fix: remove backend parameter, it is deprecated

Author: lepture

src/joserfc/_rfc7517/pem.py

@@ -16,38 +16,37 @@
     BestAvailableEncryption,
     NoEncryption,
 )
-from cryptography.hazmat.backends import default_backend
 from .models import NativeKeyBinding, GenericKey
 from .types import DictKey
 from ..errors import InvalidKeyTypeError
 from ..util import to_bytes
 
 
 def import_from_ssh_key(raw: bytes) -> Any:
-    return load_ssh_public_key(raw, backend=default_backend())
+    return load_ssh_public_key(raw)
 
 
 def import_from_pem_key(raw: bytes, password: bytes | None = None) -> Any:
     key: Any
 
     if b"OPENSSH PRIVATE" in raw:
-        key = load_ssh_private_key(raw, password=password, backend=default_backend())
+        key = load_ssh_private_key(raw, password=password)
 
     elif b"PUBLIC" in raw:
-        key = load_pem_public_key(raw, backend=default_backend())
+        key = load_pem_public_key(raw)
 
     elif b"PRIVATE" in raw:
-        key = load_pem_private_key(raw, password=password, backend=default_backend())
+        key = load_pem_private_key(raw, password=password)
 
     elif b"CERTIFICATE" in raw:
-        cert = load_pem_x509_certificate(raw, backend=default_backend())
+        cert = load_pem_x509_certificate(raw)
         return cert.public_key()
 
     else:
         try:
-            key = load_der_private_key(raw, password=password, backend=default_backend())
+            key = load_der_private_key(raw, password=password)
         except ValueError:
-            key = load_der_public_key(raw, backend=default_backend())
+            key = load_der_public_key(raw)
     return key
 
 

src/joserfc/_rfc7518/derive_key.py

@@ -1,7 +1,6 @@
 from __future__ import annotations
 import struct
 from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.kdf.concatkdf import ConcatKDFHash
 from ..registry import Header
 from ..util import to_bytes, urlsafe_b64decode
@@ -40,7 +39,6 @@ def derive_key_for_concat_kdf(
         algorithm=hashes.SHA256(),
         length=bit_size // 8,
         otherinfo=fixed_info,
-        backend=default_backend(),
     )
     return ckdf.derive(shared_key)
 

src/joserfc/_rfc7518/jwe_algs.py

@@ -2,7 +2,6 @@
 import secrets
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.keywrap import (
     aes_key_wrap,
     aes_key_unwrap,
@@ -92,12 +91,12 @@ def __init__(self, key_size: int, recommended: bool = False):
 
     def wrap_cek(self, cek: bytes, key: bytes) -> bytes:
         self.check_op_key(key)
-        return aes_key_wrap(key, cek, default_backend())
+        return aes_key_wrap(key, cek)
 
     def unwrap_cek(self, ek: bytes, key: bytes) -> bytes:
         self.check_op_key(key)
         try:
-            cek = aes_key_unwrap(key, ek, default_backend())
+            cek = aes_key_unwrap(key, ek)
         except InvalidUnwrap:
             raise DecodeError("Unwrap AES key failed")
         return cek
@@ -148,7 +147,7 @@ def encrypt_cek(self, cek: bytes, recipient: Recipient[OctKey]) -> bytes:
         iv_size = 96
         iv = secrets.token_bytes(iv_size // 8)
 
-        cipher = Cipher(AES(op_key), GCM(iv), backend=default_backend())
+        cipher = Cipher(AES(op_key), GCM(iv))
         enc = cipher.encryptor()
 
         encrypted_key = enc.update(cek) + enc.finalize()
@@ -169,7 +168,7 @@ def decrypt_cek(self, recipient: Recipient[OctKey]) -> bytes:
         iv = urlsafe_b64decode(to_bytes(headers["iv"]))
         tag = urlsafe_b64decode(to_bytes(headers["tag"]))
 
-        cipher = Cipher(AES(op_key), GCM(iv, tag), backend=default_backend())
+        cipher = Cipher(AES(op_key), GCM(iv, tag))
         d = cipher.decryptor()
         try:
             assert recipient.encrypted_key is not None
@@ -252,7 +251,6 @@ def compute_derived_key(self, key: bytes, p2s: bytes, p2c: int) -> bytes:
             length=self.key_size // 8,
             salt=salt,
             iterations=p2c,
-            backend=default_backend(),
         )
         return kdf.derive(key)
 

src/joserfc/_rfc7518/jwe_encs.py

@@ -11,7 +11,6 @@
 from __future__ import annotations
 import hmac
 import hashlib
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.ciphers import Cipher
 from cryptography.hazmat.primitives.ciphers.algorithms import AES
 from cryptography.hazmat.primitives.ciphers.modes import GCM, CBC
@@ -54,7 +53,7 @@ def encrypt(self, plaintext: bytes, cek: bytes, iv: bytes, aad: bytes) -> tuple[
         pad = PKCS7(AES.block_size).padder()
         padded_data = pad.update(plaintext) + pad.finalize()
 
-        cipher = Cipher(AES(ekey), CBC(iv), backend=default_backend())
+        cipher = Cipher(AES(ekey), CBC(iv))
         enc = cipher.encryptor()
         ciphertext = enc.update(padded_data) + enc.finalize()
         tag = self._hmac(ciphertext, aad, iv, hkey)
@@ -69,7 +68,7 @@ def decrypt(self, ciphertext: bytes, tag: bytes, cek: bytes, iv: bytes, aad: byt
         if not hmac.compare_digest(ctag, tag):
             raise DecodeError("tag does not match")
 
-        cipher = Cipher(AES(dkey), CBC(iv), backend=default_backend())
+        cipher = Cipher(AES(dkey), CBC(iv))
         d = cipher.decryptor()
         data = d.update(ciphertext) + d.finalize()
         unpad = PKCS7(AES.block_size).unpadder()
@@ -90,15 +89,15 @@ def __init__(self, key_size: int):
 
     def encrypt(self, plaintext: bytes, cek: bytes, iv: bytes, aad: bytes) -> tuple[bytes, bytes]:
         """Key Encryption with AES GCM"""
-        cipher = Cipher(AES(cek), GCM(iv), backend=default_backend())
+        cipher = Cipher(AES(cek), GCM(iv))
         enc = cipher.encryptor()
         enc.authenticate_additional_data(aad)
         ciphertext = enc.update(plaintext) + enc.finalize()
         return ciphertext, enc.tag
 
     def decrypt(self, ciphertext: bytes, tag: bytes, cek: bytes, iv: bytes, aad: bytes) -> bytes:
         """Key Decryption with AES GCM"""
-        cipher = Cipher(AES(cek), GCM(iv, tag), backend=default_backend())
+        cipher = Cipher(AES(cek), GCM(iv, tag))
         d = cipher.decryptor()
         d.authenticate_additional_data(aad)
         try:

src/joserfc/_rfc7518/rsa_key.py

@@ -13,7 +13,6 @@
     rsa_crt_dmq1,
     rsa_crt_iqmp,
 )
-from cryptography.hazmat.backends import default_backend
 from ..registry import KeyParameter
 from ..errors import SecurityWarning, KeyParameterError
 from .._rfc7517.models import AsymmetricKey
@@ -45,11 +44,7 @@ class RSABinding(CryptographyBinding):
 
     @staticmethod
     def generate_private_key(size: int) -> RSAPrivateKey:
-        return generate_private_key(
-            public_exponent=65537,
-            key_size=size,
-            backend=default_backend(),
-        )
+        return generate_private_key(public_exponent=65537, key_size=size)
 
     @staticmethod
     def import_private_key(obj: RSADictKey) -> RSAPrivateKey:
@@ -82,7 +77,7 @@ def import_private_key(obj: RSADictKey) -> RSAPrivateKey:
                 public_numbers=public_numbers,
             )
 
-        return numbers.private_key(default_backend())
+        return numbers.private_key()
 
     @staticmethod
     def export_private_key(key: RSAPrivateKey) -> RSADictKey:
@@ -101,7 +96,7 @@ def export_private_key(key: RSAPrivateKey) -> RSADictKey:
     @staticmethod
     def import_public_key(obj: RSADictKey) -> RSAPublicKey:
         numbers = RSAPublicNumbers(base64_to_int(obj["e"]), base64_to_int(obj["n"]))
-        return numbers.public_key(default_backend())
+        return numbers.public_key()
 
     @staticmethod
     def export_public_key(key: RSAPublicKey) -> dict[str, str]:

src/joserfc/_rfc8037/okp_key.py

@@ -3,7 +3,6 @@
 import typing as t
 from functools import cached_property
 from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey, Ed25519PrivateKey
 from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PublicKey, Ed448PrivateKey
 from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PublicKey, X25519PrivateKey
@@ -282,7 +281,6 @@ def derive_key(
             hkdf = HKDF(
                 algorithm=algorithm,
                 length=OKP_SEED_SIZES[crv],
-                backend=default_backend(),
                 **kdf_options,
             )
             seed = hkdf.derive(to_bytes(secret))
@@ -291,7 +289,6 @@ def derive_key(
             pbkdf2 = PBKDF2HMAC(
                 algorithm=algorithm,
                 length=OKP_SEED_SIZES[crv],
-                backend=default_backend(),
                 **kdf_options,
             )
             seed = pbkdf2.derive(to_bytes(secret))