From 87af1f2761eb4a953c8cf098d3dcfc315f239d04 Mon Sep 17 00:00:00 2001
From: Felix Fontein <felix@fontein.de>
Date: Fri, 26 Jan 2024 17:47:46 +0100
Subject: [PATCH] Disable consistency checking of RSA keys for cryptography
 42.0.0 which no longer gives access to the required function. (#702)

---
 changelogs/fragments/701-private_key_info-consistency.yml    | 2 ++
 .../module_utils/crypto/module_backends/privatekey_info.py   | 5 ++++-
 plugins/modules/openssl_privatekey_info.py                   | 3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/701-private_key_info-consistency.yml

diff --git a/changelogs/fragments/701-private_key_info-consistency.yml b/changelogs/fragments/701-private_key_info-consistency.yml
new file mode 100644
index 00000000..fe920423
--- /dev/null
+++ b/changelogs/fragments/701-private_key_info-consistency.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - "openssl_privatekey_info - ``check_consistency=true`` no longer works for RSA keys with cryptography 42.0.0+ (https://github.com/ansible-collections/community.crypto/pull/701)."
diff --git a/plugins/module_utils/crypto/module_backends/privatekey_info.py b/plugins/module_utils/crypto/module_backends/privatekey_info.py
index d87b9c2b..7118cd9d 100644
--- a/plugins/module_utils/crypto/module_backends/privatekey_info.py
+++ b/plugins/module_utils/crypto/module_backends/privatekey_info.py
@@ -107,7 +107,10 @@ def _check_dsa_consistency(key_public_data, key_private_data):
 
 def _is_cryptography_key_consistent(key, key_public_data, key_private_data):
     if isinstance(key, cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey):
-        return bool(key._backend._lib.RSA_check_key(key._rsa_cdata))
+        # key._backend was removed in cryptography 42.0.0
+        backend = getattr(key, '_backend', None)
+        if backend is not None:
+            return bool(backend._lib.RSA_check_key(key._rsa_cdata))
     if isinstance(key, cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey):
         result = _check_dsa_consistency(key_public_data, key_private_data)
         if result is not None:
diff --git a/plugins/modules/openssl_privatekey_info.py b/plugins/modules/openssl_privatekey_info.py
index 9415bc37..220bf988 100644
--- a/plugins/modules/openssl_privatekey_info.py
+++ b/plugins/modules/openssl_privatekey_info.py
@@ -60,6 +60,9 @@ options:
               avoid private key material to be transported around and computed with, and only do
               so when requested explicitly. This can potentially prevent
               L(side-channel attacks,https://en.wikipedia.org/wiki/Side-channel_attack).
+            - Note that consistency checks only work for certain key types, and might depend on the
+              version of the cryptography library. For example, with cryptography 42.0.0 and newer
+              consistency of RSA keys can no longer be checked.
         type: bool
         default: false
         version_added: 2.0.0