Public bug reported:

Not all ECC curves we use in signature_utils are available on all
platforms - e.g.

On RHEL 7.2

  $ openssl ecparam -list_curves
    secp384r1 : NIST/SECG curve over a 384 bit prime field
    secp521r1 : NIST/SECG curve over a 521 bit prime field
    prime256v1: X9.62/SECG curve over a 256 bit prime field

On Fedora 23 ...

  $ openssl ecparam -list_curves
    secp256k1 : SECG curve over a 256 bit prime field
    secp384r1 : NIST/SECG curve over a 384 bit prime field
    secp521r1 : NIST/SECG curve over a 521 bit prime field
    prime256v1: X9.62/SECG curve over a 256 bit prime field

There's a long history surrounding the lack of ECC support in openssl in
Fedora, RHEL, and CentOS because of legal issues - see

  https://bugzilla.redhat.com/show_bug.cgi?id=319901

Some ECC curves are now available, but each additional one requested
will be considered individually - there is a tracker bug for this:

  https://bugzilla.redhat.com/showdependencytree.cgi?id=1019390&hide_resolved=0

This is the failure I'm seeing since
https://review.openstack.org/#/c/256069/ was merged

nova.tests.unit.test_signature_utils.TestSignatureUtils.test_verify_signature_ECC
---------------------------------------------------------------------------------

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):
      File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/mock/mock.py", line 1305, in patched
        return func(*args, **keywargs)
      File "nova/tests/unit/test_signature_utils.py", line 178, in test_verify_signature_ECC
        default_backend())
      File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 241, in generate_private_key
        return backend.generate_elliptic_curve_private_key(curve)
      File "/home/markmc/git/openstack/nova/.tox/py27/lib/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 247, in generate_elliptic_curve_private_key
        _Reasons.UNSUPPORTED_ELLIPTIC_CURVE
    cryptography.exceptions.UnsupportedAlgorithm: This backend does not support this elliptic curve.

** Affects: nova
     Importance: Undecided
     Assignee: Mark McLoughlin (markmc)
         Status: In Progress

https://bugs.launchpad.net/bugs/1528393

Title:
  signature_utils tests fail on Fedora/RHEL/CentOS because not all ECC
  curves are available

Status in OpenStack Compute (nova):
  In Progress

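A preflight check for the situation reported above, added here as an example (it is not nova's code or the fix for this bug): it parses `openssl ecparam -list_curves` output and splits a list of wanted curves into those a test can run on the platform and those it should skip. The two listings are the ones quoted in the report; the `WANTED` list and the function names are assumptions for illustration. The alias table covers the two curves that the cryptography library names secp192r1/secp256r1 while OpenSSL lists them as prime192v1/prime256v1.

```python
import re

# cryptography names two NIST curves differently from OpenSSL's listing.
OPENSSL_ALIASES = {"secp192r1": "prime192v1", "secp256r1": "prime256v1"}

# Listings as quoted in the bug report above.
RHEL_7_2 = """\
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
"""
FEDORA_23 = """\
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
"""

# Assumed for illustration: curves a test suite wants to exercise,
# written with cryptography-style names. Not taken from the report.
WANTED = ["secp256r1", "secp384r1", "secp521r1", "secp256k1", "sect571k1"]

# An entry line is "<name> :" or "<name>:" at the start of a line.
_ENTRY = re.compile(r"^[ \t]*([A-Za-z0-9_-]+)[ \t]*:", re.MULTILINE)


def parse_curve_list(listing):
    """Return the curve names found in `openssl ecparam -list_curves` output.

    Wrapped description lines do not begin with a "<name>:" token,
    so they are ignored.
    """
    return set(_ENTRY.findall(listing))


def split_by_support(wanted, listing):
    """Partition wanted curves into (supported, unsupported), keeping order."""
    available = parse_curve_list(listing)
    supported, unsupported = [], []
    for name in wanted:
        target = OPENSSL_ALIASES.get(name, name)
        (supported if target in available else unsupported).append(name)
    return supported, unsupported


if __name__ == "__main__":
    for platform, listing in (("RHEL 7.2", RHEL_7_2), ("Fedora 23", FEDORA_23)):
        run, skip = split_by_support(WANTED, listing)
        print(platform, "run:", run, "skip:", skip)
```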
