components/openstack/nova/patches/09-remove-pycrypto.patch
changeset 6854 52081f923019
6853:cf1567491b1b 6854:52081f923019
       
     1 This patch is for the removal of PyCrypto dependency in Nova. It
       
     2 consists of the result of two upstream changesets, one of which added
       
     3 support for Paramiko 2.0 and the other which removed support for
       
     4 earlier Paramiko versions and with that, the PyCrypto dependency.
       
     5 
       
     6 This patch can be removed in post-Mitaka releases.
       
     7 
       
     8 commit 6b1293fd6f5bcb35f317f36c540f543b1192928c
       
     9 Author: Sean Dague <[email protected]>
       
    10 Date:   Tue May 10 11:39:11 2016 -0400
       
    11 
       
    12     Drop paramiko < 2 compat code
       
    13     
       
    14     This drops the paramiko < 2 compatibility code so we only need to
       
    15     support one major version.
       
    16     
       
    17     Depends-On: I2369638282b4fefccd8484a5039fcfa9795069a7
       
    18     (global requirements change)
       
    19     
       
    20     Change-Id: Ife4df9e64299e1182d77d568d1deed5ec3b608b3
       
    21     Closes-Bug: #1483132
       
    22 
       
    23 commit c05b338f163e0bafbe564c6c7c593b819f2f2eac
       
    24 Author: Corey Wright <[email protected]>
       
    25 Date:   Tue May 3 23:13:24 2016 -0500
       
    26 
       
    27     crypto: Add support for Paramiko 2.x
       
    28     
       
    29     Only use PyCrypto/PyCryptodome work-around with Paramiko 1.x and use
       
    30     straight-forward Paramiko interface with 2.x.
       
    31     
       
    32     TODO: Revert this and PyCrypto/PyCryptodome work-around when Paramiko
       
    33     is upgraded to 2.x (ie replace `generate_keys(bits)` call with
       
    34     `paramiko.RSAKey.generate(bits)`).
       
    35     
       
    36     Change If88beeb3983705621fe736995939ac20b2daf1f3 added a work-around
       
    37     for the partially-PyCrypto-compatible PyCryptodome causing Paramiko,
       
    38     which has a dependency on PyCrypto, to break.  This work-around
       
    39     entails implementing Paramiko internals (ie how to generate a key) in
       
    40     Nova in a way compatible with both PyCrypto and PyCryptodome.
       
    41     
       
    42     This work-around is itself a source of failure with Paramiko 2 which
       
    43     has replaced the PyCrypto requirement with the cryptography Python
       
    44     package.  As Paramiko no longer depends on PyCrypto, Nova doesn't have
       
    45     an explicit PyCrypto requirement, and there's no implicit dependency
       
    46     on PyCrypto, when Nova tries to import PyCrypto it fails.  Even if
       
    47     PyCrypto was installed, the work-around would still fail because the
       
    48     Paramiko interface that Nova is using as part of the work-around
       
    49     changed with the major version change (ie 1.x => 2.x).
       
    50     
       
    51     Change-Id: I5d6543e690a3b4495476027fd8a4894ff8c42bf6
       
    52     Related-Bug: #1483132
       
    53 
       
    54 --- nova-13.1.0/nova/crypto.py.~1~	2016-06-14 08:45:49.000000000 -0700
       
    55 +++ nova-13.1.0/nova/crypto.py	2016-07-06 18:28:56.554038265 -0700
       
    56 @@ -26,7 +26,6 @@ import base64
       
    57  import binascii
       
    58  import os
       
    59  
       
    60 -from Crypto.PublicKey import RSA
       
    61  from cryptography import exceptions
       
    62  from cryptography.hazmat import backends
       
    63  from cryptography.hazmat.primitives.asymmetric import padding
       
    64 @@ -162,27 +161,8 @@ def generate_x509_fingerprint(pem_key):
       
    65                       'Error message: %s') % ex)
       
    66  
       
    67  
       
    68 -def generate_key(bits):
       
    69 -    """Generate a paramiko RSAKey"""
       
    70 -    # NOTE(dims): pycryptodome has changed the signature of the RSA.generate
       
    71 -    # call. specifically progress_func has been dropped. paramiko still uses
       
    72 -    # pycrypto. However some projects like latest pysaml2 have switched from
       
    73 -    # pycrypto to pycryptodome as pycrypto seems to have been abandoned.
       
    74 -    # paramiko project has started transition to pycryptodome as well but
       
    75 -    # there is no release yet with that support. So at the moment depending on
       
    76 -    # which version of pysaml2 is installed, Nova is likely to break. So we
       
    77 -    # call "RSA.generate(bits)" which works on both pycrypto and pycryptodome
       
    78 -    # and then wrap it into a paramiko.RSAKey
       
    79 -    rsa = RSA.generate(bits)
       
    80 -    key = paramiko.RSAKey(vals=(rsa.e, rsa.n))
       
    81 -    key.d = rsa.d
       
    82 -    key.p = rsa.p
       
    83 -    key.q = rsa.q
       
    84 -    return key
       
    85 -
       
    86 -
       
    87  def generate_key_pair(bits=2048):
       
    88 -    key = generate_key(bits)
       
    89 +    key = paramiko.RSAKey.generate(bits)
       
    90      keyout = six.StringIO()
       
    91      key.write_private_key(keyout)
       
    92      private_key = keyout.getvalue()
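Review bot: `generate_key` is deleted as a module-level function in this hunk, and the only caller updated in this patch is the unit test, so any other code that still references `crypto.generate_key` will fail with an AttributeError at call time. A tree-wide search for `generate_key(` should be done before this lands. Separately, `bits` goes straight from `generate_key_pair(bits=2048)` into `paramiko.RSAKey.generate(bits)` with no lower bound; if any caller can supply the value, a minimum key size check in `generate_key_pair` would be worth adding while this function is being touched.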
       
    93 --- nova-13.1.0/nova/tests/unit/test_crypto.py.~1~	2016-06-14 08:45:49.000000000 -0700
       
    94 +++ nova-13.1.0/nova/tests/unit/test_crypto.py	2016-07-06 18:28:56.554545025 -0700
       
    95 @@ -362,7 +362,7 @@ class KeyPairTest(test.NoDBTestCase):
       
    96          keyin.seek(0)
       
    97          key = paramiko.RSAKey.from_private_key(keyin)
       
    98  
       
    99 -        with mock.patch.object(crypto, 'generate_key') as mock_generate:
       
   100 +        with mock.patch.object(paramiko.RSAKey, 'generate') as mock_generate:
       
   101              mock_generate.return_value = key
       
   102              (private_key, public_key, fingerprint) = crypto.generate_key_pair()
       
   103              self.assertEqual(self.rsa_pub, public_key)
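Review bot: the mock on `paramiko.RSAKey.generate` is given a return value, but nothing in the visible lines checks how it was called, so the test would still pass if `generate_key_pair` stopped forwarding the key size. Adding `mock_generate.assert_called_once_with(2048)` after the `crypto.generate_key_pair()` call would pin the default size the function is expected to request.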
       
   104 --- nova-13.1.0/requirements.txt.~2~	2016-07-06 18:28:56.409131200 -0700
       
   105 +++ nova-13.1.0/requirements.txt	2016-07-06 18:28:56.555735710 -0700
       
   106 @@ -13,7 +13,6 @@ lxml>=2.3 # BSD
       
   107  Routes!=2.0,!=2.1,!=2.3.0,>=1.12.3;python_version=='2.7' # MIT
       
   108  Routes!=2.0,!=2.3.0,>=1.12.3;python_version!='2.7' # MIT
       
   109  cryptography!=1.3.0,>=1.0 # BSD/Apache-2.0
       
   110 -pycrypto>=2.6 # Public Domain
       
   111  WebOb>=1.2.3 # MIT
       
   112  greenlet>=0.3.2 # MIT
       
   113  PasteDeploy>=1.5.0 # MIT