{KeyVault} Update test cert encryption to AES-256-CBC#32879
Conversation
Checks passed: AzureCLI-FullTest, AzureCLI-BreakingChangeTest
Thank you for your contribution! We will review the pull request and get back to you soon.

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
Pull request overview
This PR upgrades two cryptography-related Python packages (cryptography and pyOpenSSL) across all three platform-specific requirements files (Linux, macOS/Darwin, Windows), and regenerates a test PEM certificate fixture to be compatible with the upgraded cryptography library.
Changes:
- Upgrades cryptography from 44.0.1 to 46.0.5 on all platforms, which drops support for legacy weak ciphers like DES-CBC in PEM encryption.
- Upgrades pyOpenSSL from 25.0.0 to 25.3.0 on all platforms.
- Regenerates ec521pw.pem (the EC P-521 encrypted test key) from DES-CBC to AES-256-CBC to restore compatibility with cryptography==46.0.5.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| requirements.py3.Linux.txt | Bumps cryptography to 46.0.5 and pyOpenSSL to 25.3.0 |
| requirements.py3.Darwin.txt | Bumps cryptography to 46.0.5 and pyOpenSSL to 25.3.0 |
| requirements.py3.windows.txt | Bumps cryptography to 46.0.5 and pyOpenSSL to 25.3.0 |
| ec521pw.pem | Regenerated using AES-256-CBC instead of removed DES-CBC to work with the new cryptography version |
| -----BEGIN EC PRIVATE KEY----- | ||
| Proc-Type: 4,ENCRYPTED | ||
| DEK-Info: DES-CBC,5A0C299B3F7E3BDD | ||
| DEK-Info: AES-256-CBC,B4F94D174FB9F1833836A3AFA1A6635B |
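Review bot: the fixture stays in the legacy OpenSSL encrypted-PEM format (the Proc-Type: 4,ENCRYPTED and DEK-Info: headers are retained) and only the cipher named in DEK-Info moves from DES-CBC to AES-256-CBC; the IV growing from 16 to 32 hex digits is consistent with the 16-byte AES block, so the header itself looks well-formed. Since the stated reason for the change is that the library removed one cipher from this legacy format, consider mentioning in the PR description that the fixture could be regenerated as encrypted PKCS#8 (a BEGIN ENCRYPTED PRIVATE KEY block) if the traditional headers are ever dropped too; the test only asserts kty and crv, so either form would satisfy it.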
The PR description is empty — the "Description", "Related command", "Testing Guide", and "History Notes" sections all contain only boilerplate template text without any actual content. At minimum, the Description should explain why the PEM certificate was regenerated (i.e., the cryptography library dropped support for DES-CBC in PEM encryption, requiring migration to AES-256-CBC), and the History Notes should reflect the actual version bump changes rather than the template placeholder text.
The mydomain.test.encrypted.pem file (used alongside ec521pw.pem in the same test contexts at test lines 1131–1138 and 1321–1329) still uses DES-EDE3-CBC encryption (DEK-Info: DES-EDE3-CBC,...). If the cryptography library version 46.x has also dropped support for Triple-DES (3DES) in legacy PEM encryption (as it has been on a deprecation path), this file would also fail to load, just like the original ec521pw.pem with DES-CBC. This should be verified to ensure that tests importing mydomain.test.encrypted.pem continue to pass with cryptography==46.0.5.
/azp run

Azure Pipelines successfully started running 3 pipeline(s).

Please fix the title and history note.
Resolved review thread on src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/ec521pw.pem

Nice PR description!
Bumps cryptography from 44.0.1 to 46.0.5.
Bumps pyopenssl from 25.0.0 to 25.3.0.
History Notes
This PR is replacing #32830
[Core] Resolve CVE-2026-26007
The test file ec521pw.pem was encrypted with DES-CBC (single DES), a weak cipher from the 1970s. When we upgraded cryptography from 44.0.1 to 46.0.5, the library dropped DES-CBC support entirely. This caused load_pem_private_key() to throw ValueError: Key encrypted with unknown cipher, which failed the test_keyvault_key test during the EC key import step.
We regenerated the file as a new EC P-521 key encrypted with AES-256-CBC — a modern cipher that cryptography 46 supports. Same password (pass1234), same curve (P-521), same file name. The test only checks key.kty == 'EC' and key.crv == 'P-521', not the actual key material, so a fresh key works fine.
TL;DR: Old test key used obsolete encryption → new library rejected it → we re-encrypted with a modern cipher. No code changes, just a test fixture update.
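The failure described above is visible from the PEM text headers alone, so the check the earlier review asked for (whether mydomain.test.encrypted.pem, still on DES-EDE3-CBC, will hit the same ValueError) can be scripted without loading any key material. The following audit is an added example, not code from this PR or the azure-cli repository; it parses the legacy OpenSSL Proc-Type/DEK-Info headers and flags ciphers the upgraded library rejects or that are on the same deprecation path. The DES-CBC and AES-256-CBC header lines mirror the diff in this PR; the DES-EDE3-CBC IV and all key bodies are constructed placeholders, and the accepted-cipher set and deprecation reasons are the example's own assumptions drawn from the review discussion.

```python
"""Audit encrypted PEM test fixtures for legacy ciphers.

Constructed example; not part of the azure-cli repository or this PR.
It inspects the text headers of OpenSSL "traditional" encrypted PEM keys
(Proc-Type: 4,ENCRYPTED / DEK-Info: <cipher>,<iv-hex>) and reports fixtures
whose cipher the upgraded cryptography library rejects (DES-CBC) or that sit
on the same deprecation path (DES-EDE3-CBC). Standard library only.
"""
import re
from pathlib import Path

# Assumption: ciphers still accepted for the legacy format after the upgrade.
ACCEPTED_CIPHERS = {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC"}

# Ciphers to retire, with the reason taken from the PR discussion.
WEAK_CIPHERS = {
    "DES-CBC": "single DES; removed from PEM decryption in cryptography 46.x",
    "DES-EDE3-CBC": "Triple-DES; deprecated, expected to follow DES-CBC",
}

# Block size in bytes; the DEK-Info IV must be exactly one block.
BLOCK_BYTES = {"DES-CBC": 8, "DES-EDE3-CBC": 8,
               "AES-128-CBC": 16, "AES-192-CBC": 16, "AES-256-CBC": 16}

_PROC_TYPE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)
_DEK_INFO = re.compile(r"^DEK-Info:\s*([A-Za-z0-9-]+),([0-9A-Fa-f]+)\s*$", re.M)
_PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"


def classify_pem(text):
    """Describe how a PEM blob is protected and whether it must be regenerated."""
    result = {"format": "unencrypted", "cipher": None, "iv_hex": None,
              "needs_regeneration": False, "reason": None}
    if _PKCS8_ENCRYPTED in text:
        # PKCS#8 carries its cipher inside the DER structure, not a text header.
        result["format"] = "pkcs8-encrypted"
        return result
    match = _DEK_INFO.search(text)
    if not (_PROC_TYPE.search(text) and match):
        return result
    cipher, iv_hex = match.group(1).upper(), match.group(2).upper()
    result.update(format="legacy-openssl", cipher=cipher, iv_hex=iv_hex)
    if cipher not in ACCEPTED_CIPHERS:
        result["reason"] = WEAK_CIPHERS.get(cipher, "cipher not in the accepted set")
    elif len(iv_hex) != 2 * BLOCK_BYTES[cipher]:
        result["reason"] = "DEK-Info IV length does not match the cipher block size"
    result["needs_regeneration"] = result["reason"] is not None
    return result


def audit_fixtures(fixtures):
    """Return (name, cipher, reason) for each fixture that must be regenerated."""
    findings = []
    for name, text in fixtures.items():
        info = classify_pem(text)
        if info["needs_regeneration"]:
            findings.append((name, info["cipher"], info["reason"]))
    return findings


def audit_directory(path):
    """Run the same audit over every *.pem file below a directory."""
    return audit_fixtures({str(p): p.read_text() for p in Path(path).rglob("*.pem")})


def _fixture(header_lines):
    # Helper for the constructed samples: real banner lines, placeholder body.
    return "\n".join(["-----BEGIN EC PRIVATE KEY-----", *header_lines, "",
                      "AAAA-placeholder-body-not-a-real-key-AAAA",
                      "-----END EC PRIVATE KEY-----", ""])


# Constructed samples. The first two headers mirror the diff in this PR; the
# DES-EDE3-CBC IV below is a made-up placeholder, not the real file's value.
SAMPLE_FIXTURES = {
    "ec521pw.pem (before)": _fixture(["Proc-Type: 4,ENCRYPTED",
                                      "DEK-Info: DES-CBC,5A0C299B3F7E3BDD"]),
    "ec521pw.pem (after)": _fixture(["Proc-Type: 4,ENCRYPTED",
                                     "DEK-Info: AES-256-CBC,B4F94D174FB9F1833836A3AFA1A6635B"]),
    "mydomain.test.encrypted.pem": _fixture(["Proc-Type: 4,ENCRYPTED",
                                             "DEK-Info: DES-EDE3-CBC,0000000000000000"]),
}

if __name__ == "__main__":
    for name, cipher, reason in audit_fixtures(SAMPLE_FIXTURES):
        print(f"{name}: {cipher} -> {reason}")
```

Running the module lists the two fixtures that still carry DES-family headers and stays silent on the regenerated one; `audit_directory("src/azure-cli/azure/cli/command_modules/keyvault/tests/latest")` applies the same check to the real fixture directory. The regeneration step itself needs no Python: one way (not taken from this PR) is `openssl ecparam -name secp521r1 -genkey -noout | openssl ec -aes256 -passout pass:pass1234 -out ec521pw.pem`, which writes a fresh EC PRIVATE KEY block whose DEK-Info header names AES-256-CBC.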