Support cryptography 3.3 (#882)

* Re-add Debian Bullseye to CI.

* Support cryptography 3.3 as well.

plugins/module_utils/crypto/module_backends/certificate.py

@@ -30,12 +30,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     load_certificate_request,
     load_privatekey,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 CRYPTOGRAPHY_VERSION = None

plugins/module_utils/crypto/module_backends/certificate_info.py

@@ -28,6 +28,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     get_fingerprint_of_bytes,
     load_certificate,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.time import (
     get_now_datetime,
 )
@@ -36,7 +39,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/crl_info.py

@@ -19,6 +19,9 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
 from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
     identify_pem_format,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
@@ -26,7 +29,7 @@ from ansible_collections.community.crypto.plugins.module_utils.version import (
 
 # crypto_utils
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/csr.py

@@ -40,12 +40,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     parse_ordered_name_field,
     select_message_digest,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/csr_info.py

@@ -24,12 +24,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.module_bac
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
     load_certificate_request,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/privatekey.py

@@ -29,12 +29,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import
 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
     get_fingerprint_of_privatekey,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/privatekey_convert.py

@@ -22,13 +22,16 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
 from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import (
     identify_private_key_format,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.io import load_file
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/privatekey_info.py

@@ -26,12 +26,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     get_fingerprint_of_bytes,
     load_privatekey,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/crypto/module_backends/publickey_info.py

@@ -16,12 +16,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
     get_fingerprint_of_bytes,
     load_publickey,
 )
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.version import (
     LooseVersion,
 )
 
 
-MINIMAL_CRYPTOGRAPHY_VERSION = "3.4"
+MINIMAL_CRYPTOGRAPHY_VERSION = COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION
 
 CRYPTOGRAPHY_IMP_ERR = None
 try:

plugins/module_utils/cryptography_dep.py

@@ -0,0 +1,15 @@
+# Copyright (c) 2025 Ansible project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+"""
+Module utils for cryptography requirements.
+
+Must be kept in sync with plugins/doc_fragments/cryptography_dep.py.
+"""
+
+from __future__ import annotations
+
+
+# Corresponds to the community.crypto.cryptography_dep.minimum doc fragment
+COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION = "3.3"

plugins/module_utils/openssh/backends/keypair_backend.py

@@ -11,6 +11,9 @@ import os
 from ansible.module_utils import six
 from ansible.module_utils.basic import missing_required_lib
 from ansible.module_utils.common.text.converters import to_bytes, to_text
+from ansible_collections.community.crypto.plugins.module_utils.cryptography_dep import (
+    COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION,
+)
 from ansible_collections.community.crypto.plugins.module_utils.openssh.backends.common import (
     KeygenCommand,
     OpensshModule,
@@ -19,7 +22,6 @@ from ansible_collections.community.crypto.plugins.module_utils.openssh.backends.
     parse_private_key_format,
 )
 from ansible_collections.community.crypto.plugins.module_utils.openssh.cryptography import (
-    HAS_OPENSSH_PRIVATE_FORMAT,
     HAS_OPENSSH_SUPPORT,
     InvalidCommentError,
     InvalidPassphraseError,
@@ -434,15 +436,6 @@ class KeypairBackendCryptography(KeypairBackend):
                 # OpenSSH made SSH formatted private keys available in version 6.5,
                 # but still defaulted to PKCS1 format with the exception of ed25519 keys
                 result = "PKCS1"
-
-            if result == "SSH" and not HAS_OPENSSH_PRIVATE_FORMAT:
-                self.module.fail_json(
-                    msg=missing_required_lib(
-                        "cryptography >= 3.4",
-                        reason="to load/dump private keys in the default OpenSSH format for OpenSSH >= 7.8 "
-                        + "or for ed25519 keys",
-                    )
-                )
         else:
             result = key_format.upper()
 
@@ -548,8 +541,10 @@ def select_backend(module, backend):
             backend = "cryptography"
         else:
             module.fail_json(
-                msg="Cannot find either the OpenSSH binary in the PATH "
-                + "or cryptography >= 3.4 installed on this system"
+                msg=(
+                    "Cannot find either the OpenSSH binary in the PATH "
+                    f"or cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION} installed on this system"
+                )
             )
 
     if backend == "opensshbin":
@@ -558,7 +553,11 @@ def select_backend(module, backend):
         return backend, KeypairBackendOpensshBin(module)
     elif backend == "cryptography":
         if not can_use_cryptography:
-            module.fail_json(msg=missing_required_lib("cryptography >= 3.4"))
+            module.fail_json(
+                msg=missing_required_lib(
+                    f"cryptography >= {COLLECTION_MINIMUM_CRYPTOGRAPHY_VERSION}"
+                )
+            )
         return backend, KeypairBackendCryptography(module)
     else:
         raise ValueError(f"Unsupported value for backend: {backend}")

plugins/module_utils/openssh/cryptography.py

@@ -9,10 +9,6 @@ from base64 import b64decode, b64encode
 from getpass import getuser
 from socket import gethostname
 
-from ansible_collections.community.crypto.plugins.module_utils.version import (
-    LooseVersion,
-)
-
 
 try:
     from cryptography import __version__ as CRYPTOGRAPHY_VERSION
@@ -25,11 +21,6 @@ try:
         Ed25519PublicKey,
     )
 
-    if LooseVersion(CRYPTOGRAPHY_VERSION) >= LooseVersion("3.4"):
-        HAS_OPENSSH_PRIVATE_FORMAT = True
-    else:
-        HAS_OPENSSH_PRIVATE_FORMAT = False
-
     HAS_OPENSSH_SUPPORT = True
 
     _ALGORITHM_PARAMETERS = {
@@ -70,7 +61,6 @@ try:
         },
     }
 except ImportError:
-    HAS_OPENSSH_PRIVATE_FORMAT = False
     HAS_OPENSSH_SUPPORT = False
     CRYPTOGRAPHY_VERSION = "0.0"
     _ALGORITHM_PARAMETERS = {}
@@ -413,11 +403,7 @@ class OpensshKeypair:
         """
 
         if key_format == "SSH":
-            # Default to PEM format if SSH not available
-            if not HAS_OPENSSH_PRIVATE_FORMAT:
-                privatekey_format = serialization.PrivateFormat.PKCS8
-            else:
-                privatekey_format = serialization.PrivateFormat.OpenSSH
+            privatekey_format = serialization.PrivateFormat.OpenSSH
         elif key_format == "PKCS8":
             privatekey_format = serialization.PrivateFormat.PKCS8
         elif key_format == "PKCS1":