Stop passing backend to cryptography (#1094)

alex · web-flow · commit 7dbafff8e918 · 2022-02-13T08:44:34.000-10:00
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
@@ -79,19 +79,6 @@ class Error(Exception):
 _openssl_assert = _make_assert(Error)
 
 
-def _get_backend():
-    """
-    Importing the backend from cryptography has the side effect of activating
-    the osrandom engine. This mutates the global state of OpenSSL in the
-    process and causes issues for various programs that use subinterpreters or
-    embed Python. By putting the import in this function we can avoid
-    triggering this side effect unless _get_backend is called.
-    """
-    from cryptography.hazmat.backends.openssl.backend import backend
-
-    return backend
-
-
 def _untested_error(where):
     """
     An OpenSSL API failed somehow.  Additionally, the failure which was
@@ -241,13 +228,12 @@ def to_cryptography_key(self):
             load_der_public_key,
         )
 
-        backend = _get_backend()
         if self._only_public:
             der = dump_publickey(FILETYPE_ASN1, self)
-            return load_der_public_key(der, backend)
+            return load_der_public_key(der)
         else:
             der = dump_privatekey(FILETYPE_ASN1, self)
-            return load_der_private_key(der, None, backend)
+            return load_der_private_key(der, None)
 
     @classmethod
     def from_cryptography_key(cls, crypto_key):
@@ -897,8 +883,7 @@ def to_cryptography(self):
 
         der = dump_certificate_request(FILETYPE_ASN1, self)
 
-        backend = _get_backend()
-        return load_der_x509_csr(der, backend)
+        return load_der_x509_csr(der)
 
     @classmethod
     def from_cryptography(cls, crypto_req):
@@ -1118,8 +1103,7 @@ def to_cryptography(self):
         from cryptography.x509 import load_der_x509_certificate
 
         der = dump_certificate(FILETYPE_ASN1, self)
-        backend = _get_backend()
-        return load_der_x509_certificate(der, backend)
+        return load_der_x509_certificate(der)
 
     @classmethod
     def from_cryptography(cls, crypto_cert):
@@ -2267,9 +2251,7 @@ def to_cryptography(self):
         from cryptography.x509 import load_der_x509_crl
 
         der = dump_crl(FILETYPE_ASN1, self)
-
-        backend = _get_backend()
-        return load_der_x509_crl(der, backend)
+        return load_der_x509_crl(der)
 
     @classmethod
     def from_cryptography(cls, crypto_crl):
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
@@ -15,7 +15,6 @@
 import pytest
 
 from cryptography import x509
-from cryptography.hazmat.backends.openssl.backend import backend
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 
@@ -1017,9 +1016,7 @@ def test_convert_from_cryptography_private_key(self):
         """
         PKey.from_cryptography_key creates a proper private PKey.
         """
-        key = serialization.load_pem_private_key(
-            intermediate_key_pem, None, backend
-        )
+        key = serialization.load_pem_private_key(intermediate_key_pem, None)
         pkey = PKey.from_cryptography_key(key)
 
         assert isinstance(pkey, PKey)
@@ -1031,7 +1028,7 @@ def test_convert_from_cryptography_public_key(self):
         """
         PKey.from_cryptography_key creates a proper public PKey.
         """
-        key = serialization.load_pem_public_key(cleartextPublicKeyPEM, backend)
+        key = serialization.load_pem_public_key(cleartextPublicKeyPEM)
         pkey = PKey.from_cryptography_key(key)
 
         assert isinstance(pkey, PKey)
@@ -1043,9 +1040,7 @@ def test_convert_from_cryptography_unsupported_type(self):
         """
         PKey.from_cryptography_key raises TypeError with an unsupported type.
         """
-        key = serialization.load_pem_private_key(
-            ec_private_key_pem, None, backend
-        )
+        key = serialization.load_pem_private_key(ec_private_key_pem, None)
         with pytest.raises(TypeError):
             PKey.from_cryptography_key(key)
 
@@ -1699,9 +1694,7 @@ def test_verify_success(self):
         assert request.verify(pkey)
 
     def test_convert_from_cryptography(self):
-        crypto_req = x509.load_pem_x509_csr(
-            cleartextCertificateRequestPEM, backend
-        )
+        crypto_req = x509.load_pem_x509_csr(cleartextCertificateRequestPEM)
         req = X509Req.from_cryptography(crypto_req)
         assert isinstance(req, X509Req)
 
@@ -2217,9 +2210,7 @@ def test_sign_bad_pubkey_type(self):
             cert.sign(object(), b"sha256")
 
     def test_convert_from_cryptography(self):
-        crypto_cert = x509.load_pem_x509_certificate(
-            intermediate_cert_pem, backend
-        )
+        crypto_cert = x509.load_pem_x509_certificate(intermediate_cert_pem)
         cert = X509.from_cryptography(crypto_cert)
 
         assert isinstance(cert, X509)
@@ -3561,7 +3552,7 @@ def test_export_pem(self):
         dumped_crl = self._get_crl().export(
             self.cert, self.pkey, days=20, digest=b"sha256"
         )
-        crl = x509.load_pem_x509_crl(dumped_crl, backend)
+        crl = x509.load_pem_x509_crl(dumped_crl)
         revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
         assert revoked is not None
         assert crl.issuer == x509.Name(
@@ -3588,7 +3579,7 @@ def test_export_der(self):
         dumped_crl = self._get_crl().export(
             self.cert, self.pkey, FILETYPE_ASN1, digest=b"sha256"
         )
-        crl = x509.load_der_x509_crl(dumped_crl, backend)
+        crl = x509.load_der_x509_crl(dumped_crl)
         revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
         assert revoked is not None
         assert crl.issuer == x509.Name(
@@ -3857,7 +3848,7 @@ def test_verify_with_missing_crl(self):
         assert err.value.certificate.get_subject().CN == "intermediate-service"
 
     def test_convert_from_cryptography(self):
-        crypto_crl = x509.load_pem_x509_crl(crlData, backend)
+        crypto_crl = x509.load_pem_x509_crl(crlData)
         crl = CRL.from_cryptography(crypto_crl)
         assert isinstance(crl, CRL)
 
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
@@ -40,7 +40,6 @@
 from pretend import raiser
 
 from cryptography import x509
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
@@ -447,9 +446,7 @@ def ca_file(tmpdir):
     """
     Create a valid PEM file with CA certificates and return the path.
     """
-    key = rsa.generate_private_key(
-        public_exponent=65537, key_size=2048, backend=default_backend()
-    )
+    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
     public_key = key.public_key()
 
     builder = x509.CertificateBuilder()
@@ -469,9 +466,7 @@ def ca_file(tmpdir):
         critical=True,
     )
 
-    certificate = builder.sign(
-        private_key=key, algorithm=hashes.SHA256(), backend=default_backend()
-    )
+    certificate = builder.sign(private_key=key, algorithm=hashes.SHA256())
 
     ca_file = tmpdir.join("test.pem")
     ca_file.write_binary(
