Fix broken pcsclient command with latest pyOpenSSL and use more pycryptography#492
Open
berrange wants to merge 4 commits into intel:main from
Conversation
pyopenssl 24.3.0 removed the CRL object and its related methods. pccsadmin was already using the pycryptography CRL object for the verification task, so fully switch to using it for loading the CRL to begin with.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
pyopenssl docs are indicating that the 'crypto' module is liable to see further deprecation, suggesting use of pycryptography instead. pccsadmin code already uses pycryptography for CRLs, so extend this to use it for loading certificates too. They are converted back to pyopenssl objects for verification.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The only part of pcsclient that still needs pyopenssl is certificate verification. As of pycryptography 45.0.0, there are sufficient APIs available to replace the remaining usage of pyopenssl. Since new pycryptography is still not widely available in distros, keep the pyopenssl code as a fallback.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
RHEL does not ship pyopenssl; however, the pycryptography that is included is also too old to support certificate verification. Add a further fallback that can invoke the 'openssl' command line tool to verify certificates.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The pyOpenSSL release 24.3.0 has deleted all the CRL API functionality from its codebase. Their recommendation is to use the equivalent APIs from pycryptography. pcsclient is already using pycryptography to do the CRL verification, but was using pyOpenSSL to load the CRL and is thus broken on modern distros.
Furthermore, pyOpenSSL docs indicate that they're considering deprecating the entire 'crypto' module, again with the recommendation to use pycryptography instead.
This set of patches does the following
This was previously submitted as #481 for pccsadmin, but since that was split out into a separate git repository it doesn't use crypto code anymore. The new pcsclient tool, however, uses the same crypto logic as old pccsadmin, hence this new PR.
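Added example, not code from this PR or the project: the pyOpenSSL-free CRL path the description refers to, loading and checking a CRL with only the `cryptography` package (called pycryptography above). The `load_crl` and `is_revoked` helpers and the in-memory CA, leaf certificates and CRL are constructed here for illustration so the snippet runs offline.

```python
# Replaces OpenSSL.crypto.load_crl() (removed in pyOpenSSL 24.3.0) with the
# cryptography package, then verifies the CRL and checks a serial against it.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def load_crl(data: bytes) -> x509.CertificateRevocationList:
    """Accept PEM or DER input, as the old pyOpenSSL loader did with a type flag."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return x509.load_pem_x509_crl(data)
    return x509.load_der_x509_crl(data)

def is_revoked(crl: x509.CertificateRevocationList, issuer_cert: x509.Certificate,
               cert: x509.Certificate) -> bool:
    """True if cert's serial is listed in a CRL that issuer_cert actually signed."""
    if not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuer certificate")
    if crl.issuer != cert.issuer:
        raise ValueError("CRL issuer does not match the certificate issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

def _make_fixture():
    """Constructed test data: an in-memory CA, two leaf certs and a CRL revoking one."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    def issue(cn, pubkey, serial):
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
        return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name)
                .public_key(pubkey).serial_number(serial)
                .not_valid_before(now - datetime.timedelta(days=1))
                .not_valid_after(now + datetime.timedelta(days=30))
                .sign(ca_key, hashes.SHA256()))
    ca_cert = issue("Example CA", ca_key.public_key(), 1)
    good = issue("good-leaf", ec.generate_private_key(ec.SECP256R1()).public_key(), 2)
    bad = issue("revoked-leaf", ec.generate_private_key(ec.SECP256R1()).public_key(), 3)
    revoked = (x509.RevokedCertificateBuilder().serial_number(bad.serial_number)
               .revocation_date(now).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(now).next_update(now + datetime.timedelta(days=7))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca_cert, good, bad, crl.public_bytes(serialization.Encoding.PEM)

def demo():
    """Returns (good_is_revoked, bad_is_revoked) for the constructed fixture."""
    ca_cert, good, bad, crl_pem = _make_fixture()
    crl = load_crl(crl_pem)
    return is_revoked(crl, ca_cert, good), is_revoked(crl, ca_cert, bad)
```

The signature check matters: a CRL fetched over the network must be bound to the expected issuer before its revocation entries are trusted.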