From 1a5d70e876346653b3dfa2a95f188ef0eb92bd7d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 3 Jun 2017 17:11:55 -1000 Subject: deprecate signer/verifier on asymmetric keys (#3663) * deprecate signer/verifier on asymmetric keys * review feedback, switch deprecated_call to work around a bug
---
src/cryptography/hazmat/backends/openssl/dsa.py | 5 ++++- src/cryptography/hazmat/backends/openssl/ec.py | 5 ++++- src/cryptography/hazmat/backends/openssl/rsa.py | 5 ++++- src/cryptography/hazmat/backends/openssl/utils.py | 12 ++++++++++++ 4 files changed, 24 insertions(+), 3 deletions(-) (limited to 'src')
diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py
index c2223250..48886e45 100644
--- a/src/cryptography/hazmat/backends/openssl/dsa.py
+++ b/src/cryptography/hazmat/backends/openssl/dsa.py
@@ -7,7 +7,8 @@ from __future__ import absolute_import, division, print_function
 from cryptography import utils
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.backends.openssl.utils import (
- _calculate_digest_and_algorithm, _check_not_prehashed
+ _calculate_digest_and_algorithm, _check_not_prehashed,
+ _warn_sign_verify_deprecated
 )
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import (
@@ -121,6 +122,7 @@ class _DSAPrivateKey(object):
 key_size = utils.read_only_property("_key_size")
 def signer(self, signature_algorithm):
+ _warn_sign_verify_deprecated()
 _check_not_prehashed(signature_algorithm)
 return _DSASignatureContext(self._backend, self, signature_algorithm)
@@ -208,6 +210,7 @@ class _DSAPublicKey(object):
 key_size = utils.read_only_property("_key_size")
 def verifier(self, signature, signature_algorithm):
+ _warn_sign_verify_deprecated()
 if not isinstance(signature, bytes):
 raise TypeError("signature must be bytes.")
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py
index b70735dc..69da2344 100644
--- a/src/cryptography/hazmat/backends/openssl/ec.py
+++ b/src/cryptography/hazmat/backends/openssl/ec.py
@@ -9,7 +9,8 @@ from cryptography.exceptions import (
 InvalidSignature, UnsupportedAlgorithm, _Reasons
 )
 from cryptography.hazmat.backends.openssl.utils import (
- _calculate_digest_and_algorithm, _check_not_prehashed
+ _calculate_digest_and_algorithm, _check_not_prehashed,
+ _warn_sign_verify_deprecated
 )
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import (
@@ -140,6 +141,7 @@ class _EllipticCurvePrivateKey(object):
 return self.curve.key_size
 def signer(self, signature_algorithm):
+ _warn_sign_verify_deprecated()
 _check_signature_algorithm(signature_algorithm)
 _check_not_prehashed(signature_algorithm.algorithm)
 return _ECDSASignatureContext(
@@ -241,6 +243,7 @@ class _EllipticCurvePublicKey(object):
 return self.curve.key_size
 def verifier(self, signature, signature_algorithm):
+ _warn_sign_verify_deprecated()
 if not isinstance(signature, bytes):
 raise TypeError("signature must be bytes.")
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index fdde4589..839ef147 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -11,7 +11,8 @@ from cryptography.exceptions import (
 InvalidSignature, UnsupportedAlgorithm, _Reasons
 )
 from cryptography.hazmat.backends.openssl.utils import (
- _calculate_digest_and_algorithm, _check_not_prehashed
+ _calculate_digest_and_algorithm, _check_not_prehashed,
+ _warn_sign_verify_deprecated
 )
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import (
@@ -378,6 +379,7 @@ class _RSAPrivateKey(object):
 key_size = utils.read_only_property("_key_size")
 def signer(self, padding, algorithm):
+ _warn_sign_verify_deprecated()
 _check_not_prehashed(algorithm)
 return _RSASignatureContext(self._backend, self, padding, algorithm)
@@ -472,6 +474,7 @@ class _RSAPublicKey(object):
 key_size = utils.read_only_property("_key_size")
 def verifier(self, signature, padding, algorithm):
+ _warn_sign_verify_deprecated()
 if not isinstance(signature, bytes):
 raise TypeError("signature must be bytes.")
diff --git a/src/cryptography/hazmat/backends/openssl/utils.py b/src/cryptography/hazmat/backends/openssl/utils.py
index f71a62a5..ff1b9745 100644
--- a/src/cryptography/hazmat/backends/openssl/utils.py
+++ b/src/cryptography/hazmat/backends/openssl/utils.py
@@ -4,6 +4,9 @@
 from __future__ import absolute_import, division, print_function
+import warnings
+
+from cryptography import utils
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
@@ -31,3 +34,12 @@ def _check_not_prehashed(signature_algorithm):
 "Prehashed is only supported in the sign and verify methods. "
 "It cannot be used with signer or verifier."
 )
+
+
+def _warn_sign_verify_deprecated():
+ warnings.warn(
+ "signer and verifier have been deprecated. Please use sign "
+ "and verify instead.",
+ utils.PersistentlyDeprecated,
+ stacklevel=2
+ )
-- cgit v1.2.3
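Review bot: `stacklevel=2` in `_warn_sign_verify_deprecated()` (last hunk, utils.py) attributes the warning to the frame that calls the helper, which is `signer()`/`verifier()` inside the backend modules dsa.py, ec.py and rsa.py, not the application code that still uses the deprecated API. Because the `warnings` module filters and deduplicates by the reported module and line, a project with many call sites would see the library line reported rather than each of its own, which makes the remaining `signer`/`verifier` uses harder to locate and migrate to `sign`/`verify`. The helper adds one frame, so `stacklevel=3` would point at the caller of `signer()`/`verifier()`. How visible the warning is by default also depends on which category `utils.PersistentlyDeprecated` is; that is defined outside this diff.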