Remove support for cryptography < 3.4 (#878)

* Stop passing backend to cryptography.

* Make public_bytes() fallback the default.

* Remove compatibility code for older cryptography versions.

* Require cryptography 3.4+.

* Restrict to cryptography >= 3.4 in integration tests.

* Remove Debian Bullseye from CI.

It only supports cryptography 3.3.

* Improve imports.

* Remove no longer existing conditional.

tests/integration/targets/acme_account/tasks/main.yml

@@ -37,4 +37,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('1.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/acme_account_info/tasks/main.yml

@@ -37,4 +37,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('1.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/acme_ari_info/tasks/main.yml

@@ -41,4 +41,4 @@
 
         - import_tasks: ../tests/validate.yml
 
-      when: cryptography_version.stdout is version('1.5', '>=')
+      when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/acme_certificate/tasks/impl.yml

@@ -364,7 +364,6 @@
       set_fact:
         cert_8_obtain_results: "{{ certificate_obtain_result }}"
         cert_8_alternate: "{{ 0 if select_crypto_backend == 'cryptography' else 0 }}"
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 ## DISSECT CERTIFICATES #######################################################################
 # Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
@@ -402,7 +401,6 @@
   command: '{{ openssl_binary }} verify -CAfile "{{ remote_tmp_dir }}/cert-8-root.pem" -untrusted "{{ remote_tmp_dir }}/cert-8-chain.pem" "{{ remote_tmp_dir }}/cert-8.pem"'
   ignore_errors: true
   register: cert_8_valid
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 # Dump certificate info
 - name: Dumping cert 1
@@ -431,7 +429,6 @@
 - name: Dumping cert 8
   command: '{{ openssl_binary }} x509 -in "{{ remote_tmp_dir }}/cert-8.pem" -noout -text'
   register: cert_8_text
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 # Dump certificate info
 - name: Dumping cert 1
@@ -468,7 +465,6 @@
   x509_certificate_info:
     path: "{{ remote_tmp_dir }}/cert-8.pem"
   register: cert_8_info
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 ## GET ACCOUNT ORDERS #########################################################################
 - name: Don't retrieve orders

tests/integration/targets/acme_certificate/tasks/main.yml

@@ -118,4 +118,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('1.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/acme_certificate/tests/validate.yml

@@ -159,7 +159,6 @@
       assert:
         that:
           - "'IP Address:127.0.0.1' in cert_8_text.stdout or 'IP:127.0.0.1' in cert_8_text.stdout"
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: Validate that orders were not retrieved
   assert:

tests/integration/targets/acme_certificate_deactivate_authz/tasks/main.yml

@@ -37,4 +37,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('1.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/acme_certificate_order/tasks/impl.yml

@@ -147,11 +147,6 @@
       - validate_1 is changed
       - validate_1.account_uri == account.account_uri
 
-- name: "({{ select_crypto_backend }}) Wait until we know that the challenges have been validated for ansible-core <= 2.11"
-  pause:
-    seconds: 5
-  when: ansible_version.full is version('2.12', '<')
-
 - name: "({{ select_crypto_backend }}) Get order information"
   acme_certificate_order_info:
     acme_directory: "{{ acme_directory_url }}"

tests/integration/targets/acme_certificate_order/tasks/main.yml

@@ -33,4 +33,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('1.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/acme_certificate_renewal_info/tasks/main.yml

@@ -40,4 +40,4 @@
 
         - import_tasks: ../tests/validate.yml
 
-      when: cryptography_version.stdout is version('1.5', '>=')
+      when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/acme_certificate_revoke/tasks/main.yml

@@ -37,4 +37,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('1.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/acme_challenge_cert_helper/tasks/main.yml

@@ -35,4 +35,4 @@
         terms_agreed: true
         account_email: "example@example.org"
 
-  when: cryptography_version.stdout is version('1.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/acme_inspect/tasks/main.yml

@@ -37,4 +37,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('1.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/certificate_complete_chain/tasks/main.yml

@@ -10,11 +10,6 @@
 
 - block:
 
-    - name: Make sure testhost directory exists
-      file:
-        path: '{{ remote_tmp_dir }}/files/'
-        state: directory
-      when: ansible_version.string is version('2.10', '<')
     - name: Copy test files to testhost
       copy:
         src: '{{ role_path }}/files/'
@@ -29,4 +24,4 @@
     - name: Run tests with created certificates
       import_tasks: created.yml
 
-  when: cryptography_version.stdout is version('1.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/filter_openssl_csr_info/tasks/impl.yml

@@ -27,7 +27,7 @@
       - result.extensions_by_oid['2.5.29.15'].critical == true
       - result.extensions_by_oid['2.5.29.15'].value in ['AwMA/4A=', 'AwMH/4A=']
       # Subject Alternative Names
-      - result.subject_alt_name[1] == ("DNS:âņsïbłè.com" if cryptography_version.stdout is version('2.1', '<') else "DNS:xn--sb-oia0a7a53bya.com")
+      - result.subject_alt_name[1] == "DNS:xn--sb-oia0a7a53bya.com"
       - result_unicode.subject_alt_name[1] == "DNS:âņsïbłè.com"
       - result_idna.subject_alt_name[1] == "DNS:xn--sb-oia0a7a53bya.com"
       - result.extensions_by_oid['2.5.29.17'].critical == false
@@ -54,7 +54,6 @@
     expected_authority_cert_issuer:
       - "DNS:ca.example.org"
       - "IP:1.2.3.4"
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: "Get CSR info"
   set_fact:
@@ -76,7 +75,6 @@
     expected_authority_cert_issuer:
       - "DNS:ca.example.org"
       - "IP:1.2.3.4"
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: "Get CSR info"
   set_fact:
@@ -89,7 +87,6 @@
       - result.authority_key_identifier == "44:55:66:77"
       - result.authority_cert_issuer is none
       - result.authority_cert_serial_number is none
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: Get invalid certificate info
   set_fact:

tests/integration/targets/filter_openssl_csr_info/tasks/main.yml

@@ -84,10 +84,10 @@
       - "pathlen:23"
     basic_constraints_critical: true
     ocsp_must_staple: true
-    subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    subject_key_identifier: "00:11:22:33"
+    authority_key_identifier: "44:55:66:77"
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
+    authority_cert_serial_number: 12345
   vars:
     value_for_authority_cert_issuer:
       - "DNS:ca.example.org"
@@ -113,8 +113,8 @@
       - "IP:DEAD:BEEF::1"
     basic_constraints:
       - "CA:FALSE"
-    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
+    authority_cert_serial_number: 12345
   vars:
     value_for_authority_cert_issuer:
       - "DNS:ca.example.org"
@@ -125,8 +125,8 @@
     path: '{{ remote_tmp_dir }}/csr_4.csr'
     privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     useCommonNameForSAN: false
-    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_key_identifier: "44:55:66:77"
 
 - name: Running tests
   include_tasks: impl.yml
-  when: cryptography_version.stdout is version('1.3', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/filter_openssl_privatekey_info/tasks/main.yml

@@ -39,4 +39,4 @@
 
 - name: Running tests
   include_tasks: impl.yml
-  when: cryptography_version.stdout is version('1.2.3', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/filter_openssl_publickey_info/tasks/main.yml

@@ -44,4 +44,4 @@
 
 - name: Running tests
   include_tasks: impl.yml
-  when: cryptography_version.stdout is version('1.2.3', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/filter_x509_certificate_info/tasks/impl.yml

@@ -25,8 +25,8 @@
       - result.public_key_data.size == (default_rsa_key_size_certificates | int)
       - "result.subject_alt_name == [
           'DNS:www.ansible.com',
-          'DNS:' ~ ('öç' if cryptography_version.stdout is version('2.1', '<') else 'xn--7ca3a') ~ '.com',
-          'DNS:' ~ ('www.öç' if cryptography_version.stdout is version('2.1', '<') else 'xn--74h') ~ '.com',
+          'DNS:xn--7ca3a.com',
+          'DNS:xn--74h.com',
           'IP:1.2.3.4',
           'IP:::1',
           'email:test@example.org',
@@ -35,7 +35,7 @@
       - "result_idna.subject_alt_name == [
           'DNS:www.ansible.com',
           'DNS:xn--7ca3a.com',
-          'DNS:' ~ ('www.xn--7ca3a' if cryptography_version.stdout is version('2.1', '<') else 'xn--74h') ~ '.com',
+          'DNS:xn--74h.com',
           'IP:1.2.3.4',
           'IP:::1',
           'email:test@example.org',
@@ -44,7 +44,7 @@
       - "result_unicode.subject_alt_name == [
           'DNS:www.ansible.com',
           'DNS:öç.com',
-          'DNS:' ~ ('www.öç' if cryptography_version.stdout is version('2.1', '<') else '☺') ~ '.com',
+          'DNS:☺.com',
           'IP:1.2.3.4',
           'IP:::1',
           'email:test@example.org',
@@ -60,8 +60,6 @@
       - result.extensions_by_oid['2.5.29.17'].critical == false
       - >
         result.extensions_by_oid['2.5.29.17'].value == (
-          'MIGCgg93d3cuYW5zaWJsZS5jb22CDXhuLS03Y2EzYS5jb22CEXd3dy54bi0tN2NhM2EuY29thwQBAgMEhxAAAAAAAAAAAAAAAAAAAAABgRB0ZXN0QGV4YW1wbGUub3JnhiNodHRwczovL2V4YW1wbGUub3JnL3Rlc3QvaW5kZXguaHRtbA=='
-          if cryptography_version.stdout is version('2.1', '<') else
           'MHyCD3d3dy5hbnNpYmxlLmNvbYINeG4tLTdjYTNhLmNvbYILeG4tLTc0aC5jb22HBAECAwSHEAAAAAAAAAAAAAAAAAAAAAGBEHRlc3RAZXhhbXBsZS5vcmeGI2h0dHBzOi8vZXhhbXBsZS5vcmcvdGVzdC9pbmRleC5odG1s'
         )
       # Basic Constraints
@@ -86,7 +84,6 @@
     expected_authority_cert_issuer:
       - "DNS:ca.example.org"
       - "IP:1.2.3.4"
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: Get certificate info
   set_fact:
@@ -108,7 +105,6 @@
     expected_authority_cert_issuer:
       - "DNS:ca.example.org"
       - "IP:1.2.3.4"
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: Get certificate info
   set_fact:
@@ -121,7 +117,6 @@
       - result.authority_key_identifier == "44:55:66:77"
       - result.authority_cert_issuer is none
       - result.authority_cert_serial_number is none
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: Get certificate info for packaged cert 1
   set_fact:

tests/integration/targets/filter_x509_certificate_info/tasks/main.yml

@@ -76,8 +76,7 @@
     subject_alt_name:
       - "DNS:www.ansible.com"
       - "DNS:öç.com"
-      # cryptography < 2.1 cannot handle certain Unicode characters
-      - "DNS:{{ 'www.öç' if cryptography_version.stdout is version('2.1', '<') else '☺' }}.com"
+      - "DNS:☺.com"
       - "IP:1.2.3.4"
       - "IP:::1"
       - "email:test@example.org"
@@ -87,10 +86,10 @@
       - "pathlen:23"
     basic_constraints_critical: true
     ocsp_must_staple: true
-    subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    subject_key_identifier: "00:11:22:33"
+    authority_key_identifier: "44:55:66:77"
+    authority_cert_issuer: "{{ value_for_authority_cert_issuer }}"
+    authority_cert_serial_number: 12345
   vars:
     value_for_authority_cert_issuer:
       - "DNS:ca.example.org"
@@ -116,8 +115,8 @@
       - "IP:DEAD:BEEF::1"
     basic_constraints:
       - "CA:FALSE"
-    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
+    authority_cert_serial_number: 12345
   vars:
     value_for_authority_cert_issuer:
       - "DNS:ca.example.org"
@@ -128,7 +127,7 @@
     path: '{{ remote_tmp_dir }}/csr_4.csr'
     privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     useCommonNameForSAN: false
-    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_key_identifier: "44:55:66:77"
 
 - name: Generate selfsigned certificates
   x509_certificate:
@@ -147,4 +146,4 @@
 
 - name: Running tests
   include_tasks: impl.yml
-  when: cryptography_version.stdout is version('1.6', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/filter_x509_crl_info/tasks/impl.yml

@@ -94,13 +94,6 @@
     src: "{{ remote_tmp_dir }}/ca-crl1.crl"
   register: content
 
-- name: Retrieve CRL 1 infos from DER (raw bytes)
-  set_fact:
-    crl_1_info_4: >-
-      {{ content.content | b64decode | community.crypto.x509_crl_info }}
-  # Ansible 2.9 and ansible-base 2.10 on Python 2 mangle bytes, so do not run this on these versions
-  when: ansible_version.string is version('2.11', '>=') or ansible_python.version.major > 2
-
 - name: Retrieve CRL 1 infos from DER (Base64 encoded)
   set_fact:
     crl_1_info_5: >-
@@ -109,9 +102,7 @@
 - name: Validate CRL 1
   assert:
     that:
-      - crl_1_info_4 is not defined or crl_1_info_4.format == 'der'
       - crl_1_info_5.format == 'der'
-      - crl_1_info_4 is not defined or crl_1_info_4 == crl_1_info_5
 
 - name: Create CRL 2
   x509_crl:
@@ -195,22 +186,15 @@
     revoked_certificates:
       - serial_number: 1234
         revocation_date: 20191001000000Z
-        # * cryptography < 2.1 strips username and password from URIs. To avoid problems, we do
-        #   not pass usernames and passwords for URIs when the cryptography version is < 2.1.
-        # * Python 3.5 before 3.5.8 rc 1 has a bug in urllib.parse.urlparse() that results in an
-        #   error if a Unicode netloc has a username or password included.
-        #   (https://github.com/ansible-collections/community.crypto/pull/436#issuecomment-1101737134)
-        #   This affects the Python 3.5 included in Ansible 2.9's default test container; to avoid
-        #   this, we also do not pass usernames and passwords for Python 3.5.
         issuer:
           - "DNS:ca.example.org"
           - "DNS:ffóò.ḃâŗ.çøṁ"
           - "email:foo@ḃâŗ.çøṁ"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}ffóò.ḃâŗ.çøṁ/baz?foo=bar"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.straße.de"
+          - "URI:https://admin:hunter2@ffóò.ḃâŗ.çøṁ/baz?foo=bar"
+          - "URI:https://goo@www.straße.de"
           - "URI:https://straße.de:8080"
           - "URI:http://gefäß.org"
-          - "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}ä:1"
+          - "URI:http://a:b@ä:1"
         issuer_critical: true
   register: crl_3
 
@@ -229,11 +213,11 @@
           - "DNS:ca.example.org"
           - "DNS:xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n"
           - "email:foo@xn--2ca8uh37e.xn--7ca8a981n"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n/baz?foo=bar"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.xn--strae-oqa.de"
+          - "URI:https://admin:hunter2@xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n/baz?foo=bar"
+          - "URI:https://goo@www.xn--strae-oqa.de"
           - "URI:https://xn--strae-oqa.de:8080"
           - "URI:http://xn--gef-7kay.org"
-          - "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}xn--4ca:1"
+          - "URI:http://a:b@xn--4ca:1"
         issuer_critical: true
     ignore_timestamps: true
     name_encoding: idna
@@ -254,11 +238,11 @@
           - "DNS:ca.example.org"
           - "DNS:ffóò.ḃâŗ.çøṁ"
           - "email:foo@ḃâŗ.çøṁ"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}ffóò.ḃâŗ.çøṁ/baz?foo=bar"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.straße.de"
+          - "URI:https://admin:hunter2@ffóò.ḃâŗ.çøṁ/baz?foo=bar"
+          - "URI:https://goo@www.straße.de"
           - "URI:https://straße.de:8080"
           - "URI:http://gefäß.org"
-          - "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}ä:1"
+          - "URI:http://a:b@ä:1"
         issuer_critical: true
     ignore_timestamps: true
     name_encoding: unicode

tests/integration/targets/filter_x509_crl_info/tasks/main.yml

@@ -88,4 +88,4 @@
     - name: Running tests
       include_tasks: impl.yml
 
-  when: cryptography_version.stdout is version('1.2', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/get_certificate/tasks/main.yml

@@ -37,7 +37,7 @@
         that:
           - result is success or skip_tests
 
-  when: cryptography_version.stdout is version('1.6', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')
 
 - block:
 

tests/integration/targets/openssh_keypair/tasks/main.yml

@@ -19,7 +19,7 @@
 
 - set_fact:
     backends: "{{ backends + ['cryptography'] }}"
-  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
 
 - include_tasks: ../tests/core.yml
   loop: "{{ backends }}"
@@ -47,4 +47,4 @@
     loop_var: backend
 
 - include_tasks: ../tests/cryptography_backend.yml
-  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')

tests/integration/targets/openssl_csr/tasks/impl.yml

@@ -884,7 +884,7 @@
     select_crypto_backend: '{{ select_crypto_backend }}'
   register: everything_info
 
-- name: "({{ select_crypto_backend }}) Ed25519 and Ed448 tests (for cryptography >= 2.6)"
+- name: "({{ select_crypto_backend }}) Ed25519 and Ed448 tests"
   block:
     - name: "({{ select_crypto_backend }}) Generate privatekeys"
       openssl_privatekey:
@@ -926,9 +926,9 @@
           register: generate_csr_ed25519_ed448_idempotent
           ignore_errors: true
 
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=')
+  when: select_crypto_backend == 'cryptography'
 
-- name: "({{ select_crypto_backend }}) CRL distribution endpoints (for cryptography >= 1.6)"
+- name: "({{ select_crypto_backend }}) CRL distribution endpoints"
   block:
     - name: "({{ select_crypto_backend }}) Create CSR with CRL distribution endpoints"
       openssl_csr:
@@ -1015,4 +1015,4 @@
         select_crypto_backend: '{{ select_crypto_backend }}'
       register: crl_distribution_endpoints_5
 
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.6', '>=')
+  when: select_crypto_backend == 'cryptography'

tests/integration/targets/openssl_csr/tasks/main.yml

@@ -29,4 +29,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('1.3', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/openssl_csr/tests/validate.yml

@@ -77,15 +77,6 @@
       - generate_csr_invalid_san is failed
       - "'Subject Alternative Name' in generate_csr_invalid_san.msg"
 
-- name: "({{ select_crypto_backend }}) Validate invalid SAN (2/2)"
-  # Note that modern cryptography versions simply accept this name.
-  # The error has been observed with cryptography 1.7.2 and 1.9, but not with 2.3 and newer.
-  assert:
-    that:
-      - generate_csr_invalid_san_2 is failed
-      - "'The label system:kube-controller-manager is not a valid A-label' in generate_csr_invalid_san_2.msg"
-  when: cryptography_version.stdout is version('2.0', '<')
-
 - name: "({{ select_crypto_backend }}) Validate OCSP Must Staple CSR (test - everything)"
   shell: "{{ openssl_binary }} req -noout -in {{ remote_tmp_dir }}/csr_ocsp.csr -text"
   register: csr_ocsp
@@ -313,18 +304,7 @@
           "IP:::1:0:0/112",
         ]
 
-- name: "({{ select_crypto_backend }}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)"
-  assert:
-    that:
-      - generate_csr_ed25519_ed448.results[0] is failed
-      - generate_csr_ed25519_ed448.results[1] is failed
-      - generate_csr_ed25519_ed448.results[0].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.'
-      - generate_csr_ed25519_ed448.results[1].msg == 'Signing with Ed25519 and Ed448 keys requires cryptography 2.8 or newer.'
-      - generate_csr_ed25519_ed448_idempotent.results[0] is failed
-      - generate_csr_ed25519_ed448_idempotent.results[1] is failed
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and generate_csr_ed25519_ed448_privatekey is not failed
-
-- name: "({{ select_crypto_backend }}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)"
+- name: "({{ select_crypto_backend }}) Verify Ed25519 and Ed448 tests"
   assert:
     that:
       - generate_csr_ed25519_ed448 is succeeded
@@ -333,9 +313,9 @@
       - generate_csr_ed25519_ed448_idempotent is succeeded
       - generate_csr_ed25519_ed448_idempotent.results[0] is not changed
       - generate_csr_ed25519_ed448_idempotent.results[1] is not changed
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and generate_csr_ed25519_ed448_privatekey is not failed
+  when: select_crypto_backend == 'cryptography' and generate_csr_ed25519_ed448_privatekey is not failed
 
-- name: "({{ select_crypto_backend }}) Verify CRL distribution endpoints (for cryptography >= 1.6)"
+- name: "({{ select_crypto_backend }}) Verify CRL distribution endpoints"
   assert:
     that:
       - crl_distribution_endpoints_1 is changed
@@ -343,4 +323,4 @@
       - crl_distribution_endpoints_3 is changed
       - crl_distribution_endpoints_4 is changed
       - crl_distribution_endpoints_5 is changed
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.6', '>=')
+  when: select_crypto_backend == 'cryptography'

tests/integration/targets/openssl_csr_info/tasks/impl.yml

@@ -41,7 +41,7 @@
       - result.extensions_by_oid['2.5.29.15'].critical == true
       - result.extensions_by_oid['2.5.29.15'].value in ['AwMA/4A=', 'AwMH/4A=']
       # Subject Alternative Names
-      - result.subject_alt_name[1] == ("DNS:âņsïbłè.com" if cryptography_version.stdout is version('2.1', '<') else "DNS:xn--sb-oia0a7a53bya.com")
+      - result.subject_alt_name[1] == "DNS:xn--sb-oia0a7a53bya.com"
       - result_unicode.subject_alt_name[1] == "DNS:âņsïbłè.com"
       - result_idna.subject_alt_name[1] == "DNS:xn--sb-oia0a7a53bya.com"
       - result.extensions_by_oid['2.5.29.17'].critical == false
@@ -68,7 +68,6 @@
     expected_authority_cert_issuer:
       - "DNS:ca.example.org"
       - "IP:1.2.3.4"
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: "({{ select_crypto_backend }}) Read CSR"
   slurp:
@@ -111,7 +110,6 @@
     expected_authority_cert_issuer:
       - "DNS:ca.example.org"
       - "IP:1.2.3.4"
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: "({{ select_crypto_backend }}) Get CSR info"
   openssl_csr_info:
@@ -125,4 +123,3 @@
       - result.authority_key_identifier == "44:55:66:77"
       - result.authority_cert_issuer is none
       - result.authority_cert_serial_number is none
-  when: cryptography_version.stdout is version('1.3', '>=')

tests/integration/targets/openssl_csr_info/tasks/main.yml

@@ -85,10 +85,10 @@
       - "pathlen:23"
     basic_constraints_critical: true
     ocsp_must_staple: true
-    subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    subject_key_identifier: "00:11:22:33"
+    authority_key_identifier: "44:55:66:77"
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
+    authority_cert_serial_number: 12345
   vars:
     value_for_authority_cert_issuer:
       - "DNS:ca.example.org"
@@ -114,8 +114,8 @@
       - "IP:DEAD:BEEF::1"
     basic_constraints:
       - "CA:FALSE"
-    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
+    authority_cert_serial_number: 12345
   vars:
     value_for_authority_cert_issuer:
       - "DNS:ca.example.org"
@@ -126,10 +126,10 @@
     path: '{{ remote_tmp_dir }}/csr_4.csr'
     privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     useCommonNameForSAN: false
-    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_key_identifier: "44:55:66:77"
 
 - name: Running tests with cryptography backend
   include_tasks: impl.yml
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('1.3', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/openssl_csr_pipe/tasks/main.yml

@@ -24,4 +24,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('1.3', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/openssl_dhparam/tasks/main.yml

@@ -44,4 +44,4 @@
 
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('2.0', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/openssl_pkcs12/tasks/main.yml

@@ -68,7 +68,7 @@
           vars:
             select_crypto_backend: cryptography
 
-      when: cryptography_version.stdout is version('3.0', '>=')
+      when: cryptography_version.stdout is version('3.4', '>=')
 
   when: >-
-    cryptography_version.stdout is version('3.0', '>=')
+    cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/openssl_privatekey/tasks/impl.yml

@@ -534,7 +534,7 @@
           - privatekey_fmt_2_step_6.privatekey == (slurp.content | b64decode)
       when: privatekey_fmt_2_step_1 is not failed
 
-  when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")'
+  when: select_crypto_backend == "cryptography"
 
 
 # Test regenerate option
@@ -871,4 +871,4 @@
           - result.results[0].fingerprint == result.results[2].fingerprint
           - result.results[0].fingerprint == result.results[3].fingerprint
           - result.results[0].fingerprint != result.results[4].fingerprint
-  when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=")'
+  when: select_crypto_backend == "cryptography"

tests/integration/targets/openssl_privatekey/tasks/main.yml

@@ -50,4 +50,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('0.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/openssl_privatekey/tests/validate.yml

@@ -213,7 +213,7 @@
       - system_potentially_has_no_algorithm_support
       - privatekey_fmt_2_step_1 is failed
       - "'Cryptography backend does not support the algorithm required for ' in privatekey_fmt_2_step_1.msg"
-  when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=") and privatekey_fmt_2_step_1 is failed'
+  when: 'select_crypto_backend == "cryptography" and privatekey_fmt_2_step_1 is failed'
 
 - name: "({{ select_crypto_backend }}) Validate format 2"
   assert:
@@ -224,4 +224,4 @@
       - privatekey_fmt_2_step_4 is succeeded and privatekey_fmt_2_step_4 is not changed
       - privatekey_fmt_2_step_5 is succeeded and privatekey_fmt_2_step_5 is not changed
       - privatekey_fmt_2_step_6 is succeeded and privatekey_fmt_2_step_6 is changed
-  when: 'select_crypto_backend == "cryptography" and cryptography_version.stdout is version("2.6", ">=") and privatekey_fmt_2_step_1 is not failed'
+  when: 'select_crypto_backend == "cryptography" and privatekey_fmt_2_step_1 is not failed'

tests/integration/targets/openssl_privatekey_convert/tasks/impl.yml

@@ -331,60 +331,58 @@
           - convert_idem is not changed
           - convert_file_info is not changed
 
-- when: supports_x25519 | bool
-  block:
-    - name: Convert (change format to raw, check mode)
-      openssl_privatekey_convert:
-        src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
-        dest_path: '{{ remote_tmp_dir }}/output_3.pem'
-        format: raw
-        # select_crypto_backend: '{{ select_crypto_backend }}'
-      register: convert_not_idem_check
-      check_mode: true
+- name: Convert (change format to raw, check mode)
+  openssl_privatekey_convert:
+    src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
+    dest_path: '{{ remote_tmp_dir }}/output_3.pem'
+    format: raw
+    # select_crypto_backend: '{{ select_crypto_backend }}'
+  register: convert_not_idem_check
+  check_mode: true
 
-    - name: Convert (change format to raw)
-      openssl_privatekey_convert:
-        src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
-        dest_path: '{{ remote_tmp_dir }}/output_3.pem'
-        format: raw
-        # select_crypto_backend: '{{ select_crypto_backend }}'
-      register: convert_not_idem
+- name: Convert (change format to raw)
+  openssl_privatekey_convert:
+    src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
+    dest_path: '{{ remote_tmp_dir }}/output_3.pem'
+    format: raw
+    # select_crypto_backend: '{{ select_crypto_backend }}'
+  register: convert_not_idem
 
-    - assert:
-        that:
-          - convert_not_idem_check is changed
-          - convert_not_idem is changed
+- assert:
+    that:
+      - convert_not_idem_check is changed
+      - convert_not_idem is changed
 
-    - name: "({{ select_crypto_backend }}) Collect file information"
-      community.internal_test_tools.files_collect:
-        files:
-          - path: '{{ remote_tmp_dir }}/output_3.pem'
-      register: convert_file_info_data
+- name: "({{ select_crypto_backend }}) Collect file information"
+  community.internal_test_tools.files_collect:
+    files:
+      - path: '{{ remote_tmp_dir }}/output_3.pem'
+  register: convert_file_info_data
 
-    - name: Convert (idempotent, check mode)
-      openssl_privatekey_convert:
-        src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
-        dest_path: '{{ remote_tmp_dir }}/output_3.pem'
-        format: raw
-        # select_crypto_backend: '{{ select_crypto_backend }}'
-      register: convert_idem_check
-      check_mode: true
+- name: Convert (idempotent, check mode)
+  openssl_privatekey_convert:
+    src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
+    dest_path: '{{ remote_tmp_dir }}/output_3.pem'
+    format: raw
+    # select_crypto_backend: '{{ select_crypto_backend }}'
+  register: convert_idem_check
+  check_mode: true
 
-    - name: Convert (idempotent)
-      openssl_privatekey_convert:
-        src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
-        dest_path: '{{ remote_tmp_dir }}/output_3.pem'
-        format: raw
-        # select_crypto_backend: '{{ select_crypto_backend }}'
-      register: convert_idem
+- name: Convert (idempotent)
+  openssl_privatekey_convert:
+    src_path: '{{ remote_tmp_dir }}/privatekey_x25519.pem'
+    dest_path: '{{ remote_tmp_dir }}/output_3.pem'
+    format: raw
+    # select_crypto_backend: '{{ select_crypto_backend }}'
+  register: convert_idem
 
-    - name: "({{ select_crypto_backend }}) Check whether file changed"
-      community.internal_test_tools.files_diff:
-        state: '{{ convert_file_info_data }}'
-      register: convert_file_info
+- name: "({{ select_crypto_backend }}) Check whether file changed"
+  community.internal_test_tools.files_diff:
+    state: '{{ convert_file_info_data }}'
+  register: convert_file_info
 
-    - assert:
-        that:
-          - convert_idem_check is not changed
-          - convert_idem is not changed
-          - convert_file_info is not changed
+- assert:
+    that:
+      - convert_idem_check is not changed
+      - convert_idem is not changed
+      - convert_file_info is not changed

tests/integration/targets/openssl_privatekey_convert/tasks/main.yml

@@ -10,11 +10,9 @@
 
 - name: Determine capabilities
   set_fact:
-    supports_x25519: '{{ cryptography_version.stdout is version("2.5", ">=") }}'
     supports_ed25519: >-
       {{
-        cryptography_version.stdout is version("2.6", ">=")
-        and not (
+        not (
           ansible_os_family == "FreeBSD" and
           ansible_facts.distribution_version is version("12.1", ">=") and
           ansible_facts.distribution_version is version("12.2", "<")
@@ -45,7 +43,6 @@
       format: pkcs8
       type: X25519
       size: '{{ default_rsa_key_size }}'
-      condition: '{{ supports_x25519 }}'
 
 - name: Run module with backend autodetection
   openssl_privatekey_convert:
@@ -61,4 +58,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('1.2.3', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/openssl_privatekey_info/tasks/main.yml

@@ -43,4 +43,4 @@
   include_tasks: impl.yml
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('1.2.3', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/openssl_privatekey_pipe/tasks/main.yml

@@ -18,4 +18,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('0.5', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/openssl_publickey/tasks/impl.yml

@@ -56,7 +56,7 @@
     privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     format: OpenSSH
     select_crypto_backend: '{{ select_crypto_backend }}'
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.4.0', '>=')
+  when: select_crypto_backend == 'cryptography'
 
 - name: "({{ select_crypto_backend }}) Generate publickey - OpenSSH format - test idempotence (issue 33256)"
   openssl_publickey:
@@ -64,7 +64,7 @@
     privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     format: OpenSSH
     select_crypto_backend: '{{ select_crypto_backend }}'
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.4.0', '>=')
+  when: select_crypto_backend == 'cryptography'
   register: publickey_ssh_idempotence
 
 - name: "({{ select_crypto_backend }}) Generate publickey2 - standard"

tests/integration/targets/openssl_publickey/tasks/main.yml

@@ -28,4 +28,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('1.2.3', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/openssl_publickey/tests/validate.yml

@@ -32,25 +32,25 @@
 - name: "({{ select_crypto_backend }}) Validate public key - OpenSSH format (test - privatekey's publickey)"
   shell: 'ssh-keygen -y -f {{ remote_tmp_dir }}/privatekey.pem'
   register: privatekey_publickey
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.4.0', '>=')
+  when: select_crypto_backend == 'cryptography'
 
 - name: "({{ select_crypto_backend }}) Validate public key - OpenSSH format  (test - publickey)"
   slurp:
     src: '{{ remote_tmp_dir }}/publickey-ssh.pub'
   register: publickey
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.4.0', '>=')
+  when: select_crypto_backend == 'cryptography'
 
 - name: "({{ select_crypto_backend }}) Validate public key - OpenSSH format (assert)"
   assert:
     that:
       - privatekey_publickey.stdout == publickey.content | b64decode
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.4.0', '>=')
+  when: select_crypto_backend == 'cryptography'
 
 - name: "({{ select_crypto_backend }}) Validate public key - OpenSSH format - test idempotence (issue 33256)"
   assert:
     that:
       - publickey_ssh_idempotence is not changed
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('1.4.0', '>=')
+  when: select_crypto_backend == 'cryptography'
 
 - name: "({{ select_crypto_backend }}) Validate publickey2 (test - Ensure key has been removed)"
   stat:

tests/integration/targets/openssl_publickey_info/tasks/main.yml

@@ -46,4 +46,4 @@
   include_tasks: impl.yml
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('1.2.3', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/openssl_signature/tasks/main.yml

@@ -26,18 +26,15 @@
 - name: Add cryptography backend
   set_fact:
     backends: "{{ backends + [ { 'backend': 'cryptography' } ] }}"
-  when: cryptography_version.stdout is version('1.4', '>=')
 
 - name: Add RSA tests
   set_fact:
     key_types: "{{ key_types + [ { 'type': 'RSA', 'size': default_rsa_key_size } ] }}"
-  when: cryptography_version.stdout is version('1.4', '>=')
 
 - name: Add DSA + ECDSA tests
   set_fact:
     key_types: "{{ key_types + [ { 'type': 'DSA', 'size': 2048 }, { 'type': 'ECC', 'curve': 'secp256r1' } ] }}"
   when:
-    - cryptography_version.stdout is version('1.5', '>=')
     # FreeBSD 11 fails on secp256r1 keys
     - not ansible_os_family == 'FreeBSD'
 
@@ -45,8 +42,6 @@
   set_fact:
     key_types: "{{ key_types + [ { 'type': 'Ed25519' }, { 'type': 'Ed448' } ] }}"
   when:
-    # The module under tests works with >= 2.6, but we also need to be able to create a certificate which requires 2.8
-    - cryptography_version.stdout is version('2.8', '>=')
     # FreeBSD doesn't have support for Ed448/25519
     - not ansible_os_family == 'FreeBSD'
 

tests/integration/targets/setup_pkg_mgr/tasks/main.yml

@@ -12,16 +12,10 @@
     pkg_mgr: community.general.pkgng
     ansible_pkg_mgr: community.general.pkgng
     cacheable: true
-  when: ansible_os_family == 'FreeBSD' and ansible_version.string is version('2.10', '>=')
+  when: ansible_os_family == 'FreeBSD'
 
 - set_fact:
     pkg_mgr: community.general.zypper
     ansible_pkg_mgr: community.general.zypper
     cacheable: true
-  when: ansible_os_family == 'Suse' and ansible_version.string is version('2.10', '>=')
-
-- shell:
-    cmd: |
-      sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/*.repo
-      sed -i 's%#baseurl=http://mirror.centos.org/%baseurl=https://vault.centos.org/%g' /etc/yum.repos.d/*.repo
-  when: ansible_distribution in 'CentOS' and ansible_distribution_major_version == '7'
+  when: ansible_os_family == 'Suse'

tests/integration/targets/x509_certificate-acme/tasks/main.yml

@@ -141,4 +141,4 @@
 - name: Running tests
   include_tasks: impl.yml
   # Make x509_certificate module happy
-  when: cryptography_version.stdout is version('1.6', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/x509_certificate/tasks/main.yml

@@ -12,4 +12,4 @@
   include_tasks: impl.yml
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('1.6', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/x509_certificate/tasks/ownca.yml

@@ -658,6 +658,6 @@
           register: ownca_certificate_ed25519_ed448_2_idempotence
           ignore_errors: true
 
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=')
+  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('3.4', '>=')
 
 - import_tasks: ../tests/validate_ownca.yml

tests/integration/targets/x509_certificate/tasks/selfsigned.yml

@@ -480,6 +480,6 @@
           register: selfsigned_certificate_ed25519_ed448_idempotence
           ignore_errors: true
 
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=')
+  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('3.4', '>=')
 
 - import_tasks: ../tests/validate_selfsigned.yml

tests/integration/targets/x509_certificate/tests/validate_ownca.yml

@@ -165,20 +165,7 @@
       - ownca_authority_key_identifier_4 is not changed
       - ownca_authority_key_identifier_5 is changed
 
-- name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
-  assert:
-    that:
-      - ownca_certificate_ed25519_ed448.results[0] is failed
-      - ownca_certificate_ed25519_ed448.results[1] is failed
-      - ownca_certificate_ed25519_ed448_idempotence.results[0] is failed
-      - ownca_certificate_ed25519_ed448_idempotence.results[1] is failed
-      - ownca_certificate_ed25519_ed448_2.results[0] is failed
-      - ownca_certificate_ed25519_ed448_2.results[1] is failed
-      - ownca_certificate_ed25519_ed448_2_idempotence.results[0] is failed
-      - ownca_certificate_ed25519_ed448_2_idempotence.results[1] is failed
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and ownca_certificate_ed25519_ed448_privatekey is not failed
-
-- name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
+- name: (OwnCA validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests
   assert:
     that:
       - ownca_certificate_ed25519_ed448 is succeeded
@@ -193,4 +180,4 @@
       - ownca_certificate_ed25519_ed448_2_idempotence is succeeded
       - ownca_certificate_ed25519_ed448_2_idempotence.results[0] is not changed
       - ownca_certificate_ed25519_ed448_2_idempotence.results[1] is not changed
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and ownca_certificate_ed25519_ed448_privatekey is not failed
+  when: select_crypto_backend == 'cryptography' and ownca_certificate_ed25519_ed448_privatekey is not failed

tests/integration/targets/x509_certificate/tests/validate_selfsigned.yml

@@ -195,16 +195,7 @@
       - selfsigned_subject_key_identifier_4 is not changed
       - selfsigned_subject_key_identifier_5 is changed
 
-- name: (Selfsigned validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
-  assert:
-    that:
-      - selfsigned_certificate_ed25519_ed448.results[0] is failed
-      - selfsigned_certificate_ed25519_ed448.results[1] is failed
-      - selfsigned_certificate_ed25519_ed448_idempotence.results[0] is failed
-      - selfsigned_certificate_ed25519_ed448_idempotence.results[1] is failed
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and selfsigned_certificate_ed25519_ed448_privatekey is not failed
-
-- name: (Selfsigned validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
+- name: (Selfsigned validation, {{select_crypto_backend}}) Verify Ed25519 and Ed448 tests
   assert:
     that:
       - selfsigned_certificate_ed25519_ed448 is succeeded
@@ -213,4 +204,4 @@
       - selfsigned_certificate_ed25519_ed448_idempotence is succeeded
       - selfsigned_certificate_ed25519_ed448_idempotence.results[0] is not changed
       - selfsigned_certificate_ed25519_ed448_idempotence.results[1] is not changed
-  when: select_crypto_backend == 'cryptography' and cryptography_version.stdout is version('2.8', '>=') and selfsigned_certificate_ed25519_ed448_privatekey is not failed
+  when: select_crypto_backend == 'cryptography' and selfsigned_certificate_ed25519_ed448_privatekey is not failed

tests/integration/targets/x509_certificate_convert/tasks/main.yml

@@ -70,7 +70,7 @@
       - "DNS:www.ansible.com"
       - "DNS:öç.com"
       # cryptography < 2.1 cannot handle certain Unicode characters
-      - "DNS:{{ 'www.öç' if cryptography_version.stdout is version('2.1', '<') else '☺' }}.com"
+      - "DNS:☺.com"
       - "IP:1.2.3.4"
       - "IP:::1"
       - "email:test@example.org"
@@ -80,10 +80,10 @@
       - "pathlen:23"
     basic_constraints_critical: true
     ocsp_must_staple: true
-    subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    subject_key_identifier: "00:11:22:33"
+    authority_key_identifier: "44:55:66:77"
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
+    authority_cert_serial_number: 12345
   vars:
     value_for_authority_cert_issuer:
       - "DNS:ca.example.org"
@@ -108,8 +108,8 @@
       - "IP:DEAD:BEEF::1"
     basic_constraints:
       - "CA:FALSE"
-    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
+    authority_cert_serial_number: 12345
   vars:
     value_for_authority_cert_issuer:
       - "DNS:ca.example.org"

tests/integration/targets/x509_certificate_info/tasks/impl.yml

@@ -39,8 +39,8 @@
       - result.public_key_data.size == (default_rsa_key_size_certificates | int)
       - "result.subject_alt_name == [
           'DNS:www.ansible.com',
-          'DNS:' ~ ('öç' if cryptography_version.stdout is version('2.1', '<') else 'xn--7ca3a') ~ '.com',
-          'DNS:' ~ ('www.öç' if cryptography_version.stdout is version('2.1', '<') else 'xn--74h') ~ '.com',
+          'DNS:xn--7ca3a.com',
+          'DNS:xn--74h.com',
           'IP:1.2.3.4',
           'IP:::1',
           'email:test@example.org',
@@ -49,7 +49,7 @@
       - "result_idna.subject_alt_name == [
           'DNS:www.ansible.com',
           'DNS:xn--7ca3a.com',
-          'DNS:' ~ ('www.xn--7ca3a' if cryptography_version.stdout is version('2.1', '<') else 'xn--74h') ~ '.com',
+          'DNS:xn--74h.com',
           'IP:1.2.3.4',
           'IP:::1',
           'email:test@example.org',
@@ -58,7 +58,7 @@
       - "result_unicode.subject_alt_name == [
           'DNS:www.ansible.com',
           'DNS:öç.com',
-          'DNS:' ~ ('www.öç' if cryptography_version.stdout is version('2.1', '<') else '☺') ~ '.com',
+          'DNS:☺.com',
           'IP:1.2.3.4',
           'IP:::1',
           'email:test@example.org',
@@ -74,8 +74,6 @@
       - result.extensions_by_oid['2.5.29.17'].critical == false
       - >
         result.extensions_by_oid['2.5.29.17'].value == (
-          'MIGCgg93d3cuYW5zaWJsZS5jb22CDXhuLS03Y2EzYS5jb22CEXd3dy54bi0tN2NhM2EuY29thwQBAgMEhxAAAAAAAAAAAAAAAAAAAAABgRB0ZXN0QGV4YW1wbGUub3JnhiNodHRwczovL2V4YW1wbGUub3JnL3Rlc3QvaW5kZXguaHRtbA=='
-          if cryptography_version.stdout is version('2.1', '<') else
           'MHyCD3d3dy5hbnNpYmxlLmNvbYINeG4tLTdjYTNhLmNvbYILeG4tLTc0aC5jb22HBAECAwSHEAAAAAAAAAAAAAAAAAAAAAGBEHRlc3RAZXhhbXBsZS5vcmeGI2h0dHBzOi8vZXhhbXBsZS5vcmcvdGVzdC9pbmRleC5odG1s'
         )
       # Basic Constraints
@@ -100,7 +98,6 @@
     expected_authority_cert_issuer:
       - "DNS:ca.example.org"
       - "IP:1.2.3.4"
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: ({{select_crypto_backend}}) Read file
   slurp:
@@ -152,7 +149,6 @@
     expected_authority_cert_issuer:
       - "DNS:ca.example.org"
       - "IP:1.2.3.4"
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: ({{select_crypto_backend}}) Get certificate info
   x509_certificate_info:
@@ -166,7 +162,6 @@
       - result.authority_key_identifier == "44:55:66:77"
       - result.authority_cert_issuer is none
       - result.authority_cert_serial_number is none
-  when: cryptography_version.stdout is version('1.3', '>=')
 
 - name: Copy packed cert 1 to remote
   copy:

tests/integration/targets/x509_certificate_info/tasks/main.yml

@@ -77,7 +77,7 @@
       - "DNS:www.ansible.com"
       - "DNS:öç.com"
       # cryptography < 2.1 cannot handle certain Unicode characters
-      - "DNS:{{ 'www.öç' if cryptography_version.stdout is version('2.1', '<') else '☺' }}.com"
+      - "DNS:☺.com"
       - "IP:1.2.3.4"
       - "IP:::1"
       - "email:test@example.org"
@@ -87,10 +87,10 @@
       - "pathlen:23"
     basic_constraints_critical: true
     ocsp_must_staple: true
-    subject_key_identifier: '{{ "00:11:22:33" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    subject_key_identifier: "00:11:22:33"
+    authority_key_identifier: "44:55:66:77"
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
+    authority_cert_serial_number: 12345
   vars:
     value_for_authority_cert_issuer:
       - "DNS:ca.example.org"
@@ -116,8 +116,8 @@
       - "IP:DEAD:BEEF::1"
     basic_constraints:
       - "CA:FALSE"
-    authority_cert_issuer: '{{ value_for_authority_cert_issuer if cryptography_version.stdout is version("1.3", ">=") else omit }}'
-    authority_cert_serial_number: '{{ 12345 if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_cert_issuer: '{{ value_for_authority_cert_issuer }}'
+    authority_cert_serial_number: 12345
   vars:
     value_for_authority_cert_issuer:
       - "DNS:ca.example.org"
@@ -128,7 +128,7 @@
     path: '{{ remote_tmp_dir }}/csr_4.csr'
     privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
     useCommonNameForSAN: false
-    authority_key_identifier: '{{ "44:55:66:77" if cryptography_version.stdout is version("1.3", ">=") else omit }}'
+    authority_key_identifier: "44:55:66:77"
 
 - name: Generate selfsigned certificates
   x509_certificate:
@@ -149,4 +149,4 @@
   include_tasks: impl.yml
   vars:
     select_crypto_backend: cryptography
-  when: cryptography_version.stdout is version('1.6', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/x509_certificate_pipe/tasks/main.yml

@@ -23,4 +23,4 @@
       vars:
         select_crypto_backend: cryptography
 
-  when: cryptography_version.stdout is version('1.6', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/x509_crl/tasks/impl.yml

@@ -553,11 +553,11 @@
           - "DNS:ca.example.org"
           - "DNS:ffóò.ḃâŗ.çøṁ"
           - "email:foo@ḃâŗ.çøṁ"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}ffóò.ḃâŗ.çøṁ/baz?foo=bar"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.straße.de"
+          - "URI:https://admin:hunter2@ffóò.ḃâŗ.çøṁ/baz?foo=bar"
+          - "URI:https://goo@www.straße.de"
           - "URI:https://straße.de:8080"
           - "URI:http://gefäß.org"
-          - "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}ä:1"
+          - "URI:http://a:b@ä:1"
         issuer_critical: true
   register: crl_3
 
@@ -576,11 +576,11 @@
           - "DNS:ca.example.org"
           - "DNS:xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n"
           - "email:foo@xn--2ca8uh37e.xn--7ca8a981n"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n/baz?foo=bar"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.xn--strae-oqa.de"
+          - "URI:https://admin:hunter2@xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n/baz?foo=bar"
+          - "URI:https://goo@www.xn--strae-oqa.de"
           - "URI:https://xn--strae-oqa.de:8080"
           - "URI:http://xn--gef-7kay.org"
-          - "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}xn--4ca:1"
+          - "URI:http://a:b@xn--4ca:1"
         issuer_critical: true
     ignore_timestamps: true
     name_encoding: idna
@@ -601,11 +601,11 @@
           - "DNS:ca.example.org"
           - "DNS:ffóò.ḃâŗ.çøṁ"
           - "email:foo@ḃâŗ.çøṁ"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'admin:hunter2@' }}ffóò.ḃâŗ.çøṁ/baz?foo=bar"
-          - "URI:https://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'goo@' }}www.straße.de"
+          - "URI:https://admin:hunter2@ffóò.ḃâŗ.çøṁ/baz?foo=bar"
+          - "URI:https://goo@www.straße.de"
           - "URI:https://straße.de:8080"
           - "URI:http://gefäß.org"
-          - "URI:http://{{ '' if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else 'a:b@' }}ä:1"
+          - "URI:http://a:b@ä:1"
         issuer_critical: true
     ignore_timestamps: true
     name_encoding: unicode
@@ -694,4 +694,4 @@
             - Ed448
           ignore_errors: true
 
-  when: cryptography_version.stdout is version('2.6', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/x509_crl/tasks/main.yml

@@ -90,4 +90,4 @@
 
     - import_tasks: ../tests/validate.yml
 
-  when: cryptography_version.stdout is version('1.2', '>=')
+  when: cryptography_version.stdout is version('3.4', '>=')

tests/integration/targets/x509_crl/tests/validate.yml

@@ -111,25 +111,7 @@
   assert:
     that:
       - crl_3.revoked_certificates == crl_3_info.revoked_certificates
-      - crl_3.revoked_certificates[0].issuer == ([
-          "DNS:ca.example.org",
-          "DNS:ffóò.ḃâŗ.çøṁ",
-          "email:foo@ḃâŗ.çøṁ",
-          "URI:https://ffóò.ḃâŗ.çøṁ/baz?foo=bar",
-          "URI:https://www.straße.de",
-          "URI:https://straße.de:8080",
-          "URI:http://gefäß.org",
-          "URI:http://ä:1",
-        ] if cryptography_version.stdout is version('2.1', '<') else [
-          "DNS:ca.example.org",
-          "DNS:xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n",
-          "email:foo@xn--2ca8uh37e.xn--7ca8a981n",
-          "URI:https://xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n/baz?foo=bar",
-          "URI:https://www.xn--strae-oqa.de",
-          "URI:https://xn--strae-oqa.de:8080",
-          "URI:http://xn--gef-7kay.org",
-          "URI:http://xn--4ca:1",
-        ] if ansible_facts.python.version.minor == 5 else [
+      - crl_3.revoked_certificates[0].issuer == [
           "DNS:ca.example.org",
           "DNS:xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n",
           "email:foo@xn--2ca8uh37e.xn--7ca8a981n",
@@ -138,19 +120,10 @@
           "URI:https://xn--strae-oqa.de:8080",
           "URI:http://xn--gef-7kay.org",
           "URI:http://a:b@xn--4ca:1",
-        ])
+        ]
       - crl_3_idna is not changed
       - crl_3_idna.revoked_certificates == crl_3_info_idna.revoked_certificates
-      - crl_3_idna.revoked_certificates[0].issuer == ([
-          "DNS:ca.example.org",
-          "DNS:xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n",
-          "email:foo@xn--2ca8uh37e.xn--7ca8a981n",
-          "URI:https://xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n/baz?foo=bar",
-          "URI:https://www.xn--strae-oqa.de",
-          "URI:https://xn--strae-oqa.de:8080",
-          "URI:http://xn--gef-7kay.org",
-          "URI:http://xn--4ca:1",
-        ] if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else [
+      - crl_3_idna.revoked_certificates[0].issuer == [
           "DNS:ca.example.org",
           "DNS:xn--ff-3jad.xn--2ca8uh37e.xn--7ca8a981n",
           "email:foo@xn--2ca8uh37e.xn--7ca8a981n",
@@ -159,19 +132,10 @@
           "URI:https://xn--strae-oqa.de:8080",
           "URI:http://xn--gef-7kay.org",
           "URI:http://a:b@xn--4ca:1",
-        ])
+        ]
       - crl_3_unicode is not changed
       - crl_3_unicode.revoked_certificates == crl_3_info_unicode.revoked_certificates
-      - crl_3_unicode.revoked_certificates[0].issuer == ([
-          "DNS:ca.example.org",
-          "DNS:ffóò.ḃâŗ.çøṁ",
-          "email:foo@ḃâŗ.çøṁ",
-          "URI:https://ffóò.ḃâŗ.çøṁ/baz?foo=bar",
-          "URI:https://www.straße.de",
-          "URI:https://straße.de:8080",
-          "URI:http://gefäß.org",
-          "URI:http://ä:1",
-        ] if cryptography_version.stdout is version('2.1', '<') or ansible_facts.python.version.minor == 5 else [
+      - crl_3_unicode.revoked_certificates[0].issuer == [
           "DNS:ca.example.org",
           "DNS:ffóò.ḃâŗ.çøṁ",
           "email:foo@ḃâŗ.çøṁ",
@@ -180,18 +144,9 @@
           "URI:https://straße.de:8080",
           "URI:http://gefäß.org",
           "URI:http://a:b@ä:1",
-        ])
+        ]
 
-- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.6, < 2.8)
-  assert:
-    that:
-      - ed25519_ed448_crl.results[0] is failed
-      - ed25519_ed448_crl.results[1] is failed
-      - ed25519_ed448_crl_idempotence.results[0] is failed
-      - ed25519_ed448_crl_idempotence.results[1] is failed
-  when: cryptography_version.stdout is version('2.6', '>=') and cryptography_version.stdout is version('2.8', '<') and ed25519_ed448_privatekey is not failed
-
-- name: Verify Ed25519 and Ed448 tests (for cryptography >= 2.8)
+- name: Verify Ed25519 and Ed448 tests
   assert:
     that:
       - ed25519_ed448_crl is succeeded
@@ -200,4 +155,4 @@
       - ed25519_ed448_crl_idempotence is succeeded
       - ed25519_ed448_crl_idempotence.results[0] is not changed
       - ed25519_ed448_crl_idempotence.results[1] is not changed
-  when: cryptography_version.stdout is version('2.8', '>=') and ed25519_ed448_privatekey is not failed
+  when: ed25519_ed448_privatekey is not failed