core: HomeKit Controller can't add new device UnsupportedAlgorithm: ed25519

The problem

I am trying to add a Legrand Netatmo hub using HomeKit Controller, but I get an error in the HA logs.

cryptography.exceptions.UnsupportedAlgorithm: ed25519 is not supported by this version of OpenSSL.

Environment

  • Home Assistant Core release with the issue: Home Assistant 2021.1.4
  • Last working Home Assistant Core release (if known): never
  • Operating environment (OS/Container/Supervised/Core): OS: Raspbian GNU/Linux 10 (buster), Container: Docker: 20.04.1 LTS (Focal Fossa) 5.4.83-v7+, Virtual Environment: Python Version | 3.9.0
  • Integration causing this issue: homekit_controller
  • Link to integration documentation on our website: https://www.home-assistant.io/integrations/homekit_controller/
  • CPU Architecture: armv7l
  • Development: false

Problem-relevant configuration.yaml

no yaml integration

Traceback/Error logs

File "/home/nick252/homeassistant/lib/python3.9/site-packages/homeassistant/components/homekit_controller/config_flow.py", line 310, in async_step_pair
    pairing = await self.finish_pairing(code)
  File "/home/nick252/homeassistant/lib/python3.9/site-packages/aiohomekit/controller/ip/discovery.py", line 99, in finish_pairing
    request, expected = state_machine.send(response)
  File "/home/nick252/homeassistant/lib/python3.9/site-packages/aiohomekit/protocol/__init__.py", line 187, in perform_pair_setup_part2
    ios_device_ltsk = ed25519.Ed25519PrivateKey.generate()
  File "/home/nick252/homeassistant/lib/python3.9/site-packages/cryptography/hazmat/primitives/asymmetric/ed25519.py", line 52, in generate
    raise UnsupportedAlgorithm(
cryptography.exceptions.UnsupportedAlgorithm: ed25519 is not supported by this version of OpenSSL.

Additional information

My current version of cryptography is 3.2, with OpenSSL (version 1.1.1f 31 Mar 2020). I found my bug on GitHub: https://github.com/postlund/pyatv/issues/831. So I tried to update cryptography to 3.3.1, and I also tried to build OpenSSL version 1.1.1i from source. I also tried different OS versions, Raspbian 10 and Raspbian 9, and I tried different containers with Ubuntu 18 and 20. I have a Raspberry Pi 3 B+. I always get the same error.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 18 (7 by maintainers)

Most upvoted comments

I found the problem. Jc2k is right, cryptography has picked up the wrong openssl. What happened is, originally I had openssl 1.1.0l. At that time I tried many things, including updating to cryptography 3.3.1. Then I found out openssl 1.1.0l doesn’t support ed25519, so I compiled openssl 1.1.1i and installed it. After that I removed cryptography 3.3.1 and reinstalled it, but in fact that cryptography binary was still bound to the previous openssl 1.1.0l. Note that “pip install cryptography==3.3.1” will grab the old cryptography from the pip cache:

Processing ./.cache/pip/wheels/9b/bd/12/c040f2df6b28138b66b0361cd218180a278b95763fc2466951/cryptography-3.3.1-cp38-cp38-linux_armv7l.whl

I have to remove this cache, and then “pip install cryptography==3.3.1” will rebuild the binary with the up-to-date openssl 1.1.1i.
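A runtime check for the situation described in the comment above, where a reinstalled cryptography is still bound to an older OpenSSL. This is an added example, not code from the thread; it assumes cryptography's `backend.openssl_version_text()`, `backend.ed25519_supported()` and `backend.x25519_supported()` are available, and uses 1.1.1 as the threshold because that is the OpenSSL release that introduced Ed25519.

```python
import re

# Ed25519 was introduced in OpenSSL 1.1.1; 1.1.0l (named in this thread) lacks it.
MIN_OPENSSL = (1, 1, 1)

def parse_openssl_version(text):
    """Turn 'OpenSSL 1.1.0l  10 Sep 2019' into (1, 1, 0); None if unparseable."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def openssl_new_enough(version_text):
    """True when the reported OpenSSL release is at least 1.1.1."""
    v = parse_openssl_version(version_text)
    return v is not None and v >= MIN_OPENSSL

def linked_openssl_report():
    """Report the OpenSSL that the installed cryptography build is bound to.

    This is the library compiled into (or loaded by) the Python package,
    which can differ from what `openssl version` prints on the host.
    """
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl.backend import backend
    except ImportError:
        return None  # cryptography is not installed in this environment
    text = backend.openssl_version_text()
    return {
        "cryptography": cryptography.__version__,
        "linked_openssl": text,
        "version_new_enough": openssl_new_enough(text),
        # The backend's own answer is authoritative; the version check above
        # only explains why it says no.
        "ed25519_supported": backend.ed25519_supported(),
        "x25519_supported": backend.x25519_supported(),
    }

if __name__ == "__main__":
    print(linked_openssl_report())
```

Run it with the same interpreter (virtualenv or container) that Home Assistant uses; a stale wheel shows up as a `linked_openssl` string that differs from the host's `openssl version`.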

As requested, an error log showing the X25519 error. This is a startup log from an early test I did of version 0.116 while I was trying to update from an old version of HA. Other things weren’t working at the time as well, but it’s the only log I can easily find that contains the X25519 error.

vers116 startup errors.txt

Hi. This definitely works if you have the right version of openssl and cryptography, and the pyatv issue hits the nail on the head. I think you have the right version of cryptography but for whatever reason your underlying openssl does not support ed25519. You might have better luck on the forums, I’m not an expert in this part of the setup.

I can see the code in cryptography is still there like it has been for a while. They haven’t removed it or anything. So this comes down to your openssl version.

I can reproduce it working on ubuntu 20.04 on x86_64 like this:

docker run --rm -it ubuntu:20.04 sh
apt update
apt install python3-pip
pip3 install cryptography==3.2
python3
>>> from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
>>> Ed25519PrivateKey.generate()
<cryptography.hazmat.backends.openssl.ed25519._Ed25519PrivateKey object at 0x7facae49fa00>

You can see that ubuntu 20.04 and cryptography 3.2 here work, and the function that errors for you returns a private key object. This works for me, today.

Note that this will install a wheel which is precompiled with a sensible version of openssl - it will completely ignore the one on your host. You will see this:

Collecting cryptography==3.2
  Downloading cryptography-3.2-cp35-abi3-manylinux2010_x86_64.whl (2.6 MB)
     |████████████████████████████████| 2.6 MB 6.7 MB/s 

For a Raspberry Pi it’s likely that a wheel isn’t available, and so it is picking up the version of openssl on the host. Piwheels does precompile wheels for Raspbian though - see https://www.piwheels.org/project/cryptography/. But it is for Python 3.5 and 3.7, not Python 3.9 like in your example.
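To read pip's output the way the comment above does, the wheel filename tags say where the OpenSSL comes from and whether the wheel fits the interpreter. This is an added example, not code from the thread; `classify_pip_line` is a hypothetical helper, the interpreter tags passed to it are assumptions, and its OpenSSL labels apply to cryptography wheels specifically.

```python
import re

# PEP 427 wheel name: {dist}-{version}[-{build}]-{python}-{abi}-{platform}.whl
WHEEL_RE = re.compile(
    r"(?P<dist>[^-/\s]+)-(?P<ver>[^-]+)(?:-\d[^-]*)?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl"
)

def _cp(tag):
    """'cp39' -> (3, 9); None for non-CPython tags such as 'py3'."""
    m = re.fullmatch(r"cp(\d)(\d+)", tag)
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify_pip_line(line, interpreter):
    """Explain one 'Processing ...' or 'Downloading ...' line of pip output."""
    m = WHEEL_RE.search(line)
    if m is None:
        return None
    built, running = _cp(m["py"]), _cp(interpreter)
    if m["abi"] == "abi3" and built and running:
        fits = running >= built          # stable ABI: any later CPython 3.x
    else:
        fits = m["py"] == interpreter
    bundled = m["plat"].startswith("manylinux")
    return {
        "wheel": f"{m['dist']}-{m['ver']}",
        "from_pip_cache": ".cache/pip/wheels" in line,
        "fits_interpreter": fits,
        # manylinux wheels of cryptography ship their own OpenSSL; a plain
        # linux_<arch> wheel uses the OpenSSL of the machine that built it.
        "openssl": "bundled in wheel" if bundled else "build machine's OpenSSL",
    }

# The two pip output lines quoted on this page.
CACHED = ("Processing ./.cache/pip/wheels/9b/bd/12/"
          "c040f2df6b28138b66b0361cd218180a278b95763fc2466951/"
          "cryptography-3.3.1-cp38-cp38-linux_armv7l.whl")
DOWNLOADED = "Downloading cryptography-3.2-cp35-abi3-manylinux2010_x86_64.whl (2.6 MB)"

if __name__ == "__main__":
    # Interpreter tags here are assumptions chosen for illustration.
    print(classify_pip_line(CACHED, "cp38"))
    print(classify_pip_line(DOWNLOADED, "cp39"))
```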