Skip to content

feat: add cryptography as required dependency #1929

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
daniel-sanche merged 53 commits into from
Jan 16, 2026
Merged

feat: add cryptography as required dependency #1929

daniel-sanche merged 53 commits into from
Jan 16, 2026

Conversation

@daniel-sanche
Copy link
Collaborator

@daniel-sanche daniel-sanche commented Jan 12, 2026
edited by parthea
Loading

The rsa library has been deprecated and archived. This PR adds cryptography as a the new preferred backend for RSA operations

In the short term, both rsa and cryptography will be listed as dependencies. Soon, rsa will be removed, but still supported as an optional dependency. Eventually, it will be completely removed from the codebase.

As a part of this change, I introduced new RSASigner and RSAVerifier wrapper classes, that can use either cryptography or rsa implementations. Previously, the library would only import one or the other, depending on if cryptography was installed. This simplifies the import structure, and puts rsa and cryptography on equal footing

Fixes #912
Towards #1810
Towards #941

daniel-sanche and others added 30 commits January 8, 2026 16:05
@daniel-sanche
added warning
f357187
@daniel-sanche
added posargs to unit test nox command
575113c
@daniel-sanche
added test
bef613a
@daniel-sanche
add rsa extra
15e6e7b
@daniel-sanche
updated warning
7715f92
@daniel-sanche
added TODO
ddacaf2
@daniel-sanche
added docstring warnings
5573db6
@daniel-sanche
remove extra dependency
07a4f22
@daniel-sanche
Merge branch 'main' into warn_rsa
6890572
@daniel-sanche
added default rsa classes
c2ceeb4
@daniel-sanche
added shared wrapper class for RSASigner and RSAVerifier
d1b3fb6
@daniel-sanche
changed warning type
ad651ed
@daniel-sanche
added deprecation notices to docstrings
540f260
@daniel-sanche
Merge branch 'warn_rsa' into remove_rsa_2
a4830fa
@daniel-sanche
moved warning
68410f1
@daniel-sanche
fixed warning type in tests
f89e444
@daniel-sanche
remove rsa as required dependency
fd429f3
@daniel-sanche
fixed errors
fd1ae50
@daniel-sanche
added custom exception
0895998
@daniel-sanche
ran blacken
69bae96
@daniel-sanche
added new test file
a803198
@daniel-sanche
added test file
716bec3
@daniel-sanche
fixed bugs in implementation
6191d3b
@daniel-sanche
InvalidValue -> ValueError
b7c270b
@daniel-sanche
clean up tests
a1e0389
@daniel-sanche
finished tests
6b17faa
@daniel-sanche
added e2e tests
e88fc1c
@daniel-sanche
added warning tests
d7a3b23
@daniel-sanche
added unit tests
d0f1747
@daniel-sanche
fixed lint
db7037c
@daniel-sanche daniel-sanche mentioned this pull request Jan 13, 2026
Closed
@daniel-sanche daniel-sanche changed the title [DRAFT] feat: add cryptography as required dependency feat: add cryptography as required dependency Jan 13, 2026
@daniel-sanche daniel-sanche mentioned this pull request Jan 13, 2026
Draft
@daniel-sanche daniel-sanche marked this pull request as ready for review January 13, 2026 19:24
@daniel-sanche daniel-sanche requested review from a team as code owners January 13, 2026 19:24
@parthea
Copy link
Contributor

parthea commented Jan 14, 2026

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request successfully transitions the library to use cryptography as a required dependency for RSA operations, moving away from the deprecated rsa library. The introduction of RSASigner and RSAVerifier wrapper classes is a clean approach to maintain backward compatibility while encouraging migration. The dependency updates and test modifications are all well-executed. I have a couple of minor suggestions to improve the docstrings in the new wrapper classes, which will enhance documentation clarity and prevent potential issues with tooling.

parthea
parthea reviewed Jan 14, 2026
View reviewed changes
@parthea parthea assigned parthea and chalmerlowe and unassigned daniel-sanche Jan 15, 2026
parthea
parthea reviewed Jan 15, 2026
View reviewed changes
setup.py
# TODO(https://github.com/googleapis/google-auth-library-python/issues/1665): Remove the pinned version of pyopenssl
# once `TestDecryptPrivateKey::test_success` is updated to remove the deprecated `OpenSSL.crypto.sign` and
# `OpenSSL.crypto.verify` methods. See: https://www.pyopenssl.org/en/latest/changelog.html#id3.
"pyopenssl < 24.3.0",
Copy link
Contributor

@parthea parthea Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

non-blocking: For testing, we're using pyopenssl < 24.3.0, we should revisit this in the future so that we're able to test the latest version of pyopenssl. Same with aiohttp below

@daniel-sanche daniel-sanche merged commit 52558ae into main Jan 16, 2026
24 checks passed
@daniel-sanche daniel-sanche deleted the add_cryptography_dependency branch January 16, 2026 18:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@parthea parthea parthea approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@parthea parthea

@chalmerlowe chalmerlowe

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Push cryptography more strongly

3 participants

@daniel-sanche @parthea @chalmerlowe