python-common/cryptotools: stop using the removed X509Req API

pyOpenSSL deprecated OpenSSL.crypto.X509Req in 24.2.0 (2024-07-20) and
removed it in 26.3.0 (2026-06-12). as we don't pin pyopenssl, CI picked
up the new release, and create_self_signed_cert() started failing with:

  AttributeError: module 'OpenSSL.crypto' has no attribute 'X509Req'

this took down run-tox-mgr, run-tox-mgr-dashboard-py3 and the mypy check.

we only used X509Req to build a subject name and then copied it into the
X509 cert. so drop it, and set the subject on the cert directly. the
resulting cert stays the same: subject from dname, issuer set to the same
subject, self-signed.

Fixes: https://tracker.ceph.com/issues/77391
Signed-off-by: Kefu Chai <k.chai@proxmox.com>

diff --git a/src/python-common/ceph/cryptotools/internal.py b/src/python-common/ceph/cryptotools/internal.py
index 7d6e0a487ecc940bb050f1622168438b2c3ea7ff..db3d6a5c0481b93763937aacecb51143fdbd4e9f 100644 (file)
--- a/src/python-common/ceph/cryptotools/internal.py
+++ b/src/python-common/ceph/cryptotools/internal.py
@@ -45,19 +45,13 @@ class InternalCryptoCaller(CryptoCaller):
     ) -> str:
         _pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, pkey)
 
-        # Create a "subject" object
-        with warnings.catch_warnings():
-            warnings.simplefilter("ignore")
-            req = crypto.X509Req()
-        subj = req.get_subject()
-
-        # populate the subject with the dname settings
+        # create a self-signed cert and populate its subject with the dname
+        # settings
+        cert = crypto.X509()
+        subj = cert.get_subject()
         for k, v in dname.items():
             setattr(subj, k, v)
-
-        # create a self-signed cert
-        cert = crypto.X509()
-        cert.set_subject(req.get_subject())
+        cert.set_subject(subj)
         cert.set_serial_number(int(uuid4()))
         cert.gmtime_adj_notBefore(0)
         cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)  # 10 years