Remove support for cryptography < 3.4 (#878)

* Stop passing backend to cryptography. * Make public_bytes() fallback the default. * Remove compatibility code for older cryptography versions. * Require cryptography 3.4+. * Restrict to cryptography >= 3.4 in integration tests. * Remove Debian Bullseye from CI. It only supports cryptography 3.3. * Improve imports. * Remove no longer existing conditional.
2026-05-06 21:33:00 +00:00 · 2025-05-02 15:27:18 +02:00
parent e8fec768cc
commit 5231ac8f3f
102 changed files with 668 additions and 1217 deletions
--- a/plugins/module_utils/crypto/module_backends/certificate_info.py
+++ b/plugins/module_utils/crypto/module_backends/certificate_info.py
@@ -18,7 +18,6 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
    cryptography_decode_name,
    cryptography_get_extensions_from_cert,
    cryptography_oid_to_name,
-    cryptography_serial_number_of_cert,
    get_not_valid_after,
    get_not_valid_before,
 )
@@ -37,7 +36,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
 )


-MINIMAL_CRYPTOGRAPHY_VERSION = "1.6"
+MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"

 CRYPTOGRAPHY_IMP_ERR = None
 try:
@@ -341,20 +340,12 @@ class CertificateInfoRetrievalCryptography(CertificateInfoRetrieval):

    def _get_ocsp_must_staple(self):
        try:
-            try:
-                # This only works with cryptography >= 2.1
-                tlsfeature_ext = self.cert.extensions.get_extension_for_class(
-                    x509.TLSFeature
-                )
-                value = (
-                    cryptography.x509.TLSFeatureType.status_request
-                    in tlsfeature_ext.value
-                )
-            except AttributeError:
-                # Fallback for cryptography < 2.1
-                oid = x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.1.24")
-                tlsfeature_ext = self.cert.extensions.get_extension_for_oid(oid)
-                value = tlsfeature_ext.value.value == b"\x30\x03\x02\x01\x05"
+            tlsfeature_ext = self.cert.extensions.get_extension_for_class(
+                x509.TLSFeature
+            )
+            value = (
+                cryptography.x509.TLSFeatureType.status_request in tlsfeature_ext.value
+            )
            return value, tlsfeature_ext.critical
        except cryptography.x509.ExtensionNotFound:
            return None, False
@@ -416,7 +407,7 @@ class CertificateInfoRetrievalCryptography(CertificateInfoRetrieval):
            return None, None, None

    def _get_serial_number(self):
-        return cryptography_serial_number_of_cert(self.cert)
+        return self.cert.serial_number

    def _get_all_extensions(self):
        return cryptography_get_extensions_from_cert(self.cert)