[Bug 2081751] Re: python3-cepces calling deprecated method from cryptography
Dariusz Gadomski
2081751 at bugs.launchpad.net
Tue Oct 22 09:15:37 UTC 2024
updated fix proposal for oracular
** Patch removed: "noble.debdiff"
https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751/+attachment/5823764/+files/noble.debdiff
** Patch removed: "oracular.debdiff"
https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751/+attachment/5823763/+files/oracular.debdiff
** Patch added: "oracular.debdiff"
https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751/+attachment/5830668/+files/oracular.debdiff
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2081751
Title:
python3-cepces calling deprecated method from cryptography
Status in python-cepces package in Ubuntu:
Confirmed
Status in python-cepces source package in Noble:
New
Status in python-cepces source package in Oracular:
New
Bug description:
[ Impact ]
* python3-cepces has been using _RSAPublicKey.verifier from python3-cryptography. This method has been marked deprecated for a few years now, but recently (in version 37) has been completely removed.
* Updating system to a 37+ version of python3-cryptography will cause trouble due to cepces trying to call the removed method.
* The new API to use is _RSAPublicKey.verify, which takes one extra parameter.
* Versions prior to Noble still have cryptography with the .verifier method.
[ Test Plan ]
I was looking for a shorter way, but apparently cepces test suite does
not cover this case and testing requires a AD controler.
The issue happens occurs when following [1]. When a configured system
tries to automatically enroll certificates it fails with the following
messages:
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'
[1]
https://documentation.ubuntu.com/adsys/en/stable/tutorial/certificates-
autoenrolment/
[ Where problems could occur ]
* There is a very unlikely possibility that this fix will make cepces incompatible with "ancient" (pre-1.4) versions of python-cryptography, as this is where the "verify" method has been introduced. I don't think this is a concern, because probably there would be much more incompatibilities with a version over 8 years old.
* Due to the fact that "verifier" has been deprecated for quite some time, I believe requiring version at least 37 with this patch (containing only "verify") would make sense in this case.
[ Other Info ]
Original bug description:
This bug is opened to include the upstream patch by falencastro into
the Ubuntu release of python3-cepces
Upstream Bug report: https://github.com/openSUSE/cepces/issues/41
python-cryptography version 37.0.0 dropped the `signer` and `verifier`
methods, replacing them with `sign` and `verify`
(https://github.com/pyca/cryptography/blob/43.0.x/CHANGELOG.rst#3700
---2022-04-26)
From upstream report:
1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu
2) The version of the package you are using, via 'apt-cache policy pkgname' or by checking in Software Center
OS: Ubuntu 24.04.1 LTS
Python: 3.12.3
python3-cepces: 0.3.7-0ubuntu1
python3-cryptography: 41.0.7-4ubuntu0.1
3) What you expected to happen:
AD enrolled systems can auto-fetch certificates from the server
4) What happened instead:
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'
PR with fix:
https://github.com/openSUSE/cepces/pull/42
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-cepces/+bug/2081751/+subscriptions
More information about the Ubuntu-sponsors
mailing list