[Bug 2081751] Re: python3-cepces calling deprecated method from cryptography

Lukas Märdian 2081751 at bugs.launchpad.net
Tue Nov 19 16:12:31 UTC 2024


Thank you for updating the SRU template (bug description)!

I've reviewed the Oracular & Noble patches, they're matching what we
have in Plucky and what is provided upstream. Changes seem reasonable.

I fixed some style issues in the debdiff (whitespace, typos) and adopted
the version string:

* the SRU is not a full backport of what we have in Plucky, due to specific versioned depends on "python3-cryptography (>= 37.0.0)" (that version of python-cryptography is available in Oracular & Noble, though).
* therefore we shouldn't use the "-0ubuntu2.24.04.1" suffix ("-0ubuntu2~22.04.1", would work as that is smaller than the Plucky version)
* But I rather chose to use 0.3.7-0ubuntu1.24.04.1 (and 0.3.7-0ubuntu1.24.10.1) to indicate it being independent SRUs, carrying changes in debian/control

Sponsored into the Oracular & Noble UNAPPROVED queues for SRU review.

I'm unsubscribing ~ubuntu-sponsors, please re-subscribe if you need
another sponsor.

** Changed in: python-cepces (Ubuntu Noble)
       Status: Confirmed => In Progress

** Changed in: python-cepces (Ubuntu Oracular)
       Status: Confirmed => In Progress

https://bugs.launchpad.net/bugs/2081751

Title:
  python3-cepces calling deprecated method from cryptography

Status in python-cepces package in Ubuntu:
  Fix Released
Status in python-cepces source package in Noble:
  In Progress
Status in python-cepces source package in Oracular:
  In Progress

Bug description:
  [ Impact ]

  * This prevents the AD certificate auto-enrollment from working. Certificates will not be automatically enrolled from an AD controller to an Ubuntu client machine. Errors will be logged in the journal of the attempts.
  * python3-cepces has been using _RSAPublicKey.verifier from python3-cryptography. This method has been marked deprecated for a few years now, but recently (in version 37) has been completely removed.
  * Updating the system to a 37+ version of python3-cryptography will cause trouble due to cepces trying to call the removed method.
  * The new API to use is _RSAPublicKey.verify, which takes one extra parameter.
  * Versions prior to Noble still have cryptography with the .verifier method.

  [ Test Plan ]

  I was looking for a shorter way, but apparently cepces test suite does
  not cover this case and testing requires an AD controller.

  1. Configure a Windows AD controller to support certificate auto enrollment [1].
  2. Connect an Ubuntu client to join the AD by following (either during installation or manually).
  3. Update policies with:
  sudo adsysctl update -m -v
  4. Get certificate list:
  sudo getcert list
  5. Check certmonger log for issues.
  6. Install the -proposed version of python3-cepces (enable -proposed if needed [2])
  7. Re-run steps 3 & 4.

  Expected result:
  All the certificates should be auto-enrolled with no errors.

  Actual result (with affected version):
  `journalctl -u certmonger` contains errors:

  Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     verifier = issuer_public_key.verifier(
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                ^^^^^^^^^^^^^^^^^^^^^^^^^^
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'

  [1] https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates-autoenrolment/#configure-the-auto-enrolment-policy
  [2] https://wiki.ubuntu.com/Testing/EnableProposed

  [ Where problems could occur ]

  The fix is minimal, sourced from upstream, and has been uploaded to
  the devel release (plucky).

  The patch makes cepces incompatible with "ancient" (pre-1.4) versions
  of python-cryptography, but this version is not present in any of the
  affected series, and thus should present no danger of incompatibility.

  [ Other Info ]

  Original bug description:

  This bug is opened to include the upstream patch by falencastro into
  the Ubuntu release of python3-cepces

  Upstream Bug report: https://github.com/openSUSE/cepces/issues/41

  python-cryptography version 37.0.0 dropped the `signer` and `verifier`
  methods, replacing them with `sign` and `verify`
  (https://github.com/pyca/cryptography/blob/43.0.x/CHANGELOG.rst#3700---2022-04-26)
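  An added example (not cepces' own code nor part of this bug report) of the replacement call described in the Impact section and above: a hypothetical `verify_certificate_signature`, modelled on what cepces' `_verify_certificate_signature` has to do, uses `RSAPublicKey.verify()` instead of the removed `.verifier()`, and `make_self_signed` builds a constructed throwaway certificate so it runs offline. It assumes python3-cryptography >= 1.4 is installed (the version that introduced `verify()`).

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def verify_certificate_signature(cert, issuer_cert):
    """Return True if `cert` carries a valid RSA signature from `issuer_cert`'s key.

    The removed (cryptography < 37) pattern that cepces used was:
        verifier = pub.verifier(cert.signature, padding.PKCS1v15(), cert.signature_hash_algorithm)
        verifier.update(cert.tbs_certificate_bytes)
        verifier.verify()
    verify() folds this into one call whose extra parameter is the signed data.
    """
    pub = issuer_cert.public_key()
    if not isinstance(pub, rsa.RSAPublicKey):
        raise TypeError("issuer public key is not RSA")
    try:
        pub.verify(
            cert.signature,                 # signature bytes from the certificate
            cert.tbs_certificate_bytes,     # the signed "to-be-signed" DER portion
            padding.PKCS1v15(),             # PKCS#1 v1.5, as used by RSA X.509 certs
            cert.signature_hash_algorithm,  # hash named in the cert's signatureAlgorithm
        )
    except InvalidSignature:
        return False
    return True


def make_self_signed(common_name):
    """Constructed fixture (not real AD data): throwaway RSA key + self-signed cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
```

  A certificate checked against a different issuer's key returns False via `InvalidSignature` rather than raising, which is the behaviour a caller like certmonger's enrollment path wants to branch on.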

  From upstream report:

  1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
  2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center

  OS:                     Ubuntu 24.04.1 LTS
  Python:                 3.12.3
  python3-cepces:         0.3.7-0ubuntu1
  python3-cryptography:   41.0.7-4ubuntu0.1

  3) What you expected to happen:

  AD enrolled systems can auto-fetch certificates from the server

  4) What happened instead:

  Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     verifier = issuer_public_key.verifier(
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                ^^^^^^^^^^^^^^^^^^^^^^^^^^
  Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'

  PR with fix:
  https://github.com/openSUSE/cepces/pull/42
