Remove Dependency on Cryptography >=36.0.0

The mTLS OAuth2.0 in Keystone uses a parameter that is only availble on
cryptography 36.0.0 or later. Users may have to upgrade cryptography
which is already installed, which can be unreasonably hassle. This
patch introduces an alternative for that parameter.

[1] https://cryptography.io/en/latest/changelog/#v36-0-0

Closes-bug: 2009600
Change-Id: Idffe269b62797bb2935429f4069e878a177db04f

1 files changed, 6 insertions, 4 deletions

diff --git a/keystone/common/utils.py b/keystone/common/utils.py
index 792c17951..3f8088f27 100644
--- a/keystone/common/utils.py
+++ b/keystone/common/utils.py
@@ -479,8 +479,9 @@ def get_certificate_subject_dn(cert_pem):
     try:
         cert = x509.load_pem_x509_certificate(cert_pem.encode('utf-8'))
         for item in cert.subject:
-            name, value = item.rfc4514_string(
-                attr_name_overrides=ATTR_NAME_OVERRIDES).split('=')
+            name, value = item.rfc4514_string().split('=')
+            if item.oid in ATTR_NAME_OVERRIDES:
+                name = ATTR_NAME_OVERRIDES[item.oid]
             dn_dict[name] = value
     except Exception as error:
         LOG.exception(error)
@@ -501,8 +502,9 @@ def get_certificate_issuer_dn(cert_pem):
     try:
         cert = x509.load_pem_x509_certificate(cert_pem.encode('utf-8'))
         for item in cert.issuer:
-            name, value = item.rfc4514_string(
-                attr_name_overrides=ATTR_NAME_OVERRIDES).split('=')
+            name, value = item.rfc4514_string().split('=')
+            if item.oid in ATTR_NAME_OVERRIDES:
+                name = ATTR_NAME_OVERRIDES[item.oid]
             dn_dict[name] = value
     except Exception as error:
         LOG.exception(error)