bpo-38271: encrypt private key test files with AES256 #16385

tiran · 2019-09-25T11:12:41Z

The private keys for test_ssl were encrypted with 3DES in traditional
PKCS#5 format. 3DES and the digest algorithm of PKCS#5 are blocked by
some strict crypto policies. Use PKCS#8 format with AES256 encryption
instead.

Signed-off-by: Christian Heimes christian@python.org

https://bugs.python.org/issue38271

Automerge-Triggered-By: @tiran

Lib/test/make_ssl_certs.py

encukou

Aside from that nitpick, this looks legit

The private keys for test_ssl were encrypted with 3DES in traditional PKCS#5 format. 3DES and the digest algorithm of PKCS#5 are blocked by some strict crypto policies. Use PKCS#8 format with AES256 encryption instead. Signed-off-by: Christian Heimes <christian@python.org>

miss-islington · 2019-09-25T15:55:01Z

@tiran: Status check is done, and it's a success ✅ .

miss-islington · 2019-09-25T15:55:06Z

Thanks @tiran for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7, 3.8.
🐍🍒⛏🤖

@tiran

The private keys for test_ssl were encrypted with 3DES in traditional PKCSGH-5 format. 3DES and the digest algorithm of PKCSGH-5 are blocked by some strict crypto policies. Use PKCSGH-8 format with AES256 encryption instead. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue38271 Automerge-Triggered-By: @tiran (cherry picked from commit bfd0c96) Co-authored-by: Christian Heimes <christian@python.org>

bedevere-bot · 2019-09-25T15:55:17Z

GH-16395 is a backport of this pull request to the 3.8 branch.

bedevere-bot · 2019-09-25T15:55:25Z

GH-16396 is a backport of this pull request to the 3.7 branch.

@tiran

The private keys for test_ssl were encrypted with 3DES in traditional PKCSGH-5 format. 3DES and the digest algorithm of PKCSGH-5 are blocked by some strict crypto policies. Use PKCSGH-8 format with AES256 encryption instead. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue38271 Automerge-Triggered-By: @tiran (cherry picked from commit bfd0c96) Co-authored-by: Christian Heimes <christian@python.org>

@tiran

The private keys for test_ssl were encrypted with 3DES in traditional PKCSGH-5 format. 3DES and the digest algorithm of PKCSGH-5 are blocked by some strict crypto policies. Use PKCSGH-8 format with AES256 encryption instead. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue38271 Automerge-Triggered-By: @tiran (cherry picked from commit bfd0c96) Co-authored-by: Christian Heimes <christian@python.org>

@tiran

The private keys for test_ssl were encrypted with 3DES in traditional PKCSGH-5 format. 3DES and the digest algorithm of PKCSGH-5 are blocked by some strict crypto policies. Use PKCSGH-8 format with AES256 encryption instead. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue38271 Automerge-Triggered-By: @tiran (cherry picked from commit bfd0c96) Co-authored-by: Christian Heimes <christian@python.org>

@tiran

The private keys for test_ssl were encrypted with 3DES in traditional PKCSGH-5 format. 3DES and the digest algorithm of PKCSGH-5 are blocked by some strict crypto policies. Use PKCSGH-8 format with AES256 encryption instead. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue38271 Automerge-Triggered-By: @tiran (cherry picked from commit bfd0c96) Co-authored-by: Christian Heimes <christian@python.org>

@tiran

The private keys for test_ssl were encrypted with 3DES in traditional PKCS#5 format. 3DES and the digest algorithm of PKCS#5 are blocked by some strict crypto policies. Use PKCS#8 format with AES256 encryption instead. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue38271 Automerge-Triggered-By: @tiran

@tiran

The private keys for test_ssl were encrypted with 3DES in traditional PKCSGH-5 format. 3DES and the digest algorithm of PKCSGH-5 are blocked by some strict crypto policies. Use PKCSGH-8 format with AES256 encryption instead. Signed-off-by: Christian Heimes <christian@python.org> https://bugs.python.org/issue38271 Automerge-Triggered-By: @tiran (cherry picked from commit bfd0c96) Co-authored-by: Christian Heimes <christian@python.org>

tiran added tests Tests in the Lib/test dir needs backport to 3.7 needs backport to 3.8 labels Sep 25, 2019

the-knights-who-say-ni added the CLA signed label Sep 25, 2019

bedevere-bot added the awaiting core review label Sep 25, 2019

tiran force-pushed the bpo38271-pkey-aes branch 2 times, most recently from 328354a to ab145b2 Compare Sep 25, 2019

encukou reviewed Sep 25, 2019

View changes

Lib/test/make_ssl_certs.py Outdated Show resolved Hide resolved

encukou approved these changes Sep 25, 2019

View changes

bedevere-bot added awaiting merge and removed awaiting core review labels Sep 25, 2019

tiran force-pushed the bpo38271-pkey-aes branch from ab145b2 to bb8ffc9 Compare Sep 25, 2019

tiran added the 🤖 automerge PR will be merged once it's been approved and all CI passed label Sep 25, 2019

miss-islington merged commit bfd0c96 into python:master Sep 25, 2019

bedevere-bot removed the awaiting merge label Sep 25, 2019

bedevere-bot removed needs backport to 3.8 needs backport to 3.7 labels Sep 25, 2019

bpo-38271: encrypt private key test files with AES256 #16385

bpo-38271: encrypt private key test files with AES256 #16385

tiran commented Sep 25, 2019 •

edited by miss-islington

encukou left a comment

miss-islington commented Sep 25, 2019

miss-islington commented Sep 25, 2019

bedevere-bot commented Sep 25, 2019

bedevere-bot commented Sep 25, 2019

bpo-38271: encrypt private key test files with AES256 #16385

bpo-38271: encrypt private key test files with AES256 #16385

Conversation

tiran commented Sep 25, 2019 • edited by miss-islington

encukou left a comment

miss-islington commented Sep 25, 2019

miss-islington commented Sep 25, 2019

bedevere-bot commented Sep 25, 2019

bedevere-bot commented Sep 25, 2019

tiran commented Sep 25, 2019 •

edited by miss-islington