CryptographyDeprecationWarning for _permission (not_valid_before and not_valid_after)

[cdisco]

The following warning was observerned when running ros2 security create_enclave in a bazel environment.

INFO: Running command line: bazel-bin/ros2/ros2_security create_enclave /tmp/MY_ENCLAVE /MY_ENCLAVE_NAME
/home/user/.cache/bazel/_bazel_/9aa7afc3a0e2498fab67e6e6e7243812/execroot/rules_ros2/bazel-out/k8-opt/bin/ros2/ros2sec.runfiles/sros2/sros2/sros2/keystore/_permission.py:78: 
CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. 
Please switch to not_valid_before_utc.kwargs['not_valid_before'] = etree.XSLT.strparam(cert_content.not_valid_before.isoformat())

/home/user/.cache/bazel/_bazel_/9aa7afc3a0e2498fab67e6e6e7243812/execroot/rules_ros2/bazel-out/k8-opt/bin/ros2/ros2sec.runfiles/sros2/sros2/sros2/keystore/_permission.py:79: 
CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. 
Please switch to not_valid_after_utc.kwargs['not_valid_after'] = etree.XSLT.strparam(cert_content.not_valid_after.isoformat())

Here are the offending lines:

sros2/sros2/sros2/keystore/_permission.py

Line 78 in 3ee78e1

kwargs['not_valid_before'] = etree.XSLT.strparam(cert_content.not_valid_before.isoformat())

The solution is to use not_valid_before_utc and not_valid_after_utc respectively

[mikaelarguedas]

Thanks for reporting!

This is currently blocked because the cryptography version on windows debug is old and doesn't have not_valid_before/after_utc yet

https://github.com/ros2/sros2/pull/300/files#diff-8f16a457e0b37424b56a61828f82e06a985e0c793b018184eff60a775d00fb2eR79-R81

@cottsay with the move to pixi do you know if there is a simpler path to getting more recent version of cryptography on Windows ?
Looks like it's v41 ATM: https://github.com/ros2/ros2/blob/87f12bfd2965a0612ea60fe3d8dd49ad9fd91c98/pixi.toml#L47

[mjcarroll]

With the migration to pixi, we are also not supporting debug on Windows anymore.

I think, in this case, we are pinned to the Ubuntu Noble version (which is 41)

[Yadunund]

We've added this topic to the agenda for next week's PMC meeting. You can find the calendar invite for the next meeting here if you would like to join the discussion.

[clalancette]

As far as I understand, pycryptography 41 supports the API we need, and we have at least pycryptography 41 support on all platforms (including Windows). So we should be able to move forward and use the non-deprecated APIs.

That said, I've tried this in the past, and it isn't as simple as substituting one API for another. When I did that, all tests failed. Fixing it will probably require a deeper look.

[ros-discourse]

This issue has been mentioned on Open Robotics Discourse. There might be relevant details there:

https://discourse.ros.org/t/ros-pmc-minutes-for-july-1-2025/45001/1

[mikaelarguedas]

As far as I understand, pycryptography 41 supports the API we need

@clalancette The APIs needed are not_valid_before_utc and not_valid_after_utc

These are part of Cryptography 42: https://cryptography.io/en/42.0.0/search/?q=not_valid_before_utc&check_keywords=yes&area=default
But not 41: https://cryptography.io/en/41.0.7/search/?q=not_valid_before_utc&check_keywords=yes&area=default

e.g. on Ubuntu Noble:

In [1]: import cryptography

In [2]: cryptography.__version__
Out[2]: '41.0.7'

In [3]: from cryptography.x509 import Certificate

In [4]: Certificate.not_valid_after
Out[4]: <property at 0x778bd0b8d170>

In [5]: Certificate.not_valid_after_utc
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
Cell In[5], line 1
----> 1 Certificate.not_valid_after_utc

AttributeError: type object 'Certificate' has no attribute 'not_valid_after_utc'

[clalancette]

@clalancette The APIs needed are not_valid_before_utc and not_valid_after_utc

These are part of Cryptography 42: https://cryptography.io/en/42.0.0/search/?q=not_valid_before_utc&check_keywords=yes&area=default But not 41: https://cryptography.io/en/41.0.7/search/?q=not_valid_before_utc&check_keywords=yes&area=default

Ah, fair enough. In that case, the best we could do here would be to have conditional code that still used the old APIs for Cryptography <= 41, and the new APIs for Cryptography 42 and newer.

[mikaelarguedas]

@cdisco The use of not_valid_before_utc/not_valid_after_utc has been implemented in #300, if you get a chance, could you confirm it fixes this issue for you ?