Build fails with Python 3.13 and python3-cryptography 43.0.0

[bkmgit]

Which version of python are you using?

3.13

What operating system and version of operating system are you using?

Fedora Rawhide (42)

What version of sewer are you using?

Current release

What did you do? (be as detailed as you can)

Tried to import installed package

What did you expect to see/happen/not happen?

Expected import to work ok

What did you actually see/happen?

AttributeError: module 'cryptography.hazmat.backends.openssl' has no attribute 'rsa'

Paste here the log output generated by sewer, if any. Please remember to remove any sensitive items from the log before pasting here.

If you can, run sewer with loglevel set to debug; eg sewer --loglevel DEBUG

Alternatively if you want to conribute to this repo, answer this questions instead in your issue:

What is it that you would like to propose to add/remove/change?

It seems a private API has been used:
pyca/cryptography#11147

Why do you want to add/remove/change that?

How do you want to go about adding/removing/changing that?

[komuw]

Hi Muite. Unfortunately, I no longer actively maintain the library (sewer). Your best bet would either be to use an alternative library, or fork sewer and fix the bug. Apologies. Thanks, Komu. https://www.komu.engineer/about

…

On Sun, 3 Nov 2024 at 07:36, Benson Muite ***@***.***> wrote: Which version of python are you using? 3.13 What operating system and version of operating system are you using? Fedora Rawhide (42) What version of sewer are you using? Current release What did you do? (be as detailed as you can) Tried to import installed package What did you expect to see/happen/not happen? Expected import to work ok What did you actually see/happen? AttributeError: module 'cryptography.hazmat.backends.openssl' has no attribute 'rsa' Paste here the log output generated by sewer, if any. Please remember to remove any sensitive items from the log before pasting here. If you can, run sewer with loglevel set to debug; eg sewer --loglevel DEBUG Alternatively if you want to conribute to this repo, answer this questions instead in your issue: What is it that you would like to propose to add/remove/change? It seems a private API has been used: pyca/cryptography#11147 <pyca/cryptography#11147> Why do you want to add/remove/change that? How do you want to go about adding/removing/changing that? — Reply to this email directly, view it on GitHub <#228>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABHMWULRG6KBNELBX33RLTLZ6WR5HAVCNFSM6AAAAABRCLSWA2VHI2DSMVQWIX3LMV43ASLTON2WKOZSGYZTAOJWGAYDIOA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[bkmgit]

Thanks.

[mmaney]

@bkmgit Although I haven't done much to the codebase since 2020, I still use sewer, so I have some interest in seeing this fixed before cryptography's changes hit me. I've taken a look at it and it seems like it will be a pretty easy fix, but I need a tester who's using a more recent cryptography package. Are you still interested in sewer or have you moved on? And if the latter, where to? :-)

[bkmgit]

@mmaney Ok, will make a pull request to fix these issues. If you can test, that would be great.

[mmaney]

On Tue, Nov 12, 2024 at 04:54:45AM -0800, Benson Muite wrote: @mmaney Ok, will make a pull request to fix these issues. If you can test, that would be great.

First cut - got rid of openssl and a few related (default_backend(), mostly). Some mypy-driven cleanups as well, as this file at least is well-enough annotated for it to show up some things I might have overlooked (default_backend for one). NB: untested! I have to relearn how all this github stuff works... at least my account can still login despite four years of their changes. :-/ In fact, you're the one who needs to test it against the updated cryptography package. My motivation for sewer isn't high enough right now to mess with setting up an updated testing environment. From 9b335c3 Mon Sep 17 00:00:00 2001 From: Martin Maney ***@***.***> Date: Tue, 12 Nov 2024 10:58:40 -0600 Subject: [PATCH] crypto-cleanup - first pass, got rid of openssl and some obsolete comments, etc.

…

--- sewer/crypto.py | 25 ++++++++----------------- 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/sewer/crypto.py b/sewer/crypto.py index 42ecb2b..2b6abaa 100644 --- a/sewer/crypto.py +++ b/sewer/crypto.py @@ -10,7 +10,6 @@ from cryptography.hazmat.primitives.serialization import ( NoEncryption, PrivateFormat, ) -from cryptography.hazmat.backends import default_backend, openssl from typing import Any, Callable, Dict, List, Optional, Tuple, Union @@ -34,25 +33,17 @@ class AcmeKidError(AcmeKeyError): ### types for things defined here -### FIX ME ### what can we use for XxxKeyType? [[ not vital, just tightens up typing ]] - -# RsaKeyType = openssl.rsa._RSAPrivateKey -# EcKeyType = openssl.ec._EllipticCurvePrivateKey -# AcmeKeyType = Union[RsaKeyType, EcKeyType] - -# and why does this [seem] to work? -PrivateKeyType = Union[openssl.rsa._RSAPrivateKey, openssl.ec._EllipticCurvePrivateKey] +PrivateKeyType = Union[rsa.RSAPrivateKey, ec.EllipticCurvePrivateKey] ### low level key type table - class KeyDesc: def __init__( self, type_name: str, generate: Callable, - gen_arg, + gen_arg: Union[int, ec.EllipticCurve], pk_type, sign: Callable, sign_kwargs: Dict[str, Any], @@ -79,11 +70,11 @@ class KeyDesc: def rsa_gen(key_size: int) -> PrivateKeyType: - return rsa.generate_private_key(65537, key_size, default_backend()) + return rsa.generate_private_key(65537, key_size) def ec_gen(curve) -> PrivateKeyType: - return ec.generate_private_key(curve, default_backend()) + return ec.generate_private_key(curve) def rsa_sign(pk, message: bytes) -> bytes: @@ -216,7 +207,7 @@ class AcmeKey: NB: since it's not stored in the PEM, the kid is empty (None) """ - pk = load_pem_private_key(pem_data, None, default_backend()) + pk = load_pem_private_key(pem_data, None) kdl = [kd for kd in key_table if kd.match(pk)] if not kdl: raise AcmeKeyTypeError("Unknown pk type: %s", type(pk)) @@ -240,7 +231,7 @@ class AcmeKey: def to_pem(self) -> bytes: "return private key's serialized (PEM) form" - pem_data = self.pk.private_bytes( + pem_data = self.pk.private_bytes( # type: ignore[union-attr] encoding=Encoding.PEM, format=PrivateFormat.PKCS8, encryption_algorithm=NoEncryption() ) return pem_data @@ -276,7 +267,7 @@ class AcmeAccount(AcmeKey): raise AcmeKidError("Attempt to access a Key ID that hasn't been set. Register key?") return self.__kid - def set_kid(self, kid: str, timestamp: float = None) -> None: + def set_kid(self, kid: str, timestamp: Optional[float] = None) -> None: "The kid can be set only once, but we overlook exact duplicate set calls" if self.__kid and self.__kid != kid: @@ -348,7 +339,7 @@ class AcmeCsr: all_names = list(set([cn] + san)) SAN: List[x509.GeneralName] = [x509.DNSName(name) for name in all_names] csrb = csrb.add_extension(x509.SubjectAlternativeName(SAN), critical=False) - self.csr = csrb.sign(key.pk, hashes.SHA256(), default_backend()) + self.csr = csrb.sign(key.pk, hashes.SHA256()) def public_bytes(self) -> bytes: return self.csr.public_bytes(Encoding.DER) -- 2.39.5

[mmaney]

On Tue, Nov 12, 2024 at 04:54:45AM -0800, Benson Muite wrote: @mmaney Ok, will make a pull request to fix these issues. If you can test, that would be great.

Oh yeah, I believe there's a test runner setup on github that will apply a PR and run it. That's another thing I probably need to drag forwards to new versions...

…

-- Unlike some other template languages, you can not arbitrarily put Python code into a [Django] template. The language is intentionally limited so as to encourage you to properly separate your presentation logic from your business logic. -- Jeff Croft

[bkmgit]

Ok, will update the testing pipelines.

[mmaney]

@bkmgit Ignore the patch, I just realized that the local repo I was working in was NOT a clean copy master. I'll rework it in a clean copy after dinner...

[mmaney]

IT'S WORSE THAN THAT. Some of the work since 0.8.4 appears to be incomplete, quite possibly works only because of luck? At this point, I am no longer confident that it actually does work. All the "0.8.5" stuff OUGHT to have been sequestered in a dev branch, I think. The refactoring of crypto.py, in particular, actually makes it MORE entwined with those private bits that we need to disengage from. :-(

Telling: the installed copy I still use to update certs is 0.8.4 from pypi. And 0.8.4 was the base that the above patch applies on. Right, let's work on crypto-cleanup branch which has my (still untested... oh, need to fix the CI stuff, don't I?) changes. Crossing fingers...

[bkmgit]

Will examine code. Added basic pipeline
#229