Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-64923

awscli2: FTBFS due to small RSA key

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: Generate New Ti...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Major Major
    • None
    • rhel-10.0
    • awscli2
    • None
    • No
    • Moderate
    • 456bf3f4429628df0ed48a69f05e977d3dcf422c
    • rhel-cloud-exp
    • 8
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • Red Hat Enterprise Linux
    • None
    • None

      Build fails with:

      =================================== FAILURES ===================================
_____________ TestSha256RSADigestValidator.test_validates_digests ______________
self = <tests.unit.customizations.cloudtrail.test_validation.TestSha256RSADigestValidator testMethod=test_validates_digests>
    def test_validates_digests(self):
>       private_key = rsa.generate_private_key(65537, 512, default_backend())
tests/unit/customizations/cloudtrail/test_validation.py:365: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
/usr/lib64/python3.12/site-packages/cryptography/hazmat/primitives/asymmetric/rsa.py:142: in generate_private_key
    _verify_rsa_parameters(public_exponent, key_size)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
public_exponent = 65537, key_size = 512
    def _verify_rsa_parameters(public_exponent: int, key_size: int) -> None:
        if public_exponent not in (3, 65537):
            raise ValueError(
                "public_exponent must be either 3 (for legacy compatibility) or "
                "65537. Almost everyone should choose 65537 here!"
            )
    
        if key_size < 1024:
>           raise ValueError("key_size must be at least 1024-bits.")
E           ValueError: key_size must be at least 1024-bits.
/usr/lib64/python3.12/site-packages/cryptography/hazmat/primitives/asymmetric/rsa.py:154: ValueError

      Upstream commit: https://github.com/aws/aws-cli/commit/456bf3f4429628df0ed48a69f05e977d3dcf422c

      From 456bf3f4429628df0ed48a69f05e977d3dcf422c Mon Sep 17 00:00:00 2001
From: Kenneth Daily <kdaily@amazon.com>
Date: Fri, 6 Sep 2024 12:11:47 -0700
Subject: [PATCH] Update RSA private key size to 2048 in test.

This is required to unblock updating our
`cryptography` pin:

https://github.com/aws/aws-cli/pull/8895

This test was ported 5 years ago as is using a key
size of 512:

https://github.com/aws/aws-cli/pull/4846

As of `cryptography==43.0.0` the minimum key size
allowed is 512:

https://github.com/pyca/cryptography/commit/83dcbc190165ad5c1f86bddaee76e0b288803c43

This change bumps it up to a more reasonable value
of 2048. This has only a couple hundredths of a
second time difference to generate as tested on my
Mac.

              rh-ee-fkolwa Felix Kolwa
              fweimer@redhat.com Florian Weimer
              Conor Cowman Conor Cowman (Inactive)
              Nicolas Munoz Nicolas Munoz
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: