Skip to content

Commit

Permalink
Deprecate a few more extensions APIs
Browse files Browse the repository at this point in the history
They really should have been deprecated previously.
  • Loading branch information
alex committed Aug 12, 2024
1 parent 1c62aab commit 7d8811c
Show file tree
Hide file tree
Showing 2 changed files with 42 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.rst
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` instead.
- Deprecated ``add_extensions`` and ``get_extensions`` on ``OpenSSL.crypto.X509Req`` and ``OpenSSL.crypto.X509``. These should have been deprecated at the same time ``X509Extension`` was. Users should use pyca/cryptography's X.509 APIs instead.
- Deprecated ``OpenSSL.crypto.get_elliptic_curves`` and ``OpenSSL.crypto.get_elliptic_curve``, as well as passing the reult of them to ``OpenSSL.SSL.Context.set_tmp_ecdh``, users should instead pass curves from ``cryptography``.
- Deprecated passing ``X509`` objects to ``OpenSSL.SSL.Context.use_certificate``, ``OpenSSL.SSL.Connection.use_certificate``, ``OpenSSL.SSL.Context.add_extra_chain_cert``, and ``OpenSSL.SSL.Context.add_client_ca``, users should instead pass ``cryptography.x509.Certificate`` instances. This is in preparation for deprecating pyOpenSSL's ``X509`` entirely.
- Deprecated passing ``PKey`` objects to ``OpenSSL.SSL.Context.use_privatekey`` and ``OpenSSL.SSL.Connection.use_privatekey``, users should instead pass ``cryptography`` priate key instances. This is in preparation for deprecating pyOpenSSL's ``PKey`` entirely.
Expand Down
41 changes: 41 additions & 0 deletions src/OpenSSL/crypto.py
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
import datetime
import functools
import typing
import warnings
from base64 import b16encode
from functools import partial
from os import PathLike
Expand Down Expand Up @@ -1108,6 +1109,16 @@ def add_extensions(
:type extensions: iterable of :py:class:`X509Extension`
:return: ``None``
"""
warnings.warn(
(
"This API is deprecated and will be removed in a future "
"version of pyOpenSSL. You should use pyca/cryptography's "
"X.509 APIs instead."
),
DeprecationWarning,
stacklevel=2,
)

stack = _lib.sk_X509_EXTENSION_new_null()
_openssl_assert(stack != _ffi.NULL)

Expand All @@ -1132,6 +1143,16 @@ def get_extensions(self) -> list[_X509ExtensionInternal]:
.. versionadded:: 0.15
"""
warnings.warn(
(
"This API is deprecated and will be removed in a future "
"version of pyOpenSSL. You should use pyca/cryptography's "
"X.509 APIs instead."
),
DeprecationWarning,
stacklevel=2,
)

exts = []
native_exts_obj = _lib.X509_REQ_get_extensions(self._req)
native_exts_obj = _ffi.gc(
Expand Down Expand Up @@ -1652,6 +1673,16 @@ def add_extensions(
:type extensions: An iterable of :py:class:`X509Extension` objects.
:return: ``None``
"""
warnings.warn(
(
"This API is deprecated and will be removed in a future "
"version of pyOpenSSL. You should use pyca/cryptography's "
"X.509 APIs instead."
),
DeprecationWarning,
stacklevel=2,
)

for ext in extensions:
if not isinstance(ext, _X509ExtensionInternal):
raise ValueError("One of the elements is not an X509Extension")
Expand All @@ -1673,6 +1704,16 @@ def get_extension(self, index: int) -> _X509ExtensionInternal:
.. versionadded:: 0.12
"""
warnings.warn(
(
"This API is deprecated and will be removed in a future "
"version of pyOpenSSL. You should use pyca/cryptography's "
"X.509 APIs instead."
),
DeprecationWarning,
stacklevel=2,
)

ext = _X509ExtensionInternal.__new__(_X509ExtensionInternal)
ext._extension = _lib.X509_get_ext(self._x509, index)
if ext._extension == _ffi.NULL:
Expand Down

0 comments on commit 7d8811c

Please sign in to comment.