Deprecate CSR support in pyOpenSSL (#1316)
alex authored Jul 16, 2024
1 parent 01b9b56 commit 6943ee5
Showing 2 changed files with 47 additions and 3 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.rst
@@ -13,6 +13,8 @@ Backward-incompatible changes:
Deprecations:
^^^^^^^^^^^^^

- Deprecated ``OpenSSL.crypto.X509Req``, ``OpenSSL.crypto.load_certificate_request``, ``OpenSSL.crypto.dump_certificate_request``. Instead, :class:`cryptography.x509.CertificateSigningRequest`, :class:`cryptography.x509.CertificateSigningRequestBuilder`, :func:`cryptography.x509.load_der_x509_csr`, or :func:`cryptography.x509.load_pem_x509_csr` should be used.

Changes:
^^^^^^^^

48 changes: 45 additions & 3 deletions src/OpenSSL/crypto.py
@@ -993,7 +993,7 @@ def to_cryptography(self) -> x509.CertificateSigningRequest:
"""
from cryptography.x509 import load_der_x509_csr

der = dump_certificate_request(FILETYPE_ASN1, self)
der = _dump_certificate_request_internal(FILETYPE_ASN1, self)

return load_der_x509_csr(der)

@@ -1017,7 +1017,7 @@ def from_cryptography(
from cryptography.hazmat.primitives.serialization import Encoding

der = crypto_req.public_bytes(Encoding.DER)
return load_certificate_request(FILETYPE_ASN1, der)
return _load_certificate_request_internal(FILETYPE_ASN1, der)

def set_pubkey(self, pkey: PKey) -> None:
"""
@@ -1193,6 +1193,20 @@ def verify(self, pkey: PKey) -> bool:
return result


_X509ReqInternal = X509Req

utils.deprecated(
X509Req,
__name__,
(
"CSR support in pyOpenSSL is deprecated. You should use the APIs "
"in cryptography."
),
DeprecationWarning,
name="X509Req",
)


class X509:
"""
An X.509 certificate.
@@ -2816,6 +2830,20 @@ def dump_certificate_request(type: int, req: X509Req) -> bytes:
return _bio_to_string(bio)


_dump_certificate_request_internal = dump_certificate_request

utils.deprecated(
dump_certificate_request,
__name__,
(
"CSR support in pyOpenSSL is deprecated. You should use the APIs "
"in cryptography."
),
DeprecationWarning,
name="dump_certificate_request",
)


def load_certificate_request(type: int, buffer: bytes) -> X509Req:
"""
Load a certificate request (X509Req) from the string *buffer* encoded with
@@ -2839,11 +2867,25 @@ def load_certificate_request(type: int, buffer: bytes) -> X509Req:

_openssl_assert(req != _ffi.NULL)

x509req = X509Req.__new__(X509Req)
x509req = _X509ReqInternal.__new__(_X509ReqInternal)
x509req._req = _ffi.gc(req, _lib.X509_REQ_free)
return x509req


_load_certificate_request_internal = load_certificate_request

utils.deprecated(
load_certificate_request,
__name__,
(
"CSR support in pyOpenSSL is deprecated. You should use the APIs "
"in cryptography."
),
DeprecationWarning,
name="load_certificate_request",
)


def sign(pkey: PKey, data: Union[str, bytes], digest: str) -> bytes:
"""
Sign a data string using the given key and message digest.
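Review bot: Nothing in the new code explains why `_X509ReqInternal`, `_dump_certificate_request_internal` and `_load_certificate_request_internal` exist, and the one visible call-site fix (`_X509ReqInternal.__new__(_X509ReqInternal)` in `load_certificate_request`) suggests the bare public names stop referring to the real objects once `utils.deprecated(..., name=...)` has run. Any other runtime use of `X509Req`, `load_certificate_request` or `dump_certificate_request` inside the module that lies outside these hunks would presumably need the same switch, so it is worth grepping the file for them. I would add a comment above the first alias, e.g. `# Module-internal code must use the *_internal / _X509ReqInternal aliases; the public names are wrapped to emit DeprecationWarning.` The warning text is also copied three times and names no replacement: a single constant such as `_CSR_DEPRECATION_MSG`, mentioning `cryptography.x509.load_pem_x509_csr` and `load_der_x509_csr` as the changelog does, would keep the messages in sync and make them actionable, since callers who still parse CSRs through this path only learn about the migration from that string. The bodies of `to_cryptography`, `from_cryptography` and `load_certificate_request` extend beyond the visible hunks.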