Deprecate CSR support in pyOpenSSL #1316

Merged
merged 1 commit into from
Jul 16, 2024
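--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -13,6 +13,8 @@ Backward-incompatible changes:
 Deprecations:
 ^^^^^^^^^^^^^
 
+- Deprecated ``OpenSSL.crypto.X509Req``, ``OpenSSL.crypto.load_certificate_request``, ``OpenSSL.crypto.dump_certificate_request``. Instead, :class:`cryptography.x509.CertificateSigningRequest`, :class:`cryptography.x509.CertificateSigningRequestBuilder`, :func:`cryptography.x509.load_der_x509_csr`, or :func:`cryptography.x509.load_pem_x509_csr` should be used.
+
 Changes:
 ^^^^^^^^
 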
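--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -993,7 +993,7 @@ def to_cryptography(self) -> x509.CertificateSigningRequest:
 """
 from cryptography.x509 import load_der_x509_csr
 
-der = dump_certificate_request(FILETYPE_ASN1, self)
+der = _dump_certificate_request_internal(FILETYPE_ASN1, self)
 
 return load_der_x509_csr(der)
 
@@ -1017,7 +1017,7 @@ def from_cryptography(
 from cryptography.hazmat.primitives.serialization import Encoding
 
 der = crypto_req.public_bytes(Encoding.DER)
-return load_certificate_request(FILETYPE_ASN1, der)
+return _load_certificate_request_internal(FILETYPE_ASN1, der)
 
 def set_pubkey(self, pkey: PKey) -> None:
 """
@@ -1193,6 +1193,20 @@ def verify(self, pkey: PKey) -> bool:
 return result
 
 
+_X509ReqInternal = X509Req
+
+utils.deprecated(
+X509Req,
+__name__,
+(
+"CSR support in pyOpenSSL is deprecated. You should use the APIs "
+"in cryptography."
+),
+DeprecationWarning,
+name="X509Req",
+)
+
+
 class X509:
 """
 An X.509 certificate.
@@ -2816,6 +2830,20 @@ def dump_certificate_request(type: int, req: X509Req) -> bytes:
 return _bio_to_string(bio)
 
 
+_dump_certificate_request_internal = dump_certificate_request
+
+utils.deprecated(
+dump_certificate_request,
+__name__,
+(
+"CSR support in pyOpenSSL is deprecated. You should use the APIs "
+"in cryptography."
+),
+DeprecationWarning,
+name="dump_certificate_request",
+)
+
+
 def load_certificate_request(type: int, buffer: bytes) -> X509Req:
 """
 Load a certificate request (X509Req) from the string *buffer* encoded with
@@ -2839,11 +2867,25 @@ def load_certificate_request(type: int, buffer: bytes) -> X509Req:
 
 _openssl_assert(req != _ffi.NULL)
 
-x509req = X509Req.__new__(X509Req)
+x509req = _X509ReqInternal.__new__(_X509ReqInternal)
 x509req._req = _ffi.gc(req, _lib.X509_REQ_free)
 return x509req
 
 
+_load_certificate_request_internal = load_certificate_request
+
+utils.deprecated(
+load_certificate_request,
+__name__,
+(
+"CSR support in pyOpenSSL is deprecated. You should use the APIs "
+"in cryptography."
+),
+DeprecationWarning,
+name="load_certificate_request",
+)
+
+
 def sign(pkey: PKey, data: Union[str, bytes], digest: str) -> bytes:
 """
 Sign a data string using the given key and message digest.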
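Review bot: The three `utils.deprecated(...)` calls repeat the same message literal, and that message only says to use "the APIs in cryptography" without naming any of the replacements the CHANGELOG entry lists. A single module-level constant passed to all three calls, e.g. `_CSR_DEPRECATION_MSG = "CSR support in pyOpenSSL is deprecated. Use cryptography.x509.CertificateSigningRequest, CertificateSigningRequestBuilder, load_der_x509_csr or load_pem_x509_csr instead."`, would make the runtime warning as actionable as the changelog. The `_X509ReqInternal`, `_dump_certificate_request_internal` and `_load_certificate_request_internal` aliases each deserve a one-line comment such as `# Non-deprecated alias for in-module callers; must be bound before utils.deprecated() is applied to the public name.`, since the alias-then-deprecate ordering appears to be load-bearing and nothing in the code says so. Only three in-module call sites are switched to the aliases in the visible hunks; any other runtime use of the bare `X509Req`, `load_certificate_request` or `dump_certificate_request` names elsewhere in crypto.py would presumably resolve to the deprecated binding, so it is worth grepping for them.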