Remove PyOpenSSL backends (except for openssl_pkcs12) (#273)

* Remove Ubuntu 16.04 (Xenial Xerus) from CI.

* Removing PyOpenSSL backend from everywhere but openssl_pkcs12.

* Remove PyOpenSSL support from module_utils that's not needed for openssl_pkcs12.

* Add changelog fragment.

plugins/module_utils/crypto/module_backends/privatekey_info.py

@@ -36,24 +36,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.math impor
 
 from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.publickey_info import (
     _get_cryptography_public_key_info,
-    _bigint_to_int,
-    _get_pyopenssl_public_key_info,
 )
 
 
 MINIMAL_CRYPTOGRAPHY_VERSION = '1.2.3'
-MINIMAL_PYOPENSSL_VERSION = '0.15'
-
-PYOPENSSL_IMP_ERR = None
-try:
-    import OpenSSL
-    from OpenSSL import crypto
-    PYOPENSSL_VERSION = LooseVersion(OpenSSL.__version__)
-except ImportError:
-    PYOPENSSL_IMP_ERR = traceback.format_exc()
-    PYOPENSSL_FOUND = False
-else:
-    PYOPENSSL_FOUND = True
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:
@@ -265,135 +251,10 @@ class PrivateKeyInfoRetrievalCryptography(PrivateKeyInfoRetrieval):
         return _is_cryptography_key_consistent(self.key, key_public_data, key_private_data)
 
 
-class PrivateKeyInfoRetrievalPyOpenSSL(PrivateKeyInfoRetrieval):
-    """validate the supplied private key."""
-
-    def __init__(self, module, content, **kwargs):
-        super(PrivateKeyInfoRetrievalPyOpenSSL, self).__init__(module, 'pyopenssl', content, **kwargs)
-
-    def _get_public_key(self, binary):
-        try:
-            return crypto.dump_publickey(
-                crypto.FILETYPE_ASN1 if binary else crypto.FILETYPE_PEM,
-                self.key
-            )
-        except AttributeError:
-            try:
-                # pyOpenSSL < 16.0:
-                bio = crypto._new_mem_buf()
-                if binary:
-                    rc = crypto._lib.i2d_PUBKEY_bio(bio, self.key._pkey)
-                else:
-                    rc = crypto._lib.PEM_write_bio_PUBKEY(bio, self.key._pkey)
-                if rc != 1:
-                    crypto._raise_current_error()
-                return crypto._bio_to_string(bio)
-            except AttributeError:
-                self.module.warn('Your pyOpenSSL version does not support dumping public keys. '
-                                 'Please upgrade to version 16.0 or newer, or use the cryptography backend.')
-
-    def _get_key_info(self):
-        key_type, key_public_data, try_fallback = _get_pyopenssl_public_key_info(self.key)
-        key_private_data = dict()
-        openssl_key_type = self.key.type()
-        if crypto.TYPE_RSA == openssl_key_type:
-            try:
-                # Use OpenSSL directly to extract key data
-                key = OpenSSL._util.lib.EVP_PKEY_get1_RSA(self.key._pkey)
-                key = OpenSSL._util.ffi.gc(key, OpenSSL._util.lib.RSA_free)
-                # OpenSSL 1.1 and newer have functions to extract the parameters
-                # from the EVP PKEY data structures. Older versions didn't have
-                # these getters, and it was common use to simply access the values
-                # directly. Since there's no guarantee that these data structures
-                # will still be accessible in the future, we use the getters for
-                # 1.1 and later, and directly access the values for 1.0.x and
-                # earlier.
-                if OpenSSL.SSL.OPENSSL_VERSION_NUMBER >= 0x10100000:
-                    # Get modulus and exponents
-                    n = OpenSSL._util.ffi.new("BIGNUM **")
-                    e = OpenSSL._util.ffi.new("BIGNUM **")
-                    d = OpenSSL._util.ffi.new("BIGNUM **")
-                    OpenSSL._util.lib.RSA_get0_key(key, n, e, d)
-                    key_private_data['exponent'] = _bigint_to_int(d[0])
-                    # Get factors
-                    p = OpenSSL._util.ffi.new("BIGNUM **")
-                    q = OpenSSL._util.ffi.new("BIGNUM **")
-                    OpenSSL._util.lib.RSA_get0_factors(key, p, q)
-                    key_private_data['p'] = _bigint_to_int(p[0])
-                    key_private_data['q'] = _bigint_to_int(q[0])
-                else:
-                    # Get private exponent
-                    key_private_data['exponent'] = _bigint_to_int(key.d)
-                    # Get factors
-                    key_private_data['p'] = _bigint_to_int(key.p)
-                    key_private_data['q'] = _bigint_to_int(key.q)
-            except AttributeError:
-                try_fallback = True
-        elif crypto.TYPE_DSA == openssl_key_type:
-            try:
-                # Use OpenSSL directly to extract key data
-                key = OpenSSL._util.lib.EVP_PKEY_get1_DSA(self.key._pkey)
-                key = OpenSSL._util.ffi.gc(key, OpenSSL._util.lib.DSA_free)
-                # OpenSSL 1.1 and newer have functions to extract the parameters
-                # from the EVP PKEY data structures. Older versions didn't have
-                # these getters, and it was common use to simply access the values
-                # directly. Since there's no guarantee that these data structures
-                # will still be accessible in the future, we use the getters for
-                # 1.1 and later, and directly access the values for 1.0.x and
-                # earlier.
-                if OpenSSL.SSL.OPENSSL_VERSION_NUMBER >= 0x10100000:
-                    # Get private key exponents
-                    y = OpenSSL._util.ffi.new("BIGNUM **")
-                    x = OpenSSL._util.ffi.new("BIGNUM **")
-                    OpenSSL._util.lib.DSA_get0_key(key, y, x)
-                    key_private_data['x'] = _bigint_to_int(x[0])
-                else:
-                    # Get private key exponents
-                    key_private_data['x'] = _bigint_to_int(key.priv_key)
-            except AttributeError:
-                try_fallback = True
-        else:
-            # Return 'unknown'
-            key_type = 'unknown ({0})'.format(self.key.type())
-        # If needed and if possible, fall back to cryptography
-        if try_fallback and PYOPENSSL_VERSION >= LooseVersion('16.1.0') and CRYPTOGRAPHY_FOUND:
-            return _get_cryptography_private_key_info(self.key.to_cryptography_key())
-        return key_type, key_public_data, key_private_data
-
-    def _is_key_consistent(self, key_public_data, key_private_data):
-        openssl_key_type = self.key.type()
-        if crypto.TYPE_RSA == openssl_key_type:
-            try:
-                return self.key.check()
-            except crypto.Error:
-                # OpenSSL error means that key is not consistent
-                return False
-        if crypto.TYPE_DSA == openssl_key_type:
-            result = _check_dsa_consistency(key_public_data, key_private_data)
-            if result is not None:
-                return result
-            signature = crypto.sign(self.key, SIGNATURE_TEST_DATA, 'sha256')
-            # Verify wants a cert (where it can get the public key from)
-            cert = crypto.X509()
-            cert.set_pubkey(self.key)
-            try:
-                crypto.verify(cert, signature, SIGNATURE_TEST_DATA, 'sha256')
-                return True
-            except crypto.Error:
-                return False
-        # If needed and if possible, fall back to cryptography
-        if PYOPENSSL_VERSION >= LooseVersion('16.1.0') and CRYPTOGRAPHY_FOUND:
-            return _is_cryptography_key_consistent(self.key.to_cryptography_key(), key_public_data, key_private_data)
-        return None
-
-
 def get_privatekey_info(module, backend, content, passphrase=None, return_private_key_data=False, prefer_one_fingerprint=False):
     if backend == 'cryptography':
         info = PrivateKeyInfoRetrievalCryptography(
             module, content, passphrase=passphrase, return_private_key_data=return_private_key_data)
-    elif backend == 'pyopenssl':
-        info = PrivateKeyInfoRetrievalPyOpenSSL(
-            module, content, passphrase=passphrase, return_private_key_data=return_private_key_data)
     return info.get_info(prefer_one_fingerprint=prefer_one_fingerprint)
 
 
@@ -401,30 +262,17 @@ def select_backend(module, backend, content, passphrase=None, return_private_key
     if backend == 'auto':
         # Detection what is possible
         can_use_cryptography = CRYPTOGRAPHY_FOUND and CRYPTOGRAPHY_VERSION >= LooseVersion(MINIMAL_CRYPTOGRAPHY_VERSION)
-        can_use_pyopenssl = PYOPENSSL_FOUND and PYOPENSSL_VERSION >= LooseVersion(MINIMAL_PYOPENSSL_VERSION)
 
-        # First try cryptography, then pyOpenSSL
+        # Try cryptography
         if can_use_cryptography:
             backend = 'cryptography'
-        elif can_use_pyopenssl:
-            backend = 'pyopenssl'
 
         # Success?
         if backend == 'auto':
-            module.fail_json(msg=("Can't detect any of the required Python libraries "
-                                  "cryptography (>= {0}) or PyOpenSSL (>= {1})").format(
-                                      MINIMAL_CRYPTOGRAPHY_VERSION,
-                                      MINIMAL_PYOPENSSL_VERSION))
+            module.fail_json(msg=("Can't detect the required Python library "
+                                  "cryptography (>= {0})").format(MINIMAL_CRYPTOGRAPHY_VERSION))
 
-    if backend == 'pyopenssl':
-        if not PYOPENSSL_FOUND:
-            module.fail_json(msg=missing_required_lib('pyOpenSSL >= {0}'.format(MINIMAL_PYOPENSSL_VERSION)),
-                             exception=PYOPENSSL_IMP_ERR)
-        module.deprecate('The module is using the PyOpenSSL backend. This backend has been deprecated',
-                         version='2.0.0', collection_name='community.crypto')
-        return backend, PrivateKeyInfoRetrievalPyOpenSSL(
-            module, content, passphrase=passphrase, return_private_key_data=return_private_key_data)
-    elif backend == 'cryptography':
+    if backend == 'cryptography':
         if not CRYPTOGRAPHY_FOUND:
             module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
                              exception=CRYPTOGRAPHY_IMP_ERR)