search

pyca / pyopenssl

A Python wrapper around the OpenSSL library
https://pyopenssl.org/
Apache License 2.0
885 stars 422 forks source link

Deprecate `X509Extension` and `CRL` APIs #1249

Closed facutuesca closed 11 months ago

facutuesca commented 1 year ago

These have better alternatives in cryptography, and users should be pointed to use them instead.

Here is a list of packages that depend on pyOpenSSL, along with their importance to the ecosystem (number of direct+indirect dependents), current use of these APIs and places where pyOpenSSL is being used.

Format:

Dependents:

facutuesca commented 1 year ago

Here's another list of important packages dependent on PyOpenSSL, this time sorted by # of downloads last month (I removed the packages already present in the previous list):

Format:

Dependents:

alex commented 1 year ago

I just realized there's at least one public API that relies on CRL: add_crl on X509Store. My recommendation would be to change that method to allow it to accept a pyca/cryptography CRL or a pyOpenSSL CRL. This gives users who rely on that method a deprecation-free path.

facutuesca commented 1 year ago

@alex To have add_crl accept a x509.CertificateRevocationList, we would need to convert it so that _lib.X509_STORE_add_crl() can take it. Currently, the logic for that is in CRL::from_cryptography() and _load_crl(), two functions that are in the set to be deprecated. Should we duplicate that logic in X509Store::add_crl, so that when those two are deprecated, add_crl() still works?

To put it in code, what we want is:

def add_crl(self, crl: Union["CRL", x509.CertificateRevocationList]) -> None:
    converted_crl = crl if isinstance(crl, CRL) else CRL.from_cryptography(crl)
    _openssl_assert(_lib.X509_STORE_add_crl(self._store, converted_crl._crl) != 0)

But since from_cryptography() (and _load_crl(), used by from_cryptography) are going to be deprecated, we would need to duplicate their logic in add_crl's definition

alex commented 1 year ago

I don't feel strongly about this.

On Wed, Sep 20, 2023 at 5:45 AM Facundo Tuesca @.***> wrote:

@alex https://github.com/alex To have add_crl accept a x509.CertificateRevocationList, we would need to convert it so that _lib.X509_STORE_add_crl() can take it. Currently, the logic for that is in CRL::from_cryptography() and _load_crl(), two functions that are in the set to be deprecated. Should we duplicate that logic in X509Store::add_crl, so that when those two are deprecated, add_crl() still works?

— Reply to this email directly, view it on GitHub https://github.com/pyca/pyopenssl/issues/1249#issuecomment-1727365344, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAAGBDD7T2MTR7JPWBUSJLX3K3NLANCNFSM6AAAAAA4T4HTW4 . You are receiving this because you were mentioned.Message ID: @.***>

-- All that is necessary for evil to succeed is for good people to do nothing.

facutuesca commented 1 year ago

I just realized there's at least one public API that relies on CRL: add_crl on X509Store. My recommendation would be to change that method to allow it to accept a pyca/cryptography CRL or a pyOpenSSL CRL. This gives users who rely on that method a deprecation-free path.

@alex Here's the PR for that: https://github.com/pyca/pyopenssl/pull/1252