From 81233de59df126c8b21f359661f3204924c9d67b Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 4 May 2019 13:34:29 -0400 Subject: fix from_issuer_subject_key_identifier to take the right type (#4864) * fix from_issuer_subject_key_identifier to take the right type deprecate passing the old Extension wrapper object * don't use a try:except: * hilarious contortions to satisfy doc8 --- CHANGELOG.rst | 9 ++++++++- src/cryptography/utils.py | 1 + src/cryptography/x509/extensions.py | 16 +++++++++++++++- tests/x509/test_x509_ext.py | 11 +++++++++-- 4 files changed, 33 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index d6b3ac28..df1a1fea 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -16,7 +16,14 @@ Changelog when using OpenSSL 1.1.1 or newer. * Support serialization with ``Encoding.OpenSSH`` and ``PublicFormat.OpenSSH`` in - :meth:`Ed25519PublicKey.public_bytes `. + :meth:`Ed25519PublicKey.public_bytes + ` + . +* Correctly allow passing a ``SubjectKeyIdentifier`` to + :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier` + and deprecate passing an ``Extension`` object. The documentation always + required ``SubjectKeyIdentifier`` but the implementation previously + required an ``Extension``. .. _v2-6-1: diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index 18c2ab3b..0b36f637 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -23,6 +23,7 @@ class CryptographyDeprecationWarning(UserWarning): PersistentlyDeprecated2017 = CryptographyDeprecationWarning PersistentlyDeprecated2018 = CryptographyDeprecationWarning DeprecatedIn25 = CryptographyDeprecationWarning +DeprecatedIn27 = CryptographyDeprecationWarning def _check_bytes(name, value): diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index e64e09c5..d25131b8 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py 
@@ -8,6 +8,7 @@ import abc
 import datetime
 import hashlib
 import ipaddress
+import warnings
 from enum import Enum
 from asn1crypto.keys import PublicKeyInfo
@@ -188,8 +189,21 @@ class AuthorityKeyIdentifier(object):
     @classmethod
     def from_issuer_subject_key_identifier(cls, ski):
+        if isinstance(ski, SubjectKeyIdentifier):
+            digest = ski.digest
+        else:
+            digest = ski.value.digest
+            warnings.warn(
+                "Extension objects are deprecated as arguments to "
+                "from_issuer_subject_key_identifier and support will be "
+                "removed soon. Please migrate to passing a "
+                "SubjectKeyIdentifier directly.",
+                utils.DeprecatedIn27,
+                stacklevel=2,
+            )
+
         return cls(
-            key_identifier=ski.value.digest,
+            key_identifier=digest,
             authority_cert_issuer=None,
             authority_cert_serial_number=None
         )
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index ec618d9a..654bd13b 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -3196,11 +3196,18 @@ class TestAuthorityKeyIdentifierExtension(object):
         ext = cert.extensions.get_extension_for_oid(
             ExtensionOID.AUTHORITY_KEY_IDENTIFIER
         )
-        ski = issuer_cert.extensions.get_extension_for_class(
+        ski_ext = issuer_cert.extensions.get_extension_for_class(
             x509.SubjectKeyIdentifier
         )
+        # This was the incorrect arg we want to deprecate and remove
+        with pytest.warns(utils.CryptographyDeprecationWarning):
+            aki = x509.AuthorityKeyIdentifier.\ from_issuer_subject_key_identifier(ski_ext)
+            assert ext.value == aki
+
+        # Here's what we actually documented and want to do
         aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
-            ski
+            ski_ext.value
         )
         assert ext.value == aki
-- cgit v1.2.3
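Review bot: The fallback branch in from_issuer_subject_key_identifier duck-types on `.value.digest` rather than on the Extension wrapper it is deprecating, so an `Extension` carrying a different extension type, or any unrelated object, reaches `digest = ski.value.digest` and either fails with an unspecific AttributeError or, if the object happens to expose such an attribute, yields an AuthorityKeyIdentifier built from a digest nobody checked came from a SubjectKeyIdentifier. Since the deprecation is meant to narrow the accepted input, gate the legacy path on that type and reject everything else explicitly: replace `else:` with `elif isinstance(ski, Extension) and isinstance(ski.value, SubjectKeyIdentifier):`, keep the digest and warnings.warn lines under it, and finish with `else:` / `raise TypeError("ski must be a SubjectKeyIdentifier")`. That also makes a wrong argument fail deliberately instead of through an attribute lookup that happens before the warning is emitted. The tests/x509/test_x509_ext.py hunk exercises both accepted forms but adds no case for a rejected type; the AuthorityKeyIdentifier class body continues outside this hunk.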