I am using FreeIPA 4.12.2 with python3-cryptography 44.0.1 on Python 3.12.8.
The ipa-client-install command fails on me, and I have tracked down the reason. A simple way to reproduce:
    import ipalib.x509
    ..... gives a warning about TripleDES which is unrelated .....
      File "/usr/lib/python3.12/site-packages/ipalib/ipalib/x509.py", line 91, in <module>
        class IPACertificate(crypto_x509.Certificate):
    (warning) TypeError: type 'cryptography.hazmat.bindings._rust.x509.Certificate' is not an acceptable base type
The reason is that the class cryptography.x509.Certificate is not meant to be instantiated from the python side. To demonstrate:
    >>> from cryptography.x509 import Certificate
    >>> c = Certificate()
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    TypeError: No constructor defined for Certificate

    >>> from cryptography.x509 import Certificate
    >>> class X(Certificate):
    ...   pass
    ...
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
    TypeError: type 'cryptography.hazmat.bindings._rust.x509.Certificate' is not an acceptable base type
To fix this, IPACertificate would need to be rewritten to use composition instead of inheritance.
So my questions: Am I missing something? Which version of FreeIPA is known to work with what version of python3-cryptography?
Thanks, Wolfgang
Wolfgang Eder via FreeIPA-devel wrote:
> I am using FreeIPA 4.12.2 with python3-cryptography 44.0.1 on Python 3.12.8.
> The ipa-client-install command fails on me, and I have tracked down the reason. A simple way to reproduce:
>
>     import ipalib.x509
>     ..... gives a warning about TripleDES which is unrelated .....
>       File "/usr/lib/python3.12/site-packages/ipalib/ipalib/x509.py", line 91, in <module>
>         class IPACertificate(crypto_x509.Certificate):
>     (warning) TypeError: type 'cryptography.hazmat.bindings._rust.x509.Certificate' is not an acceptable base type
>
> The reason is that the class cryptography.x509.Certificate is not meant to be instantiated from the python side. To demonstrate:
>
>     >>> from cryptography.x509 import Certificate
>     >>> c = Certificate()
>     Traceback (most recent call last):
>       File "<stdin>", line 1, in <module>
>     TypeError: No constructor defined for Certificate
>
>     >>> from cryptography.x509 import Certificate
>     >>> class X(Certificate):
>     ...   pass
>     ...
>     Traceback (most recent call last):
>       File "<stdin>", line 1, in <module>
>     TypeError: type 'cryptography.hazmat.bindings._rust.x509.Certificate' is not an acceptable base type
>
> To fix this, IPACertificate would need to be rewritten to use composition instead of inheritance.
> So my questions: Am I missing something? Which version of FreeIPA is known to work with what version of python3-cryptography?
It is fixed in the ipa-4-12 branch in https://github.com/freeipa/freeipa/commit/d4d56a6705c870901bc73882e4804367f7... but it hasn't landed in a release yet.
rob
freeipa-devel@lists.fedorahosted.org
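
The composition approach suggested in the first message, sketched as an added example. It is not part of the thread and is not the code from the FreeIPA commit referenced above. WrappedCertificate, subject_cn and make_sample_cert_pem are hypothetical names; the certificate is a constructed, throwaway self-signed sample.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


class WrappedCertificate:
    """Hypothetical wrapper that holds a Certificate instead of subclassing it."""

    def __init__(self, cert):
        if not isinstance(cert, x509.Certificate):
            raise TypeError("expected a cryptography.x509.Certificate")
        self._cert = cert

    @classmethod
    def from_pem(cls, data):
        return cls(x509.load_pem_x509_certificate(data))

    @property
    def subject_cn(self):
        # Extra behaviour lives on the wrapper, not on a subclass.
        attrs = self._cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
        return attrs[0].value if attrs else None

    def __getattr__(self, name):
        # Reached only when normal lookup fails; forward to the wrapped object.
        if name == "_cert":  # not set yet (e.g. during copy): avoid recursion
            raise AttributeError(name)
        return getattr(self._cert, name)

    def __eq__(self, other):
        if isinstance(other, WrappedCertificate):
            other = other._cert
        return self._cert == other

    def __hash__(self):
        return hash(self._cert)


def make_sample_cert_pem(cn):
    """Build a throwaway self-signed certificate (constructed sample input)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=1))
               .not_valid_after(now + datetime.timedelta(days=1)))
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
```

Because the wrapper is not itself a cryptography Certificate, pass the wrapped object (here `_cert`) to any library call that checks the type.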