python library cryptography #30287

Closed
damon-atkins opened this issue Jan 12, 2016 · 21 comments
Labels
Core relates to code central or existential to Salt Feature new functionality including changes to functionality and code refactors, etc.

@damon-atkins
Contributor

Consider using the Python library "cryptography", as its parent project is OpenStack.
See:
https://cryptography.io/en/latest/
https://lwn.net/Articles/595790/

It appears its only dependency is OpenSSL.

Given a lot of vendors want to support OpenStack, you may find "cryptography" on new releases of OS. But this does not help with older releases of OS.

@jfindlay jfindlay added Feature new functionality including changes to functionality and code refactors, etc. Core relates to code central or existential to Salt labels Jan 13, 2016
@jfindlay jfindlay added this to the Approved milestone Jan 13, 2016
@jfindlay
Contributor

@damon-atkins, thanks for the feature request. This would be a great option to have.

@damon-atkins
Contributor Author

damon-atkins commented Apr 26, 2016

https://cryptography.io/en/latest/installation/

Currently we test cryptography on Python 2.6, 2.7, 3.3, 3.4, 3.5, and PyPy 2.6+ on these operating systems.

  • x86-64 CentOS 7.x, 6.4 and CentOS 5.x
  • x86-64 FreeBSD 10
  • OS X 10.11 El Capitan, 10.10 Yosemite, 10.9 Mavericks, 10.8 Mountain Lion, and 10.7 Lion
  • x86-64 Ubuntu 12.04 LTS and Ubuntu 14.04 LTS
  • x86-64 Debian Wheezy (7.x), Jessie (8.x), and Debian Sid (unstable)
  • 32-bit and 64-bit Python on 64-bit Windows Server 2012

@akissa
Contributor

akissa commented Jun 19, 2016

@damon-atkins You are wrong on the dependencies; it has a ton of dependencies and is not installable on CentOS 6, so I doubt it would be installable on CentOS 5.

@damon-atkins
Contributor Author

Salt already provides extra RPMs for older OS... python-cryptography is included in CentOS 7 & Solaris 11 and others which want to support OpenStack.

From http://pkgs.fedoraproject.org/cgit/rpms/python-cryptography.git/tree/python-cryptography.spec

Requires:       openssl
Requires:       python-idna >= 2.0
Requires:       python-pyasn1 >= 0.1.8
Requires:       python-six >= 1.4.1
Requires:       python-cffi >= 1.4.1
Requires:       python-enum34
Requires:       python-ipaddress

%description -n python2-cryptography
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.

%if 0%{?with_python3}
%package -n  python3-cryptography
Group:          Development/Libraries
Summary:        PyCA's cryptography library
%{?python_provide:%python_provide python3-cryptography}

Requires:       openssl
Requires:       python3-idna >= 2.0
Requires:       python3-pyasn1 >= 0.1.8
Requires:       python3-six >= 1.4.1
Requires:       python3-cffi >= 1.4.1

@akissa
Contributor

akissa commented Jun 20, 2016

@damon-atkins I cannot find any python-cryptography RPMs provided by Salt here: https://repo.saltstack.com/yum/redhat/6.8/x86_64/2016.3/ Could you be so kind as to point to where they are located?

@damon-atkins
Contributor Author

That would be up to the SaltStack staff to do if and when they decide to head in the same direction as OpenStack. There is no point installing it as Salt currently does not use it.

@akissa
Contributor

akissa commented Jun 20, 2016

Goes back to the point I am making.

@lorengordon
Contributor

I'll second the request to use the cryptography library. We have some experience on our team using the various crypto implementations in python and find cryptography to be quite an improvement in ease of use.

@damon-atkins
Contributor Author

damon-atkins commented Dec 12, 2017

https://cryptography.io/en/latest/installation/

Currently we test cryptography on Python 2.7, 3.4, 3.5, 3.6, and PyPy 5.3+ on these operating systems.

  • x86-64 CentOS 7.x
  • x86-64 FreeBSD 11
  • macOS 10.12 Sierra, 10.11 El Capitan
  • x86-64 Ubuntu 14.04, 16.04, and rolling
  • x86-64 Debian Wheezy (7.x), Jessie (8.x), Stretch (9.x), and Sid (unstable)
  • x86-64 Alpine (latest)
  • 32-bit and 64-bit Python on 64-bit Windows Server 2012

Given cryptography is sponsored/needed by OpenStack, the following is also supported.
From https://en.wikipedia.org/wiki/OpenStack#Distributions:

  • Bright Computing
  • Canonical (Ubuntu)
  • HPE
  • IBM
  • Mirantis
  • Oracle OpenStack for Oracle Linux, or O3L
  • Oracle OpenStack for Oracle Solaris
  • Red Hat
  • Stratoscale
  • SUSE
  • VMware Integrated OpenStack (VIO)

@damon-atkins
Contributor Author

Also suggest it's benchmarked, to ensure it's faster or the same speed.

@stale

stale bot commented Apr 6, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

@stale stale bot added the stale label Apr 6, 2019
@damon-atkins
Contributor Author

@saltstack/team-core should this stay open? Is this a long-term plan to move to this?

@stale

stale bot commented Apr 7, 2019

Thank you for updating this issue. It is no longer marked as stale.

@stale stale bot removed the stale label Apr 7, 2019
@waynew
Contributor

waynew commented Apr 8, 2019

Yeah, we've been discussing this and I think there's a general consensus that cryptography is probably the best offering around crypto for Python. It does have a different API than those libraries that we're currently using, so it's a non-trivial change (unfortunately).

Finding the time to handle all the fiddly bits here to make sure we have a solid crypto story here is definitely our biggest challenge.

@stale

stale bot commented Jan 8, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

@stale stale bot added the stale label Jan 8, 2020
@stale

stale bot commented Jan 14, 2020

Thank you for updating this issue. It is no longer marked as stale.

@stale stale bot removed the stale label Jan 14, 2020
@thatch45
Contributor

I should say that with the revival of M2Crypto, we will be recommending using it moving forward; it is very fast and ties in cleanly.

@damon-atkins
Contributor Author

damon-atkins commented Jan 17, 2020

The benefit of https://cryptography.io/en/latest/faq/#why-use-cryptography is a high-level API and the default settings it uses. Seems @lorengordon used it before.

@damon-atkins
Contributor Author

Noticed this today: Comparing the Usability of Cryptographic APIs

@akissa
Contributor

akissa commented Jan 17, 2020

> I should say that with the revival of M2Crypto, we will be recommending using it moving forward; it is very fast and ties in cleanly.

+1 For continued use of M2Crypto

s0undt3ch added a commit to s0undt3ch/salt that referenced this issue Mar 2, 2021
The Salt project is aware and only uses PyCrypto as a last resort.
Additionally, see saltstack#30287
Ch3LL pushed a commit that referenced this issue Mar 3, 2021
The Salt project is aware and only uses PyCrypto as a last resort.
Additionally, see #30287
drscream pushed a commit to drscream/salt that referenced this issue Sep 17, 2021
The Salt project is aware and only uses PyCrypto as a last resort.
Additionally, see saltstack#30287
bdrung pushed a commit to bdrung/salt that referenced this issue Oct 13, 2021
The Salt project is aware and only uses PyCrypto as a last resort.
Additionally, see saltstack#30287
@twangboy
Contributor

I believe Salt is now using the pycryptodomex library.

pycryptodomex on all platforms: #56625
