From 8dfec28647f7c17e47fbfc96a1720dcde1592386 Mon Sep 17 00:00:00 2001
From: Stanislav Levin
Date: Mon, 2 Dec 2024 15:04:30 +0300
Subject: [PATCH] pyca: adapt import paths for TripleDES cipher
https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.TripleDES
> This algorithm has been deprecated and moved to the Decrepit cryptography module. If you need to continue using it then update your code to use the new module path. It will be removed from this namespace in 48.0.0.
Fixes: https://pagure.io/freeipa/issue/9708
Signed-off-by: Stanislav Levin
Reviewed-By: Florence Blanc-Renaud
---
 ipaclient/plugins/vault.py | 8 +++++++-
 ipalib/constants.py | 24 +++++++++++-------------
 ipaserver/install/ipa_otptoken_import.py | 8 +++++++-
 3 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 75415c03a57242ae674636fa31a72db2fa56d6ea..6af7297936924dfb80e7f79924b570421da65c97 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -34,6 +34,12 @@ from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+try:
+ # cryptography>=43.0.0
+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
+except ImportError:
+ # will be removed from this module in cryptography 48.0.0
+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
 from cryptography.hazmat.primitives.padding import PKCS7
 from cryptography.hazmat.primitives.serialization import (
 load_pem_public_key, load_pem_private_key)
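Review bot: This try/except import of `TripleDES` is pasted unchanged into three modules (this import hunk, plus the import hunks of `ipalib/constants.py` and `ipaserver/install/ipa_otptoken_import.py`), so the later cleanup or any change to the fallback has to be repeated in each file. Keeping the block in one module and importing the name from there would leave a single place to audit for the deprecated cipher. In the fallback branch, "this module" reads as the file being patched rather than the library path; `# cryptography<43.0.0: old path, dropped in cryptography 48.0.0` would be clearer.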
@@ -661,7 +667,7 @@ class ModVaultData(Local):
 if name == constants.VAULT_WRAPPING_AES128_CBC:
 return algorithms.AES(os.urandom(128 // 8))
 elif name == constants.VAULT_WRAPPING_3DES:
- return algorithms.TripleDES(os.urandom(196 // 8))
+ return TripleDES(os.urandom(196 // 8))
 else:
 # unreachable
 raise ValueError(name)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index b657e5a9065d115d0eff2dbfffff49e992006536..c90caa22149ec3d93d45fcb5480f7401e4555799 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -25,20 +25,19 @@ All constants centralised in one file.
 import os
 import string
 import uuid
-import warnings
-
-warnings.filterwarnings(
- "ignore",
- "TripleDES has been moved to "
- "cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and "
- "will be removed from this module in 48.0.0",
- category=UserWarning)
 from ipaplatform.constants import constants as _constants
 from ipapython.dn import DN
 from ipapython.fqdn import gethostfqdn
 from ipapython.version import VERSION, API_VERSION
-from cryptography.hazmat.primitives.ciphers import algorithms, modes
+from cryptography.hazmat.primitives.ciphers import modes
+try:
+ # cryptography>=43.0.0
+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
+except ImportError:
+ # will be removed from this module in cryptography 48.0.0
+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
+
 from cryptography.hazmat.backends.openssl.backend import backend
@@ -389,7 +388,6 @@ VAULT_WRAPPING_SUPPORTED_ALGOS = (
 VAULT_WRAPPING_DEFAULT_ALGO = VAULT_WRAPPING_AES128_CBC
 # Add 3DES for backwards compatibility if supported
-if getattr(algorithms, 'TripleDES', None):
- if backend.cipher_supported(algorithms.TripleDES(
- b"\x00" * 8), modes.CBC(b"\x00" * 8)):
- VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
+if backend.cipher_supported(TripleDES(
+ b"\x00" * 8), modes.CBC(b"\x00" * 8)):
+ VAULT_WRAPPING_SUPPORTED_ALGOS += (VAULT_WRAPPING_3DES,)
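Review bot: The 3DES key length on the changed line is written as `196 // 8`, which yields the intended 24 bytes only because floor division discards the remainder; a three-key 3DES key is 192 bits. Since the line is being touched anyway, `return TripleDES(os.urandom(192 // 8))` would state the size that is actually generated. The enclosing method of `ModVaultData` starts and ends outside the hunk, so the callers of this branch are not visible here.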
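Review bot: Dropping the `getattr(algorithms, 'TripleDES', None)` guard in the last `ipalib/constants.py` hunk changes the failure mode when the class is unavailable. The old code skipped 3DES and left the AES entry in place, whereas now a failing fallback import in the import hunk raises ImportError and the constants module cannot be loaded at all. With the library versions named in the comments one of the two paths should resolve, so this is a robustness point, not a present breakage. If degrading to AES-only is still the intent of the "if supported" comment, the second import could sit in its own try/except that sets `TripleDES = None`, with the probe becoming `if TripleDES is not None and backend.cipher_supported(TripleDES(`. The other two patched files import the class the same way and would need the same decision.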
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index 279a7502d2f305309252b3b291e32b772a51a1d3..17457f6c5b81ab70a0ecee13bf744e242ec88ff0 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -37,6 +37,12 @@ from cryptography.hazmat.primitives import hashes, hmac
 from cryptography.hazmat.primitives.padding import PKCS7
 from cryptography.hazmat.primitives.kdf import pbkdf2
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+try:
+ # cryptography>=43.0.0
+ from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
+except ImportError:
+ # will be removed from this module in cryptography 48.0.0
+ from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
 from cryptography.hazmat.backends import default_backend
 from ipaplatform.paths import paths
@@ -169,7 +175,7 @@ def convertAlgorithm(value):
 # in the list of the vault wrapping algorithms, we cannot use 3DES anywhere
 if VAULT_WRAPPING_3DES in VAULT_WRAPPING_SUPPORTED_ALGOS:
 supported_algs["http://www.w3.org/2001/04/xmlenc#tripledes-cbc"] = (
- algorithms.TripleDES, modes.CBC, 64)
+ TripleDES, modes.CBC, 64)
 return supported_algs.get(value.lower(), (None, None, None))
--
2.47.1