Remove support for cryptography < 3.4 (#878)

* Stop passing backend to cryptography. * Make public_bytes() fallback the default. * Remove compatibility code for older cryptography versions. * Require cryptography 3.4+. * Restrict to cryptography >= 3.4 in integration tests. * Remove Debian Bullseye from CI. It only supports cryptography 3.3. * Improve imports. * Remove no longer existing conditional.
2026-05-08 14:22:56 +00:00 · 2025-05-02 15:27:18 +02:00
parent e8fec768cc
commit 5231ac8f3f
102 changed files with 668 additions and 1217 deletions
--- a/plugins/doc_fragments/acme.py
+++ b/plugins/doc_fragments/acme.py
@@ -18,7 +18,7 @@ notes:
    another ACME server, please L(create an issue,https://github.com/ansible-collections/community.crypto/issues/new/choose)
    to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.
 requirements:
-  - either openssl or L(cryptography,https://cryptography.io/) >= 1.5
+  - either openssl or L(cryptography,https://cryptography.io/) >= 3.4
 options:
  acme_version:
    description:
--- a/plugins/doc_fragments/module_certificate.py
+++ b/plugins/doc_fragments/module_certificate.py
@@ -22,7 +22,7 @@ attributes:
      - If relative timestamps are used and O(ignore_timestamps=false), the module is not idempotent.
      - The option O(force=true) generally disables idempotency.
 requirements:
-  - cryptography >= 1.6 (if using V(selfsigned) or V(ownca) provider)
+  - cryptography >= 3.4 (if using V(selfsigned) or V(ownca) provider)
 options:
  force:
    description:
@@ -304,7 +304,6 @@ options:
        ignored.
      - A value of V(never_create) never creates a SKI. If the CSR provides one, that one is used.
      - This is only used by the V(ownca) provider.
-      - Note that this is only supported if the C(cryptography) backend is used!
    type: str
    choices: [create_if_not_provided, always_create, never_create]
    default: create_if_not_provided
@@ -316,7 +315,6 @@ options:
      - The Authority Key Identifier is generated from the CA certificate's Subject Key Identifier,
        if available. If it is not available, the CA certificate's public key will be used.
      - This is only used by the V(ownca) provider.
-      - Note that this is only supported if the C(cryptography) backend is used!
    type: bool
    default: true
 """
@@ -403,7 +401,6 @@ options:
        ignored.
      - A value of V(never_create) never creates a SKI. If the CSR provides one, that one is used.
      - This is only used by the V(selfsigned) provider.
-      - Note that this is only supported if the C(cryptography) backend is used!
    type: str
    choices: [create_if_not_provided, always_create, never_create]
    default: create_if_not_provided
--- a/plugins/doc_fragments/module_csr.py
+++ b/plugins/doc_fragments/module_csr.py
@@ -18,7 +18,7 @@ attributes:
  idempotent:
    support: full
 requirements:
-  - cryptography >= 1.3
+  - cryptography >= 3.4
 options:
  digest:
    description:
@@ -237,7 +237,6 @@ options:
      - Create the Subject Key Identifier from the public key.
      - Please note that commercial CAs can ignore the value, respectively use a value of their own choice instead. Specifying
        this option is mostly useful for self-signed certificates or for own CAs.
-      - Note that this is only supported if the C(cryptography) backend is used!
    type: bool
    default: false
  subject_key_identifier:
@@ -247,7 +246,6 @@ options:
      - Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option
        is mostly useful for self-signed certificates or for own CAs.
      - Note that this option can only be used if O(create_subject_key_identifier) is V(false).
-      - Note that this is only supported if the C(cryptography) backend is used!
    type: str
  authority_key_identifier:
    description:
@@ -255,7 +253,6 @@ options:
      - 'Example: V(00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33).'
      - Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option
        is mostly useful for self-signed certificates or for own CAs.
-      - Note that this is only supported if the C(cryptography) backend is used!
      - The C(AuthorityKeyIdentifier) extension will only be added if at least one of O(authority_key_identifier), O(authority_cert_issuer)
        and O(authority_cert_serial_number) is specified.
    type: str
@@ -268,7 +265,6 @@ options:
      - If specified, O(authority_cert_serial_number) must also be specified.
      - Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option
        is mostly useful for self-signed certificates or for own CAs.
-      - Note that this is only supported if the C(cryptography) backend is used!
      - The C(AuthorityKeyIdentifier) extension will only be added if at least one of O(authority_key_identifier), O(authority_cert_issuer)
        and O(authority_cert_serial_number) is specified.
    type: list
@@ -277,7 +273,6 @@ options:
    description:
      - The authority cert serial number.
      - If specified, O(authority_cert_issuer) must also be specified.
-      - Note that this is only supported if the C(cryptography) backend is used!
      - Please note that commercial CAs ignore this value, respectively use a value of their own choice. Specifying this option
        is mostly useful for self-signed certificates or for own CAs.
      - The C(AuthorityKeyIdentifier) extension will only be added if at least one of O(authority_key_identifier), O(authority_cert_issuer)
@@ -288,7 +283,6 @@ options:
  crl_distribution_points:
    description:
      - Allows to specify one or multiple CRL distribution points.
-      - Only supported by the C(cryptography) backend.
    type: list
    elements: dict
    suboptions:
@@ -304,7 +298,6 @@ options:
          - Describes how the CRL can be retrieved relative to the CRL issuer.
          - Mutually exclusive with O(crl_distribution_points[].full_name).
          - 'Example: V(/CN=example.com).'
-          - Can only be used when cryptography >= 1.6 is installed.
        type: list
        elements: str
      crl_issuer:
--- a/plugins/doc_fragments/module_privatekey.py
+++ b/plugins/doc_fragments/module_privatekey.py
@@ -22,7 +22,7 @@ attributes:
    details:
      - The option O(regenerate=always) generally disables idempotency.
 requirements:
-  - cryptography >= 1.2.3 (older versions might work as well)
+  - cryptography >= 3.4
 options:
  size:
    description:
@@ -32,9 +32,6 @@ options:
  type:
    description:
      - The algorithm used to generate the TLS/SSL private key.
-      - Note that V(ECC), V(X25519), V(X448), V(Ed25519), and V(Ed448) require the C(cryptography) backend. V(X25519) needs
-        cryptography 2.5 or newer, while V(X448), V(Ed25519), and V(Ed448) require cryptography 2.6 or newer. For V(ECC),
-        the minimal cryptography version required depends on the O(curve) option.
    type: str
    default: RSA
    choices: [DSA, ECC, Ed25519, Ed448, RSA, X25519, X448]
@@ -101,7 +98,6 @@ options:
        parameters are as expected.
      - If set to V(regenerate) (default), generates a new private key.
      - If set to V(convert), the key will be converted to the new format instead.
-      - Only supported by the C(cryptography) backend.
    type: str
    default: regenerate
    choices: [regenerate, convert]
--- a/plugins/doc_fragments/module_privatekey_convert.py
+++ b/plugins/doc_fragments/module_privatekey_convert.py
@@ -10,7 +10,7 @@ class ModuleDocFragment:
    # Standard files documentation fragment
    DOCUMENTATION = r"""
 requirements:
-  - cryptography >= 1.2.3 (older versions might work as well)
+  - cryptography >= 3.4
 attributes:
  diff_mode:
    support: none