yahoo-eng-team team mailing list archive

[Bug 1528393] [NEW] signature_utils tests fail on Fedora/RHEL/CentOS because not all ECC curves are available

Public bug reported:

Not all ECC curves we use in signature_utils are available on all
platforms - e.g.

On RHEL 7.2

  $ openssl ecparam -list_curves
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

On Fedora 23 ...

  $ openssl ecparam -list_curves
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

There's a long history surrounding the lack of ECC support in openssl in
Fedora, RHEL, and CentOS because of legal issues - see
https://bugzilla.redhat.com/show_bug.cgi?id=319901

Some ECC curves are now available, but each additional one requested
will be considered individually - there is a tracker bug for this:
https://bugzilla.redhat.com/showdependencytree.cgi?id=1019390&hide_resolved=0

This is the failure I'm seeing since
https://review.openstack.org/#/c/256069/ was merged

nova.tests.unit.test_signature_utils.TestSignatureUtils.test_verify_signature_ECC
---------------------------------------------------------------------------------

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):
      File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/mock/mock.py", line 1305, in patched
        return func(*args, **keywargs)
      File "nova/tests/unit/test_signature_utils.py", line 178, in test_verify_signature_ECC
        default_backend())
      File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 241, in generate_private_key
        return backend.generate_elliptic_curve_private_key(curve)
      File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 247, in generate_elliptic_curve_private_key
        _Reasons.UNSUPPORTED_ELLIPTIC_CURVE
    cryptography.exceptions.UnsupportedAlgorithm: This backend does not support this elliptic curve.

** Affects: nova
     Importance: Undecided
     Assignee: Mark McLoughlin (markmc)
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1528393

Title:
  signature_utils tests fail on Fedora/RHEL/CentOS because not all ECC
  curves are available

Status in OpenStack Compute (nova):
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1528393/+subscriptions
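
An added example, not part of the original bug report and not nova's code: it parses the two `openssl ecparam -list_curves` listings quoted in the report and splits a list of curves into those a platform can exercise and those a test would have to skip. The `WANTED` list, the function names and the alias table are assumptions made for this illustration.

```python
import re

# Listings copied from the bug report above.
RHEL_7_2 = """\
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
"""
FEDORA_23 = """\
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
"""

# OpenSSL lists NIST P-192/P-256 under their X9.62 names; Python's
# cryptography library uses the SECG names, so normalise to those.
X962_TO_SECG = {"prime192v1": "secp192r1", "prime256v1": "secp256r1"}

# Constructed for this example: curves a test suite might loop over.
WANTED = ["secp256r1", "secp384r1", "secp521r1", "secp256k1", "sect571k1"]

# An entry line is "<name> : <description>" or "<name>: <description>".
_ENTRY = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s")


def parse_curve_list(text):
    """Return the SECG curve names found in -list_curves output."""
    names = set()
    for line in text.splitlines():
        match = _ENTRY.match(line)
        if match:  # lines without a "name :" prefix are ignored
            name = match.group(1)
            names.add(X962_TO_SECG.get(name, name))
    return names


def partition(wanted, available):
    """Split wanted curves into (runnable, skipped), keeping order."""
    runnable = [c for c in wanted if c in available]
    skipped = [c for c in wanted if c not in available]
    return runnable, skipped


if __name__ == "__main__":
    for label, listing in (("RHEL 7.2", RHEL_7_2), ("Fedora 23", FEDORA_23)):
        print(label, partition(WANTED, parse_curve_list(listing)))
```

Inside a Python process the same decision can be made without shelling out, by asking the `cryptography` backend whether it supports a curve (`elliptic_curve_supported(curve)`) before calling `ec.generate_private_key`.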