Conversation

@berrange
The pyOpenSSL release 24.3.0 has deleted all the CRL API functionality from its codebase. Their recommendation is to use the equivalent APIs from pycryptography. pccsadmin is already using pycryptography to do the CRL verification, but was using pyOpenSSL to load the CRL and is thus broken on modern distros.

Furthermore pyOpenSSL docs indicate that they're considering deprecating the entire 'crypto' module, again with the recommendation to use pycryptography instead.

This set of patches does the following

  • fix the immediate regression with pyOpenSSL by using pycryptography to load the CRL
  • make more use of pycryptography for loading certificates, only converting to pyOpenSSL objects for cert verification.
  • add an alternative cert verification code path based purely on pycryptography that is used if pycryptography >= 45.0.0 is available
  • add a fallback to 'openssl' command line tool when pycryptography is too old, but pyOpenSSL is not available - this is the case in RHEL9/RHEL10.

pyopenssl 24.3.0 removed the CRL object and its related
methods. pccsadmin was already using the pycryptography CRL
object for the verification task, so fully switch to use it
for loading the CRL to begin with.

Signed-off-by: Daniel P. Berrangé <[email protected]>

pyopenssl docs are indicating that the 'crypto' module is liable to
see further deprecation, suggesting use of pycryptography instead.
pccsadmin code already uses pycryptography for CRLs, so extend this
to use it for loading certificates too. They are converted back to
pyopenssl objects for verification.

Signed-off-by: Daniel P. Berrangé <[email protected]>

The only part of pccsadmin that still needs pyopenssl is certificate
verification. As of pycryptography 45.0.0, there are sufficient APIs
available to replace the remaining usage of pyopenssl.

Since new pycryptography is still not widely available in distros,
keep pyopenssl code as a fallback.

Signed-off-by: Daniel P. Berrangé <[email protected]>

RHEL does not ship pyopenssl, however, the pycryptography that is
included is also too old to support certificate verification. Add
a further fallback that can invoke the 'openssl' command line tool
to verify certificates.

Signed-off-by: Daniel P. Berrangé <[email protected]>
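The fallback chain laid out in the PR description and the four commit messages above, written out as an added example. This is not pccsadmin's code and not Daniel Berrangé's; every name in it (make_cert, make_crl, the verify_with_* backends, verify, demo, the CA and host names) is invented for the example. It builds a throwaway CA, two leaf certificates and a CRL with pycryptography, round-trips them through PEM so that the pycryptography loaders are the ones exercised, checks revocation on the pycryptography CRL object, and verifies the chain with the first backend that is usable: pycryptography's x509.verification module (the example gates on the client verifier being importable rather than on the 45.0.0 version pccsadmin requires, and its constructed leaf carries the SAN, clientAuth EKU and AKI that the default policy expects), else pyOpenSSL via X509.from_cryptography, else the openssl command line tool. The cryptography package is required; pyOpenSSL and the openssl binary are optional and their absence is what triggers the fallbacks.

```python
import datetime as dt
import subprocess
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = dt.datetime.now(dt.timezone.utc)
DAY = dt.timedelta(days=1)

class BackendUnavailable(Exception):
    """Backend not installed or too old; the caller moves on to the next one."""

def make_cert(cn, signer=None):
    """Constructed test cert: a self-signed CA, or, given (ca_key, ca_cert), a leaf carrying
    the SAN, clientAuth EKU and AKI that cryptography's default end-entity policy expects."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer_key, signer_cert = signer or (key, None)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder().subject_name(name)
               .issuer_name(signer_cert.subject if signer_cert else name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY))
    if signer_cert is None:
        builder = (builder.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
                   .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False))
    else:
        aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(signer_key.public_key())
        builder = (builder.add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
                   .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
                   .add_extension(aki, critical=False))
    return key, builder.sign(signer_key, hashes.SHA256())

def make_crl(ca_key, ca_cert, revoked):
    # Constructed CRL signed by the CA, listing the serial numbers of `revoked`.
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW - DAY).next_update(NOW + 7 * DAY))
    for cert in revoked:
        entry = (x509.RevokedCertificateBuilder().serial_number(cert.serial_number)
                 .revocation_date(NOW - DAY).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def verify_with_cryptography(leaf, ca_cert):
    """Pure-cryptography path (x509.verification; pccsadmin enables its own at >= 45.0.0)."""
    try:
        from cryptography.x509.verification import PolicyBuilder, Store
        verifier = PolicyBuilder().store(Store([ca_cert])).time(NOW).build_client_verifier()
    except (ImportError, AttributeError) as exc:  # no module (< 42) or no client verifier (< 43)
        raise BackendUnavailable(exc)
    verifier.verify(leaf, [])  # raises VerificationError if no chain to the store exists

def verify_with_pyopenssl(leaf, ca_cert):
    """Fallback: convert to pyOpenSSL objects for the verification step only."""
    try:
        from OpenSSL import crypto
    except ImportError as exc:
        raise BackendUnavailable(exc)
    store = crypto.X509Store()
    store.add_cert(crypto.X509.from_cryptography(ca_cert))
    crypto.X509StoreContext(store, crypto.X509.from_cryptography(leaf)).verify_certificate()

def verify_with_openssl_cli(leaf, ca_cert):
    """Last resort (old cryptography, no pyOpenSSL, as on RHEL): `openssl verify`, leaf on stdin."""
    with tempfile.NamedTemporaryFile(suffix=".pem", buffering=0) as ca_file:
        ca_file.write(ca_cert.public_bytes(Encoding.PEM))
        try:
            res = subprocess.run(["openssl", "verify", "-CAfile", ca_file.name],
                                 input=leaf.public_bytes(Encoding.PEM), capture_output=True)
        except FileNotFoundError as exc:  # no openssl binary on PATH
            raise BackendUnavailable(exc)
    if res.returncode != 0:
        raise ValueError((res.stdout + res.stderr).decode(errors="replace").strip())

def verify(leaf, ca_cert, crl):
    """Revocation via the cryptography CRL object, then the chain via the first usable backend."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return False, "crl signature invalid"
    if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
        return False, "revoked"
    for name, backend in (("cryptography", verify_with_cryptography),
                          ("pyopenssl", verify_with_pyopenssl), ("openssl-cli", verify_with_openssl_cli)):
        try:
            backend(leaf, ca_cert)
            return True, name
        except BackendUnavailable:
            continue
        except Exception as exc:  # VerificationError, X509StoreContextError or the CLI's message
            return False, f"{name}: {exc}"
    raise RuntimeError("no certificate verification backend available")

def demo():
    """Constructed scenario: a good leaf, a revoked leaf, and a leaf from an unrelated CA."""
    ca_key, ca = make_cert("Example Root CA")
    _, good = make_cert("good.example", (ca_key, ca))
    _, bad = make_cert("bad.example", (ca_key, ca))
    _, stranger = make_cert("stranger.example", make_cert("Unrelated CA"))
    # Round-trip through PEM so the cryptography loaders pccsadmin now relies on are exercised.
    crl = x509.load_pem_x509_crl(make_crl(ca_key, ca, [bad]).public_bytes(Encoding.PEM))
    ca = x509.load_pem_x509_certificate(ca.public_bytes(Encoding.PEM))
    return {"good": verify(good, ca, crl), "revoked": verify(bad, ca, crl),
            "untrusted": verify(stranger, ca, crl)}
```

demo() returns (ok, reason) pairs: the good leaf verifies with whichever backend came first, the revoked leaf is rejected by the CRL lookup before any backend is consulted, and the leaf from the unrelated CA fails the chain check in that same backend. None of the three chain backends looks at the CRL; the revocation decision sits in verify() on the pycryptography CRL object, which is the part pccsadmin already had. The CLI fallback passes only -CAfile; openssl verify also accepts -crl_check together with -CRLfile if the CRL check is to be delegated to it as well.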