Hi,
Just some side notes from my side for the cryptography bump, as this came up recently in a discussion with our downstream team as well.
There is a patch that tries to bump it in the requirements repo:
https://review.opendev.org/c/openstack/requirements/+/958191

I tried to add my findings as comments; as I remember, the bottleneck is now in pysaml2, which depends on pyOpenSSL
(and on cryptography in the end), and there is no new release of pysaml2 that bumps these dependencies.
There is a PR for pysaml2 to replace pyOpenSSL with cryptography, which would be good (at least for bumping the versions) for us:
https://github.com/IdentityPython/pysaml2/pull/977

Best wishes
Lajos Katona (lajoskatona)

melanie witt <melwittt@gmail.com> wrote (on 10 Oct 2025, Fri, 2:48):
On 10/9/25 16:31, Ivan Marton wrote:
>
> [...]
>
> It seems to me that the underlying cryptography module does support
> these public keys since
> https://github.com/pyca/cryptography/commit/51a6dd28ccbb7587fff9e951299b17aac39ee5cc.
> That commit appeared in version 43.0.0 first. (In 2.7 that I see in
> https://github.com/openstack/nova/blob/076498ed95958a5d6ccb784f3d336657584bc63a/requirements.txt#L13
> this was still not there. 2.7 was released on May 31, 2019, while 43.0.0
> on Jul 20, 2024.)
>
> Is there a chance to have that dependency bumped up to some newer
> version?

You and Clark are correct: whether or not Nova supports the key types
depends only on the version of the Python 'cryptography' library
installed, as Nova does not deal with the key types directly.

IMO we could bump the required version for release versions circa 2024
and newer, as long as 43.0.0 is available for install in the common
distros of the time.

That said, the version in the requirements.txt represents the minimum
version needed to use Nova in general, as using newer key types is not
strictly "required".

What really matters is the version indicated in the
upper-constraints.txt [1] for the given Nova release. The version on the
master branch allows up to version 43.0.3 as of today. This version is
also shown as the upper bound for OpenStack versions 2025.2 and 2025.1.
Generally upper bound versions are selected within the range of the
common distros package versions at the time of that OpenStack release.

Note that I don't think you actually have to adhere to
upper-constraints.txt either in your environment depending on how you
deploy.

If you are able to install cryptography 43.0.0 in your environment, you
should automatically get Nova working with it (after service restart).

This was my experience anyway in the past with
https://bugs.launchpad.net/nova/+bug/1555521.

-melwitt

[1]
https://opendev.org/openstack/requirements/src/commit/af5fa8a98f1f093d01d87f8e57579e14e7ca5f61/upper-constraints.txt#L187
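As an added illustration of the point made above (that requirements.txt gives only a floor, upper-constraints.txt gives the pin actually tested, and the feature needs its own introduction version), the script below checks an installed `cryptography` against all three. It is example code written for this page, not code from the thread, from Nova, or from the OpenStack requirements tooling. The two sample lines are constructed (modelled on the files linked in the thread), the 43.0.0 feature threshold is the version Ivan and Melanie cite, and the function names (`parse_requirement`, `satisfies`, `assess`) are hypothetical. It handles only plain dotted numeric versions and simple operators, not full PEP 440 (no pre-releases, no `~=`).

```python
"""Added example: relate an installed 'cryptography' version to a
requirements.txt floor, an upper-constraints.txt pin, and the version in
which a feature first appeared. Not full PEP 440 (no pre-releases, no '~=')."""
import importlib.metadata
import re

# Constructed sample lines modelled on the files mentioned in the thread.
REQUIREMENTS_LINE = "cryptography>=2.7  # BSD/Apache-2.0"
UPPER_CONSTRAINT_LINE = "cryptography===43.0.3"
# The thread states the key-type support first appeared in cryptography 43.0.0.
FEATURE_MIN = (43, 0, 0)

_SPEC_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(===|==|!=|>=|<=|>|<)\s*([0-9][0-9A-Za-z.]*)$"
)


def parse_version(text):
    """'43.0.3' -> (43, 0, 3). Stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def parse_requirement(line):
    """Parse 'name op version' from a requirements/constraints line.

    Trailing '# ...' comments are dropped. Returns (name, op, version_tuple).
    """
    bare = line.split("#", 1)[0].strip()
    m = _SPEC_RE.match(bare)
    if not m:
        raise ValueError(f"unsupported requirement line: {line!r}")
    name, op, version = m.groups()
    return name.lower(), op, parse_version(version)


def _padded(a, b):
    """Right-pad the shorter tuple with zeros so (2, 7) compares equal to (2, 7, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(installed, op, wanted):
    """Evaluate 'installed <op> wanted' on version tuples."""
    a, b = _padded(installed, wanted)
    if op in ("==", "==="):
        return a == b
    if op == "!=":
        return a != b
    if op == ">=":
        return a >= b
    if op == "<=":
        return a <= b
    if op == ">":
        return a > b
    if op == "<":
        return a < b
    raise ValueError(f"unsupported operator: {op}")


def assess(installed_version_text,
           requirement_line=REQUIREMENTS_LINE,
           constraint_line=UPPER_CONSTRAINT_LINE,
           feature_min=FEATURE_MIN):
    """Report how an installed version relates to the three bounds.

    meets_minimum     - satisfies the requirements.txt floor
    within_constraint - satisfies the upper-constraints.txt pin
    has_feature       - at least the version in which the feature landed
    """
    installed = parse_version(installed_version_text)
    req_name, req_op, req_ver = parse_requirement(requirement_line)
    con_name, con_op, con_ver = parse_requirement(constraint_line)
    if req_name != con_name:
        raise ValueError("requirement and constraint name different packages")
    return {
        "meets_minimum": satisfies(installed, req_op, req_ver),
        "within_constraint": satisfies(installed, con_op, con_ver),
        "has_feature": satisfies(installed, ">=", feature_min),
    }


def installed_cryptography_version():
    """Version of the cryptography package in this environment, or None."""
    try:
        return importlib.metadata.version("cryptography")
    except importlib.metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    current = installed_cryptography_version()
    if current is None:
        print("cryptography is not installed in this environment")
    else:
        print(f"cryptography {current}: {assess(current)}")
```

Run as a script it reports on the environment it runs in; called as `assess("2.7")` it shows the case from the thread, where the floor is met but the pinned version and the feature are not. A version newer than the pin (for example 44.0.0) passes the floor and the feature check but fails `within_constraint`, which is exactly the situation Melanie describes when a deployment does not follow upper-constraints.txt.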