openSUSE / cepces

cepces is an application for enrolling certificates through CEP and CES.
GNU General Public License v3.0

AttributeError: '_RSAPublicKey' object has no attribute 'verifier' #41

Closed falencastro closed 1 month ago

falencastro commented 1 month ago

journalctl -u certmonger output:

Sep 17 16:33:49 server1.domain1.local certmonger[37970]: 2024-09-17 16:33:49,102 __main__:ERROR:Traceback (most recent call last):
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/libexec/certmonger/cepces-submit", line 72, in main
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     result = operation()
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:              ^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/certmonger/operation.py", line 254, in __call__
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     certs = list(self._service.certificate_chain or [])
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 161, in certificate_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     return reversed(self._resolve_chain(data))
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                     ^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 325, in _resolve_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     parent = self._resolve_chain(r.text, cert)
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 295, in _resolve_chain
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     elif self._verify_certificate_signature(child, cert):
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:   File "/usr/lib/python3/dist-packages/cepces/core.py", line 250, in _verify_certificate_signature
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:     verifier = issuer_public_key.verifier(
Sep 17 16:33:49 server1.domain1.local certmonger[37970]:                ^^^^^^^^^^^^^^^^^^^^^^^^^^
Sep 17 16:33:49 server1.domain1.local certmonger[37970]: AttributeError: '_RSAPublicKey' object has no attribute 'verifier'

Environment:

OS:                     Ubuntu 24.04.1 LTS
Python:                 3.12.3
python3-cepces:         0.3.7-0ubuntu1
python3-cryptography:   41.0.7-4ubuntu0.1

Cryptography deprecated the _RSAPublicKey.verifier method in release 2.0 and removed it in release 37 (pr) in favor of .verify, which also requires an additional parameter.

We managed to work around it with this patch:

diff --git a/cepces/core.py b/cepces/core.py
index d642f09..a54aeaa 100644
--- a/cepces/core.py
+++ b/cepces/core.py
@@ -243,25 +243,23 @@ class Service(Base):
         """
         sig_hash_alg = cert.signature_hash_algorithm
         sig_bytes = cert.signature
+        sig_data = cert.tbs_certificate_bytes
         issuer_public_key = issuer.public_key()

         # Check the type of public key
         if isinstance(issuer_public_key, rsa.RSAPublicKey):
-            verifier = issuer_public_key.verifier(
-                sig_bytes, padding.PKCS1v15(), sig_hash_alg,
+            verifier = issuer_public_key.verify(
+                sig_bytes, sig_data, padding.PKCS1v15(), sig_hash_alg,
             )
         elif isinstance(issuer_public_key, ec.EllipticCurvePublicKey):
-            verifier = issuer_public_key.verifier(
-                sig_bytes, ec.ECDSA(sig_hash_alg),
+            verifier = issuer_public_key.verify(
+                sig_bytes, sig_data, ec.ECDSA(sig_hash_alg),
             )
         else:
-            verifier = issuer_public_key.verifier(
-                sig_bytes, sig_hash_alg,
+            verifier = issuer_public_key.verify(
+                sig_bytes, sig_data, sig_hash_alg,
             )

-        verifier.update(cert.tbs_certificate_bytes)
-        verifier.verify()
-
         return True

     def _resolve_chain(self, data, child=None):
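Review bot: In all three branches the result of issuer_public_key.verify(...) is still bound to the name verifier, but verify() returns None and reports a bad signature by raising InvalidSignature, so the assignment is dead and misleading now that verifier.update() and verifier.verify() are removed. Call issuer_public_key.verify(...) as a bare statement instead. Because the function now reaches "return True" on every path that does not raise, and the traceback shows _resolve_chain using the result in an elif, a docstring line stating that a mismatch surfaces as an exception rather than False would help, or catch InvalidSignature and return False if that is what the caller expects. The else branch passes sig_hash_alg as a third positional argument for every other key type; keys whose verify() takes only the signature and the data (Ed25519, for example) would raise TypeError there, so consider rejecting unsupported key types explicitly.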
dmulder commented 1 month ago

Please submit your patches as an MR, and reference this issue.
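
The API change described in the report (verifier() replaced by verify(), which takes the signed data as an extra argument) can be exercised end to end as follows. This is an added example, not part of the issue thread or the cepces code base; signature_is_valid, make_cert and demo are hypothetical names, the certificates are constructed sample data, and returning False on a mismatch (and TypeError for other key types) is a choice made here, not the patch's behaviour.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

def signature_is_valid(cert, issuer):
    """True if cert's signature verifies under issuer's key, False if not."""
    key = issuer.public_key()
    args = [cert.signature, cert.tbs_certificate_bytes]
    if isinstance(key, rsa.RSAPublicKey):
        args += [padding.PKCS1v15(), cert.signature_hash_algorithm]
    elif isinstance(key, ec.EllipticCurvePublicKey):
        args += [ec.ECDSA(cert.signature_hash_algorithm)]
    else:
        raise TypeError(f"unsupported issuer key: {type(key).__name__}")
    try:
        key.verify(*args)  # returns None; a bad signature raises
    except InvalidSignature:
        return False
    return True

def make_cert(cn, key, issuer_cn, issuer_key):
    """Constructed sample certificate for the demo (not data from the issue)."""
    def name(value):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, value)])
    start = datetime.datetime(2024, 1, 1)
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .sign(issuer_key, hashes.SHA256()))

def demo():
    """Check RSA- and ECDSA-signed leaves against the right and the wrong CA."""
    rsa_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    rsa_other = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ec_key = ec.generate_private_key(ec.SECP256R1())
    ec_other = ec.generate_private_key(ec.SECP256R1())
    cas = {n: make_cert(n, k, n, k) for n, k in [
        ("RSA CA", rsa_key), ("RSA other", rsa_other),
        ("EC CA", ec_key), ("EC other", ec_other)]}
    leaf_rsa = make_cert("leaf", ec_other, "RSA CA", rsa_key)
    leaf_ec = make_cert("leaf", ec_other, "EC CA", ec_key)
    return [signature_is_valid(leaf_rsa, cas["RSA CA"]),
            signature_is_valid(leaf_ec, cas["EC CA"]),
            signature_is_valid(leaf_rsa, cas["RSA other"]),
            signature_is_valid(leaf_ec, cas["EC other"])]
```

The first two results are the matching issuer for each key type; the last two show that a wrong issuer key is reported through InvalidSignature, which the wrapper turns into False.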