yahoo-eng-team team mailing list archive
Message #43832
[Bug 1528393] Re: signature_utils tests fail on Fedora/RHEL/CentOS because not all ECC curves are available
Reviewed: https://review.openstack.org/260277
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=291e71990a0866836d1becea6d519df9abaaa186
Submitter: Jenkins
Branch: master
commit 291e71990a0866836d1becea6d519df9abaaa186
Author: Mark McLoughlin <markmc@xxxxxxxxxx>
Date: Mon Dec 21 23:54:17 2015 +0000
signature_utils: handle ECC curve unavailability

Some ECC curves are unavailable on some platforms (like Fedora, RHEL,
and CentOS) because of legal concerns. See the bug report for more
details and history.

The cryptography backend has an elliptic_curve_supported() method
which we can use to avoid curves which are unavailable on the current
platform.

If an image signature uses one of these curves, we will return an
"Invalid signature key type" error.

Use the warnings module in the unit tests to avoid silently ignoring
this issue during testing. This warning will be captured from the
test's stderr and reported by testr.

Closes-Bug: #1528393
Change-Id: Ie25311c48b276f300fadaf1815fc4df4cb89cf8d
Signed-off-by: Mark McLoughlin <markmc@xxxxxxxxxx>
** Changed in: nova
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1528393
Title:
signature_utils tests fail on Fedora/RHEL/CentOS because not all ECC
curves are available
Status in OpenStack Compute (nova):
Fix Released
Bug description:
Not all ECC curves we use in signature_utils are available on all
platforms - e.g.

On RHEL 7.2

$ openssl ecparam -list_curves
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field

On Fedora 23 ...

$ openssl ecparam -list_curves
secp256k1 : SECG curve over a 256 bit prime field
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field

There's a long history surrounding the lack of ECC support in openssl
in Fedora, RHEL, and CentOS because of legal issues - see
https://bugzilla.redhat.com/show_bug.cgi?id=319901

Some ECC curves are now available, but each additional one requested
will be considered individually - there is a tracker bug for this:
https://bugzilla.redhat.com/showdependencytree.cgi?id=1019390&hide_resolved=0

This is the failure I'm seeing since
https://review.openstack.org/#/c/256069/ was merged
nova.tests.unit.test_signature_utils.TestSignatureUtils.test_verify_signature_ECC
---------------------------------------------------------------------------------
Captured traceback:
~~~~~~~~~~~~~~~~~~~
Traceback (most recent call last):
  File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/mock/mock.py", line 1305, in patched
    return func(*args, **keywargs)
  File "nova/tests/unit/test_signature_utils.py", line 178, in test_verify_signature_ECC
    default_backend())
  File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 241, in generate_private_key
    return backend.generate_elliptic_curve_private_key(curve)
  File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 247, in generate_elliptic_curve_private_key
    _Reasons.UNSUPPORTED_ELLIPTIC_CURVE
cryptography.exceptions.UnsupportedAlgorithm: This backend does not support this elliptic curve.
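
An added example (not nova's code, and not part of the original message) of the approach the commit message describes: filter candidate curves with the backend's elliptic_curve_supported() and reject a signature whose curve is unavailable with an "Invalid signature key type" error before any key operation raises UnsupportedAlgorithm. The curve list, the ECC_ key type names, RhelLikeBackend and the helper functions are assumptions made for illustration, and the warning is emitted from the helper here rather than from a unit test.

```python
import warnings

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Assumed candidate list for illustration; nova's real list is not on this page.
CANDIDATE_CURVES = (ec.SECP256K1(), ec.SECP384R1(), ec.SECP521R1())


class RhelLikeBackend(object):
    """Constructed stand-in for the RHEL 7.2 curve list, which has no secp256k1."""

    def elliptic_curve_supported(self, curve):
        return (curve.name != "secp256k1"
                and default_backend().elliptic_curve_supported(curve))


def usable_key_types(backend, candidates=CANDIDATE_CURVES):
    """Return {key type name: curve} for the curves the backend supports."""
    usable = {}
    for curve in candidates:
        if backend.elliptic_curve_supported(curve):
            usable["ECC_" + curve.name.upper()] = curve  # hypothetical naming
        else:
            warnings.warn("ECC curve '%s' unavailable here" % curve.name)
    return usable


def verify_signature(backend, key_type, public_key, signature, data):
    """Reject unavailable curves up front, then do a normal ECDSA verify."""
    if key_type not in usable_key_types(backend):
        raise ValueError("Invalid signature key type: %s" % key_type)
    try:
        public_key.verify(signature, data, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


def make_sample():
    """Constructed sample: sign b'image data' with a fresh secp384r1 key."""
    key = ec.generate_private_key(ec.SECP384R1(), default_backend())
    sig = key.sign(b"image data", ec.ECDSA(hashes.SHA256()))
    return key.public_key(), sig
```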