Remove support for cryptography < 3.4 (#878)

* Stop passing backend to cryptography. * Make public_bytes() fallback the default. * Remove compatibility code for older cryptography versions. * Require cryptography 3.4+. * Restrict to cryptography >= 3.4 in integration tests. * Remove Debian Bullseye from CI. It only supports cryptography 3.3. * Improve imports. * Remove no longer existing conditional.
2026-05-07 05:43:06 +00:00 · 2025-05-02 15:27:18 +02:00
parent e8fec768cc
commit 5231ac8f3f
102 changed files with 668 additions and 1217 deletions
--- a/plugins/module_utils/crypto/module_backends/privatekey_convert.py
+++ b/plugins/module_utils/crypto/module_backends/privatekey_convert.py
@@ -14,10 +14,6 @@ from ansible_collections.community.crypto.plugins.module_utils.argspec import (
    ArgumentSpec,
 )
 from ansible_collections.community.crypto.plugins.module_utils.crypto.basic import (
-    CRYPTOGRAPHY_HAS_ED448,
-    CRYPTOGRAPHY_HAS_ED25519,
-    CRYPTOGRAPHY_HAS_X448,
-    CRYPTOGRAPHY_HAS_X25519,
    OpenSSLObjectError,
 )
 from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
@@ -32,7 +28,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
 )


-MINIMAL_CRYPTOGRAPHY_VERSION = "1.2.3"
+MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"

 CRYPTOGRAPHY_IMP_ERR = None
 try:
@@ -41,8 +37,12 @@ try:
    import cryptography.hazmat.backends
    import cryptography.hazmat.primitives.asymmetric.dsa
    import cryptography.hazmat.primitives.asymmetric.ec
+    import cryptography.hazmat.primitives.asymmetric.ed448
+    import cryptography.hazmat.primitives.asymmetric.ed25519
    import cryptography.hazmat.primitives.asymmetric.rsa
    import cryptography.hazmat.primitives.asymmetric.utils
+    import cryptography.hazmat.primitives.asymmetric.x448
+    import cryptography.hazmat.primitives.asymmetric.x25519
    import cryptography.hazmat.primitives.serialization

    CRYPTOGRAPHY_VERSION = LooseVersion(cryptography.__version__)
@@ -136,8 +136,6 @@ class PrivateKeyConvertCryptographyBackend(PrivateKeyConvertBackend):
            module=module, backend="cryptography"
        )

-        self.cryptography_backend = cryptography.hazmat.backends.default_backend()
-
    def get_private_key_data(self):
        """Return bytes for self.src_private_key in output format"""
        # Select export format and encoding
@@ -199,14 +197,14 @@ class PrivateKeyConvertCryptographyBackend(PrivateKeyConvertBackend):
            if format == "raw":
                if passphrase is not None:
                    raise PrivateKeyError("Cannot load raw key with passphrase")
-                if len(data) == 56 and CRYPTOGRAPHY_HAS_X448:
+                if len(data) == 56:
                    return (
                        format,
                        cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.from_private_bytes(
                            data
                        ),
                    )
-                if len(data) == 57 and CRYPTOGRAPHY_HAS_ED448:
+                if len(data) == 57:
                    return (
                        format,
                        cryptography.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey.from_private_bytes(
@@ -214,54 +212,39 @@ class PrivateKeyConvertCryptographyBackend(PrivateKeyConvertBackend):
                        ),
                    )
                if len(data) == 32:
-                    if CRYPTOGRAPHY_HAS_X25519 and not CRYPTOGRAPHY_HAS_ED25519:
-                        return (
-                            format,
-                            cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.from_private_bytes(
-                                data
-                            ),
-                        )
-                    if CRYPTOGRAPHY_HAS_ED25519 and not CRYPTOGRAPHY_HAS_X25519:
-                        return (
-                            format,
-                            cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.from_private_bytes(
-                                data
-                            ),
-                        )
-                    if CRYPTOGRAPHY_HAS_X25519 and CRYPTOGRAPHY_HAS_ED25519:
-                        if isinstance(
-                            current_hint,
-                            cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey,
-                        ):
-                            try:
-                                return (
-                                    format,
-                                    cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.from_private_bytes(
-                                        data
-                                    ),
-                                )
-                            except Exception:
-                                return (
-                                    format,
-                                    cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.from_private_bytes(
-                                        data
-                                    ),
-                                )
-                        else:
-                            try:
-                                return (
-                                    format,
-                                    cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.from_private_bytes(
-                                        data
-                                    ),
-                                )
-                            except Exception:
-                                return (
-                                    format,
-                                    cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.from_private_bytes(
-                                        data
-                                    ),
-                                )
+                    if isinstance(
+                        current_hint,
+                        cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey,
+                    ):
+                        try:
+                            return (
+                                format,
+                                cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.from_private_bytes(
+                                    data
+                                ),
+                            )
+                        except Exception:
+                            return (
+                                format,
+                                cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.from_private_bytes(
+                                    data
+                                ),
+                            )
+                    else:
+                        try:
+                            return (
+                                format,
+                                cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey.from_private_bytes(
+                                    data
+                                ),
+                            )
+                        except Exception:
+                            return (
+                                format,
+                                cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.from_private_bytes(
+                                    data
+                                ),
+                            )
                raise PrivateKeyError("Cannot load raw key")
            else:
                return (
@@ -269,7 +252,6 @@ class PrivateKeyConvertCryptographyBackend(PrivateKeyConvertBackend):
                    cryptography.hazmat.primitives.serialization.load_pem_private_key(
                        data,
                        None if passphrase is None else to_bytes(passphrase),
-                        backend=self.cryptography_backend,
                    ),
                )
        except Exception as e: