URL: https://github.com/freeipa/freeipa/pull/5005 Author: rcritten Title: #5005: [Backport][ipa-4-8] ipatests: Add compatibility against python-cryptography 3.0 Action: opened
PR body: """ This PR was opened automatically because PR #4936 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5005/head:pr5005 git checkout pr5005
From 2cdda9869df14eee00c8a91a249bf68b29327603 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <s...@altlinux.org>
Date: Thu, 23 Jul 2020 15:04:49 +0300
Subject: [PATCH] ipatests: Add compatibility against python-cryptography 3.0

The recently released python-cryptography 3.0 has backward incompatible changes. One of them [0] breaks FreeIPA self-tests. Note: this requires python-cryptography 2.7+.
[0] https://github.com/pyca/cryptography/commit/3b2102af549c1095d5478bb1243ee4cf76b9762b
Fixes: https://pagure.io/freeipa/issue/8428
Signed-off-by: Stanislav Levin <s...@altlinux.org>
---
 .../integration/create_caless_pki.py | 23 ++++++++++++++-----
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py
index f2a98f5a78..930661b5cd 100644
--- a/ipatests/pytest_ipa/integration/create_caless_pki.py
+++ b/ipatests/pytest_ipa/integration/create_caless_pki.py
@@ -20,11 +20,13 @@ import os.path
 import six
+from cryptography import __version__ as cryptography_version
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.x509.oid import NameOID
+from pkg_resources import parse_version
 from pyasn1.type import univ, char, namedtype, tag
 from pyasn1.codec.der import encoder as der_encoder
 from pyasn1.codec.native import decoder as native_decoder
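Review bot: The added `from pkg_resources import parse_version` makes setuptools a runtime requirement of this test helper just to compare two version strings, and setuptools now documents `pkg_resources` as deprecated. If the `packaging` distribution is available in the ipa-4-8 test environment (not visible from this patch), `from packaging.version import parse as parse_version` gives the same comparison without that dependency. A comment next to the import, such as `# only needed for the python-cryptography < 2.7 workaround in profile_ca`, would also make it easy to remove together with the workaround.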
@@ -150,13 +152,22 @@ def profile_ca(builder, ca_nick, ca):
 critical=False,
 )
 else:
- ski = ca.cert.extensions.get_extension_for_class(
- x509.SubjectKeyIdentifier)
- builder = builder.add_extension(
- x509.AuthorityKeyIdentifier
- .from_issuer_subject_key_identifier(ski),
- critical=False,
+ ski_ext = ca.cert.extensions.get_extension_for_class(
+ x509.SubjectKeyIdentifier
 )
+ auth_keyidentifier = (x509.AuthorityKeyIdentifier
+ .from_issuer_subject_key_identifier)
+ '''
+ cryptography < 2.7 accepts only Extension object.
+ Remove this workaround when all supported platforms update
+ python-cryptography.
+ '''
+ if (parse_version(cryptography_version) >= parse_version('2.7')):
+ extension = auth_keyidentifier(ski_ext.value)
+ else:
+ extension = auth_keyidentifier(ski_ext)
+
+ builder = builder.add_extension(extension, critical=False)
 return builder
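Review bot: The triple-quoted block above the version check in the `else:` branch is a string expression statement, not a comment, so it is evaluated and discarded on every call and is easy to mistake for a docstring. Write it as `#` comments, e.g. `# cryptography < 2.7 accepts only an Extension object; remove this branch once all supported platforms ship python-cryptography >= 2.7`. The commit message says the change requires python-cryptography 2.7+ while the code keeps a pre-2.7 branch, so the comment should state which of the two is intended. The outer parentheses in `if (parse_version(...) >= parse_version('2.7')):` are redundant. The body of `profile_ca` starts outside this hunk.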