Credstash Throws RIPEMD160 Error #175

Closed
andrewkrug opened this issue Oct 11, 2017 · 29 comments
@andrewkrug

AttributeError: 'module' object has no attribute 'RIPEMD160'

credstash==1.13.3
cryptography==2.1

CentOS Linux release 7.4.1708 (Core)

[root@329a265ae9c0 ]# credstash
Traceback (most recent call last):
  File "/usr/bin/credstash", line 5, in
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 3007, in
    working_set.require(requires)
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 728, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 631, in resolve
    requirements.extend(dist.requires(req.extras)[::-1])
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2489, in requires
    dm = self._dep_map
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2700, in _dep_map
    self.__dep_map = self._compute_dependencies()
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2733, in _compute_dependencies
    common = frozenset(reqs_for_extra(None))
  File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2730, in reqs_for_extra
    if req.marker_fn(override={'extra':extra}):
  File "/usr/lib/python2.7/site-packages/_markerlib/markers.py", line 113, in marker_fn
    return eval(compiled_marker, environment)
  File "", line 1, in
NameError: name 'python_implementation' is not defined

@sjwoodr

sjwoodr commented Oct 11, 2017

I started getting this error on installations today

@tomyam1

tomyam1 commented Oct 11, 2017

Got this too.
Seems to be because of changes in cryptography 2.1

BACKWARDS INCOMPATIBLE: Whirlpool, RIPEMD160, and UnsupportedExtension have been removed in accordance with our API stability policy.

And this commit, which allows using the latest cryptography.

You can use credstash v1.13.2 until this is fixed.

@artburkart
Contributor

Downgrading to v1.13.2 didn't resolve it for me. But this did:

pip install -I cryptography==2.0.3

@Hashfyre

Hashfyre commented Oct 11, 2017

Can confirm that this error is appearing across our apps.
From https://cryptography.io/en/latest/changelog/#v2-1

2.1 - 2017-10-11
FINAL DEPRECATION Python 2.6 support is deprecated, and will be removed in the next release of cryptography.
BACKWARDS INCOMPATIBLE: Whirlpool, RIPEMD160, and UnsupportedExtension have been removed in accordance with our API stability policy.

@evanstachowiak
Contributor

Same here.

@jomunoz
Contributor

jomunoz commented Oct 11, 2017

Solution without downgrading the cryptography library:
#176

captn3m0 added a commit to razorpay/alohomora that referenced this issue Oct 11, 2017
- We got bitten by fugue/credstash#175
  which is not nice
@mfisher29

mfisher29 commented Oct 11, 2017

Having same issue:

AttributeError: 'module' object has no attribute 'RIPEMD160'

@jomunoz is that safe though? Assuming these hash methods are there for good reason.

@jomunoz
Contributor

jomunoz commented Oct 11, 2017

@mfisher29 The lines are there to expose what hash methods are supported by the cryptography library.
Since those two hash methods are no longer supported, the lines can be removed.
The only downside I could see is for people that were using those hashing methods. But on the other side, the other solution is to lock to a particular version of the cryptography library, missing bug fixes that will be made to that library in the future. There is no complete happy solution.

@acejam

acejam commented Oct 11, 2017

I came across the same issue today in many of our Docker images. pip install credstash==1.13.2 solved it for me.

@alex

alex commented Oct 11, 2017

Hi all, I'm one of the developers of pyca/cryptography.

Is there anything we could have done to have prevented this from breaking credstash suddenly? It's been deprecated for 5 months, so I'd have hoped someone would have seen the warning :-(

@mblakele

Someone did: #165

Alex, can I ask why these hashes were deprecated? I've been unable to find a reason.

@alex

alex commented Oct 11, 2017

Almost zero usage combined with the fact that there's basically no reason to ever use them. We didn't see the value in offering a bunch of choices that no one should ever use -- all it would do is add extra confusion for users.

(Sorry this didn't get written down anywhere, I think we made the decision about this in person)

@CzarScar

CzarScar commented Oct 12, 2017

Hi
I just ran pip install ansible credstash in a Dockerfile to build a container with ansible and credstash.

But it failed, and I figured out that this is because ansible will install cryptography-2.1.1 first and credstash will not change cryptography to a lower version.

I have updated the command to pip install cryptography==2.0.3 ansible credstash to force cryptography to 2.0.3, and the issue has been solved.

Hope this will help.

@evanstachowiak
Contributor

@alex, despite pretty widespread adoption, credstash seems to be (mostly) abandoned at this point. How did you find this issue in the first place? It's not really your job to bug downstream dependencies, but maybe in the case of popular projects it might be worthwhile taking a peek at a few of them in the future.

@alex

alex commented Oct 12, 2017

Someone pointed me to it, I honestly don't know how they found it :-)

We currently run the tests for some of our most popular downstreams in CI (current urllib3, twisted, pyopenssl, and paramiko).

@andrewkrug
Author

@evanstachowiak can you speak to why you think credstash is abandoned? It seems like a simple body of code that does the job it's supposed to do, be a lightweight wrapper around KMS and DynamoDb. I would expect there is a point where the project is done in this regard and shouldn't have too much active development beyond simple bug fixes.

@evanstachowiak
Contributor

@andrewkrug just look at all of the outstanding pull requests without any response. There are some bugs that are affecting a lot of people that have a potential to fix things and these have received no response from the project owner. Case in point, this cryptography deprecation which had several pull requests related to it.

@andrewkrug
Author

@evanstachowiak one of those has already merged and gone to release. Seems that the issue is more stale pull requests left open rather than a lack of action on the part of the maintainer(s). Maybe @alex-luminal would be willing to comment on this topic.

@evanstachowiak
Contributor

@andrewkrug yes, I see that now. Maybe I spoke a bit too quickly, but I would love to see more activity on this project as it is obvious a lot of people depend on it and are also willing to contribute back.

@andrewkrug
Author

andrewkrug commented Oct 12, 2017

@evanstachowiak maybe the answer might be to have a few more in the community with merge-ability and have them sync with @alex-luminal on future and direction. I know we have heavy dependence on credstash in our AWS infra and would love to give back to the project as well.

I bet @gene1wood has some thoughts on this as well.

@alex-luminal
Contributor

I haven't been able to give credstash the attention it needs over the last few months. Personal and professional obligations have just taken up all my time. We're working on having more people spend time on credstash, shepherding PRs through, making improvements, keeping credstash going. We (at Fugue) use credstash extensively, so in addition to wanting to be good stewards of the project, we have very real incentives to keep it going and working.

tl;dr: credstash has been a bit neglected, but we haven't forgotten about it and you should see more movement of PRs and improvements in the near future.

@evanstachowiak
Contributor

thanks for all the effort you've put into credstash, @alex-luminal !

@tomgoren
Contributor

FWIW this should fix it: #178

@wayne-luminal
Contributor

wayne-luminal commented Oct 27, 2017

This is currently worked around in 1.13.4 and 1.14.0. I'll close this issue because of the workaround we placed with an upper bound on cryptography. The next major release (currently in development) will have this bound removed.

@mfisher29

This error has surfaced again...

Using version 1.13.4,

Traceback (most recent call last):
  File "testConsumerLoop.py", line 5, in <module>
    import ec_lib_adx_consumer_fxns
  File "../../app/ecs/ec_lib_adx_consumer_fxns.py", line 3, in <module>
    import credstash
  File "/Users/mafisher/creatives-backend/services/eligibility-adx-consumer/QA/tests/credstash.py", line 55, in <module>
    'RIPEMD': hashes.RIPEMD160,
AttributeError: 'module' object has no attribute 'RIPEMD160'

Any suggestions?

@vikas027

@mfisher29 Have you pinned down cryptography to version 2.0.3?

@qrkourier
Contributor

See issue #178

@soultech67

soultech67 commented Nov 27, 2018

I have credstash 1.15.0 installed and I'm receiving the error referenced above:

pip list ... credstash (1.15.0)

credstash --version
Traceback (most recent call last):
  File "/usr/local/bin/credstash", line 7, in <module>
    from credstash import main
  File "/usr/local/bin/credstash.py", line 55, in <module>
    'RIPEMD': hashes.RIPEMD160,
AttributeError: 'module' object has no attribute 'RIPEMD160'

I tried pinning the crypto lib but I get a dependency error back
pip install -I cryptography==2.0.3

credstash 1.15.0 has requirement cryptography>=2.1, but you'll have cryptography 2.0.3 which is incompatible.

I checked on my cryptography lib and I have version 2.4.2

I thought this issue was resolved per above commits?

EDIT: I just used pip install credstash==1.13.2 as a workaround

@tomgoren
Contributor

@soultech67 works for me...

08:51 $ mktmpenv
Using base prefix '/Users/motnerog/.pyenv/versions/3.6.6/Python.framework/Versions/3.6'
New python executable in /Users/motnerog/.venvs/tmp-e838fe62085658b/bin/python3.6
Also creating executable in /Users/motnerog/.venvs/tmp-e838fe62085658b/bin/python
Installing setuptools, pip, wheel...done.
virtualenvwrapper.user_scripts creating /Users/motnerog/.venvs/tmp-e838fe62085658b/bin/predeactivate
virtualenvwrapper.user_scripts creating /Users/motnerog/.venvs/tmp-e838fe62085658b/bin/postdeactivate
virtualenvwrapper.user_scripts creating /Users/motnerog/.venvs/tmp-e838fe62085658b/bin/preactivate
virtualenvwrapper.user_scripts creating /Users/motnerog/.venvs/tmp-e838fe62085658b/bin/postactivate
virtualenvwrapper.user_scripts creating /Users/motnerog/.venvs/tmp-e838fe62085658b/bin/get_env_details
This is a temporary environment. It will be deleted when you run 'deactivate'.
(tmp-e838fe62085658b) ✔ ~/.venvs/tmp-e838fe62085658b
08:51 $ pip install credstash
Looking in indexes: https://pypi.org/simple, https://classpassengineering.jfrog.io/classpassengineering/api/pypi/pypi-local/simple
Looking in links: file:///Users/motnerog/.cache/pip/wheelhouse
Collecting credstash
  Using cached https://files.pythonhosted.org/packages/82/fa/af723b1a0adb34b2a234abb8dea23de35fd6e3b7195ebdaf593faaacb756/credstash-1.15.0-py3-none-any.whl
Collecting cryptography>=2.1 (from credstash)
  Using cached https://files.pythonhosted.org/packages/18/d5/7f725ac9ff162c93f67087414961b8256019527093d31e4c1fa9c377170a/cryptography-2.4.2-cp34-abi3-macosx_10_6_intel.whl
Collecting boto3>=1.1.1 (from credstash)
  Using cached https://files.pythonhosted.org/packages/97/5e/d39501836d6b3a198fc8ca34ca058f82f555c0e48b7a929f972cfc066e99/boto3-1.9.53-py2.py3-none-any.whl
Collecting idna>=2.1 (from cryptography>=2.1->credstash)
  Using cached https://files.pythonhosted.org/packages/4b/2a/0276479a4b3caeb8a8c1af2f8e4355746a97fab05a372e4a2c6a6b876165/idna-2.7-py2.py3-none-any.whl
Collecting asn1crypto>=0.21.0 (from cryptography>=2.1->credstash)
  Using cached https://files.pythonhosted.org/packages/ea/cd/35485615f45f30a510576f1a56d1e0a7ad7bd8ab5ed7cdc600ef7cd06222/asn1crypto-0.24.0-py2.py3-none-any.whl
Collecting cffi!=1.11.3,>=1.7 (from cryptography>=2.1->credstash)
  Using cached https://files.pythonhosted.org/packages/8e/be/40b1bc2c3221acdefeb9dab6773d43cda7543ed0d8c8df8768f05af2d01e/cffi-1.11.5-cp36-cp36m-macosx_10_6_intel.whl
Collecting six>=1.4.1 (from cryptography>=2.1->credstash)
  Using cached https://files.pythonhosted.org/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl
Collecting s3transfer<0.2.0,>=0.1.10 (from boto3>=1.1.1->credstash)
  Using cached https://files.pythonhosted.org/packages/d7/14/2a0004d487464d120c9fb85313a75cd3d71a7506955be458eebfe19a6b1d/s3transfer-0.1.13-py2.py3-none-any.whl
Collecting jmespath<1.0.0,>=0.7.1 (from boto3>=1.1.1->credstash)
  Using cached https://files.pythonhosted.org/packages/b7/31/05c8d001f7f87f0f07289a5fc0fc3832e9a57f2dbd4d3b0fee70e0d51365/jmespath-0.9.3-py2.py3-none-any.whl
Collecting botocore<1.13.0,>=1.12.53 (from boto3>=1.1.1->credstash)
  Using cached https://files.pythonhosted.org/packages/1a/f6/1b481cef9ad9978b8c8e57713416af5b041d7742912087188fc46a638480/botocore-1.12.53-py2.py3-none-any.whl
Collecting pycparser (from cffi!=1.11.3,>=1.7->cryptography>=2.1->credstash)
Collecting python-dateutil<3.0.0,>=2.1; python_version >= "2.7" (from botocore<1.13.0,>=1.12.53->boto3>=1.1.1->credstash)
  Using cached https://files.pythonhosted.org/packages/74/68/d87d9b36af36f44254a8d512cbfc48369103a3b9e474be9bdfe536abfc45/python_dateutil-2.7.5-py2.py3-none-any.whl
Collecting docutils>=0.10 (from botocore<1.13.0,>=1.12.53->boto3>=1.1.1->credstash)
  Using cached https://files.pythonhosted.org/packages/36/fa/08e9e6e0e3cbd1d362c3bbee8d01d0aedb2155c4ac112b19ef3cae8eed8d/docutils-0.14-py3-none-any.whl
Collecting urllib3<1.25,>=1.20; python_version >= "3.4" (from botocore<1.13.0,>=1.12.53->boto3>=1.1.1->credstash)
  Using cached https://files.pythonhosted.org/packages/62/00/ee1d7de624db8ba7090d1226aebefab96a2c71cd5cfa7629d6ad3f61b79e/urllib3-1.24.1-py2.py3-none-any.whl
Installing collected packages: idna, asn1crypto, pycparser, cffi, six, cryptography, python-dateutil, docutils, jmespath, urllib3, botocore, s3transfer, boto3, credstash
Successfully installed asn1crypto-0.24.0 boto3-1.9.53 botocore-1.12.53 cffi-1.11.5 credstash-1.15.0 cryptography-2.4.2 docutils-0.14 idna-2.7 jmespath-0.9.3 pycparser-2.19 python-dateutil-2.7.5 s3transfer-0.1.13 six-1.11.0 urllib3-1.24.1
(tmp-e838fe62085658b) ✔ ~/.venvs/tmp-e838fe62085658b
08:51 $ pip list
Package         Version
--------------- -------
asn1crypto      0.24.0
boto3           1.9.53
botocore        1.12.53
cffi            1.11.5
credstash       1.15.0
cryptography    2.4.2
docutils        0.14
idna            2.7
jmespath        0.9.3
pip             18.1
pycparser       2.19
python-dateutil 2.7.5
s3transfer      0.1.13
setuptools      40.6.2
six             1.11.0
urllib3         1.24.1
wheel           0.32.3
(tmp-e838fe62085658b) ✔ ~/.venvs/tmp-e838fe62085658b
08:51 $ credstash --help
usage: credstash [-h] [-r REGION] [-t TABLE] [-p PROFILE | -n ARN]
                 {delete,get,getall,keys,list,put,putall,setup} ...

A credential/secret storage system

positional arguments:
  {delete,get,getall,keys,list,put,putall,setup}
                        Try commands like "/Users/motnerog/.venvs/tmp-e838fe6208
                        5658b/bin/credstash get -h" or "/Users/motnerog/.venvs/t
                        mp-e838fe62085658b/bin/credstash put --help" to get
                        each sub command's options
    delete              Delete a credential from the store
    get                 Get a credential from the store
    getall              Get all credentials from the store
    keys                List all keys in the store
    list                list credentials and their versions
    put                 Put a credential into the store
    putall              Put credentials from json into the store
    setup               setup the credential store

optional arguments:
  -h, --help            show this help message and exit
  -r REGION, --region REGION
                        the AWS region in which to operate. If a region is not
                        specified, credstash will use the value of the
                        AWS_DEFAULT_REGION env variable, or if that is not
                        set, the value in `~/.aws/config`. As a last resort,
                        it will use us-east-1
  -t TABLE, --table TABLE
                        DynamoDB table to use for credential storage
  -p PROFILE, --profile PROFILE
                        Boto config profile to use when connecting to AWS
  -n ARN, --arn ARN     AWS IAM ARN for AssumeRole

I suspect something is tainted in your environment, because my L51-L60 of credstash.py read:

_hash_classes = {
    'SHA': hashes.SHA1,
    'SHA224': hashes.SHA224,
    'SHA256': hashes.SHA256,
    'SHA384': hashes.SHA384,
    'SHA512': hashes.SHA512,
    'MD5': hashes.MD5,
}

DEFAULT_DIGEST = 'SHA256'
HASHING_ALGORITHMS = _hash_classes.keys()
LEGACY_NONCE = b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01'
DEFAULT_REGION = "us-east-1"
PAD_LEN = 19  # number of digits in sys.maxint
WILDCARD_CHAR = "*"
THREAD_POOL_MAX_SIZE = 64

No reference to 'RIPEMD': hashes.RIPEMD160, which you encountered. This suggests to me that perhaps you have some older version of the library installed, even if pip says otherwise.

I would try to repro from a fresh virtualenv and clear your pip cache even.
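
The check suggested in the comment above, as an added example (not part of the thread and not credstash's own code): it lists each credstash.py found on a set of import directories and flags copies that still reference the hash classes removed in cryptography 2.1. The helper names and the sample file contents are constructed for illustration.

```python
import os
import re
import sys
import tempfile

# Hash classes removed in cryptography 2.1, per the changelog quoted in this thread.
REMOVED = ("RIPEMD160", "Whirlpool")
PATTERN = re.compile(r"\bhashes\.(%s)\b" % "|".join(REMOVED))


def find_credstash_copies(search_paths):
    """Return every credstash.py found in search_paths, in import order."""
    found = []
    for entry in search_paths:
        candidate = os.path.join(entry or os.getcwd(), "credstash.py")
        if os.path.isfile(candidate) and candidate not in found:
            found.append(candidate)
    return found


def stale_references(path):
    """Return (line_number, name) for each removed hash class the file references."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as handle:
        for number, line in enumerate(handle, start=1):
            hits.extend((number, m.group(1)) for m in PATTERN.finditer(line))
    return hits


def audit(search_paths):
    """Map each copy to its stale references, earliest path entry first."""
    return {p: stale_references(p) for p in find_credstash_copies(search_paths)}


def demo():
    """Constructed sample: a pre-2.1 copy shadowing a current one."""
    old = ("_hash_classes = {\n    'SHA256': hashes.SHA256,\n"
           "    'RIPEMD': hashes.RIPEMD160,\n    'WHIRLPOOL': hashes.Whirlpool,\n}\n")
    new = "_hash_classes = {\n    'SHA256': hashes.SHA256,\n}\n"
    with tempfile.TemporaryDirectory() as root:
        dirs = []
        for name, body in (("stale", old), ("current", new)):
            dirs.append(os.path.join(root, name))
            os.mkdir(dirs[-1])
            with open(os.path.join(dirs[-1], "credstash.py"), "w") as handle:
                handle.write(body)
        report = audit(dirs)
        return [(os.path.basename(os.path.dirname(p)), h) for p, h in report.items()]


if __name__ == "__main__":
    # Check the interpreter that actually runs credstash, not just what pip reports.
    for path, hits in audit(sys.path).items():
        print(path, "STALE %s" % hits if hits else "ok")
```

To cover a copy that sits next to the launcher script or inside a project tree, as in the tracebacks above, pass that directory to audit() in addition to sys.path.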
