Skip to content

CryptographyDeprecationWarning: CFB warning fires on import even when AESCipher isn't used #1033

Description

@okke-formsma

Every time saml2.cryptography.symmetric is imported, cryptography 44+ emits:

saml2/cryptography/symmetric.py:108: CryptographyDeprecationWarning: CFB has been moved to cryptography.hazmat.decrepit.ciphers.modes.CFB and will be removed from cryptography.hazmat.primitives.ciphers.modes in 49.0.0.
  "cfb": _ciphers.modes.CFB,

This comes from the class-level POSTFIX_MODE dict on the already-deprecated AESCipher class, which is built unconditionally at import time, even if AESCipher itself is never used.

A lazy lookup (build the dict inside build_cipher, or resolve CFB conditionally based on the installed cryptography version, since hazmat.decrepit only exists since cryptography 43) would avoid the warning for anyone who isn't using AESCipher.

(pysaml2 7.5.4, cryptography 49.0.0)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions