On 21. 07. 24 11:21, Paul Howarth wrote:
Hi all,
python-paramiko failed to build in the mass rebuild and I'm wondering
if there's incorrect code in paramiko (or its dependency cryptography),
or whether it's a regression in the current Python beta.
The failures are in the test suite and the failing tests all involve
this error:
cryptography.exceptions.UnsupportedAlgorithm: sha1 is not supported by
this backend for RSA signing.
Now I know that sha1 signing has recently been disabled in Rawhide: the
upstream test suite is supposed to skip the tests that require sha1
signing, which is implemented using a decorator @requires_sha1_signing.
This was done following a PR I made upstream in 2022
(https://github.com/paramiko/paramiko/pull/2011) in order to get the test
suite to pass in EPEL-9, where the same crypto policy has been in
effect for a long time.
The @requires_sha1_signing decorator is implemented using a function
that attempts sha1 signing, catches the UnsupportedAlgorithm exception
from cryptography and checks that the reason code is
_Reasons.UNSUPPORTED_HASH.
_Reasons is an enum class in cryptography. The pythonic way of checking
enum identities is to use "is", since enums are singletons in Python.
Hence the check is:
except UnsupportedAlgorithm as e:
return e._reason is _Reasons.UNSUPPORTED_HASH
Except that doesn't work in Rawhide. The exception is being raised
exactly as expected but the identity test fails. However, it passes if
I change it to this:
except UnsupportedAlgorithm as e:
return e._reason == _Reasons.UNSUPPORTED_HASH
With that change, the test suite passes.
So my question is: is the python code wrong (test check, enum
implementation in cryptography?) or is this a regression in the latest
Python beta? The latter seems unlikely to me given how this affects
something quite fundamental.
Hey Paul.
I just tried this with pip-installed cryptography in Python 3.13 venv:
>>> from cryptography.exceptions import _Reasons
>>> from cryptography.hazmat.primitives.kdf.kbkdf import KBKDFHMAC
>>> try:
... KBKDFHMAC(None, None, None, None, None, None, None, None, None)
... except Exception as e:
... ex = e
...
>>> ex
UnsupportedAlgorithm('Algorithm supplied is not a supported hash algorithm.')
>>> ex._reason
_Reasons.UNSUPPORTED_HASH
>>> ex._reason is _Reasons.UNSUPPORTED_HASH
True
dnf-installed cryptography behaves the same in Rawhide mock.
How can I raise the exception that has a _reason that equals but is not
identical to _Reasons.UNSUPPORTED_HASH?
--
Miro Hrončok
--
Phone: +420777974800
Fedora Matrix: mhroncok
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
