Bump cryptography for CVE-2024-12797

What does this MR do and why?

  • Bump cryptography 43.0.1 > 44.0.1
  • Refactor self-signed cert creation from OpenSSL.crypto.X509 to pyca/cryptography's X.509 APIs.

Resolves:

Notes:

  • Major bump, required change log analysis. Breaking changes in change log should not affect Crafty.
  • Self-signed certificate creation refactor was required: pyOpenSSL requires bumping to support the cryptography version we are moving to, but as a side effect of that, the APIs that we are using to generate self-signed certificates through pyOpenSSL are deprecated. pyOpenSSL advises using cryptography APIs instead, removing our need to have pyOpenSSL as a requirement.

    OpenSSL.crypto.X509. These should have been deprecated at the same time X509Extension was. Users should use pyca/cryptography's X.509 APIs instead.

ref. https://gitlab.com/crafty-controller/crafty-4/-/issues/532

How to set up and validate locally

  • Clone and switch to branch.
  • Ensure pem files do not exist from previous test build.
  • Launch Crafty.
  • Once Crafty is fully started, check certificates are present in config folder.
  • Restart Crafty and ensure Crafty can boot with the certificates existing.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • Have you checked this doesn't interfere/conflict/duplicate someone else's work?
  • Have you fully tested your changes?
  • Have you resolved any lint issues?
  • Have you assigned a reviewer?
  • Have you applied correct labels?
Edited by Iain Powrie
