`py3-cryptography` does not declare a dependency on `openssl-provider-legacy` or the need for `CRYPTOGRAPHY_OPENSSL_NO_LEGACY`
A simple 'import' test of py3-cryptography fails with the stack trace shown below.
```
# apk list --installed py3-cryptography
py3-cryptography-42.0.8-r0 x86_64 {py3-cryptography} (Apache-2.0 OR BSD-3-Clause) [installed]
# python3 -c 'from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.12/site-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 11, in <module>
    from cryptography.hazmat._oid import ObjectIdentifier
  File "/usr/lib/python3.12/site-packages/cryptography/hazmat/_oid.py", line 7, in <module>
    from cryptography.hazmat.bindings._rust import (
RuntimeError: OpenSSL 3.0's legacy provider failed to load.
This is a fatal error by default, but cryptography supports running without
legacy algorithms by setting the environment variable
CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have
likely made a mistake with your OpenSSL configuration.
```
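To tell a missing legacy provider apart from an otherwise broken install, the following diagnostic (added here, not part of the report or of the cryptography project) runs the failing import in a child interpreter with and without `CRYPTOGRAPHY_OPENSSL_NO_LEGACY` and classifies the outcome; the sample stderr it tests against is constructed from the traceback above.

```python
"""Check whether python-cryptography on this host depends on OpenSSL's legacy provider."""
import os
import subprocess
import sys

# The import that failed in the report.
IMPORT_STMT = "from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve"
# Substring of the RuntimeError that cryptography raises when the provider is absent.
LEGACY_MARKER = "legacy provider failed to load"
# Constructed sample stderr, taken from the traceback in the report.
CONSTRUCTED_STDERR = "RuntimeError: OpenSSL 3.0's legacy provider failed to load.\n"


def is_legacy_provider_failure(stderr: str) -> bool:
    """True when the child's stderr carries the legacy-provider RuntimeError."""
    return LEGACY_MARKER in stderr


def classify(default_ok: bool, no_legacy_ok: bool, default_stderr: str) -> str:
    """Map the two import outcomes to one of three host states."""
    if default_ok:
        return "ok: the import works with the default environment"
    if no_legacy_ok and is_legacy_provider_failure(default_stderr):
        # Either install openssl-provider-legacy (the package named in the report)
        # or opt out of legacy algorithms with CRYPTOGRAPHY_OPENSSL_NO_LEGACY.
        return "legacy-provider-missing: install openssl-provider-legacy or set CRYPTOGRAPHY_OPENSSL_NO_LEGACY"
    return "broken: the import fails regardless of the legacy setting; inspect the traceback"


def try_import(no_legacy: bool) -> tuple[bool, str]:
    """Run IMPORT_STMT in a child interpreter; return (succeeded, stderr)."""
    env = dict(os.environ)
    if no_legacy:
        env["CRYPTOGRAPHY_OPENSSL_NO_LEGACY"] = "1"
    else:
        env.pop("CRYPTOGRAPHY_OPENSSL_NO_LEGACY", None)
    proc = subprocess.run([sys.executable, "-c", IMPORT_STMT], env=env,
                          capture_output=True, text=True)
    return proc.returncode == 0, proc.stderr


def diagnose() -> str:
    """Probe both environments and return the classification."""
    default_ok, default_err = try_import(no_legacy=False)
    no_legacy_ok, _ = try_import(no_legacy=True)
    return classify(default_ok, no_legacy_ok, default_err)


if __name__ == "__main__":
    print(diagnose())
```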
In discussions, @xnox says:
> ok, bad. imho we shouldn't require legacy cryptography out of the box or use it by default.
> and I hate the need for an environment variable to be secure, I'd rather that be automatic (try, but don't fail, upon missing legacy provider). Or we need to add a py3-cryptography dependency on openssl-provider-legacy. Or we need to build it differently / patch it / contact upstream.
> I think for now, we should add a runtime dep on openssl-provider-legacy as otherwise this is like a hidden pitfall / trap for now.
> https://cryptography.io/en/latest/openssl/#legacy-provider-in-openssl-3-x is the gist of it... sort of hate that it is opt-out, not opt-in