Does not work with latest pyOpenSSL #6

pjrobertson opened this issue Dec 1, 2024 · 3 comments

See bellingcat/auto-archiver#155 for more info.

Here's the stack trace, when using pyOpenSSL==24.3.0

```
  File "/.virtualenvs/autoarchiver/lib/python3.11/site-packages/auto_archiver/enrichers/timestamping_enricher.py", line 3, in <module>
    from tsp_client import TSPSigner, SigningSettings, TSPVerifier
  File "/.virtualenvs/autoarchiver/lib/python3.11/site-packages/tsp_client/__init__.py", line 2, in <module>
    from .signer import SigningSettings, TSPSigner
  File "/.virtualenvs/autoarchiver/lib/python3.11/site-packages/tsp_client/signer.py", line 12, in <module>
    from .verifier import TSPVerifier, VerifyResult
  File "/.virtualenvs/autoarchiver/lib/python3.11/site-packages/tsp_client/verifier.py", line 40, in <module>
    from OpenSSL.crypto import verify as openssl_verify
ImportError: cannot import name 'verify' from 'OpenSSL.crypto' (unknown location)
```

From pyOpenSSL docs, the crypto package is deprecated: https://www.pyopenssl.org/en/24.3.0/api/crypto.html


But I can't seem to see any better solution as to how to do this. The recommended pyca/cryptography doesn't seem to make it any easier either. Submitting here to keep a record on this


kislyuk commented Dec 1, 2024

Thanks for reporting! I will publish a new version shortly that restricts the PyOpenSSL dependency version range so that only versions that contain the required functionality are installed.

The certificate validation (verification) function is indeed deprecated in PyOpenSSL. Migrating it to Cryptography is possible but requires some effort (I have successfully completed this work in another package I maintain, SignXML, but not in tsp-client yet) and the validation criteria in Cryptography are much stricter and less flexible than in PyOpenSSL, so I'm not sure yet if they will work with all TSP applications.


kislyuk commented Dec 1, 2024

OK, I have released tsp-client v0.2.1 which works around this issue. I will post another update here when I've made progress on migrating certificate validation to Cryptography.

@pjrobertson

Great, thanks for the quick update! Note that I've tested and confirmed it still works with pyopenssl==24.2.1, so perhaps the package should be kept to this?

"pyOpenSSL >= 21.0.0, < 24.2.1"
