Remove support for cryptography < 3.4 (#878)

* Stop passing backend to cryptography. * Make public_bytes() fallback the default. * Remove compatibility code for older cryptography versions. * Require cryptography 3.4+. * Restrict to cryptography >= 3.4 in integration tests. * Remove Debian Bullseye from CI. It only supports cryptography 3.3. * Improve imports. * Remove no longer existing conditional.
2026-05-06 13:22:58 +00:00 · 2025-05-02 15:27:18 +02:00
parent e8fec768cc
commit 5231ac8f3f
102 changed files with 668 additions and 1217 deletions
--- a/plugins/module_utils/openssh/backends/keypair_backend.py
+++ b/plugins/module_utils/openssh/backends/keypair_backend.py
@@ -438,7 +438,7 @@ class KeypairBackendCryptography(KeypairBackend):
            if result == "SSH" and not HAS_OPENSSH_PRIVATE_FORMAT:
                self.module.fail_json(
                    msg=missing_required_lib(
-                        "cryptography >= 3.0",
+                        "cryptography >= 3.4",
                        reason="to load/dump private keys in the default OpenSSH format for OpenSSH >= 7.8 "
                        + "or for ed25519 keys",
                    )
@@ -549,7 +549,7 @@ def select_backend(module, backend):
        else:
            module.fail_json(
                msg="Cannot find either the OpenSSH binary in the PATH "
-                + "or cryptography >= 2.6 installed on this system"
+                + "or cryptography >= 3.4 installed on this system"
            )

    if backend == "opensshbin":
@@ -558,7 +558,7 @@ def select_backend(module, backend):
        return backend, KeypairBackendOpensshBin(module)
    elif backend == "cryptography":
        if not can_use_cryptography:
-            module.fail_json(msg=missing_required_lib("cryptography >= 2.6"))
+            module.fail_json(msg=missing_required_lib("cryptography >= 3.4"))
        return backend, KeypairBackendCryptography(module)
    else:
        raise ValueError(f"Unsupported value for backend: {backend}")
--- a/plugins/module_utils/openssh/cryptography.py
+++ b/plugins/module_utils/openssh/cryptography.py
@@ -25,7 +25,7 @@ try:
        Ed25519PublicKey,
    )

-    if LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion("3.0"):
+    if LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion("3.4"):
        HAS_OPENSSH_PRIVATE_FORMAT = True
    else:
        HAS_OPENSSH_PRIVATE_FORMAT = False