|
1 This patch is for the removal of PyCrypto dependency in Nova. It |
|
2 consists of the result of two upstream changesets, one of which added |
|
3 support for Paramiko 2.0 and the other which removed support for |
|
4 earlier Paramiko versions and with that, the PyCrypto dependency. |
|
5 |
|
6 This patch can be removed in post-Mitaka releases. |
|
7 |
|
8 commit 6b1293fd6f5bcb35f317f36c540f543b1192928c |
|
9 Author: Sean Dague <[email protected]> |
|
10 Date: Tue May 10 11:39:11 2016 -0400 |
|
11 |
|
12 Drop paramiko < 2 compat code |
|
13 |
|
14 This drops the paramiko < 2 compatibility code so we only need to |
|
15 support one major version. |
|
16 |
|
17 Depends-On: I2369638282b4fefccd8484a5039fcfa9795069a7 |
|
18 (global requirements change) |
|
19 |
|
20 Change-Id: Ife4df9e64299e1182d77d568d1deed5ec3b608b3 |
|
21 Closes-Bug: #1483132 |
|
22 |
|
23 commit c05b338f163e0bafbe564c6c7c593b819f2f2eac |
|
24 Author: Corey Wright <[email protected]> |
|
25 Date: Tue May 3 23:13:24 2016 -0500 |
|
26 |
|
27 crypto: Add support for Paramiko 2.x |
|
28 |
|
29 Only use PyCrypto/PyCryptodome work-around with Paramiko 1.x and use |
|
30 straight-forward Paramiko interface with 2.x. |
|
31 |
|
32 TODO: Revert this and PyCrypto/PyCryptodome work-around when Paramiko |
|
33 is upgraded to 2.x (ie replace `generate_keys(bits)` call with |
|
34 `paramiko.RSAKey.generate(bits)`). |
|
35 |
|
36 Change If88beeb3983705621fe736995939ac20b2daf1f3 added a work-around |
|
37 for the partially-PyCrypto-compatible PyCryptodome causing Paramiko, |
|
38 which has a dependency on PyCrypto, to break. This work-around |
|
39 entails implementing Paramiko internals (ie how to generate a key) in |
|
40 Nova in a way compatible with both PyCrypto and PyCryptodome. |
|
41 |
|
42 This work-around is itself a source of failure with Paramiko 2 which |
|
43 has replaced the PyCrypto requirement with the cryptography Python |
|
44 package. As Paramiko no longer depends on PyCrypto, Nova doesn't have |
|
45 an explicit PyCrypto requirement, and there's no implicit dependency |
|
46 on PyCrypto, when Nova tries to import PyCrypto it fails. Even if |
|
47 PyCrypto was installed, the work-around would still fail because the |
|
48 Paramiko interface that Nova is using as part of the work-around |
|
49 changed with the major version change (ie 1.x => 2.x). |
|
50 |
|
51 Change-Id: I5d6543e690a3b4495476027fd8a4894ff8c42bf6 |
|
52 Related-Bug: #1483132 |
|
53 |
|
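--- a/nova/crypto.py
+++ b/nova/crypto.py
@@ -26,7 +26,6 @@ import base64
 import binascii
 import os
 
-from Crypto.PublicKey import RSA
 from cryptography import exceptions
 from cryptography.hazmat import backends
 from cryptography.hazmat.primitives.asymmetric import padding
@@ -162,27 +161,8 @@ def generate_x509_fingerprint(pem_key):
 'Error message: %s') % ex)
 
 
-def generate_key(bits):
- """Generate a paramiko RSAKey"""
- # NOTE(dims): pycryptodome has changed the signature of the RSA.generate
- # call. specifically progress_func has been dropped. paramiko still uses
- # pycrypto. However some projects like latest pysaml2 have switched from
- # pycrypto to pycryptodome as pycrypto seems to have been abandoned.
- # paramiko project has started transition to pycryptodome as well but
- # there is no release yet with that support. So at the moment depending on
- # which version of pysaml2 is installed, Nova is likely to break. So we
- # call "RSA.generate(bits)" which works on both pycrypto and pycryptodome
- # and then wrap it into a paramiko.RSAKey
- rsa = RSA.generate(bits)
- key = paramiko.RSAKey(vals=(rsa.e, rsa.n))
- key.d = rsa.d
- key.p = rsa.p
- key.q = rsa.q
- return key
-
-
 def generate_key_pair(bits=2048):
- key = generate_key(bits)
+ key = paramiko.RSAKey.generate(bits)
 keyout = six.StringIO()
 key.write_private_key(keyout)
 private_key = keyout.getvalue()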
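Review bot: `generate_key_pair(bits=2048)` passes `bits` straight to `paramiko.RSAKey.generate(bits)` with no lower bound visible in this hunk, so a caller that supplies a small value would get a weak RSA key. If the callers do not already validate the size, a floor at the top of the function would close that gap, for example `if bits < 2048: raise ValueError("RSA key size too small")`; whether 2048 is the right floor depends on what the keypair API already accepts. Since `from Crypto.PublicKey import RSA` is removed, it is also worth confirming that no other reference to `RSA` remains in nova/crypto.py, because the rest of the module is outside the hunk. The body of `generate_key_pair` continues past the last line shown.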
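--- a/nova/tests/unit/test_crypto.py
+++ b/nova/tests/unit/test_crypto.py
@@ -362,7 +362,7 @@ class KeyPairTest(test.NoDBTestCase):
 keyin.seek(0)
 key = paramiko.RSAKey.from_private_key(keyin)
 
- with mock.patch.object(crypto, 'generate_key') as mock_generate:
+ with mock.patch.object(paramiko.RSAKey, 'generate') as mock_generate:
 mock_generate.return_value = key
 (private_key, public_key, fingerprint) = crypto.generate_key_pair()
 self.assertEqual(self.rsa_pub, public_key)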
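Review bot: The test replaces `paramiko.RSAKey.generate` with a mock but, in the lines shown, never checks what it was called with, so a regression in the default key size would go unnoticed. Adding `mock_generate.assert_called_once_with(2048)` inside the `with` block, after the `crypto.generate_key_pair()` call, would pin the default from `generate_key_pair(bits=2048)`. The test method starts and ends outside this hunk, so an equivalent assertion may already exist below.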
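--- a/requirements.txt
+++ b/requirements.txt
@@ -13,7 +13,6 @@ lxml>=2.3 # BSD
 Routes!=2.0,!=2.1,!=2.3.0,>=1.12.3;python_version=='2.7' # MIT
 Routes!=2.0,!=2.3.0,>=1.12.3;python_version!='2.7' # MIT
 cryptography!=1.3.0,>=1.0 # BSD/Apache-2.0
-pycrypto>=2.6 # Public Domain
 WebOb>=1.2.3 # MIT
 greenlet>=0.3.2 # MIT
 PasteDeploy>=1.5.0 # MIT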
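Review bot: Dropping `pycrypto>=2.6` only removes PyCrypto from the install if the `paramiko` requirement has a floor of 2.0, and no paramiko line is visible in this hunk. According to the commit message, Paramiko 1.x depends on PyCrypto, so an environment that still resolves to 1.x would pull it back in transitively. The commit message defers this to a separate global-requirements change. It is worth confirming that the paramiko entry elsewhere in this file reads `paramiko>=2.0`, and that the packaged environment does not ship an older Paramiko.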