Build fails with Python 3.13 and python3-cryptography 43.0.0 #228
Hi Muite.
Unfortunately, I no longer actively maintain the library (sewer). Your best
bet would either be to use an alternative library, or fork sewer and fix
the bug. Apologies.
Thanks,
Komu.
https://www.komu.engineer/about
On Sun, 3 Nov 2024 at 07:36, Benson Muite ***@***.***> wrote:
Which version of python are you using?
3.13
What operating system and version of operating system are you using?
Fedora Rawhide (42)
What version of sewer are you using?
Current release
What did you do? (be as detailed as you can)
Tried to import installed package
What did you expect to see/happen/not happen?
Expected import to work ok
What did you actually see/happen?
AttributeError: module 'cryptography.hazmat.backends.openssl' has no
attribute 'rsa'
Paste here the log output generated by sewer, if any. Please remember to
remove any sensitive items from the log before pasting here. If you can,
run sewer with loglevel set to debug; eg sewer --loglevel DEBUG
Alternatively if you want to contribute to this repo, answer these questions
instead in your issue:
What is it that you would like to propose to add/remove/change?
It seems a private API has been used:
pyca/cryptography#11147
Why do you want to add/remove/change that? How do you want to go about
adding/removing/changing that?
|
Thanks. |
@bkmgit Although I haven't done much to the codebase since 2020, I still use sewer, so I have some interest in seeing this fixed before cryptography's changes hit me. I've taken a look at it and it seems like it will be a pretty easy fix, but I need a tester who's using a more recent cryptography package. Are you still interested in sewer or have you moved on? And if the latter, where to? :-) |
@mmaney Ok, will make a pull request to fix these issues. If you can test, that would be great. |
On Tue, Nov 12, 2024 at 04:54:45AM -0800, Benson Muite wrote:
@mmaney Ok, will make a pull request to fix these issues. If you can test, that would be great.
First cut - got rid of openssl and a few related (default_backend(),
mostly). Some mypy-driven cleanups as well, as this file at least is
well-enough annotated for it to show up some things I might have
overlooked (default_backend for one).
NB: untested! I have to relearn how all this github stuff works... at
least my account can still login despite four years of their changes. :-/
In fact, you're the one who needs to test it against the updated
cryptography package. My motivation for sewer isn't high enough right
now to mess with setting up an updated testing environment.
From 9b335c3 Mon Sep 17 00:00:00 2001
From: Martin Maney ***@***.***>
Date: Tue, 12 Nov 2024 10:58:40 -0600
Subject: [PATCH] crypto-cleanup - first pass, got rid of openssl and some
obsolete comments, etc.
…---
sewer/crypto.py | 25 ++++++++-----------------
1 file changed, 8 insertions(+), 17 deletions(-)
diff --git a/sewer/crypto.py b/sewer/crypto.py
index 42ecb2b..2b6abaa 100644
--- a/sewer/crypto.py
+++ b/sewer/crypto.py
@@ -10,7 +10,6 @@ from cryptography.hazmat.primitives.serialization import (
NoEncryption,
PrivateFormat,
)
-from cryptography.hazmat.backends import default_backend, openssl
from typing import Any, Callable, Dict, List, Optional, Tuple, Union
@@ -34,25 +33,17 @@ class AcmeKidError(AcmeKeyError):
### types for things defined here
-### FIX ME ### what can we use for XxxKeyType? [[ not vital, just tightens up typing ]]
-
-# RsaKeyType = openssl.rsa._RSAPrivateKey
-# EcKeyType = openssl.ec._EllipticCurvePrivateKey
-# AcmeKeyType = Union[RsaKeyType, EcKeyType]
-
-# and why does this [seem] to work?
-PrivateKeyType = Union[openssl.rsa._RSAPrivateKey, openssl.ec._EllipticCurvePrivateKey]
+PrivateKeyType = Union[rsa.RSAPrivateKey, ec.EllipticCurvePrivateKey]
### low level key type table
-
class KeyDesc:
def __init__(
self,
type_name: str,
generate: Callable,
- gen_arg,
+ gen_arg: Union[int, ec.EllipticCurve],
pk_type,
sign: Callable,
sign_kwargs: Dict[str, Any],
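Review bot: `pk_type`, on the line right after the newly annotated `gen_arg`, is still untyped, and no hunk in this patch touches the `key_table` entries that supply it. Since `kd.match(pk)` further down selects a descriptor for the loaded key, confirm that every entry passes the public `rsa.RSAPrivateKey` / `ec.EllipticCurvePrivateKey` classes now used in `PrivateKeyType`, and annotate the parameter (for example `pk_type: type`); any entry still naming something under `openssl` would fail at import now that the `openssl` import is removed.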
@@ -79,11 +70,11 @@ class KeyDesc:
def rsa_gen(key_size: int) -> PrivateKeyType:
- return rsa.generate_private_key(65537, key_size, default_backend())
+ return rsa.generate_private_key(65537, key_size)
def ec_gen(curve) -> PrivateKeyType:
- return ec.generate_private_key(curve, default_backend())
+ return ec.generate_private_key(curve)
def rsa_sign(pk, message: bytes) -> bytes:
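Review bot: dropping `default_backend()` from `rsa_gen` and `ec_gen` relies on the backend argument being optional, which cryptography only allows from release 3.1 onward, yet the diffstat shows sewer/crypto.py as the only file changed. Add a matching lower bound (`cryptography>=3.1`) wherever sewer declares its dependencies, so an older installed cryptography is rejected at install time instead of failing with a TypeError at key generation. `ec_gen(curve)` could also take the `ec.EllipticCurve` annotation just given to `gen_arg`.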
@@ -216,7 +207,7 @@ class AcmeKey:
NB: since it's not stored in the PEM, the kid is empty (None)
"""
- pk = load_pem_private_key(pem_data, None, default_backend())
+ pk = load_pem_private_key(pem_data, None)
kdl = [kd for kd in key_table if kd.match(pk)]
if not kdl:
raise AcmeKeyTypeError("Unknown pk type: %s", type(pk))
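Review bot: the unchanged line `raise AcmeKeyTypeError("Unknown pk type: %s", type(pk))` passes the format string and its argument as two separate exception arguments, logging-style, so unless `AcmeKeyError` interpolates them itself the message will contain a literal `%s`. This branch is the one that rejects key types `load_pem_private_key` accepts but `key_table` does not list, so it is worth formatting explicitly while the line above is being edited, e.g. `"Unknown pk type: %s" % type(pk)`.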
@@ -240,7 +231,7 @@ class AcmeKey:
def to_pem(self) -> bytes:
"return private key's serialized (PEM) form"
- pem_data = self.pk.private_bytes(
+ pem_data = self.pk.private_bytes( # type: ignore[union-attr]
encoding=Encoding.PEM, format=PrivateFormat.PKCS8, encryption_algorithm=NoEncryption()
)
return pem_data
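Review bot: the `# type: ignore[union-attr]` added on `self.pk.private_bytes(` suppresses the check instead of resolving it. Both members of the new `PrivateKeyType` union define `private_bytes`, so mypy's complaint suggests `self.pk` is declared with a wider type (for example an Optional); tightening that annotation, or asserting the key is set before the call, would keep type checking active on the line that serialises the private key.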
@@ -276,7 +267,7 @@ class AcmeAccount(AcmeKey):
raise AcmeKidError("Attempt to access a Key ID that hasn't been set. Register key?")
return self.__kid
- def set_kid(self, kid: str, timestamp: float = None) -> None:
+ def set_kid(self, kid: str, timestamp: Optional[float] = None) -> None:
"The kid can be set only once, but we overlook exact duplicate set calls"
if self.__kid and self.__kid != kid:
@@ -348,7 +339,7 @@ class AcmeCsr:
all_names = list(set([cn] + san))
SAN: List[x509.GeneralName] = [x509.DNSName(name) for name in all_names]
csrb = csrb.add_extension(x509.SubjectAlternativeName(SAN), critical=False)
- self.csr = csrb.sign(key.pk, hashes.SHA256(), default_backend())
+ self.csr = csrb.sign(key.pk, hashes.SHA256())
def public_bytes(self) -> bytes:
return self.csr.public_bytes(Encoding.DER)
--
2.39.5
|
On Tue, Nov 12, 2024 at 04:54:45AM -0800, Benson Muite wrote:
@mmaney Ok, will make a pull request to fix these issues. If you can test, that would be great.
Oh yeah, I believe there's a test runner setup on github that will
apply a PR and run it. That's another thing I probably need to drag
forwards to new versions...
|
Ok, will update the testing pipelines. |
@bkmgit Ignore the patch, I just realized that the local repo I was working in was NOT a clean copy of master. I'll rework it in a clean copy after dinner... |
IT'S WORSE THAN THAT. Some of the work since 0.8.4 appears to be incomplete, quite possibly works only because of luck? At this point, I am no longer confident that it actually does work. All the "0.8.5" stuff OUGHT to have been sequestered in a dev branch, I think. The refactoring of crypto.py, in particular, actually makes it MORE entwined with those private bits that we need to disengage from. :-( Telling: the installed copy I still use to update certs is 0.8.4 from pypi. And 0.8.4 was the base that the above patch applies on. Right, let's work on crypto-cleanup branch which has my (still untested... oh, need to fix the CI stuff, don't I?) changes. Crossing fingers... |
Will examine code. Added basic pipeline |
Which version of python are you using?
3.13
What operating system and version of operating system are you using?
Fedora Rawhide (42)
What version of sewer are you using?
Current release
What did you do? (be as detailed as you can)
Tried to import installed package
What did you expect to see/happen/not happen?
Expected import to work ok
What did you actually see/happen?
AttributeError: module 'cryptography.hazmat.backends.openssl' has no attribute 'rsa'
Paste here the log output generated by sewer, if any. Please remember to remove any sensitive items from the log before pasting here. If you can, run sewer with loglevel set to debug; eg sewer --loglevel DEBUG
Alternatively if you want to contribute to this repo, answer these questions instead in your issue:
What is it that you would like to propose to add/remove/change?
It seems a private API has been used:
pyca/cryptography#11147
Why do you want to add/remove/change that?
How do you want to go about adding/removing/changing that?
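One way to catch this class of breakage before a dependency upgrade does, as an added example (not part of the issue and not sewer's code): a standard-library `ast` scan that reports underscore-prefixed names reached through a given package. The helper names and the `SAMPLE` source are constructed for illustration from the type aliases shown in this thread.

```python
import ast
# Constructed sample: the type aliases from before and after the patch in this thread.
SAMPLE = '''\
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.hazmat.backends import default_backend, openssl
from typing import Union

PrivateKeyType = Union[openssl.rsa._RSAPrivateKey, openssl.ec._EllipticCurvePrivateKey]
PublicStyle = Union[rsa.RSAPrivateKey, ec.EllipticCurvePrivateKey]
'''

def is_private(name):
    # _name is private by convention; __dunder__ names are public protocol
    return name.startswith("_") and not (name.startswith("__") and name.endswith("__"))

def dotted(node):
    """Return ['a', 'b', 'c'] for the expression a.b.c, or None if not a plain dotted name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return [node.id] + parts[::-1] if isinstance(node, ast.Name) else None

def private_api_uses(source, package):
    """Hypothetical helper: (line, qualified name) for each private name reached via `package`."""
    def in_pkg(mod):
        return mod == package or mod.startswith(package + ".")
    tree, origin, hits = ast.parse(source), {}, []   # origin: local name -> imported name
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.level == 0 and in_pkg(node.module or ""):
            for alias in node.names:
                origin[alias.asname or alias.name] = f"{node.module}.{alias.name}"
                if is_private(alias.name):
                    hits.append((node.lineno, f"{node.module}.{alias.name}"))
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if in_pkg(alias.name):
                    # "import a.b" binds a; "import a.b as x" binds x to a.b
                    local = alias.asname or alias.name.split(".")[0]
                    origin[local] = alias.name if alias.asname else local
    for node in ast.walk(tree):
        chain = dotted(node) if isinstance(node, ast.Attribute) else None
        # report at the first private component only, so a._b.c yields one hit
        if chain and chain[0] in origin and is_private(chain[-1]) \
                and not any(is_private(p) for p in chain[1:-1]):
            hits.append((node.lineno, ".".join([origin[chain[0]]] + chain[1:])))
    return sorted(hits)

if __name__ == "__main__":
    print(private_api_uses(SAMPLE, "cryptography"))
```

Run over a project's source files in CI, a non-empty result marks the spots that depend on a library's internals and can break on any release, as happened here.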