HomeKit Controller can't add new device UnsupportedAlgorithm: ed25519 #45363

Closed
nick2525 opened this issue Jan 20, 2021 · 18 comments

@nick2525

nick2525 commented Jan 20, 2021

The problem

I am trying to add a Legrand Netatmo hub using HomeKit Controller, but I get an error in the HA logs.

cryptography.exceptions.UnsupportedAlgorithm: ed25519 is not supported by this version of OpenSSL.

Environment

  • Home Assistant Core release with the issue: Home Assistant 2021.1.4
  • Last working Home Assistant Core release (if known): never
  • Operating environment (OS/Container/Supervised/Core): OS: Raspbian GNU/Linux 10 (buster), Container: Docker: 20.04.1 LTS (Focal Fossa) 5.4.83-v7+, Virtual Environment: Python Version | 3.9.0
  • Integration causing this issue: homekit_controller
  • Link to integration documentation on our website: https://www.home-assistant.io/integrations/homekit_controller/
  • CPU Architecture: armv7l
  • Development: false

Problem-relevant configuration.yaml

no yaml integration

Traceback/Error logs

  File "/home/nick252/homeassistant/lib/python3.9/site-packages/homeassistant/components/homekit_controller/config_flow.py", line 310, in async_step_pair
    pairing = await self.finish_pairing(code)
  File "/home/nick252/homeassistant/lib/python3.9/site-packages/aiohomekit/controller/ip/discovery.py", line 99, in finish_pairing
    request, expected = state_machine.send(response)
  File "/home/nick252/homeassistant/lib/python3.9/site-packages/aiohomekit/protocol/__init__.py", line 187, in perform_pair_setup_part2
    ios_device_ltsk = ed25519.Ed25519PrivateKey.generate()
  File "/home/nick252/homeassistant/lib/python3.9/site-packages/cryptography/hazmat/primitives/asymmetric/ed25519.py", line 52, in generate
    raise UnsupportedAlgorithm(
cryptography.exceptions.UnsupportedAlgorithm: ed25519 is not supported by this version of OpenSSL.

Additional information

My current version of cryptography is 3.2, with OpenSSL (version 1.1.1f 31 Mar 2020). I found my bug on GitHub: postlund/pyatv#831. So I tried to update cryptography to 3.3.1, I also tried to build OpenSSL version 1.1.1i from source, I also tried different OS versions, Raspbian 10 and Raspbian 9, and I also tried different containers with Ubuntu 18 and 20. I have a Raspberry Pi 3 B+. I always get the same error.

@probot-home-assistant

Hey there @Jc2k, mind taking a look at this issue as it's been labeled with an integration (homekit_controller) you are listed as a codeowner for? Thanks!
(message by CodeOwnersMention)

@Jc2k
Member

Jc2k commented Jan 20, 2021

Hi. This definitely works if you have the right version of openssl and cryptography, and the pyatv issue hits the nail on the head. I think you have the right version of cryptography but for whatever reason your underlying openssl does not support ed25519. You might have better luck on the forums, I'm not an expert in this part of the setup.

I can see the code in cryptography is still there like it has been for a while. They haven't removed it or anything. So this comes down to your openssl version.

I can reproduce it working on ubuntu 20.04 on x86_64 like this:

docker run --rm -it ubuntu:20.04 sh
apt update
apt install python3-pip
pip3 install cryptography==3.2
python3
>>> from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
>>> Ed25519PrivateKey.generate()
<cryptography.hazmat.backends.openssl.ed25519._Ed25519PrivateKey object at 0x7facae49fa00>

You can see that ubuntu 20.04 and cryptography 3.2 here work, and the function that errors for you returns a private key object. This works for me, today.

Note that this will install a wheel which is precompiled with a sensible version of openssl - it will completely ignore the one on your host. You will see this:

Collecting cryptography==3.2
  Downloading cryptography-3.2-cp35-abi3-manylinux2010_x86_64.whl (2.6 MB)
     |████████████████████████████████| 2.6 MB 6.7 MB/s 

For a raspberry pi it's likely that a wheel isn't available, and so it is picking up the version of openssl on the host. Piwheels does precompile wheels for raspbian though - see https://www.piwheels.org/project/cryptography/. But it is for python 3.5 and 3.7, not python 3.9 like in your example.

@nick2525
Author

nick2525 commented Jan 20, 2021

Ed25519PrivateKey.generate()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/nick252/homeassistant/lib/python3.9/site-packages/cryptography/hazmat/primitives/asymmetric/ed25519.py", line 52, in generate
    raise UnsupportedAlgorithm(
cryptography.exceptions.UnsupportedAlgorithm: ed25519 is not supported by this version of OpenSSL.

Yes, this is on cryptography==3.2, so I will try again to update openssl.

Maybe it is a problem with installing a new version of openssl from source: openssl/openssl#11227

@dony71

dony71 commented Jan 25, 2021

I have OpenSSL 1.1.1g 21 Apr 2020 on an armv7 platform.
I have also updated to cryptography 3.3.1, but I get this: cryptography.exceptions.UnsupportedAlgorithm: ed25519 is not supported

But I can generate a certificate with ed25519:
openssl genpkey -algorithm ed25519 -outform PEM -out test.pem
cat test.pem

-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIHLId/sHNUqvA0vlCKEDQnzogNrIjBL0OdL0RSdeS3/O
-----END PRIVATE KEY-----

@Jc2k
Member

Jc2k commented Jan 25, 2021

Can you confirm your os version, python version, cryptography version, etc. Which bits (if any) did you compile from source?

@dony71

dony71 commented Jan 25, 2021

uname -a

Linux bananapim2plus 4.14.78-sunxi #28 SMP Mon Dec 17 18:39:08 PST 2018 armv7l GNU/Linux

python -V

Python 3.8.7

pip list | grep crypto

cryptography                          3.3.1

OpenSSL 1.1.1g is compiled with configuration
./config zlib shared no-ssl3

@Jc2k
Member

Jc2k commented Jan 25, 2021

At the moment I'm still treating this as an environment issue.

Someone needs to show me this code:

# python3
>>> from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
>>> Ed25519PrivateKey.generate()
<cryptography.hazmat.backends.openssl.ed25519._Ed25519PrivateKey object at 0x7facae49fa00>

Working, but home-assistant not, for it to be something I can really do anything about. If you need help getting ^ to work you might have more luck in the forums, on the HA discord or with cryptography themselves.

The most likely scenario I have is that you have multiple openssl versions on your system and cryptography has picked up the wrong one OR your os has a pip wheel repository (like pi does - piwheels.org). Wheels embed their own copy of openssl and that will have different compilation settings too.

I don't have a bananapi. And I use the docker container to avoid exactly these sorts of conflicts with self installed from source libs. Unfortunately there's not much else I can do.

@nick2525
Author

@Jc2k Is ed25519 used only once, when connecting a device? If it is used once, perhaps you could fall back to a Python implementation when this fails and show a progress bar so that users wait. Or maybe it is possible to copy and paste the cipher and generate it on the computer, and then paste it into the input field?

@Jc2k
Member

Jc2k commented Jan 25, 2021

Thanks for the suggestion, but I don't think I could accept either of those ideas.

While there are only 2 of you, the correct solution is to figure how to install cryptography properly on your devices.

If you document exactly how you go from fresh raspbian to this code:

# python3
>>> from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
>>> Ed25519PrivateKey.generate()
<cryptography.hazmat.backends.openssl.ed25519._Ed25519PrivateKey object at 0x7facae49fa00>

failing with the error you reported then maybe someone will be able to either spot the problem or reproduce the error and investigate.

The approach will be the same if more people come forward, but it might be a default config option has changed upstream recently and we can get that fixed or at least documented.

@DPAmes

DPAmes commented Jan 25, 2021

As requested, an error log showing the X25519 error.
This is a startup log from an early test I did of version 0.116 while I was trying to update from an old version of HA. Other things weren't working at the time as well, but it's the only log I can easily find that contains the X25519 error.

vers116 startup errors.txt

@Jc2k
Member

Jc2k commented Jan 25, 2021

This is your first time commenting on this issue. Can you please provide some context. Arm? Pi? Banana Pi? Python version? Cryptography version?

Can you all provide detailed walkthroughs of everything you have done to get to this stage. If you followed some instructions online can you link to them.

Also has anyone tried the python code I posted?

@dony71

dony71 commented Jan 27, 2021

I found the problem. Jc2k is right, cryptography has picked up the wrong openssl. What happened is, originally I had openssl 1.1.0l. At that time I tried many things, including updating to cryptography 3.3.1. Then I found out openssl 1.1.0l doesn't support ed25519, so I compiled openssl 1.1.1i and installed it. After that I removed cryptography 3.3.1 and reinstalled it, but in fact that cryptography binary was still bound to the previous openssl 1.1.0l. Notice that "pip install cryptography==3.3.1" will grab the old cryptography from the pip cache:

Processing ./.cache/pip/wheels/9b/bd/12/c040f2df6b28138b66b0361cd218180a278b95763fc2466951/cryptography-3.3.1-cp38-cp38-linux_armv7l.whl

I have to remove this cache, and then "pip install cryptography==3.3.1" will rebuild the binary with the up-to-date openssl 1.1.1i.
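
Added example (not part of the thread, and not Home Assistant, aiohomekit or cryptography project code): a small diagnostic for the stale-wheel situation described in the comment above. It reports which OpenSSL the installed cryptography build is bound to and lists cryptography wheels sitting in pip's wheel cache; the function names are hypothetical and the cache path ~/.cache/pip/wheels is assumed to be the Linux default.

```python
import ssl
from pathlib import Path


def parse_wheel_name(filename):
    """Split a wheel filename (PEP 427) into the fields used below."""
    parts = filename[: -len(".whl")].split("-")
    if not filename.endswith(".whl") or len(parts) not in (5, 6):
        raise ValueError(f"not a wheel filename: {filename!r}")
    platform = parts[-1]
    return {
        "name": parts[0].lower().replace("_", "-"),
        "version": parts[1],
        "platform": platform,
        # manylinux/musllinux wheels are portable prebuilt binaries; a plain
        # linux_<arch> tag marks a wheel compiled on a host, against whatever
        # OpenSSL headers and libraries that host had at build time.
        "locally_built": platform.startswith("linux_"),
    }


def cached_wheels(cache_root, project="cryptography"):
    """Return parsed wheels for `project` found under pip's wheel cache."""
    hits = []
    for path in sorted(Path(cache_root).rglob("*.whl")):
        try:
            info = parse_wheel_name(path.name)
        except ValueError:
            continue  # skip files that do not follow the wheel naming scheme
        if info["name"] == project:
            hits.append({**info, "path": str(path)})
    return hits


def linked_openssl():
    """Report the OpenSSL the installed cryptography build is bound to."""
    from cryptography.hazmat.backends.openssl import backend  # needs cryptography
    return {
        "cryptography_openssl": backend.openssl_version_text(),
        "python_ssl_openssl": ssl.OPENSSL_VERSION,  # may legitimately differ
        "ed25519_supported": backend.ed25519_supported(),
    }


if __name__ == "__main__":
    print(linked_openssl())
    # Assumed default location of pip's wheel cache on Linux.
    for wheel in cached_wheels(Path.home() / ".cache" / "pip" / "wheels"):
        note = "built locally" if wheel["locally_built"] else "prebuilt"
        print(f'{wheel["path"]}  [{note}]')
```

If `ed25519_supported` is false while the system OpenSSL has since been upgraded, a locally built wheel listed here is the likely cause; removing it from the cache, or installing with pip's `--no-cache-dir` option, makes the next install compile against the current OpenSSL.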

@dony71

dony71 commented Jan 27, 2021

In fact there is also no problem using cryptography 3.2, as long as the binary is built correctly with an openssl which supports ed25519.
So this thread postlund/pyatv#831 mentioning using cryptography 3.3.1 for the solution is misleading.

@Jc2k
Member

Jc2k commented Jan 27, 2021

That makes a lot of sense! I forgot that pip creates a wheel cache these days indeed. It also fits with my attempts to reproduce - I was starting in fresh environments for each test, so I didn't have a polluted wheel cache. Great work figuring it out @dony71 !

@nick2525
Author

OpenSSL 1.1.1f still has the bug; it is a bug of Ubuntu 20.04 LTS (end of life 2025), so OpenSSL should fix the version in LTS Ubuntu, or add a new version to backports. Installing from source is not recommended by OpenSSL, since this breaks operating system packages.

@Jc2k
Member

Jc2k commented Jan 27, 2021

Well, it's up to Ubuntu to fix their OpenSSL package if it contains a bug. OpenSSL themselves might not be in charge of that. And we at HA certainly can't. I think I'm going to close this soon unless the situation changes.

@nick2525
Author

@Jc2k Ok, close, now it is clear that this is not a problem of Home Assistant

@nick2525
Author

Yes, removing the cache ./.cache/pip/wheels/ everywhere works.

@github-actions github-actions bot locked and limited conversation to collaborators Feb 26, 2021