cryptography 42 and later compatibility

Signed-off-by: Mikael Arguedas <mikael.arguedas@gmail.com>

Author: mikaelarguedas

sros2/package.xml

@@ -15,6 +15,7 @@
   <exec_depend>python3-cryptography</exec_depend>
   <exec_depend>python3-importlib-resources</exec_depend>
   <exec_depend>python3-lxml</exec_depend>
+  <exec_depend>python3-semver</exec_depend>
   <exec_depend>rclpy</exec_depend>
   <exec_depend>ros2cli</exec_depend>
 

sros2/sros2/_utilities.py

@@ -17,12 +17,15 @@
 import os
 import pathlib
 
+import cryptography
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend as cryptography_backend
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ec
 
+import semver
+
 import sros2.errors
 
 _DOMAIN_ID_ENV = 'ROS_DOMAIN_ID'
@@ -38,6 +41,10 @@ def create_symlink(*, src: pathlib.Path, dst: pathlib.Path):
     os.symlink(src, dst)
 
 
+def cryptography_version() -> semver.VersionInfo:
+    return semver.parse_version_info(cryptography.__version__)
+
+
 def domain_id() -> str:
     return os.getenv(_DOMAIN_ID_ENV, '0')
 

sros2/sros2/keystore/_permission.py

@@ -76,15 +76,20 @@ def create_permission_file(path: pathlib.Path, domain_id, policy_element) -> Non
 
     cert_path = path.parent.joinpath('cert.pem')
     cert_content = _utilities.load_cert(cert_path)
-    # TODO replace "not_valid_before"/"not_valid_after" functions by
-    # "not_valid_before_utc"/"not_valid_after_utc"
-    # once cryptography 42 is supported on all target platforms
-    kwargs['not_valid_before'] = etree.XSLT.strparam(
-        cert_content.not_valid_before.replace(tzinfo=datetime.timezone.utc).isoformat()
-    )
-    kwargs['not_valid_after'] = etree.XSLT.strparam(
-        cert_content.not_valid_after.replace(tzinfo=datetime.timezone.utc).isoformat()
-    )
+    if _utilities.cryptography_version().major >= 42:
+        kwargs['not_valid_before'] = etree.XSLT.strparam(
+            cert_content.not_valid_before_utc
+        )
+        kwargs['not_valid_after'] = etree.XSLT.strparam(
+            cert_content.not_valid_after_utc
+        )
+    else:
+        kwargs['not_valid_before'] = etree.XSLT.strparam(
+            cert_content.not_valid_before.replace(tzinfo=datetime.timezone.utc).isoformat()
+        )
+        kwargs['not_valid_after'] = etree.XSLT.strparam(
+            cert_content.not_valid_after.replace(tzinfo=datetime.timezone.utc).isoformat()
+        )
 
     if get_rmw_implementation_identifier() in _RMW_WITH_ROS_GRAPH_INFO_TOPIC:
         kwargs['allow_ros_discovery_topic'] = etree.XSLT.strparam('1')

sros2/test/sros2/commands/security/verbs/test_create_enclave.py

@@ -124,15 +124,19 @@ def test_cert_pem(enclave_keys_dir):
     # Verify the cert is valid for the expected timespan
     utcnow = datetime.datetime.now(datetime.timezone.utc)
 
-    # TODO replace "not_valid_before"/"not_valid_after" functions by
-    # "not_valid_before_utc"/"not_valid_after_utc"
-    # once cryptography 42 is supported on all target platforms
+    if _utilities.cryptography_version().major >= 42:
+        cert_not_valid_before_value = cert.not_valid_before_utc
+        cert_not_valid_after_value = cert.not_valid_after_utc
+    else:
+        cert_not_valid_before_value = cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
+        cert_not_valid_after_value = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
+
     assert _datetimes_are_close(
-        cert.not_valid_before.replace(tzinfo=datetime.timezone.utc),
+        cert_not_valid_before_value,
         utcnow
     )
     assert _datetimes_are_close(
-        cert.not_valid_after.replace(tzinfo=datetime.timezone.utc),
+        cert_not_valid_after_value,
         utcnow + datetime.timedelta(days=3650)
     )