Fix errors caused by cryptography>=35.0.0

- _OID_NAMES was moved to a different module by [1].
- default_backend() is silently ignored, so should be dropped[2].
- The new Rust backend does not accept mocked private keys
  which caused failures with invalid private keys for tests.

[1]: pyca/cryptography@7b56349
[2]: https://cryptography.io/en/latest/faq/#faq-missing-backend

Change-Id: I44407703fbcf2da97c29a28043520c781ef4c3b2

Author: kajinamit

magnum/common/x509/operations.py

@@ -16,7 +16,6 @@
 import six
 import uuid
 
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
@@ -112,8 +111,7 @@ def _generate_certificate(issuer_name, subject_name, extensions,
 
     private_key = rsa.generate_private_key(
         public_exponent=65537,
-        key_size=CONF.x509.rsa_key_size,
-        backend=default_backend()
+        key_size=CONF.x509.rsa_key_size
     )
 
     # subject name is set as common name
@@ -132,7 +130,7 @@ def _generate_certificate(issuer_name, subject_name, extensions,
         ca_key = private_key
         ca_key_password = encryption_password
 
-    csr = csr.sign(private_key, hashes.SHA256(), default_backend())
+    csr = csr.sign(private_key, hashes.SHA256())
 
     if six.PY3 and isinstance(encryption_password, six.text_type):
         encryption_password = encryption_password.encode()
@@ -170,8 +168,7 @@ def _load_pem_private_key(ca_key, ca_key_password=None):
 
         ca_key = serialization.load_pem_private_key(
             ca_key,
-            password=ca_key_password,
-            backend=default_backend()
+            password=ca_key_password
         )
 
     return ca_key
@@ -198,7 +195,7 @@ def sign(csr, issuer_name, ca_key, ca_key_password=None,
         csr = six.b(str(csr))
     if not isinstance(csr, x509.CertificateSigningRequest):
         try:
-            csr = x509.load_pem_x509_csr(csr, backend=default_backend())
+            csr = x509.load_pem_x509_csr(csr)
         except ValueError:
             LOG.exception("Received invalid csr %s.", csr)
             raise exception.InvalidCsr(csr=csr)
@@ -229,7 +226,6 @@ def sign(csr, issuer_name, ca_key, ca_key_password=None,
 
     certificate = builder.sign(
         private_key=ca_key, algorithm=hashes.SHA256(),
-        backend=default_backend()
     ).public_bytes(serialization.Encoding.PEM).strip()
 
     return certificate
@@ -239,14 +235,14 @@ def generate_csr_and_key(common_name):
     """Return a dict with a new csr, public key and private key."""
     private_key = rsa.generate_private_key(
         public_exponent=65537,
-        key_size=2048,
-        backend=default_backend())
+        key_size=2048
+    )
 
     public_key = private_key.public_key()
 
     csr = x509.CertificateSigningRequestBuilder().subject_name(x509.Name([
         x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, common_name),
-    ])).sign(private_key, hashes.SHA256(), default_backend())
+    ])).sign(private_key, hashes.SHA256())
 
     result = {
         'csr': csr.public_bytes(

magnum/common/x509/validator.py

@@ -18,6 +18,12 @@
 from magnum.common.x509 import extensions
 import magnum.conf
 
+try:
+    # for cryptography >= 35.0.0
+    from cryptography.hazmat._oid import _OID_NAMES as OID_NAMES
+except ImportError:
+    from cryptography.x509.oid import _OID_NAMES as OID_NAMES
+
 _CA_KEY_USAGES = [
     extensions.KeyUsages.KEY_CERT_SIGN.value[0],
     extensions.KeyUsages.CRL_SIGN.value[0]
@@ -50,7 +56,7 @@ def filter_allowed_extensions(extensions, allowed_extensions=None):
     allowed_extensions = allowed_extensions or []
 
     for ext in extensions:
-        ext_name = x509.oid._OID_NAMES.get(ext.oid, None)
+        ext_name = OID_NAMES.get(ext.oid, None)
         if ext_name in allowed_extensions:
             yield ext
         else:

magnum/tests/unit/common/x509/test_operations.py

@@ -25,10 +25,9 @@ def setUp(self):
         super(TestX509Operations, self).setUp()
 
     @mock.patch.object(serialization, 'NoEncryption')
-    @mock.patch.object(operations, 'default_backend')
     @mock.patch.object(operations, '_load_pem_private_key')
     def test_decrypt_key(self, mock_load_pem_private_key,
-                         mock_default_backend, mock_no_encryption_class):
+                         mock_no_encryption_class):
         mock_private_key = mock.MagicMock()
         mock_load_pem_private_key.return_value = mock_private_key
         mock_private_key.private_bytes.return_value = mock.sentinel.decrypted
@@ -45,11 +44,7 @@ def test_decrypt_key(self, mock_load_pem_private_key,
         )
         self.assertEqual(mock.sentinel.decrypted, actual_decrypted)
 
-    @mock.patch.object(operations, 'default_backend')
-    @mock.patch.object(rsa, 'generate_private_key')
-    def test_generate_csr_and_key(self, mock_generate_private_key,
-                                  mock_default_backend):
-        mock_generate_private_key.return_value = mock.MagicMock()
+    def test_generate_csr_and_key(self):
         csr_keys = operations.generate_csr_and_key(u"Test")
         self.assertIsNotNone(csr_keys)
         self.assertTrue("public_key" in csr_keys)

magnum/tests/unit/common/x509/test_sign.py

@@ -12,7 +12,6 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
@@ -40,11 +39,10 @@ def setUp(self):
     def _load_pems(self, keypairs, encryption_password):
         private_key = serialization.load_pem_private_key(
             keypairs['private_key'],
-            password=encryption_password,
-            backend=default_backend(),
+            password=encryption_password
         )
         certificate = c_x509.load_pem_x509_certificate(
-            keypairs['certificate'], default_backend())
+            keypairs['certificate'])
 
         return certificate, private_key
 
@@ -85,8 +83,7 @@ def _private_bytes(self, private_key):
     def _generate_private_key(self):
         return rsa.generate_private_key(
             public_exponent=65537,
-            key_size=2048,
-            backend=default_backend()
+            key_size=2048
         )
 
     def _build_csr(self, private_key):
@@ -95,7 +92,7 @@ def _build_csr(self, private_key):
             c_x509.NameAttribute(NameOID.COMMON_NAME, self.subject_name)
         ]))
 
-        return csr.sign(private_key, hashes.SHA256(), default_backend())
+        return csr.sign(private_key, hashes.SHA256())
 
     def assertHasPublicKey(self, keypairs):
         key = keypairs[1]