Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / octavia-tempest-plugin / 25872b36de18a857b1ef36450980f52c8e08e97d^! / .
commit25872b36de18a857b1ef36450980f52c8e08e97d[log] [tgz]
authorTakashi Kajinami <kajinamit@oss.nttdata.com>Mon Nov 06 22:03:14 2023 +0900
committerTakashi Kajinami <kajinamit@oss.nttdata.com>Mon Nov 06 23:26:15 2023 +0900
tree7b4bf2b49e56998fa67022cca8d51f5f89c2537e
parentbacca6692696a79aa57f15c2815f8db41ff6adf3 [diff]
Drop implementation to use pyOpenSSL to manage pkcs12 certs

The cryptography library has been bumped to 3.1 in upper-constraints
file during Ussuri, which is quite old. So we no longer have to
maintain logic for cryptography < 3.0.

Change-Id: I1a463e320b94b0e99e92541581e1ee5feffd356a

diff --git a/octavia_tempest_plugin/common/cert_utils.py b/octavia_tempest_plugin/common/cert_utils.py
index 753da6b..34d0d7d 100644
--- a/octavia_tempest_plugin/common/cert_utils.py
+++ b/octavia_tempest_plugin/common/cert_utils.py

@@ -21,7 +21,6 @@
 from cryptography.hazmat.primitives.serialization import pkcs12
 from cryptography import x509
 from cryptography.x509.oid import NameOID
-import OpenSSL
 
 
 def generate_ca_cert_and_key():
@@ -176,38 +175,13 @@
 def generate_pkcs12_bundle(server_cert, server_key):
     """Creates a pkcs12 formated bundle.
 
-    Note: This uses pyOpenSSL as the cryptography package does not yet
-          support creating pkcs12 bundles. The currently un-released
-          2.5 version of cryptography supports reading pkcs12, but not
-          creation. This method should be updated to only use
-          cryptography once it supports creating pkcs12 bundles.
-
     :param server_cert: A cryptography certificate (x509) object.
     :param server_key: A cryptography key (x509) object.
     :returns: A pkcs12 bundle.
     """
-    # Use the PKCS12 serialization function from cryptography if it exists
-    # (>=3.0), otherwise use the pyOpenSSL module.
-    #
-    # The PKCS12 class of the pyOpenSSL module is not compliant with FIPS.
-    # It uses the SHA1 function [0] which is not allowed when generating
-    # digital signatures [1]
-    #
-    # [0] https://github.com/pyca/pyopenssl/blob/
-    #       65ca53a7a06a7c78c1749200a6b3a007e47d3214/src/OpenSSL/
-    #       crypto.py#L2748-L2749
-    # [1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/
-    #       NIST.SP.800-131Ar1.pdf
-    if hasattr(pkcs12, 'serialize_key_and_certificates'):
-        p12 = pkcs12.serialize_key_and_certificates(
-            b'', server_key, server_cert,
-            cas=None, encryption_algorithm=NoEncryption())
-    else:
-        p12 = OpenSSL.crypto.PKCS12()
-        p12.set_privatekey(
-            OpenSSL.crypto.PKey.from_cryptography_key(server_key))
-        p12.set_certificate(OpenSSL.crypto.X509.from_cryptography(server_cert))
-        p12 = p12.export()
+    p12 = pkcs12.serialize_key_and_certificates(
+        b'', server_key, server_cert,
+        cas=None, encryption_algorithm=NoEncryption())
     return p12
 
 

diff --git a/requirements.txt b/requirements.txt
index 7b2f0a2..afa0565 100644
--- a/requirements.txt
+++ b/requirements.txt

@@ -2,7 +2,7 @@
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
 
-cryptography>=2.1 # BSD/Apache-2.0
+cryptography>=3.0 # BSD/Apache-2.0
 python-dateutil>=2.5.3 # BSD
 pbr!=2.1.0,>=2.0.0 # Apache-2.0
 oslo.config>=5.2.0 # Apache-2.0