commit a753173a10868b7d1acc2af71b7e9df4ed4c47b2
author Zuul <zuul@review.opendev.org> Mon Jul 25 10:30:13 2022 +0000
committer Gerrit Code Review <review@openstack.org> Mon Jul 25 10:30:13 2022 +0000
tree 66fed79d8c0a4c6e1ac4d45938b7394773c5faec
parent a66952e9628c1234fb549065863739e2fb4951e5
parent 2d795edea0ef23ce178228ade2038d43867df744

Merge "Remove install unnecessary packages"

octavia_tempest_plugin/common/cert_utils.py

diff --git a/octavia_tempest_plugin/common/cert_utils.py b/octavia_tempest_plugin/common/cert_utils.py
index f99ce88..753da6b 100644
--- a/octavia_tempest_plugin/common/cert_utils.py
+++ b/octavia_tempest_plugin/common/cert_utils.py
@@ -17,6 +17,8 @@
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.serialization import NoEncryption
+from cryptography.hazmat.primitives.serialization import pkcs12
 from cryptography import x509
 from cryptography.x509.oid import NameOID
 import OpenSSL
@@ -184,12 +186,29 @@
     :param server_key: A cryptography key (x509) object.
     :returns: A pkcs12 bundle.
     """
-    # TODO(johnsom) Replace with cryptography once it supports creating pkcs12
-    pkcs12 = OpenSSL.crypto.PKCS12()
-    pkcs12.set_privatekey(
-        OpenSSL.crypto.PKey.from_cryptography_key(server_key))
-    pkcs12.set_certificate(OpenSSL.crypto.X509.from_cryptography(server_cert))
-    return pkcs12.export()
+    # Use the PKCS12 serialization function from cryptography if it exists
+    # (>=3.0), otherwise use the pyOpenSSL module.
+    #
+    # The PKCS12 class of the pyOpenSSL module is not compliant with FIPS.
+    # It uses the SHA1 function [0] which is not allowed when generating
+    # digital signatures [1]
+    #
+    # [0] https://github.com/pyca/pyopenssl/blob/
+    #       65ca53a7a06a7c78c1749200a6b3a007e47d3214/src/OpenSSL/
+    #       crypto.py#L2748-L2749
+    # [1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/
+    #       NIST.SP.800-131Ar1.pdf
+    if hasattr(pkcs12, 'serialize_key_and_certificates'):
+        p12 = pkcs12.serialize_key_and_certificates(
+            b'', server_key, server_cert,
+            cas=None, encryption_algorithm=NoEncryption())
+    else:
+        p12 = OpenSSL.crypto.PKCS12()
+        p12.set_privatekey(
+            OpenSSL.crypto.PKey.from_cryptography_key(server_key))
+        p12.set_certificate(OpenSSL.crypto.X509.from_cryptography(server_cert))
+        p12 = p12.export()
+    return p12
 
 
 def generate_certificate_revocation_list(ca_cert, ca_key, cert_to_revoke):