Remove more traces of PyOpenSSL, including from EE dependencies (#874)

* Remove PyOpenSSL backends. * Remove EOL ansible-core's from EE builds. * Update Pythons in EEs. * Remove pyopenssl tests.
2026-05-07 05:43:06 +00:00 · 2025-04-29 09:33:21 +02:00
parent 718021b714
commit 266082db72
8 changed files with 29 additions and 172 deletions
--- a/plugins/module_utils/crypto/support.py
+++ b/plugins/module_utils/crypto/support.py
@@ -30,14 +30,6 @@ from ansible_collections.community.crypto.plugins.module_utils.time import (  #
 )


-try:
-    from OpenSSL import crypto
-
-    HAS_PYOPENSSL = True
-except (ImportError, AttributeError):
-    # Error handled in the calling module.
-    HAS_PYOPENSSL = False
-
 try:
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend as cryptography_backend
@@ -160,53 +152,7 @@ def load_privatekey(
    except (IOError, OSError) as exc:
        raise OpenSSLObjectError(exc)

-    if backend == "pyopenssl":
-
-        # First try: try to load with real passphrase (resp. empty string)
-        # Will work if this is the correct passphrase, or the key is not
-        # password-protected.
-        try:
-            result = crypto.load_privatekey(
-                crypto.FILETYPE_PEM, priv_key_detail, to_bytes(passphrase or "")
-            )
-        except crypto.Error as e:
-            if len(e.args) > 0 and len(e.args[0]) > 0:
-                if e.args[0][0][2] in ("bad decrypt", "bad password read"):
-                    # This happens in case we have the wrong passphrase.
-                    if passphrase is not None:
-                        raise OpenSSLBadPassphraseError(
-                            "Wrong passphrase provided for private key!"
-                        )
-                    else:
-                        raise OpenSSLBadPassphraseError(
-                            "No passphrase provided, but private key is password-protected!"
-                        )
-            raise OpenSSLObjectError("Error while deserializing key: {0}".format(e))
-        if check_passphrase:
-            # Next we want to make sure that the key is actually protected by
-            # a passphrase (in case we did try the empty string before, make
-            # sure that the key is not protected by the empty string)
-            try:
-                crypto.load_privatekey(
-                    crypto.FILETYPE_PEM,
-                    priv_key_detail,
-                    to_bytes("y" if passphrase == "x" else "x"),
-                )
-                if passphrase is not None:
-                    # Since we can load the key without an exception, the
-                    # key is not password-protected
-                    raise OpenSSLBadPassphraseError(
-                        "Passphrase provided, but private key is not password-protected!"
-                    )
-            except crypto.Error as e:
-                if passphrase is None and len(e.args) > 0 and len(e.args[0]) > 0:
-                    if e.args[0][0][2] in ("bad decrypt", "bad password read"):
-                        # The key is obviously protected by the empty string.
-                        # Do not do this at home (if it is possible at all)...
-                        raise OpenSSLBadPassphraseError(
-                            "No passphrase provided, but private key is password-protected!"
-                        )
-    elif backend == "cryptography":
+    if backend == "cryptography":
        try:
            result = load_pem_private_key(
                priv_key_detail,
@@ -255,14 +201,7 @@ def load_certificate(
            cert_content = content
    except (IOError, OSError) as exc:
        raise OpenSSLObjectError(exc)
-    if backend == "pyopenssl":
-        if der_support_enabled is False or identify_pem_format(cert_content):
-            return crypto.load_certificate(crypto.FILETYPE_PEM, cert_content)
-        elif der_support_enabled:
-            raise OpenSSLObjectError(
-                "Certificate in DER format is not supported by the pyopenssl backend."
-            )
-    elif backend == "cryptography":
+    if backend == "cryptography":
        if der_support_enabled is False or identify_pem_format(cert_content):
            try:
                return x509.load_pem_x509_certificate(
--- a/plugins/module_utils/time.py
+++ b/plugins/module_utils/time.py
@@ -143,11 +143,12 @@ def convert_relative_to_datetime(relative_time_string, with_timezone=False, now=
 def get_relative_time_option(
    input_string, input_name, backend="cryptography", with_timezone=False, now=None
 ):
-    """Return an absolute timespec if a relative timespec or an ASN1 formatted
+    """
+    Return an absolute timespec if a relative timespec or an ASN1 formatted
    string is provided.

-    The return value will be a datetime object for the cryptography backend,
-    and a ASN1 formatted string for the pyopenssl backend."""
+    The return value will be a datetime object for the cryptography backend.
+    """
    result = to_native(input_string)
    if result is None:
        raise OpenSSLObjectError(
@@ -158,14 +159,10 @@ def get_relative_time_option(
        result_datetime = convert_relative_to_datetime(
            result, with_timezone=with_timezone, now=now
        )
-        if backend == "pyopenssl":
-            return result_datetime.strftime("%Y%m%d%H%M%SZ")
-        elif backend == "cryptography":
+        if backend == "cryptography":
            return result_datetime
    # Absolute time
-    if backend == "pyopenssl":
-        return input_string
-    elif backend == "cryptography":
+    if backend == "cryptography":
        for date_fmt, length in [
            (
                "%Y%m%d%H%M%SZ",