Support cryptography 3.3 (#882)

* Re-add Debian Bullseye to CI.

* Support cryptography 3.3 as well.

plugins/doc_fragments/acme.py

@@ -18,7 +18,8 @@ notes:
     another ACME server, please L(create an issue,https://github.com/ansible-collections/community.crypto/issues/new/choose)
     to help us supporting it. Feedback that an ACME server not mentioned does work is also appreciated.
 requirements:
-  - either openssl or L(cryptography,https://cryptography.io/) >= 3.4
+  - either C(openssl)
+  - or L(cryptography,https://cryptography.io/) >= 3.3
 options:
   acme_version:
     description:

plugins/doc_fragments/cryptography_dep.py

@@ -0,0 +1,20 @@
+# Copyright (c) 2025 Ansible project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+
+class ModuleDocFragment:
+    """
+    Doc fragments for cryptography requirements.
+
+    Must be kept in sync with plugins/module_utils/cryptography_dep.py.
+    """
+
+    # Corresponds to the plugins.module_utils.cryptography_dep.COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION constant
+    MINIMUM = r"""
+requirements:
+  - cryptography >= 3.3
+options: {}
+"""

plugins/doc_fragments/module_certificate.py

@@ -22,7 +22,7 @@ attributes:
       - If relative timestamps are used and O(ignore_timestamps=false), the module is not idempotent.
       - The option O(force=true) generally disables idempotency.
 requirements:
-  - cryptography >= 3.4 (if using V(selfsigned) or V(ownca) provider)
+  - cryptography >= 3.3 (if using V(selfsigned) or V(ownca) provider)
 options:
   force:
     description:

plugins/doc_fragments/module_csr.py

@@ -18,7 +18,7 @@ attributes:
   idempotent:
     support: full
 requirements:
-  - cryptography >= 3.4
+  - cryptography >= 3.3
 options:
   digest:
     description:

plugins/doc_fragments/module_privatekey.py

@@ -22,7 +22,7 @@ attributes:
     details:
       - The option O(regenerate=always) generally disables idempotency.
 requirements:
-  - cryptography >= 3.4
+  - cryptography >= 3.3
 options:
   size:
     description:

plugins/doc_fragments/module_privatekey_convert.py

@@ -10,7 +10,7 @@ class ModuleDocFragment:
     # Standard files documentation fragment
     DOCUMENTATION = r"""
 requirements:
-  - cryptography >= 3.4
+  - cryptography >= 3.3
 attributes:
   diff_mode:
     support: none

plugins/module_utils/crypto/module_backends/certificate.py

@@ -30,12 +30,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     load_certificate_request,
     load_privatekey,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 CRYPTOGRAPHY_VERSION = None

plugins/module_utils/crypto/module_backends/certificate_info.py

@@ -28,6 +28,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     get_fingerprint_of_bytes,
     load_certificate,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.time import (
     get_now_datetime,
 )
@@ -36,7 +39,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/crl_info.py

@@ -19,6 +19,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
 from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
     identify_pem_format,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
@@ -26,7 +29,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
 
 # crypto_utils
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/csr.py

@@ -40,12 +40,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     parse_ordered_name_field,
     select_message_digest,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/csr_info.py

@@ -24,12 +24,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
     load_certificate_request,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/privatekey.py

@@ -29,12 +29,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
     get_fingerprint_of_privatekey,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/privatekey_convert.py

@@ -22,13 +22,16 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
 from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
     identify_private_key_format,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.io import load_file
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/privatekey_info.py

@@ -26,12 +26,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     get_fingerprint_of_bytes,
     load_privatekey,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/publickey_info.py

@@ -16,12 +16,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     get_fingerprint_of_bytes,
     load_publickey,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/cryptography_dep.py

@@ -0,0 +1,15 @@
+# Copyright (c) 2025 Ansible project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+"""
+Module utils for cryptography requirements.
+
+Must be kept in sync with plugins/doc_fragments/cryptography_dep.py.
+"""
+
+from __future__ import annotations
+
+
+# Corresponds to the community.crypto.cryptography_dep.minimum doc fragment
+COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION = "3.3"

plugins/module_utils/openssh/backends/keypair_backend.py

@@ -11,6 +11,9 @@ import os
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
 from ansible.module_utils.common.text.converters import to_bytes, to_text
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.openssh.backends.common import (
     KeygenCommand,
     OpensshModule,
@@ -19,7 +22,6 @@ from ansible_collections.community.crypto.plugins.module_utils.openssh.backends.
     parse_private_key_format,
 )
 from ansible_collections.community.crypto.plugins.module_utils.openssh.cryptography import (
-    HAS_OPENSSH_PRIVATE_FORMAT,
     HAS_OPENSSH_SUPPORT,
     InvalidCommentError,
     InvalidPassphraseError,
@@ -434,15 +436,6 @@ class KeypairBackendCryptography(KeypairBackend):
                 # OpenSSH made SSH formatted private keys available in version 6.5,
                 # but still defaulted to PKCS1 format with the exception of ed25519 keys
                 result = "PKCS1"
-
-            if result == "SSH" and not HAS_OPENSSH_PRIVATE_FORMAT:
-                self.module.fail_json(
-                    msg=missing_required_lib(
-                        "cryptography >= 3.4",
-                        reason="to load/dump private keys in the default OpenSSH format for OpenSSH >= 7.8 "
-                        + "or for ed25519 keys",
-                    )
-                )
         else:
             result = key_format.upper()
 
@@ -548,8 +541,10 @@ def select_backend(module, backend):
             backend = "cryptography"
         else:
             module.fail_json(
-                msg="Cannot find either the OpenSSH binary in the PATH "
-                + "or cryptography >= 3.4 installed on this system"
+                msg=(
+                    "Cannot find either the OpenSSH binary in the PATH "
+                    f"or cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION} installed on this system"
+                )
             )
 
     if backend == "opensshbin":
@@ -558,7 +553,11 @@ def select_backend(module, backend):
         return backend, KeypairBackendOpensshBin(module)
     elif backend == "cryptography":
         if not can_use_cryptography:
-            module.fail_json(msg=missing_required_lib("cryptography >= 3.4"))
+            module.fail_json(
+                msg=missing_required_lib(
+                    f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}"
+                )
+            )
         return backend, KeypairBackendCryptography(module)
     else:
         raise ValueError(f"Unsupported value for backend: {backend}")

plugins/module_utils/openssh/cryptography.py

@@ -9,10 +9,6 @@ from base64 import b64decode, b64encode
 from getpass import getuser
 from socket import gethostname
 
-from ansible_collections.community.crypto.plugins.module_utils.version import (
-    LooseVersion,
-)
-
 
 try:
     from cryptography import __version__ as CRYPTOGRAPHY_VERSION
@@ -25,11 +21,6 @@ try:
         Ed25519PublicKey,
     )
 
-    if LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion("3.4"):
-        HAS_OPENSSH_PRIVATE_FORMAT = True
-    else:
-        HAS_OPENSSH_PRIVATE_FORMAT = False
-
     HAS_OPENSSH_SUPPORT = True
 
     _ALGORITHM_PARAMETERS = {
@@ -70,7 +61,6 @@ try:
         },
     }
 except ImportError:
-    HAS_OPENSSH_PRIVATE_FORMAT = False
     HAS_OPENSSH_SUPPORT = False
     CRYPTOGRAPHY_VERSION = "0.0"
     _ALGORITHM_PARAMETERS = {}
@@ -413,11 +403,7 @@ class OpensshKeypair:
         """
 
         if key_format == "SSH":
-            # Default to PEM format if SSH not available
-            if not HAS_OPENSSH_PRIVATE_FORMAT:
-                privatekey_format = serialization.PrivateFormat.PKCS8
-            else:
-                privatekey_format = serialization.PrivateFormat.OpenSSH
+            privatekey_format = serialization.PrivateFormat.OpenSSH
         elif key_format == "PKCS8":
             privatekey_format = serialization.PrivateFormat.PKCS8
         elif key_format == "PKCS1":

plugins/modules/acme_challenge_cert_helper.py

@@ -21,10 +21,9 @@ seealso:
   - name: ACME TLS ALPN Challenge Extension
     description: The specification of the C(tls-alpn-01) challenge (RFC 8737).
     link: https://www.rfc-editor.org/rfc/rfc8737.html
-requirements:
-  - "cryptography >= 3.4"
 extends_documentation_fragment:
   - community.crypto.attributes
+  - community.crypto.cryptography_dep.minimum
 attributes:
   check_mode:
     support: none
@@ -163,6 +162,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
     set_not_valid_after,
     set_not_valid_before,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.time import (
     get_now_datetime,
 )
@@ -184,7 +186,9 @@ try:
     import cryptography.x509
     import cryptography.x509.oid
 
-    HAS_CRYPTOGRAPHY = LooseVersion(cryptography.__version__) >= LooseVersion("3.4")
+    HAS_CRYPTOGRAPHY = LooseVersion(cryptography.__version__) >= LooseVersion(
+        COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
+    )
 except ImportError:
     CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
     HAS_CRYPTOGRAPHY = False
@@ -215,10 +219,16 @@ def main():
         # Some callbacks die when exception is provided with value None
         if CRYPTOGRAPHY_IMP_ERR:
             module.fail_json(
-                msg=missing_required_lib("cryptography >= 3.4"),
+                msg=missing_required_lib(
+                    f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}"
+                ),
                 exception=CRYPTOGRAPHY_IMP_ERR,
             )
-        module.fail_json(msg=missing_required_lib("cryptography >= 3.4"))
+        module.fail_json(
+            msg=missing_required_lib(
+                f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}"
+            )
+        )
 
     try:
         # Get parameters

plugins/modules/certificate_complete_chain.py

@@ -17,11 +17,10 @@ description:
   - Note that this module does I(not) check for validity of the chains. It only checks that issuer and subject match, and
     that the signature is correct. It ignores validity dates and key usage completely. If you need to verify that a generated
     chain is valid, please use C(openssl verify ...).
-requirements:
-  - "cryptography >= 3.4"
 extends_documentation_fragment:
   - community.crypto.attributes
   - community.crypto.attributes.idempotent_not_modify_state
+  - community.crypto.cryptography_dep.minimum
 attributes:
   check_mode:
     support: full
@@ -129,6 +128,9 @@ from ansible.module_utils.common.text.converters import to_bytes
 from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
     split_pem_list,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
@@ -148,7 +150,9 @@ try:
     import cryptography.x509
     import cryptography.x509.oid
 
-    HAS_CRYPTOGRAPHY = LooseVersion(cryptography.__version__) >= LooseVersion("3.4")
+    HAS_CRYPTOGRAPHY = LooseVersion(cryptography.__version__) >= LooseVersion(
+        COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
+    )
 except ImportError:
     CRYPTOGRAPHY_IMP_ERR = traceback.format_exc()
     HAS_CRYPTOGRAPHY = False
@@ -331,7 +335,9 @@ def main():
 
     if not HAS_CRYPTOGRAPHY:
         module.fail_json(
-            msg=missing_required_lib("cryptography >= 3.4"),
+            msg=missing_required_lib(
+                f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}"
+            ),
             exception=CRYPTOGRAPHY_IMP_ERR,
         )
 

plugins/modules/ecs_certificate.py

@@ -19,11 +19,10 @@ description:
     validated in the ECS system. It is I(not) the responsibility of this module to perform those steps.
 notes:
   - O(path) must be specified as the output location of the certificate.
-requirements:
-  - cryptography >= 3.4
 extends_documentation_fragment:
   - community.crypto.attributes
   - community.crypto.attributes.files
+  - community.crypto.cryptography_dep.minimum
   - community.crypto.ecs_credential
 attributes:
   check_mode:
@@ -558,6 +557,9 @@ from ansible.module_utils.common.text.converters import to_bytes
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
     load_certificate,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.ecs.api import (
     ECSClient,
     RestOperationException,
@@ -581,7 +583,7 @@ except ImportError:
 else:
     CRYPTOGRAPHY_FOUND = True
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 
 def validate_cert_expiry(cert_expiry):

plugins/modules/get_certificate.py

@@ -16,6 +16,7 @@ description:
 extends_documentation_fragment:
   - community.crypto.attributes
   - community.crypto.attributes.idempotent_not_modify_state
+  - community.crypto.cryptography_dep.minimum
 attributes:
   check_mode:
     support: none
@@ -121,7 +122,6 @@ notes:
   - When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed.
 requirements:
   - "Python >= 3.10 when O(get_certificate_chain=true)"
-  - "cryptography >= 3.4"
 
 seealso:
   - plugin: community.crypto.to_serial
@@ -284,6 +284,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
     get_not_valid_after,
     get_not_valid_before,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.time import (
     get_now_datetime,
 )
@@ -292,7 +295,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/modules/openssh_keypair.py

@@ -15,7 +15,7 @@ description:
     V(rsa), V(dsa), V(rsa1), V(ed25519) or V(ecdsa) private keys.
 requirements:
   - ssh-keygen (if O(backend=openssh))
-  - cryptography >= 3.4 (if O(backend=cryptography))
+  - cryptography >= 3.3 (if O(backend=cryptography))
 extends_documentation_fragment:
   - ansible.builtin.files
   - community.crypto.attributes

plugins/modules/openssl_csr_info.py

@@ -14,16 +14,15 @@ description:
   - This module allows one to query information on OpenSSL Certificate Signing Requests (CSR).
   - In case the CSR signature cannot be validated, the module will fail. In this case, all return variables are still returned.
   - It uses the cryptography python library to interact with OpenSSL.
-requirements:
-  - cryptography >= 3.4
 author:
   - Felix Fontein (@felixfontein)
   - Yanis Guenane (@Spredzy)
 extends_documentation_fragment:
   - community.crypto.attributes
   - community.crypto.attributes.info_module
-  - community.crypto.name_encoding
   - community.crypto.attributes.idempotent_not_modify_state
+  - community.crypto.cryptography_dep.minimum
+  - community.crypto.name_encoding
 options:
   path:
     description:

plugins/modules/openssl_dhparam.py

@@ -17,7 +17,7 @@ description:
   - The module can use the cryptography Python library, or the C(openssl) executable. By default, it tries to detect which
     one is available. This can be overridden with the O(select_crypto_backend) option.
 requirements:
-  - Either cryptography >= 3.4
+  - Either cryptography >= 3.3
   - Or OpenSSL binary C(openssl)
 author:
   - Thom Wiggers (@thomwiggers)
@@ -139,6 +139,9 @@ from ansible.module_utils.common.text.converters import to_native
 from ansible_collections.community.crypto.plugins.module_utils.crypto.math import (
     count_bits,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.io import (
     load_file_if_exists,
     write_file,
@@ -148,7 +151,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/modules/openssl_pkcs12.py

@@ -14,12 +14,11 @@ short_description: Generate OpenSSL PKCS#12 archive
 description:
   - This module allows one to (re-)generate PKCS#12.
   - The module uses the cryptography Python library.
-requirements:
-  - cryptography >= 3.4
 extends_documentation_fragment:
   - ansible.builtin.files
   - community.crypto.attributes
   - community.crypto.attributes.files
+  - community.crypto.cryptography_dep.minimum
 attributes:
   check_mode:
     support: full
@@ -296,6 +295,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     load_certificate,
     load_privatekey,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.io import (
     load_file_if_exists,
     write_file,
@@ -305,7 +307,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/modules/openssl_privatekey_info.py

@@ -16,8 +16,6 @@ description:
     return variables are still returned. Note that key consistency checks are not available all key types; if none is available,
     V(none) is returned for RV(key_is_consistent).
   - It uses the cryptography python library to interact with OpenSSL.
-requirements:
-  - cryptography >= 3.4
 author:
   - Felix Fontein (@felixfontein)
   - Yanis Guenane (@Spredzy)
@@ -25,6 +23,7 @@ extends_documentation_fragment:
   - community.crypto.attributes
   - community.crypto.attributes.info_module
   - community.crypto.attributes.idempotent_not_modify_state
+  - community.crypto.cryptography_dep.minimum
 options:
   path:
     description:

plugins/modules/openssl_publickey.py

@@ -14,8 +14,6 @@ description:
   - Public keys are generated in PEM or OpenSSH format. Private keys must be OpenSSL PEM keys. B(OpenSSH private keys are
     not supported), use the M(community.crypto.openssh_keypair) module to manage these.
   - The module uses the cryptography Python library.
-requirements:
-  - cryptography >= 3.4
 author:
   - Yanis Guenane (@Spredzy)
   - Felix Fontein (@felixfontein)
@@ -23,6 +21,7 @@ extends_documentation_fragment:
   - ansible.builtin.files
   - community.crypto.attributes
   - community.crypto.attributes.files
+  - community.crypto.cryptography_dep.minimum
 attributes:
   check_mode:
     support: full
@@ -200,6 +199,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     get_fingerprint,
     load_privatekey,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.io import (
     load_file_if_exists,
     write_file,
@@ -209,7 +211,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/modules/openssl_publickey_info.py

@@ -13,14 +13,13 @@ description:
   - This module allows one to query information on OpenSSL public keys.
   - It uses the cryptography python library to interact with OpenSSL.
 version_added: 1.7.0
-requirements:
-  - cryptography >= 3.4
 author:
   - Felix Fontein (@felixfontein)
 extends_documentation_fragment:
   - community.crypto.attributes
   - community.crypto.attributes.info_module
   - community.crypto.attributes.idempotent_not_modify_state
+  - community.crypto.cryptography_dep.minimum
 options:
   path:
     description:

plugins/modules/openssl_signature.py

@@ -13,13 +13,12 @@ short_description: Sign data with openssl
 description:
   - This module allows one to sign data using a private key.
   - The module uses the cryptography Python library.
-requirements:
-  - cryptography >= 3.4
 author:
   - Patrick Pichler (@aveexy)
   - Markus Teufelberger (@MarkusTeufelberger)
 extends_documentation_fragment:
   - community.crypto.attributes
+  - community.crypto.cryptography_dep.minimum
 attributes:
   check_mode:
     support: full
@@ -99,12 +98,15 @@ import base64
 import os
 import traceback
 
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/modules/openssl_signature_info.py

@@ -13,8 +13,6 @@ short_description: Verify signatures with openssl
 description:
   - This module allows one to verify a signature for a file by a certificate.
   - The module uses the cryptography Python library.
-requirements:
-  - cryptography >= 3.4
 author:
   - Patrick Pichler (@aveexy)
   - Markus Teufelberger (@MarkusTeufelberger)
@@ -22,6 +20,7 @@ extends_documentation_fragment:
   - community.crypto.attributes
   - community.crypto.attributes.info_module
   - community.crypto.attributes.idempotent_not_modify_state
+  - community.crypto.cryptography_dep.minimum
 options:
   path:
     description:
@@ -88,12 +87,15 @@ import base64
 import os
 import traceback
 
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/modules/x509_certificate_convert.py

@@ -124,13 +124,16 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
     OpenSSLObject,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.io import (
     load_file_if_exists,
     write_file,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/modules/x509_certificate_info.py

@@ -19,8 +19,6 @@ description:
     to M(community.crypto.x509_certificate_info). When using FQCNs or when using the
     L(collections,https://docs.ansible.com/ansible/latest/user_guide/collections_using.html#using-collections-in-a-playbook)
     keyword, the new name M(community.crypto.x509_certificate_info) should be used to avoid a deprecation warning.
-requirements:
-  - cryptography >= 3.4
 author:
   - Felix Fontein (@felixfontein)
   - Yanis Guenane (@Spredzy)
@@ -29,6 +27,7 @@ extends_documentation_fragment:
   - community.crypto.attributes
   - community.crypto.attributes.info_module
   - community.crypto.attributes.idempotent_not_modify_state
+  - community.crypto.cryptography_dep.minimum
   - community.crypto.name_encoding
 options:
   path:

plugins/modules/x509_crl.py

@@ -14,14 +14,13 @@ description:
   - This module allows one to (re)generate or update Certificate Revocation Lists (CRLs).
   - Certificates on the revocation list can be either specified by serial number and (optionally) their issuer, or as a path
     to a certificate file in PEM format.
-requirements:
-  - cryptography >= 3.4
 author:
   - Felix Fontein (@felixfontein)
 extends_documentation_fragment:
   - ansible.builtin.files
   - community.crypto.attributes
   - community.crypto.attributes.files
+  - community.crypto.cryptography_dep.minimum
   - community.crypto.name_encoding
 attributes:
   check_mode:
@@ -470,6 +469,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     parse_ordered_name_field,
     select_message_digest,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.io import write_file
 from ansible_collections.community.crypto.plugins.module_utils.serial import (
     parse_serial,
@@ -482,7 +484,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/modules/x509_crl_info.py

@@ -12,14 +12,13 @@ version_added: '1.0.0'
 short_description: Retrieve information on Certificate Revocation Lists (CRLs)
 description:
   - This module allows one to retrieve information on Certificate Revocation Lists (CRLs).
-requirements:
-  - cryptography >= 3.4
 author:
   - Felix Fontein (@felixfontein)
 extends_documentation_fragment:
   - community.crypto.attributes
   - community.crypto.attributes.info_module
   - community.crypto.attributes.idempotent_not_modify_state
+  - community.crypto.cryptography_dep.minimum
   - community.crypto.name_encoding
 options:
   path: