authorPaul Kehrer <paul.l.kehrer@gmail.com>2019-05-04 13:34:29 -0400
committerAlex Gaynor <alex.gaynor@gmail.com>2019-05-04 13:34:29 -0400
commit81233de59df126c8b21f359661f3204924c9d67b (patch)
treee4c8a0a801ecf2996aaee186eb5c12504208641c
parentb5e34e499042a0dce3d60da89169b006fb5cae26 (diff)
fix from_issuer_subject_key_identifier to take the right type (#4864)
* fix from_issuer_subject_key_identifier to take the right type; deprecate passing the old Extension wrapper object
* don't use a try:except:
* hilarious contortions to satisfy doc8
-rw-r--r--CHANGELOG.rst9
-rw-r--r--src/cryptography/utils.py1
-rw-r--r--src/cryptography/x509/extensions.py16
-rw-r--r--tests/x509/test_x509_ext.py11
4 files changed, 33 insertions, 4 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index d6b3ac28..df1a1fea 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,7 +16,14 @@ Changelog
when using OpenSSL 1.1.1 or newer.
* Support serialization with ``Encoding.OpenSSH`` and ``PublicFormat.OpenSSH``
in
- :meth:`Ed25519PublicKey.public_bytes <cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.public_bytes>`.
+ :meth:`Ed25519PublicKey.public_bytes
+ <cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.public_bytes>`
+ .
+* Correctly allow passing a ``SubjectKeyIdentifier`` to
+ :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`
+ and deprecate passing an ``Extension`` object. The documentation always
+ required ``SubjectKeyIdentifier`` but the implementation previously
+ required an ``Extension``.
.. _v2-6-1:
diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
index 18c2ab3b..0b36f637 100644
--- a/src/cryptography/utils.py
+++ b/src/cryptography/utils.py
@@ -23,6 +23,7 @@ class CryptographyDeprecationWarning(UserWarning):
PersistentlyDeprecated2017 = CryptographyDeprecationWarning
PersistentlyDeprecated2018 = CryptographyDeprecationWarning
DeprecatedIn25 = CryptographyDeprecationWarning
+DeprecatedIn27 = CryptographyDeprecationWarning
def _check_bytes(name, value):
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index e64e09c5..d25131b8 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -8,6 +8,7 @@ import abc
import datetime
import hashlib
import ipaddress
+import warnings
from enum import Enum
from asn1crypto.keys import PublicKeyInfo
@@ -188,8 +189,21 @@ class AuthorityKeyIdentifier(object):
@classmethod
def from_issuer_subject_key_identifier(cls, ski):
+ if isinstance(ski, SubjectKeyIdentifier):
+ digest = ski.digest
+ else:
+ digest = ski.value.digest
+ warnings.warn(
+ "Extension objects are deprecated as arguments to "
+ "from_issuer_subject_key_identifier and support will be "
+ "removed soon. Please migrate to passing a "
+ "SubjectKeyIdentifier directly.",
+ utils.DeprecatedIn27,
+ stacklevel=2,
+ )
+
return cls(
- key_identifier=ski.value.digest,
+ key_identifier=digest,
authority_cert_issuer=None,
authority_cert_serial_number=None
)
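Review bot: The `else:` branch of from_issuer_subject_key_identifier treats every argument that is not a SubjectKeyIdentifier as the deprecated Extension wrapper, so an Extension carrying a different extension type, or any object that exposes `.value.digest`, is accepted and its value is handed to `cls(...)` as the key identifier. Any other argument fails with an AttributeError instead of a clear TypeError. I would narrow the fallback to `elif isinstance(getattr(ski, "value", None), SubjectKeyIdentifier):` and end with `else: raise TypeError("ski must be a SubjectKeyIdentifier")`, so that only a real subject key identifier can become the authority key identifier. The classmethod also has no docstring stating the accepted type and the deprecation. The class body starts outside the hunk.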
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index ec618d9a..654bd13b 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -3196,11 +3196,18 @@ class TestAuthorityKeyIdentifierExtension(object):
ext = cert.extensions.get_extension_for_oid(
ExtensionOID.AUTHORITY_KEY_IDENTIFIER
)
- ski = issuer_cert.extensions.get_extension_for_class(
+ ski_ext = issuer_cert.extensions.get_extension_for_class(
x509.SubjectKeyIdentifier
)
+ # This was the incorrect arg we want to deprecate and remove
+ with pytest.warns(utils.CryptographyDeprecationWarning):
+ aki = x509.AuthorityKeyIdentifier.\
+ from_issuer_subject_key_identifier(ski_ext)
+ assert ext.value == aki
+
+ # Here's what we actually documented and want to do
aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
- ski
+ ski_ext.value
)
assert ext.value == aki
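Review bot: The documented call at the end of the hunk is checked only for equality, so the test would still pass if the SubjectKeyIdentifier path also emitted the deprecation warning. Running that second call under `with warnings.catch_warnings():` with `warnings.simplefilter("error")` would pin the warning to the Extension path only, assuming `warnings` is imported in this test module. A further case that passes an unrelated object and expects an exception would fix the behaviour for unsupported argument types. The test function begins outside the hunk.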