Get rid of backend parameter whenever possible (#883)

* Get rid of backend parameter whenever possible. * Always auto-detect if backend choices are 'cryptography' and 'auto', resp. always check cryptography version. * Improve error message. * Update documentation.
2026-05-06 13:22:58 +00:00 · 2025-05-03 10:46:53 +02:00
parent fbcb89f092
commit 645b7bf9ed
50 changed files with 502 additions and 1093 deletions
--- a/plugins/module_utils/openssh/backends/keypair_backend.py
+++ b/plugins/module_utils/openssh/backends/keypair_backend.py
@@ -22,6 +22,7 @@ from ansible_collections.community.crypto.plugins.module_utils.openssh.backends.
    parse_private_key_format,
 )
 from ansible_collections.community.crypto.plugins.module_utils.openssh.cryptography import (
+    CRYPTOGRAPHY_VERSION,
    HAS_OPENSSH_SUPPORT,
    InvalidCommentError,
    InvalidPassphraseError,
@@ -346,8 +347,7 @@ class KeypairBackendOpensshBin(KeypairBackend):

        if self.module.params["private_key_format"] != "auto":
            self.module.fail_json(
-                msg="'auto' is the only valid option for "
-                + "'private_key_format' when 'backend' is not 'cryptography'"
+                msg="'auto' is the only valid option for 'private_key_format' when 'backend' is not 'cryptography'"
            )

        self.ssh_keygen = KeygenCommand(self.module)
@@ -531,7 +531,9 @@ class KeypairBackendCryptography(KeypairBackend):


 def select_backend(module, backend):
-    can_use_cryptography = HAS_OPENSSH_SUPPORT
+    can_use_cryptography = HAS_OPENSSH_SUPPORT and LooseVersion(
+        CRYPTOGRAPHY_VERSION
+    ) >= LooseVersion(COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION)
    can_use_opensshbin = bool(module.get_bin_path("ssh-keygen"))

    if backend == "auto":
@@ -550,14 +552,13 @@ def select_backend(module, backend):
    if backend == "opensshbin":
        if not can_use_opensshbin:
            module.fail_json(msg="Cannot find the OpenSSH binary in the PATH")
-        return backend, KeypairBackendOpensshBin(module)
-    elif backend == "cryptography":
+        return KeypairBackendOpensshBin(module)
+    if backend == "cryptography":
        if not can_use_cryptography:
            module.fail_json(
                msg=missing_required_lib(
                    f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}"
                )
            )
-        return backend, KeypairBackendCryptography(module)
-    else:
-        raise ValueError(f"Unsupported value for backend: {backend}")
+        return KeypairBackendCryptography(module)
+    raise ValueError(f"Unsupported value for backend: {backend}")
--- a/plugins/module_utils/openssh/cryptography.py
+++ b/plugins/module_utils/openssh/cryptography.py
@@ -13,7 +13,6 @@ from socket import gethostname
 try:
    from cryptography import __version__ as CRYPTOGRAPHY_VERSION
    from cryptography.exceptions import InvalidSignature, UnsupportedAlgorithm
-    from cryptography.hazmat.backends.openssl import backend
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding, rsa
    from cryptography.hazmat.primitives.asymmetric.ed25519 import (
@@ -149,19 +148,16 @@ class AsymmetricKeypair:
                # if improper padding is used during signing
                public_exponent=65537,
                key_size=size,
-                backend=backend,
            )
        elif keytype == "dsa":
            privatekey = dsa.generate_private_key(
                key_size=size,
-                backend=backend,
            )
        elif keytype == "ed25519":
            privatekey = Ed25519PrivateKey.generate()
        elif keytype == "ecdsa":
            privatekey = ec.generate_private_key(
                _ALGORITHM_PARAMETERS["ecdsa"]["curves"][size],
-                backend=backend,
            )

        publickey = privatekey.public_key()
@@ -574,7 +570,6 @@ def load_privatekey(path, passphrase, key_format):
            privatekey = privatekey_loader(
                data=content,
                password=passphrase,
-                backend=backend,
            )

    except ValueError as e:
@@ -584,7 +579,6 @@ def load_privatekey(path, passphrase, key_format):
                privatekey = privatekey_loaders["PEM"](
                    data=content,
                    password=passphrase,
-                    backend=backend,
                )
            except ValueError as e:
                raise InvalidPrivateKeyFileError(e)
@@ -625,7 +619,6 @@ def load_publickey(path, key_format):

            publickey = publickey_loader(
                data=content,
-                backend=backend,
            )
    except ValueError as e:
        raise InvalidPublicKeyFileError(e)
@@ -692,7 +685,7 @@ def extract_comment(path):


 def calculate_fingerprint(openssh_publickey):
-    digest = hashes.Hash(hashes.SHA256(), backend=backend)
+    digest = hashes.Hash(hashes.SHA256())
    decoded_pubkey = b64decode(openssh_publickey.split(b" ")[1])
    digest.update(decoded_pubkey)