Nitrokey / pynitrokey

Python client for Nitrokey devices
Apache License 2.0

pynitrokey is not working with openssl 3.0.10: Error detecting the version of libcrypto #431

Open SebastianHuettersen opened 10 months ago

SebastianHuettersen commented 10 months ago

Currently, pynitrokey does not work if the system uses an openssl version where a version part consists of more than one number, such as openssl 3.0.10 used by Debian 13 Trixie.

In this case pynitrokey aborts with the following error:

Critical error:
An unhandled exception occurred
    Exception encountered: LibraryNotFoundError('Error detecting the version of libcrypto')

The error is in the used library oscrypto where the regex to extract the version string has a fuzziness. An issue has already been raised here, but a new release that fixes this problem is still missing at the moment:

Workaround: Modify the regex in the file oscrypto/_openssl/_libcrypto_cffi.py:41 from

'\\b(\\d\\.\\d\\.\\d[a-z]*)\\b'

to

'\\b(\\d+\\.\\d+\\.\\d+[a-z]*)\\b'
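
Why the original pattern rejects 3.0.10 while the modified one accepts it, shown as an added example (not code from oscrypto or pynitrokey). The banner strings and helper names are constructed for illustration.

```python
import re

# The two patterns from the issue, written as raw strings (same regexes as the
# double-backslash forms quoted above).
OLD_PATTERN = re.compile(r'\b(\d\.\d\.\d[a-z]*)\b')
FIXED_PATTERN = re.compile(r'\b(\d+\.\d+\.\d+[a-z]*)\b')

# Constructed sample banners in the style OpenSSL reports its version.
SAMPLE_BANNERS = [
    "OpenSSL 1.1.1w  11 Sep 2023",
    "OpenSSL 3.0.9 30 May 2023",
    "OpenSSL 3.0.10 1 Aug 2023",
    "OpenSSL 3.10.0 (constructed future version)",
]


def extract_version(pattern, banner):
    """Return the version substring matched by pattern, or None."""
    match = pattern.search(banner)
    return match.group(1) if match else None


def version_tuple(version):
    """Split '3.0.10' or '1.1.1w' into (major, minor, patch, letter_suffix)."""
    m = re.fullmatch(r'(\d+)\.(\d+)\.(\d+)([a-z]*)', version)
    if m is None:
        raise ValueError(f"unparseable version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def compare_patterns(banners):
    """Map each banner to (old_result, fixed_result) for side-by-side review."""
    return {b: (extract_version(OLD_PATTERN, b), extract_version(FIXED_PATTERN, b))
            for b in banners}


if __name__ == "__main__":
    # With the old pattern, "3.0.1" is followed by another digit, so the
    # trailing \b cannot match and the whole search returns None.
    for banner, (old, fixed) in compare_patterns(SAMPLE_BANNERS).items():
        status = "ok" if old == fixed else "OLD PATTERN FAILS"
        print(f"{banner!r}: old={old!r} fixed={fixed!r} [{status}]")
```

The old pattern returns no match at all for any multi-digit component, which is the condition the error message above reports.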

4SH-gaupee commented 9 months ago

Hi, did you do any other step besides changing the regex? I've tried on my venv and I still get the error

robin-nitrokey commented 9 months ago

@4SH-gaupee You should be able to install the fixed oscrypto version inside the virtual environment with:

$ pip install "oscrypto @ git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3"

daringer commented 9 months ago

For this to be permanently fixed we have to wait for a release of: https://pypi.org/project/oscrypto/ (hopefully 1.3.1) also requested it here: https://github.com/wbond/oscrypto/issues/78. The dependency that is using it is spsdk (yay!) which pins it to <1.4 so let's hope for a 1.3.1 otherwise I don't see how we could solve that

karami-omid commented 9 months ago

@robin-nitrokey Thank you so much. It works for me when I run the command! (oscrypto)

DexterNemrod commented 8 months ago

As a workaround it is possible to run the app or nitropy (which is the cli-basis for the app) on older distros in distrobox. I tried it with Debian 11. All I had to do was to install pip, install pynitrokey via pip, and download and move the udev-rules to /lib/udev/rules.d/:

sudo apt install pip
pip install pynitrokey
wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo mv 41-nitrokey.rules /lib/udev/rules.d/

And restart the container

UndeadDevel commented 5 months ago

Would it be possible to apply a similar workaround to the released binaries as was applied to the pypy package (that can be installed with pipx)? This is relevant in connection with #495.

robin-nitrokey commented 5 months ago

AFAIK there is no workaround for the pypi package. You have to manually apply the fix described above. To fix the problem both for the pypi package and the binary we would have to fork and release oscrypto. I’d rather avoid that, but maybe we have to consider that option if there is no upstream release.

daringer commented 4 months ago

just for the sake of documentation, the issue should be solvable for a pipx installation like that:

pipx inject --pip-args="--upgrade --force" pynitrokey "oscrypto @ git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3"