Remove PyOpenSSL backends (except for openssl_pkcs12) (#273)

* Remove Ubuntu 16.04 (Xenial Xerus) from CI. * Removing PyOpenSSL backend from everywhere but openssl_pkcs12. * Remove PyOpenSSL support from module_utils that's not needed for openssl_pkcs12. * Add changelog fragment.
2026-05-07 05:43:06 +00:00 · 2021-09-28 17:46:35 +02:00
parent 24e7d07973
commit f644db3c79
72 changed files with 227 additions and 2638 deletions
--- a/plugins/doc_fragments/acme.py
+++ b/plugins/doc_fragments/acme.py
@@ -33,7 +33,7 @@ options:
         key."
      - "Private keys can be created with the
         M(community.crypto.openssl_privatekey) or M(community.crypto.openssl_privatekey_pipe)
-         modules. If the requisites (pyOpenSSL or cryptography) are not available,
+         modules. If the requisite (cryptography) is not available,
         keys can also be created directly with the C(openssl) command line tool:
         RSA keys can be created with C(openssl genrsa ...). Elliptic curve keys
         can be created with C(openssl ecparam -genkey ...). Any other tool creating
--- a/plugins/doc_fragments/module_certificate.py
+++ b/plugins/doc_fragments/module_certificate.py
@@ -14,12 +14,9 @@ class ModuleDocFragment(object):
    DOCUMENTATION = r'''
 description:
    - This module allows one to (re)generate OpenSSL certificates.
-    - It uses the pyOpenSSL or cryptography python library to interact with OpenSSL.
-    - If both the cryptography and PyOpenSSL libraries are available (and meet the minimum version requirements)
-      cryptography will be preferred as a backend over PyOpenSSL (unless the backend is forced with C(select_crypto_backend)).
-      Please note that the PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0.
+    - It uses the cryptography python library to interact with OpenSSL.
 requirements:
-    - PyOpenSSL >= 0.15 or cryptography >= 1.6 (if using C(selfsigned), C(ownca) or C(assertonly) provider)
+    - cryptography >= 1.6 (if using C(selfsigned), C(ownca) or C(assertonly) provider)
 options:
    force:
        description:
@@ -58,14 +55,11 @@ options:
    select_crypto_backend:
        description:
            - Determines which crypto backend to use.
-            - The default choice is C(auto), which tries to use C(cryptography) if available, and falls back to C(pyopenssl).
-            - If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library.
+            - The default choice is C(auto), which tries to use C(cryptography) if available.
            - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
-            - Please note that the C(pyopenssl) backend has been deprecated in Ansible 2.9, and will be removed in community.crypto 2.0.0.
-              From that point on, only the C(cryptography) backend will be available.
        type: str
        default: auto
-        choices: [ auto, cryptography, pyopenssl ]
+        choices: [ auto, cryptography ]

 notes:
    - All ASN.1 TIME values should be specified following the YYYYMMDDHHMMSSZ pattern.
--- a/plugins/doc_fragments/module_csr.py
+++ b/plugins/doc_fragments/module_csr.py
@@ -15,13 +15,8 @@ description:
    - This module allows one to (re)generate OpenSSL certificate signing requests.
    - This module supports the subjectAltName, keyUsage, extendedKeyUsage, basicConstraints and OCSP Must Staple
      extensions.
-    - "The module can use the cryptography Python library, or the pyOpenSSL Python
-      library. By default, it tries to detect which one is available. This can be
-      overridden with the I(select_crypto_backend) option. Please note that the
-      PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0."
 requirements:
-    - Either cryptography >= 1.3
-    - Or pyOpenSSL >= 0.15
+    - cryptography >= 1.3
 options:
    digest:
        description:
@@ -196,14 +191,11 @@ options:
    select_crypto_backend:
        description:
            - Determines which crypto backend to use.
-            - The default choice is C(auto), which tries to use C(cryptography) if available, and falls back to C(pyopenssl).
-            - If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library.
+            - The default choice is C(auto), which tries to use C(cryptography) if available.
            - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
-            - Please note that the C(pyopenssl) backend has been deprecated in Ansible 2.9, and will be removed in community.crypto 2.0.0.
-              From that point on, only the C(cryptography) backend will be available.
        type: str
        default: auto
-        choices: [ auto, cryptography, pyopenssl ]
+        choices: [ auto, cryptography ]
    create_subject_key_identifier:
        description:
            - Create the Subject Key Identifier from the public key.
--- a/plugins/doc_fragments/module_privatekey.py
+++ b/plugins/doc_fragments/module_privatekey.py
@@ -22,13 +22,8 @@ description:
      (or specify none), change the keysize, etc., the private key will be
      regenerated. If you are concerned that this could B(overwrite your private key),
      consider using the I(backup) option."
-    - "The module can use the cryptography Python library, or the pyOpenSSL Python
-      library. By default, it tries to detect which one is available. This can be
-      overridden with the I(select_crypto_backend) option. Please note that the
-      PyOpenSSL backend was deprecated in Ansible 2.9 and will be removed in community.crypto 2.0.0."
 requirements:
-    - Either cryptography >= 1.2.3 (older versions might work as well)
-    - Or pyOpenSSL
+    - cryptography >= 1.2.3 (older versions might work as well)
 options:
    size:
        description:
@@ -80,22 +75,16 @@ options:
        type: str
    cipher:
        description:
-            - The cipher to encrypt the private key. (Valid values can be found by
-              running `openssl list -cipher-algorithms` or `openssl list-cipher-algorithms`,
-              depending on your OpenSSL version.)
-            - When using the C(cryptography) backend, use C(auto).
+            - The cipher to encrypt the private key. Must be C(auto).
        type: str
    select_crypto_backend:
        description:
            - Determines which crypto backend to use.
-            - The default choice is C(auto), which tries to use C(cryptography) if available, and falls back to C(pyopenssl).
-            - If set to C(pyopenssl), will try to use the L(pyOpenSSL,https://pypi.org/project/pyOpenSSL/) library.
+            - The default choice is C(auto), which tries to use C(cryptography) if available.
            - If set to C(cryptography), will try to use the L(cryptography,https://cryptography.io/) library.
-            - Please note that the C(pyopenssl) backend has been deprecated in Ansible 2.9, and will be removed in community.crypto 2.0.0.
-              From that point on, only the C(cryptography) backend will be available.
        type: str
        default: auto
-        choices: [ auto, cryptography, pyopenssl ]
+        choices: [ auto, cryptography ]
    format:
        description:
            - Determines which format the private key is written in. By default, PKCS1 (traditional OpenSSL format)
@@ -105,8 +94,6 @@ options:
              selected one for generation.
            - Note that if the format for an existing private key mismatches, the key is B(regenerated) by default.
              To change this behavior, use the I(format_mismatch) option.
-            - The I(format) option is only supported by the C(cryptography) backend. The C(pyopenssl) backend will
-              fail if a value different from C(auto_ignore) is used.
        type: str
        default: auto_ignore
        choices: [ pkcs1, pkcs8, raw, auto, auto_ignore ]