On 10/10/25 9:42 PM, Jeremy Stanley wrote:
On 2025-10-09 17:47:35 -0700 (-0700), melanie witt wrote: [...]
whether or not Nova supports the key types depends only on the version of the Python 'cryptography' library installed as it does not deal with the key types directly. [...]
What's the actual intent behind this check? Is it simply an attempt to prevent uploading bogus/malformed keys? If so, as Clark pointed out, the check has been trivially bypassable for years (in OpenDev we've been treating it as a feature).
Or is there some additional functionality in Nova that depends on being able to parse keys rather than just treating them as an opaque blob?
Looking at the code, it seems that the main objective of that logic is not validation but calculation of the fingerprint from the provided public key data. The fingerprint is stored in the DB when the public key is created or imported, and is then returned by the keypair API.

https://docs.openstack.org/api-ref/compute/?expanded=list-keypairs-detail#ke...

Technically we may be able to drop the fingerprint given the fact that the whole public key data is returned by the API, but that change is a bit tricky due to API impact.
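The fingerprint calculation discussed in this thread, as an added example that is not part of the original message and is not Nova's code: it derives the colon-separated MD5 and the SHA256 fingerprints that `ssh-keygen -l` prints directly from the base64 blob, treating the key material as opaque, so it does not depend on a library recognising the key type. The helper names, the sample key bytes and the `ssh-futurekey@example.com` type are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct


def _first_string(blob: bytes) -> bytes:
    """Return the first length-prefixed string of an SSH wire-format blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad length prefix")
    return blob[4:4 + n]


def fingerprints(pubkey_line: str) -> dict:
    """Fingerprint a '<type> <base64> [comment]' line without key-type support."""
    parts = pubkey_line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key data is not valid base64") from exc
    # Only structural check: the type named inside the blob must match the prefix.
    if _first_string(blob) != key_type.encode("ascii", "replace"):
        raise ValueError("key type does not match encoded blob")
    # MD5 is used as an identifier here, not for security (flag needs Python 3.9+).
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": key_type,
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "sha256": "SHA256:" + sha256,
    }


def make_line(key_type: str, body: bytes, comment: str = "constructed@example") -> str:
    """Build a constructed sample public-key line (not a real key)."""
    t = key_type.encode()
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(body)) + body
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for kt in ("ssh-ed25519", "ssh-futurekey@example.com"):  # second type is made up
        print(fingerprints(make_line(kt, bytes(range(32)))))
```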