-rw-r--r-- | CHANGELOG.rst | 9 | ||||
-rw-r--r-- | src/cryptography/utils.py | 1 | ||||
-rw-r--r-- | src/cryptography/x509/extensions.py | 16 | ||||
-rw-r--r-- | tests/x509/test_x509_ext.py | 11 |
4 files changed, 33 insertions, 4 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index d6b3ac28..df1a1fea 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,7 +16,14 @@ Changelog
 when using OpenSSL 1.1.1 or newer.
 * Support serialization with ``Encoding.OpenSSH`` and ``PublicFormat.OpenSSH`` in
- :meth:`Ed25519PublicKey.public_bytes <cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.public_bytes>`.
+ :meth:`Ed25519PublicKey.public_bytes
+ <cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.public_bytes>`
+ .
+* Correctly allow passing a ``SubjectKeyIdentifier`` to
+ :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`
+ and deprecate passing an ``Extension`` object. The documentation always
+ required ``SubjectKeyIdentifier`` but the implementation previously
+ required an ``Extension``.
 .. _v2-6-1:
diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
index 18c2ab3b..0b36f637 100644
--- a/src/cryptography/utils.py
+++ b/src/cryptography/utils.py
@@ -23,6 +23,7 @@ class CryptographyDeprecationWarning(UserWarning):
 PersistentlyDeprecated2017 = CryptographyDeprecationWarning
 PersistentlyDeprecated2018 = CryptographyDeprecationWarning
 DeprecatedIn25 = CryptographyDeprecationWarning
+DeprecatedIn27 = CryptographyDeprecationWarning
 def _check_bytes(name, value):
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index e64e09c5..d25131b8 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -8,6 +8,7 @@ import abc
 import datetime
 import hashlib
 import ipaddress
+import warnings
 from enum import Enum
 from asn1crypto.keys import PublicKeyInfo 
@@ -188,8 +189,21 @@ class AuthorityKeyIdentifier(object):
 @classmethod
 def from_issuer_subject_key_identifier(cls, ski):
+ if isinstance(ski, SubjectKeyIdentifier):
+ digest = ski.digest
+ else:
+ digest = ski.value.digest
+ warnings.warn(
+ "Extension objects are deprecated as arguments to "
+ "from_issuer_subject_key_identifier and support will be "
+ "removed soon. Please migrate to passing a "
+ "SubjectKeyIdentifier directly.",
+ utils.DeprecatedIn27,
+ stacklevel=2,
+ )
+
 return cls(
- key_identifier=ski.value.digest,
+ key_identifier=digest,
 authority_cert_issuer=None,
 authority_cert_serial_number=None
 )
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index ec618d9a..654bd13b 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -3196,11 +3196,18 @@ class TestAuthorityKeyIdentifierExtension(object):
 ext = cert.extensions.get_extension_for_oid(
 ExtensionOID.AUTHORITY_KEY_IDENTIFIER
 )
- ski = issuer_cert.extensions.get_extension_for_class(
+ ski_ext = issuer_cert.extensions.get_extension_for_class(
 x509.SubjectKeyIdentifier
 )
+ # This was the incorrect arg we want to deprecate and remove
+ with pytest.warns(utils.CryptographyDeprecationWarning):
+ aki = x509.AuthorityKeyIdentifier.\
+ from_issuer_subject_key_identifier(ski_ext)
+ assert ext.value == aki
+
+ # Here's what we actually documented and want to do
 aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
- ski
+ ski_ext.value
 )
 assert ext.value == aki |
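Review bot: The fallback branch in from_issuer_subject_key_identifier reaches for `ski.value.digest` on anything that is not a SubjectKeyIdentifier, so a caller who passes the wrong object (an Extension wrapping some other extension type, or a bare digest) gets an AttributeError from inside the method rather than a clear TypeError naming the accepted types. Since the point of the change is to pin down what the method accepts, I would narrow the deprecated path to `elif isinstance(ski, Extension) and isinstance(ski.value, SubjectKeyIdentifier):` and follow it with `else: raise TypeError("ski must be a SubjectKeyIdentifier")`, so the warning is only emitted for the one legacy shape that actually works. A one-line docstring saying the method takes the issuer's SubjectKeyIdentifier and that passing the Extension wrapper is deprecated would also help, because right now the deprecation is visible only in the warning text. The enclosing class AuthorityKeyIdentifier starts outside the hunk.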
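Review bot: The deprecated-path call inside the new `with pytest.warns(...)` block is split with a backslash continuation (`aki = x509.AuthorityKeyIdentifier.\`), whereas the documented-path call a few lines below wraps inside parentheses; writing the first call the same way, `aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(` / `ski_ext` / `)`, keeps the two cases visually parallel and avoids the fragile trailing backslash. Separately, nothing in the hunk exercises a wrongly typed argument, so the behaviour of the new fallback for anything other than an Extension is unpinned; a `pytest.raises` case for a bare bytes digest would lock that in once the implementation settles on which exception it raises. The enclosing test method starts outside the hunk.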