Update py cryptography to >=2.5.0

2026-06-04 22:33:00 -04:00 · 2021-11-22 12:53:59 -08:00 · 2021-11-22 12:53:59 -08:00 · a23bb6a93b
commit a23bb6a93b
parent 2746fc572f
7 changed files with 7 additions and 33 deletions
--- a/acme/setup.py
+++ b/acme/setup.py
@ -6,7 +6,7 @@ from setuptools import setup
 version = '1.22.0.dev0'

 install_requires = [
-    'cryptography>=2.1.4',
+    'cryptography>=2.5.0',
    'josepy>=1.9.0',
    'PyOpenSSL>=17.3.0',
    'pyrfc3339',
--- a/certbot/certbot/ocsp.py
+++ b/certbot/certbot/ocsp.py
@ -14,6 +14,7 @@ from cryptography.exceptions import UnsupportedAlgorithm
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
+from cryptography.x509 import ocsp
 import pytz
 import requests

@ -23,14 +24,6 @@ from certbot import util
 from certbot.compat.os import getenv
 from certbot.interfaces import RenewableCert  # pylint: disable=unused-import

-try:
-    # Only cryptography>=2.5 has ocsp module
-    # and signature_hash_algorithm attribute in OCSPResponse class
-    from cryptography.x509 import ocsp  # pylint: disable=ungrouped-imports
-    getattr(ocsp.OCSPResponse, 'signature_hash_algorithm')
-except (ImportError, AttributeError):  # pragma: no cover
-    ocsp = None  # type: ignore
-

 logger = logging.getLogger(__name__)

@ -40,7 +33,7 @@ class RevocationChecker:

    def __init__(self, enforce_openssl_binary_usage: bool = False) -> None:
        self.broken = False
-        self.use_openssl_binary = enforce_openssl_binary_usage or not ocsp
+        self.use_openssl_binary = enforce_openssl_binary_usage

        if self.use_openssl_binary:
            if not util.exe_exists("openssl"):
--- a/certbot/setup.py
+++ b/certbot/setup.py
@ -50,7 +50,7 @@ install_requires = [
    # in which we added 2.6 support (see #2243), so we relax the requirement.
    'ConfigArgParse>=0.9.3',
    'configobj>=5.0.6',
-    'cryptography>=2.1.4',
+    'cryptography>=2.5.0',
    'distro>=1.0.1',
    'josepy>=1.9.0',
    'parsedatetime>=2.4',
--- a/certbot/tests/ocsp_test.py
+++ b/certbot/tests/ocsp_test.py
@ -10,6 +10,7 @@ from cryptography.exceptions import InvalidSignature
 from cryptography.exceptions import UnsupportedAlgorithm
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
+from cryptography.x509 import ocsp as ocsp_lib
 import pytz

 from certbot import errors
@ -21,15 +22,6 @@ except ImportError: # pragma: no cover
    from unittest import mock


-try:
-    # Only cryptography>=2.5 has ocsp module
-    # and signature_hash_algorithm attribute in OCSPResponse class
-    from cryptography.x509 import ocsp as ocsp_lib  # pylint: disable=import-error
-    getattr(ocsp_lib.OCSPResponse, 'signature_hash_algorithm')
-except (ImportError, AttributeError):  # pragma: no cover
-    ocsp_lib = None  # type: ignore
-
-
 out = """Missing = in header key=value
 ocsp: Use -help for summary.
 """
@ -139,8 +131,6 @@ class OCSPTestOpenSSL(unittest.TestCase):
        self.assertEqual(mock_log.info.call_count, 1)


-@unittest.skipIf(not ocsp_lib,
-                 reason='This class tests functionalities available only on cryptography>=2.5.0')
 class OSCPTestCryptography(unittest.TestCase):
    """
    OCSP revokation tests using Cryptography >= 2.4.0
--- a/letstest/scripts/test_sdists.sh
+++ b/letstest/scripts/test_sdists.sh
@ -20,15 +20,6 @@ TEMP_DIR=$(mktemp -d)
 CONSTRAINTS="$TEMP_DIR/constraints.txt"
 cp tools/requirements.txt "$CONSTRAINTS"

-# We pin cryptography to 3.1.1 and pyopenssl to 19.1.0 specifically for CentOS 7 / RHEL 7
-# because these systems ship only with OpenSSL 1.0.2, and this OpenSSL version support has been
-# dropped on cryptography>=3.2 and pyopenssl>=20.0.0.
-# Using this old version of OpenSSL would break the cryptography and pyopenssl wheels builds.
-if [ -f /etc/redhat-release ] && [ "$(. /etc/os-release 2> /dev/null && echo "$VERSION_ID" | cut -d '.' -f1)" -eq 7 ]; then
-  sed -i 's|cryptography==.*|cryptography==3.1.1|g' "$CONSTRAINTS"
-  sed -i 's|pyopenssl==.*|pyopenssl==19.1.0|g' "$CONSTRAINTS"
-fi
-

 PLUGINS="certbot-apache certbot-nginx"
 # build sdists
--- a/tools/oldest_constraints.txt
+++ b/tools/oldest_constraints.txt
@ -17,7 +17,7 @@ colorama==0.4.4; python_version >= "3.6" and python_full_version < "3.0.0" and s
 configargparse==0.10.0
 configobj==5.0.6
 coverage==5.5; python_version >= "3.6" and python_full_version < "3.0.0" or python_full_version >= "3.5.0" and python_version < "4" and python_version >= "3.6"
-cryptography==2.1.4
+cryptography==2.5.0
 cython==0.29.24; (python_version >= "2.6" and python_full_version < "3.0.0") or (python_full_version >= "3.3.0")
 distlib==0.3.2; python_version >= "3.6" and python_full_version < "3.0.0" or python_version >= "3.6" and python_full_version >= "3.5.0"
 distro==1.0.1
--- a/tools/pinning/oldest/pyproject.toml
+++ b/tools/pinning/oldest/pyproject.toml
@ -60,7 +60,7 @@ cffi = "1.9.1"
 chardet = "2.2.1"
 cloudflare = "1.5.1"
 configobj = "5.0.6"
-cryptography = "2.1.4"
+cryptography = "2.5.0"
 distro = "1.0.1"
 dns-lexicon = "3.2.1"
 dnspython = "1.15.0"