fix: replace rsa dependency with cryptography

google/auth/credentials.py

@@ -17,20 +17,22 @@
 
 import abc
 from enum import Enum
+import logging
 import os
 from typing import List
 
 from google.auth import _helpers, environment_vars
 from google.auth import exceptions
 from google.auth import metrics
 from google.auth._credentials_base import _BaseCredentials
-from google.auth._default import _LOGGER
 from google.auth._refresh_worker import RefreshThreadManager
 
 DEFAULT_UNIVERSE_DOMAIN = "googleapis.com"
 NO_OP_TRUST_BOUNDARY_LOCATIONS: List[str] = []
 NO_OP_TRUST_BOUNDARY_ENCODED_LOCATIONS = "0x0"
 
+_LOGGER = logging.getLogger("google.auth._default")
+
 
 class Credentials(_BaseCredentials):
     """Base class for all credentials.

google/auth/crypt/__init__.py

@@ -38,43 +38,31 @@
 """
 
 from google.auth.crypt import base
+from google.auth.crypt import es
+from google.auth.crypt import es256
 from google.auth.crypt import rsa
 
-# google.auth.crypt.es depends on the crytpography module which may not be
-# successfully imported depending on the system.
-try:
-    from google.auth.crypt import es
-    from google.auth.crypt import es256
-except ImportError:  # pragma: NO COVER
-    es = None  # type: ignore
-    es256 = None  # type: ignore
-
-if es is not None and es256 is not None:  # pragma: NO COVER
-    __all__ = [
-        "EsSigner",
-        "EsVerifier",
-        "ES256Signer",
-        "ES256Verifier",
-        "RSASigner",
-        "RSAVerifier",
-        "Signer",
-        "Verifier",
-    ]
-
-    EsSigner = es.EsSigner
-    EsVerifier = es.EsVerifier
-    ES256Signer = es256.ES256Signer
-    ES256Verifier = es256.ES256Verifier
-else:  # pragma: NO COVER
-    __all__ = ["RSASigner", "RSAVerifier", "Signer", "Verifier"]
-
-
 # Aliases to maintain the v1.0.0 interface, as the crypt module was split
 # into submodules.
 Signer = base.Signer
 Verifier = base.Verifier
 RSASigner = rsa.RSASigner
 RSAVerifier = rsa.RSAVerifier
+EsSigner = es.EsSigner
+EsVerifier = es.EsVerifier
+ES256Signer = es256.ES256Signer
+ES256Verifier = es256.ES256Verifier
+
+__all__ = [
+    "EsSigner",
+    "EsVerifier",
+    "ES256Signer",
+    "ES256Verifier",
+    "RSASigner",
+    "RSAVerifier",
+    "Signer",
+    "Verifier",
+]
 
 
 def verify_signature(message, signature, certs, verifier_cls=rsa.RSAVerifier):

google/auth/crypt/_cryptography_rsa.py

@@ -29,22 +29,55 @@
 from google.auth import _helpers
 from google.auth.crypt import base
 
+import warnings
+
+try:
+    # attempt to import deprecated rsa module if available,
+    # for backwards compatibility
+    import rsa
+except ImportError:
+    rsa = None
+
+# Global flag for the module
+_RSA_DEPRECATION_WARNED = False
+
 _CERTIFICATE_MARKER = b"-----BEGIN CERTIFICATE-----"
 _BACKEND = backends.default_backend()
 _PADDING = padding.PKCS1v15()
 _SHA256 = hashes.SHA256()
 
 
+def _warn_rsa_type(key_type):
+    global _RSA_DEPRECATION_WARNED
+    if not _RSA_DEPRECATION_WARNED:
+        deprecation_msg = (
+            "The 'rsa' library is deprecated and unmaintained. Support for "
+            f"{key_type.__module__}.{key_type.__name__} keys will be removed in a future release. Please migrate to "
+            "'cryptography' keys or use the '.from_string()' factory method."
+        )
+        warnings.warn(deprecation_msg, DeprecationWarning, stacklevel=3)
+        _RSA_DEPRECATION_WARNED = True
+
+
 class RSAVerifier(base.Verifier):
     """Verifies RSA cryptographic signatures using public keys.
 
+    Note: rsa.key.PublicKey keys are currently accepted, but the `rsa` library
+    is deprecated. Please migrate to `cryptography` keys or use
+    `.from_string()` instead
+
     Args:
         public_key (
                 cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey):
             The public key used to verify signatures.
     """
 
     def __init__(self, public_key):
+        if rsa is not None and isinstance(public_key, rsa.key.PublicKey):
+            # convert rsa.key.PublicKey to cryptography type
+            _warn_rsa_type(type(public_key))
+            der_bytes = public_key.save_pkcs1(format='DER')
+            public_key = serialization.load_der_public_key(der_bytes)
         self._pubkey = public_key
 
     @_helpers.copy_docstring(base.Verifier)
@@ -66,7 +99,7 @@ def from_string(cls, public_key):
                 x509 public key certificate.
 
         Returns:
-            Verifier: The constructed verifier.
+            google.auth.crypt.base.Verifier: The constructed verifier.
 
         Raises:
             ValueError: If the public key can't be parsed.
@@ -88,6 +121,10 @@ def from_string(cls, public_key):
 class RSASigner(base.Signer, base.FromServiceAccountMixin):
     """Signs messages with an RSA private key.
 
+    Note: rsa.key.PrivateKey keys are currently accepted, but the `rsa` library
+    is deprecated. Please migrate to `cryptography` keys or use
+    `.from_string()` instead
+
     Args:
         private_key (
                 cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey):
@@ -98,6 +135,11 @@ class RSASigner(base.Signer, base.FromServiceAccountMixin):
     """
 
     def __init__(self, private_key, key_id=None):
+        if rsa is not None and isinstance(private_key, rsa.key.PrivateKey):
+            # convert rsa.key.PublicKey to cryptography type
+            _warn_rsa_type(type(private_key))
+            der_bytes = private_key.save_pkcs1(format='DER')
+            private_key = serialization.load_der_private_key(der_bytes, password=None)
         self._key = private_key
         self._key_id = key_id
 

google/auth/crypt/es.py

@@ -110,7 +110,7 @@ def from_string(cls, public_key: Union[str, bytes]) -> "EsVerifier":
                 x509 public key certificate.
 
         Returns:
-            Verifier: The constructed verifier.
+            google.auth.crypt.base.Verifier: The constructed verifier.
 
         Raises:
             ValueError: If the public key can't be parsed.

google/auth/crypt/rsa.py

@@ -14,17 +14,7 @@
 
 """RSA cryptography signer and verifier."""
 
+from google.auth.crypt import _cryptography_rsa
 
-try:
-    # Prefer cryptograph-based RSA implementation.
-    from google.auth.crypt import _cryptography_rsa
-
-    RSASigner = _cryptography_rsa.RSASigner
-    RSAVerifier = _cryptography_rsa.RSAVerifier
-except ImportError:  # pragma: NO COVER
-    # Fallback to pure-python RSA implementation if cryptography is
-    # unavailable.
-    from google.auth.crypt import _python_rsa
-
-    RSASigner = _python_rsa.RSASigner  # type: ignore
-    RSAVerifier = _python_rsa.RSAVerifier  # type: ignore
+RSASigner = _cryptography_rsa.RSASigner
+RSAVerifier = _cryptography_rsa.RSAVerifier