chore: remove deprecated backend input (#18980)

miketheman · web-flow · commit 5af2be9f69f2 · 2025-10-31T22:37:22.000Z
cryptography's `default_backend` was removed in 36.0.0 Refs: pyca/cryptography#6499 Signed-off-by: Mike Fiedler <miketheman@gmail.com>
diff --git a/tests/unit/utils/test_otp.py b/tests/unit/utils/test_otp.py
@@ -7,7 +7,6 @@
 
 import pytest
 
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.hashes import SHA1
 from cryptography.hazmat.primitives.twofactor.totp import TOTP
 from urllib3.util import parse_url
@@ -49,19 +48,15 @@ def test_generate_totp_provisioning_uri():
 @pytest.mark.parametrize("skew", [0, -20, 20])
 def test_verify_totp_success(skew):
     secret = otp.generate_totp_secret()
-    totp = TOTP(
-        secret, otp.TOTP_LENGTH, SHA1(), otp.TOTP_INTERVAL, backend=default_backend()
-    )
+    totp = TOTP(secret, otp.TOTP_LENGTH, SHA1(), otp.TOTP_INTERVAL)
     value = totp.generate(time.time() + skew)
     assert otp.verify_totp(secret, value)
 
 
 @pytest.mark.parametrize("skew", [-60, 60])
 def test_verify_totp_failure(skew):
     secret = otp.generate_totp_secret()
-    totp = TOTP(
-        secret, otp.TOTP_LENGTH, SHA1(), otp.TOTP_INTERVAL, backend=default_backend()
-    )
+    totp = TOTP(secret, otp.TOTP_LENGTH, SHA1(), otp.TOTP_INTERVAL)
     value = totp.generate(time.time() + skew)
     with pytest.raises(otp.OutOfSyncTOTPError):
         otp.verify_totp(secret, value)
diff --git a/tests/unit/utils/test_sns.py b/tests/unit/utils/test_sns.py
@@ -8,7 +8,6 @@
 import pytest
 
 from cryptography import x509
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
@@ -32,16 +31,13 @@ def sns_privatekey():
     key = rsa.generate_private_key(
         public_exponent=65537,
         key_size=2048,
-        backend=default_backend(),
     )
     return key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
 
 
 @pytest.fixture(scope="module")
 def sns_publickey(sns_privatekey):
-    private_key = load_pem_private_key(
-        sns_privatekey, password=None, backend=default_backend()
-    )
+    private_key = load_pem_private_key(sns_privatekey, password=None)
     public_key = private_key.public_key()
     return public_key.public_bytes(Encoding.PEM, PublicFormat.SubjectPublicKeyInfo)
 
@@ -50,10 +46,8 @@ def sns_publickey(sns_privatekey):
 def sns_certificate(sns_privatekey, sns_publickey):
     one_day = datetime.timedelta(1, 0, 0)
 
-    private_key = load_pem_private_key(
-        sns_privatekey, password=None, backend=default_backend()
-    )
-    public_key = load_pem_public_key(sns_publickey, backend=default_backend())
+    private_key = load_pem_private_key(sns_privatekey, password=None)
+    public_key = load_pem_public_key(sns_publickey)
 
     builder = x509.CertificateBuilder()
     builder = builder.subject_name(
@@ -74,7 +68,7 @@ def sns_certificate(sns_privatekey, sns_publickey):
     )
 
     cert = builder.sign(
-        private_key=private_key, algorithm=hashes.SHA256(), backend=default_backend()
+        private_key=private_key, algorithm=hashes.SHA256(), backend=None
     )
 
     return cert.public_bytes(Encoding.PEM)
@@ -190,9 +184,7 @@ def test_invalid(self, sns_certificate, sns_privatekey, topics, data, error):
         verifier = MessageVerifier(topics=topics, session=session)
 
         if data.get("Signature") is VALID_SIGNATURE:
-            private_key = load_pem_private_key(
-                sns_privatekey, password=None, backend=default_backend()
-            )
+            private_key = load_pem_private_key(sns_privatekey, password=None)
             signature_bytes = private_key.sign(
                 verifier._get_data_to_sign(data),
                 PKCS1v15(),
@@ -280,9 +272,7 @@ def test_valid(self, sns_certificate, sns_privatekey, topics, data):
         session = pretend.stub(get=lambda url: response)
         verifier = MessageVerifier(topics=topics, session=session)
 
-        private_key = load_pem_private_key(
-            sns_privatekey, password=None, backend=default_backend()
-        )
+        private_key = load_pem_private_key(sns_privatekey, password=None)
         signature_bytes = private_key.sign(
             verifier._get_data_to_sign(data),
             PKCS1v15(),
diff --git a/warehouse/integrations/__init__.py b/warehouse/integrations/__init__.py
@@ -6,7 +6,6 @@
 from typing import cast
 
 from cryptography.exceptions import InvalidSignature
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric.ec import ECDSA, EllipticCurvePublicKey
 from cryptography.hazmat.primitives.hashes import SHA256
@@ -114,7 +113,7 @@ def _check_public_key(self, public_keys, key_id):
     def _check_signature(self, payload, public_key, signature):
         try:
             loaded_public_key = serialization.load_pem_public_key(
-                data=public_key.encode("utf-8"), backend=default_backend()
+                data=public_key.encode("utf-8")
             )
             # Use Type Narrowing to confirm the loaded_public_key is the correct type
             loaded_public_key = cast(EllipticCurvePublicKey, loaded_public_key)
diff --git a/warehouse/utils/otp.py b/warehouse/utils/otp.py
@@ -4,7 +4,6 @@
 import os
 import time
 
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.hashes import SHA1
 from cryptography.hazmat.primitives.twofactor import InvalidToken
 from cryptography.hazmat.primitives.twofactor.totp import TOTP
@@ -31,7 +30,7 @@ def _get_totp(secret):
         * 6-digit code
         * 30-second interval
     """
-    return TOTP(secret, TOTP_LENGTH, SHA1(), TOTP_INTERVAL, backend=default_backend())
+    return TOTP(secret, TOTP_LENGTH, SHA1(), TOTP_INTERVAL)
 
 
 def generate_totp_secret():
diff --git a/warehouse/utils/sns.py b/warehouse/utils/sns.py
@@ -8,7 +8,6 @@
 
 from cryptography import x509
 from cryptography.exceptions import InvalidSignature as _InvalidSignature
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
 from cryptography.hazmat.primitives.hashes import SHA256
 from urllib3.util import parse_url
@@ -76,7 +75,7 @@ def _get_pubkey(self, cert_url):
         resp = self.http.get(cert_url)
         resp.raise_for_status()
 
-        cert = x509.load_pem_x509_certificate(resp.content, default_backend())
+        cert = x509.load_pem_x509_certificate(resp.content)
         return cert.public_key()
 
     def _get_signature(self, message):
