Remove Dependency on Cryptography >=36.0.0

The mTLS OAuth2.0 in Keystone uses a parameter that is only availble on cryptography 36.0.0 or later. Users may have to upgrade cryptography which is already installed, which can be unreasonably hassle. This patch introduces an alternative for that parameter. [1] https://cryptography.io/en/latest/changelog/#v36-0-0 Closes-bug: 2009600 Change-Id: Idffe269b62797bb2935429f4069e878a177db04f
2023-03-17 23:16:04 +09:00 · 2023-03-17 23:16:04 +09:00 · f5db9801c2
parent c08d97672d
commit f5db9801c2
1 changed files with 6 additions and 4 deletions
--- a/keystone/common/utils.py
+++ b/keystone/common/utils.py
@ -479,8 +479,9 @@ def get_certificate_subject_dn(cert_pem):
    try:
        cert = x509.load_pem_x509_certificate(cert_pem.encode('utf-8'))
        for item in cert.subject:
-            name, value = item.rfc4514_string(
-                attr_name_overrides=ATTR_NAME_OVERRIDES).split('=')
+            name, value = item.rfc4514_string().split('=')
+            if item.oid in ATTR_NAME_OVERRIDES:
+                name = ATTR_NAME_OVERRIDES[item.oid]
            dn_dict[name] = value
    except Exception as error:
        LOG.exception(error)
@ -501,8 +502,9 @@ def get_certificate_issuer_dn(cert_pem):
    try:
        cert = x509.load_pem_x509_certificate(cert_pem.encode('utf-8'))
        for item in cert.issuer:
-            name, value = item.rfc4514_string(
-                attr_name_overrides=ATTR_NAME_OVERRIDES).split('=')
+            name, value = item.rfc4514_string().split('=')
+            if item.oid in ATTR_NAME_OVERRIDES:
+                name = ATTR_NAME_OVERRIDES[item.oid]
            dn_dict[name] = value
    except Exception as error:
        LOG.exception(error)