From 7d8811c01331e0824b01d2f4f9cbe3d151869cb1 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sun, 11 Aug 2024 20:28:21 -0400
Subject: [PATCH] Deprecate a few more extensions APIs

They really should have been deprecated previously.
---
 CHANGELOG.rst | 1 +
 src/OpenSSL/crypto.py | 41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index aed32193..a433a4ec 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -14,6 +14,7 @@ Deprecations:
 ^^^^^^^^^^^^^

 - Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` instead.
+- Deprecated ``add_extensions`` and ``get_extensions`` on ``OpenSSL.crypto.X509Req`` and ``OpenSSL.crypto.X509``. These should have been deprecated at the same time ``X509Extension`` was. Users should use pyca/cryptography's X.509 APIs instead.
 - Deprecated ``OpenSSL.crypto.get_elliptic_curves`` and ``OpenSSL.crypto.get_elliptic_curve``, as well as passing the reult of them to ``OpenSSL.SSL.Context.set_tmp_ecdh``, users should instead pass curves from ``cryptography``.
 - Deprecated passing ``X509`` objects to ``OpenSSL.SSL.Context.use_certificate``, ``OpenSSL.SSL.Connection.use_certificate``, ``OpenSSL.SSL.Context.add_extra_chain_cert``, and ``OpenSSL.SSL.Context.add_client_ca``, users should instead pass ``cryptography.x509.Certificate`` instances. This is in preparation for deprecating pyOpenSSL's ``X509`` entirely.
 - Deprecated passing ``PKey`` objects to ``OpenSSL.SSL.Context.use_privatekey`` and ``OpenSSL.SSL.Connection.use_privatekey``, users should instead pass ``cryptography`` priate key instances. This is in preparation for deprecating pyOpenSSL's ``PKey`` entirely.
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index be0a9896..f62d5bde 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -4,6 +4,7 @@
 import datetime
 import functools
 import typing
+import warnings
 from base64 import b16encode
 from functools import partial
 from os import PathLike
@@ -1108,6 +1109,16 @@ def add_extensions(
 :type extensions: iterable of :py:class:`X509Extension`
 :return: ``None``
 """
+ warnings.warn(
+ (
+ "This API is deprecated and will be removed in a future "
+ "version of pyOpenSSL. You should use pyca/cryptography's "
+ "X.509 APIs instead."
+ ),
+ DeprecationWarning,
+ stacklevel=2,
+ )
+
 stack = _lib.sk_X509_EXTENSION_new_null()
 _openssl_assert(stack != _ffi.NULL)

@@ -1132,6 +1143,16 @@ def get_extensions(self) -> list[_X509ExtensionInternal]:

 .. versionadded:: 0.15
 """
+ warnings.warn(
+ (
+ "This API is deprecated and will be removed in a future "
+ "version of pyOpenSSL. You should use pyca/cryptography's "
+ "X.509 APIs instead."
+ ),
+ DeprecationWarning,
+ stacklevel=2,
+ )
+
 exts = []
 native_exts_obj = _lib.X509_REQ_get_extensions(self._req)
 native_exts_obj = _ffi.gc(
@@ -1652,6 +1673,16 @@ def add_extensions(
 :type extensions: An iterable of :py:class:`X509Extension` objects.
 :return: ``None``
 """
+ warnings.warn(
+ (
+ "This API is deprecated and will be removed in a future "
+ "version of pyOpenSSL. You should use pyca/cryptography's "
+ "X.509 APIs instead."
+ ),
+ DeprecationWarning,
+ stacklevel=2,
+ )
+
 for ext in extensions:
 if not isinstance(ext, _X509ExtensionInternal):
 raise ValueError("One of the elements is not an X509Extension")
@@ -1673,6 +1704,16 @@ def get_extension(self, index: int) -> _X509ExtensionInternal:

 .. versionadded:: 0.12
 """
+ warnings.warn(
+ (
+ "This API is deprecated and will be removed in a future "
+ "version of pyOpenSSL. You should use pyca/cryptography's "
+ "X.509 APIs instead."
+ ),
+ DeprecationWarning,
+ stacklevel=2,
+ )
+
 ext = _X509ExtensionInternal.__new__(_X509ExtensionInternal)
 ext._extension = _lib.X509_get_ext(self._x509, index)
 if ext._extension == _ffi.NULL:
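Review bot: The warning text added at the top of `add_extensions` (hunk at -1108) never names the method, and the identical nine-line block is pasted into the three later hunks (`get_extensions`, the second `add_extensions`, `get_extension`). `stacklevel=2` attributes the warning to the caller's line, but anyone reading aggregated warning output or writing a message-based `filterwarnings` rule for certificate-handling code cannot tell which of the four calls fired. I would name the API in each message, e.g. `"X509Req.add_extensions is deprecated and will be removed in a future "`. The class name is inferred from the changelog entry, as the class header and the rest of the function body are outside the hunk.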
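Review bot: The docstring of `get_extensions` (hunk at -1132) still ends at `.. versionadded:: 0.15` with no deprecation marker, so the rendered API reference keeps presenting the method as current while the runtime warns. Adding `.. deprecated:: <RELEASE>` (placeholder, the release number is not on this page) followed by `Use pyca/cryptography's X.509 APIs instead.` would keep the docs and the behaviour in step. The same applies to the docstrings in the other three hunks. It matters here because Python's default filters hide `DeprecationWarning` unless it is attributed to code in `__main__`, so many callers will only learn of the deprecation from the documentation.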
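Review bot: The method deprecated in the last hunk (at -1673) is `get_extension(self, index)`, singular, but the CHANGELOG entry in this patch lists `get_extensions` for both `X509Req` and `X509`. As far as the visible hunks show, the name recorded for `X509` does not match the method that now warns. The entry should say `get_extension` for `X509`, so that users searching the changelog for the call that warns can find it. The diffstat lists only CHANGELOG.rst and crypto.py, so unless tests land separately nothing asserts that these four calls emit the warning; a `pytest.warns(DeprecationWarning)` check per method would pin it. The body of `get_extension` continues beyond the hunk.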