FIPS issue in aliyun-python-sdk-core #529

oalbrigt opened this issue Apr 3, 2024 · 2 comments

oalbrigt commented Apr 3, 2024

  • Python Version: 3.9.18
  • aliyunsdkcore Version: 2.15.0
  • API: client

The updated get_uuid() code using hashlib.md5() in aliyunsdkcore/utils/parameter_helper.py causes issues when used in a FIPS environment.

    response_str = conn.do_action_with_exception(request)                                    
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/client.py", line 500, in do_action_with_exception                                                                          
    status, headers, body, exception = self._implementation_of_do_action(acs_request)        
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/client.py", line 335, in _implementation_of_do_action                                                                      
    return self._handle_retry_and_timeout(endpoint, request, signer)                         
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/client.py", line 403, in _handle_retry_and_timeout                                                                         
    status, headers, body, exception = self._handle_single_request(endpoint,                 
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/client.py", line 425, in _handle_single_request                                                                            
    http_response = self._make_http_response(endpoint, request, read_timeout, connect_timeout,                                                                                            
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/client.py", line 287, in _make_http_response                                                                               
    signed_header, url = signer.sign(self._region_id, request)                               
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/auth/signers/access_key_signer.py", line 35, in sign                                                                       
    url = request.get_url(region_id, cred.access_key_id, cred.access_key_secret)             
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/request.py", line 324, in get_url                                                                                          
    url, string_to_sign = rpc_signer.get_signed_url(                                         
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/auth/composer/rpc_signature_composer.py", line 72, in get_signed_url                                                       
    url_params = __refresh_sign_parameters(params, ak, accept_format, signer)                
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/auth/composer/rpc_signature_composer.py", line 45, in __refresh_sign_parameters                                            
    parameters["SignatureNonce"] = helper.get_uuid()                                         
  File "/root/.local/lib/python3.9/site-packages/aliyunsdkcore/utils/parameter_helper.py", line 45, in get_uuid                                                                           
    md5 = hashlib.md5()                                                                      
ValueError: [digital envelope routines] unsupported

It used to work without issues in an earlier version, so I updated to the old code in the function, and it solves the issue:

--- /root/.local/lib/python3.9/site-packages/aliyunsdkcore/utils/parameter_helper.py.bak	2024-04-03 04:42:22.334110402 -0400
+++ /root/.local/lib/python3.9/site-packages/aliyunsdkcore/utils/parameter_helper.py	2024-04-03 04:43:11.100737965 -0400
@@ -35,16 +35,8 @@
 
 
 def get_uuid():
-    global _seqId
-    thread_id = threading.current_thread().ident
-    current_time = int(time.time() * 1000)
-    seq = _seqId
-    _seqId += 1
-    randNum = random.getrandbits(64)
-    msg = '%d-%d-%d-%d-%d' % (_process_start_time, thread_id, current_time, seq, randNum)
-    md5 = hashlib.md5()
-    md5.update(msg.encode('utf-8'))
-    return md5.hexdigest()
+    import uuid
+    return str(uuid.uuid4())
 
 
 def get_iso_8061_date():
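
Review bot: the `import uuid` added inside `get_uuid()` belongs with the module-level imports, not in the function body where it is re-executed on every call. With the `-` lines gone, this function no longer reads `_seqId` or `_process_start_time` and no longer calls `hashlib`, `threading`, `time` or `random`, so the module-level definitions and imports that served it should be checked for remaining users and dropped if there are none. A one-line comment above `return str(uuid.uuid4())` stating that no hash is used here because `hashlib.md5()` fails in a FIPS environment would keep a later change from reintroducing the digest.
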
@JacksonTian
Contributor

The old uuid will generate conflicting nonce tokens. Maybe the real question is that hashlib.md5() is not supported in your FIPS environment?

@oalbrigt
Author

oalbrigt commented Jul 2, 2024

FIPS is a security standard, and hashlib.md5() can only be used for non-secure purposes when it is enabled.

Here's an example of how to implement it:
https://github.com/suds-community/suds/pull/72/files
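
The option raised in this thread, keeping an MD5-derived nonce while declaring the digest as non-security use, shown as an added example that is not code from the issue, the SDK, or the linked pull request. The names `new_md5`, `get_nonce` and `nonces_from_threads` are hypothetical, and `os.urandom` is an assumption standing in for the `random.getrandbits` call in the diff.

```python
import hashlib
import itertools
import os
import threading
import time

# Hypothetical module state, mirroring the fields in the removed get_uuid().
_process_start_time = int(time.time() * 1000)
_seq = itertools.count()


def new_md5():
    # Plain hashlib.md5() raises ValueError under a FIPS-enforcing OpenSSL;
    # usedforsecurity=False (Python 3.9+) permits it for checksums and IDs.
    try:
        return hashlib.md5(usedforsecurity=False)
    except TypeError:  # Python < 3.9 does not accept the keyword
        return hashlib.md5()


def get_nonce():
    """32-hex-char token built from the same kinds of fields as the diff."""
    msg = "%d-%d-%d-%d-%s" % (
        _process_start_time,
        threading.get_ident(),
        int(time.time() * 1000),
        next(_seq),
        os.urandom(8).hex(),  # assumption: OS randomness instead of random
    )
    digest = new_md5()
    digest.update(msg.encode("utf-8"))
    return digest.hexdigest()


def nonces_from_threads(threads=8, per_thread=2000):
    """Generate nonces concurrently so collisions can be checked."""
    out, lock = [], threading.Lock()
    def worker():
        batch = [get_nonce() for _ in range(per_thread)]
        with lock:
            out.extend(batch)

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return out
```

The `usedforsecurity` flag only affects whether the digest may be constructed; the nonce's uniqueness comes from the sequence counter, thread id and random bytes fed into it.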
