ACME: use Cryptography (if a new enough version is available) instead of OpenSSL (#42170)

* Collecting PEM -> DER conversions. * Using cryptography instead of OpenSSL binary in some situations. * Moving key-to-disk writing for key content to parse_account_key. * Rename parse_account_key -> parse_key. * Move OpenSSL specific code for key parsing and request signing into global functions. * Also using cryptography for key parsing and request signing. * Remove assert statements. * Fixing handling of key contents for cryptography code path. * Allow to disable the use of cryptography. * Updating documentation. * 1.5 seems to work as well (earlier versions don't have EC sign function). Making Python 2.x adjustments. * Changing option to select_crypto_backend. * Python 2.6 compatibility. * Trying to test both backends separately for acme_account. * Also testing both backends separately for acme_certificate and acme_certificate_revoke. * Adding changelog entry which informs about select_crypto_backend option in case autodetect fails. * Fixing YAML.
2026-05-08 22:33:25 +00:00 · 2018-08-12 19:12:01 +02:00
parent 7f41f0168a
commit aef16ee195
13 changed files with 1031 additions and 671 deletions
--- a/changelogs/fragments/42170-acme-backend-selection.yaml
+++ b/changelogs/fragments/42170-acme-backend-selection.yaml
@@ -0,0 +1,8 @@
+---
+minor_changes:
+- "The acme_account and acme_certificate modules now support two backends:
+   the Python cryptograpy module or the OpenSSL binary. By default, the
+   modules detect if a new enough cryptography module is available and
+   use it, with the OpenSSL binary being a fallback. If the detection
+   fails for some reason, the OpenSSL binary backend can be explicitly
+   selected by setting select_crypto_backend to openssl."