aliyun / aliyun-openapi-python-sdk

Alibaba Cloud SDK for Python

FIPS issue in aliyun-python-sdk-core #529

Open oalbrigt opened 6 months ago

oalbrigt commented 6 months ago

The updated get_uuid() code using hashlib.md5() in aliyunsdkcore/utils/parameter_helper.py causes issues when used in a FIPS environment.

    response_str = conn.do_action_with_exception(request)
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/client.py", line 500, in do_action_with_exception
    status, headers, body, exception = self._implementation_of_do_action(acs_request)
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/client.py", line 335, in _implementation_of_do_action
    return self._handle_retry_and_timeout(endpoint, request, signer)
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/client.py", line 403, in _handle_retry_and_timeout
    status, headers, body, exception = self._handle_single_request(endpoint,
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/client.py", line 425, in _handle_single_request
    http_response = self._make_http_response(endpoint, request, read_timeout, connect_timeout,
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/client.py", line 287, in _make_http_response
    signed_header, url = signer.sign(self._region_id, request)
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/auth/signers/access_key_signer.py", line 35, in sign
    url = request.get_url(region_id, cred.access_key_id, cred.access_key_secret)
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/request.py", line 324, in get_url
    url, string_to_sign = rpc_signer.get_signed_url(
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/auth/composer/rpc_signature_composer.py", line 72, in get_signed_url
    url_params = __refresh_sign_parameters(params, ak, accept_format, signer)
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/auth/composer/rpc_signature_composer.py", line 45, in __refresh_sign_parameters
    parameters["SignatureNonce"] = helper.get_uuid()
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/utils/parameter_helper.py", line 45, in get_uuid
    md5 = hashlib.md5()
ValueError: [digital envelope routines] unsupported

It used to work without issues in an earlier version, so I updated to the old code in the function, and it solves the issue:

--- /root/.local/lib/python3.9/site-packages/aliyunsdkcore/utils/parameter_helper.py.bak    2024-04-03 04:42:22.334110402 -0400
+++ /root/.local/lib/python3.9/site-packages/aliyunsdkcore/utils/parameter_helper.py    2024-04-03 04:43:11.100737965 -0400
@@ -35,16 +35,8 @@

 def get_uuid():
-    global _seqId
-    thread_id = threading.current_thread().ident
-    current_time = int(time.time() * 1000)
-    seq = _seqId
-    _seqId += 1
-    randNum = random.getrandbits(64)
-    msg = '%d-%d-%d-%d-%d' % (_process_start_time, thread_id, current_time, seq, randNum)
-    md5 = hashlib.md5()
-    md5.update(msg.encode('utf-8'))
-    return md5.hexdigest()
+    import uuid
+    return str(uuid.uuid4())

 def get_iso_8061_date():
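Review bot: the `import uuid` added inside `get_uuid()` belongs with the module's other imports, and the reverted body leaves `_seqId` and `_process_start_time` (referenced only by the removed `global _seqId` / `msg = ...` lines) as dead module state that should go too. On the substance, a SignatureNonce only needs to be unique and unpredictable, and `uuid.uuid4()` gets that from `os.urandom` (122 random bits) without touching hashlib, so this revert is a reasonable FIPS fix; if the maintainers want to keep the MD5 construction instead, the FIPS-tolerant form is `hashlib.md5(msg.encode('utf-8'), usedforsecurity=False)` (Python 3.9+), which marks the digest as a non-security mixing step rather than removing it. Also, the hunk header `@@ -35,16 +35,8 @@` counts two more lines per side than are shown (14 old / 6 new are visible), so a context line at each end of the hunk was lost when pasting; re-attach with `git diff` output or `patch` will reject it.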
JacksonTian commented 3 months ago

The old uuid will generate conflicting nonce tokens. Maybe the real question is that hashlib.md5() is not supported in your FIPS environment?

oalbrigt commented 3 months ago

FIPS is a security standard, and hashlib.md5() can only be used for non-secure purposes when it is enabled.

Here's an example of how to implement it: https://github.com/suds-community/suds/pull/72/files
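Putting the two approaches from this thread side by side, as an added example that is not the SDK's code and not the suds PR linked above: a `get_uuid()` that keeps the md5-based nonce construction but flags the digest with `usedforsecurity=False`, probes whether the FIPS provider accepts that call (under FIPS the plain `hashlib.md5()` raises the `ValueError` shown in the traceback), and falls back to `uuid4` when even the flagged call is refused. It assumes only CPython 3.9+ (for hashlib's `usedforsecurity` keyword) and the standard library; the helper names `md5_usable` and `get_uuid_md5` are mine.

```python
"""FIPS-tolerant SignatureNonce generation (added example, not SDK code)."""
import hashlib
import secrets
import threading
import time
import uuid

# Same per-process inputs the SDK's md5 version mixes into the nonce.
_process_start_time = int(time.time() * 1000)
_seq_lock = threading.Lock()  # assumption: protect the counter explicitly
_seq_id = 0


def md5_usable(usedforsecurity=True):
    """Probe whether hashlib.md5 can be constructed with the given flag.

    With a FIPS-enabled OpenSSL the default call raises
    ValueError("[digital envelope routines] unsupported"); passing
    usedforsecurity=False (Python 3.9+) is the documented escape hatch for
    digests that are not used for security.
    """
    try:
        hashlib.md5(b"", usedforsecurity=usedforsecurity)
        return True
    except (ValueError, TypeError):
        # ValueError: refused by the FIPS provider.
        # TypeError: interpreter older than 3.9 does not know the keyword.
        return False


def get_uuid_md5():
    """Md5-mixed nonce, explicitly marked as a non-security use of MD5.

    Mirrors the SDK's inputs (process start, thread id, time, sequence,
    64-bit random) but draws the random part from the OS CSPRNG and takes
    the sequence number under a lock.
    """
    global _seq_id
    with _seq_lock:
        seq = _seq_id
        _seq_id += 1
    msg = "%d-%d-%d-%d-%d" % (
        _process_start_time,
        threading.current_thread().ident,
        int(time.time() * 1000),
        seq,
        secrets.randbits(64),
    )
    return hashlib.md5(msg.encode("utf-8"), usedforsecurity=False).hexdigest()


def get_uuid():
    """Return a 32-hex-char nonce that works with or without FIPS mode."""
    if md5_usable(usedforsecurity=False):
        return get_uuid_md5()
    # Even the flagged call was refused (or Python < 3.9): uuid4 is 122
    # random bits from os.urandom and never touches hashlib.
    return uuid.uuid4().hex


if __name__ == "__main__":
    print("md5 allowed:", md5_usable(), "md5 (non-security) allowed:",
          md5_usable(usedforsecurity=False))
    print("nonce:", get_uuid())
```

The probe is cheap enough to run per call, but in a library it would normally be evaluated once at import time. Both branches return 32 hex characters, so callers that assumed the md5 hexdigest width keep working, and the fallback does not reintroduce the 64-bit `random.getrandbits` value the original code fed into the hash.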