authorJames E. Blair <jim@acmegating.com>2023-01-11 10:10:29 -0800
committerClark Boylan <clark.boylan@gmail.com>2023-01-11 10:37:24 -0800
commit343904e1a4c85e664309b84d51fa46aff71acf13 (patch)
treeb78977b0a21e839716015d4fdb1f49fddb127abc
parent647940925f04575b621b62273715efc287502f06 (diff)
Use unsafe_skip_rsa_key_validation with cryptography
This is a partial revert of c4476d1b6aebec0ea3198e0203c7d35bedbea57a which added the use of a private flag to skip unnecessary (for us) cryptography checks. The cryptography package has now normalized that flag into a parameter we can pass, so use the new param and update the dependency to require the version that supports it. Change-Id: I1dfa203525e85020ccf942422ad3cc7040b851dd
-rw-r--r--requirements.txt2
-rw-r--r--zuul/lib/encryption.py21
2 files changed, 4 insertions, 19 deletions
diff --git a/requirements.txt b/requirements.txt
index a4aeb7f09..7293a83a0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -20,7 +20,7 @@ netaddr
kazoo>=2.8.0
sqlalchemy
alembic
-cryptography>=1.6
+cryptography>=39.0.0
cachecontrol<0.12.7
cachetools
pyjwt>=2.0.0
diff --git a/zuul/lib/encryption.py b/zuul/lib/encryption.py
index ea7e1f3b1..fd637b278 100644
--- a/zuul/lib/encryption.py
+++ b/zuul/lib/encryption.py
@@ -20,22 +20,6 @@ from cryptography.hazmat.primitives import hashes
from functools import lru_cache
-# OpenSSL 3.0.0 performs key validation in a very slow manner. Since
-# our keys are internally generated and securely stored, we can skip
-# validation. See https://github.com/pyca/cryptography/issues/7236
-backend = default_backend()
-if hasattr(backend, '_rsa_skip_check_key'):
- backend._rsa_skip_check_key = True
-else:
- import logging
- # Use a specific logger here to avoid polluting the root logger
- # with the default stderr stream handler. This is important in
- # testing to ensure we don't over log and create noise.
- logger = logging.getLogger("zuul.rsa_skip_check_warning")
- logger.warning("Cryptography backend lacks _rsa_skip_check_key flag, "
- "key loading may be slow")
-
-
# https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#generation
def generate_rsa_keypair():
"""Generate an RSA keypair.
@@ -46,7 +30,7 @@ def generate_rsa_keypair():
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=4096,
- backend=backend,
+ backend=default_backend(),
)
public_key = private_key.public_key()
return (private_key, public_key)
@@ -114,7 +98,8 @@ def deserialize_rsa_keypair(data, password=None):
private_key = serialization.load_pem_private_key(
data,
password=password,
- backend=backend,
+ backend=default_backend(),
+ unsafe_skip_rsa_key_validation=True,
)
public_key = private_key.public_key()
return (private_key, public_key)
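Review bot: The `unsafe_skip_rsa_key_validation=True` added to the load_pem_private_key call carries none of the justification that the deleted module-level comment gave ("our keys are internally generated and securely stored"), so a reader now meets an `unsafe_` flag at the call site with no explanation of why it is acceptable. I would put above that argument: `# Consistency checks are skipped only because these keys are generated by generate_rsa_keypair and stored by Zuul itself; never load operator- or user-supplied PEM data through this path with validation disabled.` Per the cryptography documentation the flag should not be used on user-supplied keys and operating on an invalid key afterwards is undefined, so if deserialize_rsa_keypair can be reached with external key material (not determinable from this hunk) consider exposing the choice, e.g. `def deserialize_rsa_keypair(data, password=None, skip_validation=True):` and passing `unsafe_skip_rsa_key_validation=skip_validation`. deserialize_rsa_keypair's signature and the start of its body lie outside the hunk.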