From 6943ee524e511138dd78fde6000e6f8e2bdd4b0c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 16 Jul 2024 19:28:13 -0400 Subject: [PATCH] Deprecate CSR support in pyOpenSSL (#1316) --- CHANGELOG.rst | 2 ++ src/OpenSSL/crypto.py | 48 ++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 47 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 81ed2c11..396debd4 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -13,6 +13,8 @@ Backward-incompatible changes: Deprecations: ^^^^^^^^^^^^^ +- Deprecated ``OpenSSL.crypto.X509Req``, ``OpenSSL.crypto.load_certificate_request``, ``OpenSSL.crypto.dump_certificate_request``. Instead, :class:`cryptography.x509.CertificateSigningRequest`, :class:`cryptography.x509.CertificateSigningRequestBuilder`, :func:`cryptography.x509.load_der_x509_csr`, or :func:`cryptography.x509.load_pem_x509_csr` should be used. + Changes: ^^^^^^^^ diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py index 88bac330..07c112a6 100644 --- a/src/OpenSSL/crypto.py +++ b/src/OpenSSL/crypto.py @@ -993,7 +993,7 @@ def to_cryptography(self) -> x509.CertificateSigningRequest: """ from cryptography.x509 import load_der_x509_csr - der = dump_certificate_request(FILETYPE_ASN1, self) + der = _dump_certificate_request_internal(FILETYPE_ASN1, self) return load_der_x509_csr(der) @@ -1017,7 +1017,7 @@ def from_cryptography( from cryptography.hazmat.primitives.serialization import Encoding der = crypto_req.public_bytes(Encoding.DER) - return load_certificate_request(FILETYPE_ASN1, der) + return _load_certificate_request_internal(FILETYPE_ASN1, der) def set_pubkey(self, pkey: PKey) -> None: """ @@ -1193,6 +1193,20 @@ def verify(self, pkey: PKey) -> bool: return result +_X509ReqInternal = X509Req + +utils.deprecated( + X509Req, + __name__, + ( + "CSR support in pyOpenSSL is deprecated. You should use the APIs " + "in cryptography." + ), + DeprecationWarning, + name="X509Req", +) + + class X509: """ An X.509 certificate. 
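Review bot: The call to `_dump_certificate_request_internal` in `to_cryptography` is unexplained, and so is the matching `_load_certificate_request_internal` call in `from_cryptography` in the next hunk; a reader sees the public function bypassed for an underscore alias with no hint why. Presumably the aliases exist so that converting to and from cryptography objects does not itself trigger the CSR deprecation warning that the public names now carry, and that deserves a one-line comment at each call site, e.g. `# Use the undeprecated alias so this conversion does not emit the CSR DeprecationWarning itself.` Both method bodies start outside their hunks, inside `X509Req`.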
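Review bot: `_X509ReqInternal = X509Req` carries no comment saying why the alias exists, and the reason is non-obvious: `utils.deprecated(..., name="X509Req")` presumably rebinds the module attribute to a deprecation proxy, so any bare-name use of `X509Req` evaluated at runtime later in this module (an `isinstance` check, a `__new__` call like the one this commit fixes in `load_certificate_request`) would hit the proxy rather than the class, which is worth grepping the rest of the file for. Suggest `# Undeprecated handle for internal use: after utils.deprecated() below, the public name X509Req resolves to the deprecation proxy.` above the alias. The same message literal is repeated verbatim here and in the two later deprecations of `dump_certificate_request` and `load_certificate_request`; hoisting it to one module constant such as `_CSR_DEPRECATION_MSG = "CSR support in pyOpenSSL is deprecated. You should use the APIs in cryptography."` keeps the three in sync. The message could also name the replacement (`cryptography.x509.CertificateSigningRequest`, `load_pem_x509_csr`) as the CHANGELOG entry does, since the warning text is what most users will actually see.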
@@ -2816,6 +2830,20 @@ def dump_certificate_request(type: int, req: X509Req) -> bytes: return _bio_to_string(bio) +_dump_certificate_request_internal = dump_certificate_request + +utils.deprecated( + dump_certificate_request, + __name__, + ( + "CSR support in pyOpenSSL is deprecated. You should use the APIs " + "in cryptography." + ), + DeprecationWarning, + name="dump_certificate_request", +) + + def load_certificate_request(type: int, buffer: bytes) -> X509Req: """ Load a certificate request (X509Req) from the string *buffer* encoded with @@ -2839,11 +2867,25 @@ def load_certificate_request(type: int, buffer: bytes) -> X509Req: _openssl_assert(req != _ffi.NULL) - x509req = X509Req.__new__(X509Req) + x509req = _X509ReqInternal.__new__(_X509ReqInternal) x509req._req = _ffi.gc(req, _lib.X509_REQ_free) return x509req +_load_certificate_request_internal = load_certificate_request + +utils.deprecated( + load_certificate_request, + __name__, + ( + "CSR support in pyOpenSSL is deprecated. You should use the APIs " + "in cryptography." + ), + DeprecationWarning, + name="load_certificate_request", +) + + def sign(pkey: PKey, data: Union[str, bytes], digest: str) -> bytes: """ Sign a data string using the given key and message digest.
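Review bot: The docstrings of `dump_certificate_request` and `load_certificate_request` are left untouched, so `help()` and the rendered API reference will still present them as fully supported even though accessing them now warns at runtime. Suggest adding a `.. deprecated::` directive to each docstring that points at `cryptography.x509.CertificateSigningRequest.public_bytes` and `cryptography.x509.load_pem_x509_csr` / `load_der_x509_csr` respectively, mirroring the CHANGELOG entry. `dump_certificate_request` begins outside this hunk, and the body of `load_certificate_request` continues past it into the next hunk.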
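Review bot: The aliases `_X509ReqInternal` and `_load_certificate_request_internal` only work because each is bound before the corresponding `utils.deprecated(...)` call rebinds the public name, and nothing in the code states that ordering requirement; a reorder during a later cleanup would silently route internal callers through the deprecation proxy. Suggest `# Must be bound before utils.deprecated() below rebinds the public name.` on each alias line (the `_dump_certificate_request_internal` alias in the previous hunk has the same dependency). The diffstat lists only CHANGELOG.rst and crypto.py, so no test appears to pin the intended behaviour; a test that runs `warnings.simplefilter("error", DeprecationWarning)` while exercising `to_cryptography()`, `from_cryptography()` and the `_internal` aliases, plus one asserting that `crypto.X509Req` / `crypto.load_certificate_request` do warn, would catch a regression in either direction. Parsing here is of caller-supplied PEM/DER, so keeping the `_openssl_assert(req != _ffi.NULL)` failure path and its exception type unchanged across the rename is the right call.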