubuntu 24.04.1 LTS
Python: 3.12.3
python3-cepces: 0.3.7-0ubuntu1
python3-cryptography: 41.0.7-4ubuntu0.1
3) What you expected to happen:
AD enrolled systems can auto-fetch certificates from the server
4) What happened instead:
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'
PR with fix:
https://github.com/openSUSE/cepces/pull/42
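Review bot: The added "Actual result" line of the test plan gives the log command as `journal -u certmonger`, which is not a command; the systemd journal is read with `journalctl`, so the line should say `journalctl -u certmonger`, otherwise a tester copying it cannot reproduce the check. Added step 2 also reads "by following (either during installation or manually)" with nothing after "following", so the reference it points to needs to be filled in.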
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2081751
Title:
python3-cepces calling deprecated method from cryptography
Status in python-cepces package in Ubuntu:
Fix Released
Status in python-cepces source package in Noble:
Confirmed
Status in python-cepces source package in Oracular:
Confirmed
Bug description:
[ Impact ]
* This prevents the AD certificate auto-enrollment from working. Certificates will not be automatically enrolled from an AD controller to an Ubuntu client machine. Errors will be logged in the journal of the attempts.
* python3-cepces has been using _RSAPublicKey.verifier from python3-cryptography. This method has been marked deprecated for a few years now, but recently (in version 37) has been completely removed.
* Updating system to a 37+ version of python3-cryptography will cause trouble due to cepces trying to call the removed method.
* The new API to use is _RSAPublicKey.verify, which takes one extra parameter.
* Versions prior to Noble still have cryptography with the .verifier method.
[ Test Plan ]
I was looking for a shorter way, but apparently the cepces test suite does
not cover this case and testing requires an AD controller.
1. Configure a Windows AD controller to support certificate auto-enrollment [1].
2. Connect an Ubuntu client to join the AD by following (either during installation or manually).
3. Update policies with:
sudo adsysctl update -m -v
4. Get certificate list:
sudo getcert list
5. Check certmonger log for issues.
6. Install the -proposed version of python3-cepces (enable -proposed if needed [2])
7. Re-run steps 3 & 4.
Expected result:
All the certificates should be auto-enrolled with no errors.
Actual result (with affected version):
`journalctl -u certmonger` contains errors:
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'
[1] https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates-autoenrolment/#configure-the-auto-enrolment-policy
[2] https://wiki.ubuntu.com/Testing/EnableProposed
[ Where problems could occur ]
The fix is minimal, sourced from upstream, and has been uploaded to
the devel release (plucky).
The patch makes cepces incompatible with "ancient" (pre-1.4) versions
of python-cryptography, but this version is not present in any of the
affected series, and thus should present no danger of incompatibility.
[ Other Info ]
Original bug description:
This bug is opened to include the upstream patch by falencastro into
the Ubuntu release of python3-cepces
Upstream Bug report: https://github.com/openSUSE/cepces/issues/41
python-cryptography version 37.0.0 dropped the `signer` and `verifier`
methods, replacing them with `sign` and `verify`
(https://github.com/pyca/cryptography/blob/43.0.x/CHANGELOG.rst#3700---2022-04-26)
From upstream report:
1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center
OS: Ubuntu 24.04.1 LTS
Python: 3.12.3
python3-cepces: 0.3.7-0ubuntu1
python3-cryptography: 41.0.7-4ubuntu0.1
3) What you expected to happen:
AD enrolled systems can auto-fetch certificates from the server
4) What happened instead:
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'
PR with fix:
https://github.com/openSUSE/cepces/pull/42
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751/+subscriptions