StackStorm · Kami · Jun 13, 2018 · Jun 5, 2018 · Jun 5, 2018 · Jun 5, 2018
diff --git a/conf/st2.conf.sample b/conf/st2.conf.sample
@@ -155,7 +155,7 @@ action_executions_output_ttl = 7
 collection_interval = 600
 
 [keyvalue]
-# Location of the symmetric encryption key for encrypting values in kvstore. This key should be in JSON and should've been generated using keyczar.
+# Location of the symmetric encryption key for encrypting values in kvstore. This key should be in JSON and should've been generated using st2-generate-symmetric-crypto-key tool.
 encryption_key_path = 
 # Allow encryption of values in key value stored qualified as "secret".
 enable_encryption = True

diff --git a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py
@@ -21,7 +21,6 @@
 
 import six
 import mock
-import unittest2
 from oslo_config import cfg
 
 from python_runner import python_runner
@@ -200,7 +199,6 @@ def test_simple_action_no_status_backward_compatibility(self):
         self.assertTrue(output is not None)
         self.assertEqual(output['result'], [1, 2])
 
-    @unittest2.skipIf(six.PY3, 'keyczar doesn\'t work under Python 3')
     def test_simple_action_config_value_provided_overriden_in_datastore(self):
         pack = 'dummy_pack_5'
         user = 'joe'

diff --git a/fixed-requirements.txt b/fixed-requirements.txt
@@ -34,6 +34,7 @@ stevedore==1.28.0
 paramiko==2.4.1
 networkx==1.11
 python-keyczar==0.716
+cryptography==2.2.2
 retrying==1.3.3
 # Note: We use latest version of virtualenv which uses pip 9.0
 virtualenv==15.1.0

diff --git a/requirements.txt b/requirements.txt
@@ -3,6 +3,7 @@ RandomWords
 apscheduler==3.5.1
 argcomplete
 bcrypt
+cryptography==2.2.2
 eventlet==0.23.0
 flex==6.13.1
 git+https://github.com/Kami/logshipper.git@stackstorm_patched#egg=logshipper
@@ -37,7 +38,6 @@ python-dateutil
 python-editor==1.0.3
 python-gnupg==0.4.2
 python-json-logger
-python-keyczar==0.716
 python-statsd==2.1.0
 pytz==2018.4
 pyyaml<4.0,>=3.12

diff --git a/st2common/bin/st2-generate-symmetric-crypto-key b/st2common/bin/st2-generate-symmetric-crypto-key
@@ -1,14 +1,31 @@
-#!/usr/bin/env python2.7
+#!/usr/bin/env python
+# Licensed to the StackStorm, Inc ('StackStorm') under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 
 import argparse
 import os
 import sys
 
-from keyczar.keys import AesKey
+from st2common.util.crypto import AESKey
 
 
 def main(key_path, force=False):
+    key_path = os.path.abspath(key_path)
     base_path = os.path.dirname(key_path)
+
     if not os.access(base_path, os.W_OK):
         print('ERROR: You do not have sufficient permissions to write to path: %s.' % key_path)
         print('Try setting up permissions correctly and then run this tool.')
@@ -23,9 +40,11 @@ def main(key_path, force=False):
 
         print('WARNING: Rewriting existing key with new key!')
 
+    # Explicitly chose large key size
+    aes_key = AESKey.generate(key_size=256)
+
     with open(key_path, 'w') as key_file:
-        k = AesKey.Generate()
-        key_file.write(str(k))
+        key_file.write(aes_key.to_json())
         key_file.flush()
 
     msg = ('Key written to %s. ' % key_path + 'Secure the permissions so only StackStorm API ' +

diff --git a/st2common/in-requirements.txt b/st2common/in-requirements.txt
@@ -13,7 +13,7 @@ oslo.config
 paramiko
 pyyaml
 pymongo
-python-keyczar
+cryptography
 requests
 retrying
 semver

diff --git a/st2common/requirements.txt b/st2common/requirements.txt
@@ -1,5 +1,6 @@
 # Don't edit this file. It's generated automatically!
 apscheduler==3.5.1
+cryptography==2.2.2
 eventlet==0.23.0
 flex==6.13.1
 greenlet==0.4.13
@@ -15,7 +16,6 @@ paramiko==2.4.1
 prometheus_client==0.1.1
 pymongo==3.6.1
 python-dateutil
-python-keyczar==0.716
 python-statsd==2.1.0
 pyyaml<4.0,>=3.12
 requests[security]<2.15,>=2.14.1

diff --git a/st2common/st2common/config.py b/st2common/st2common/config.py
@@ -273,7 +273,8 @@ def register_opts(ignore_errors=False):
         cfg.StrOpt(
             'encryption_key_path', default='',
             help='Location of the symmetric encryption key for encrypting values in kvstore. '
-                 'This key should be in JSON and should\'ve been generated using keyczar.')
+                 'This key should be in JSON and should\'ve been generated using '
+                 'st2-generate-symmetric-crypto-key tool.')
     ]
 
     do_register_opts(keyvalue_opts, group='keyvalue')