Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecate/remove all non-SSL APIs in pyOpenSSL #1321

Open
24 of 52 tasks
alex opened this issue Jul 20, 2024 · 4 comments
Open
24 of 52 tasks

Deprecate/remove all non-SSL APIs in pyOpenSSL #1321

alex opened this issue Jul 20, 2024 · 4 comments

Comments

@alex
Copy link
Member

alex commented Jul 20, 2024
edited
Loading

Motivation

pyOpenSSL has many APIs with poor designs that are entirely reliant on OpenSSL implementation details. For nearly all of these, pyca/cryptography has much better implementations with more thought out APIs.

Therefore, we would like to deprecate/remove anything besides SSL in pyOpenSSL (SSL has no equivalent in pyca/cryptography, nor is there is a path to adding one).

We've been doing this for a while already, but now we're filing an issue to actually track this in a systematic way.

Strategy

Most APIs can simply be deprecated and removed. In some cases, where SSL relies on these (e.g., PKey objects for private keys or X509 for certificates), we'll need to expand the SSL API to accept the pyca/cryptography versions of these objects (there are mostly already from_cryptography APIs we can keep around).

This also means we will not be adding any new API surface in these areas.

Status

Deprecations and Removals

  • rand
    • add, status
      • Deprecated
      • Removed
  • crypto
    • PKey, dump_publickey, dump_privatekey, load_publickey, load_privatekey
      • Replacement APIs
      • Deprecated
      • Removed
    • get_elliptic_curves, get_elliptic_curve
      • Replacement APIs
      • Deprecated
      • Removed
    • X509Name
      • Replacement APIs
      • Deprecated
      • Removed
    • X509Extension
      • Deprecated
      • Removed
    • X509Req, dump_certificate_request, load_certificate_request
      • Deprecated
      • Removed
    • X509, load_certificate, dump_certificate
      • Replacement APIs
      • Deprecated
      • Removed
    • X509Store, X509StoreContext
      • Decision about how to handle SSL integration
      • Deprecated
      • Removed
    • CRL, Revoked, dump_crl, load_crl
      • Deprecated
      • Removed
    • sign, verify
      • Deprecated
      • Removed

APIs needing to accept/return pyca/cryptography types

  • Context
    • use_certificate
    • add_extra_chain_cert
    • use_privatekey
    • set_tmp_ecdh
    • set_client_ca_list
    • add_client_ca
  • Connection
    • use_certificate
    • use_privatekey
    • get_client_ca_list
    • get_certificate
    • get_peer_certificate
    • get_peer_cert_chain
    • get_verified_chain
This was referenced Jul 26, 2024
Open
Merged
alex added a commit to alex/pyopenssl that referenced this issue Jul 27, 2024
@alex
Deprecate the rand module
825779e 
refs pyca#1321
mhils pushed a commit that referenced this issue Jul 27, 2024
@alex
Deprecate the rand module (#1325)
26d8a3c 
refs #1321
This was referenced Jul 28, 2024
Merged
Merged
Merged
Merged
This was referenced Aug 5, 2024
Merged
Merged
alex added a commit to alex/pyopenssl that referenced this issue Aug 6, 2024
@alex
Deprecate passing PKey instances to use_privatekey
8765c30 
Allow passing cryptography keys instead.

Refs pyca#1321
alex added a commit to alex/pyopenssl that referenced this issue Aug 6, 2024
@alex
Deprecate passing PKey instances to use_privatekey
6849f05 
Allow passing cryptography keys instead.

Refs pyca#1321
alex added a commit to alex/pyopenssl that referenced this issue Aug 6, 2024
@alex
Deprecate passing PKey instances to use_privatekey
ebf2edf 
Allow passing cryptography keys instead.

Refs pyca#1321
mhils pushed a commit that referenced this issue Aug 6, 2024
@alex
Deprecate passing PKey instances to use_privatekey (#1348)
b0cb4b4 
Allow passing cryptography keys instead.

Refs #1321
This was referenced Aug 9, 2024
Merged
Merged
Merged
Merged
@alex alex mentioned this issue Oct 26, 2024
Closed
@alex alex mentioned this issue Nov 16, 2024
Merged
@phlax
Copy link

phlax commented Nov 28, 2024

removing crypto has just broke gsutil - i suspect it will break a lot of other downstreams too

surely removing things like this would be better suited to a major (or at least minor) release rather than a patch release

@phlax
Copy link

phlax commented Nov 28, 2024

my bad - it was at least a minor release

@alex
Copy link
Member Author

alex commented Nov 28, 2024

@phlax If there's some action to be taken here, please file a separate bug. My read of the gsutil source is that it should work fine with these APIs removed in pyOpenSSL, because all the behavior has a 2nd implementation using pyca/cryptography.

@phlax
Copy link

phlax commented Nov 28, 2024

probs there is no action here - but posted as i suspect others will arrive here with same issue (i also opened a pr in gsutil to pin the dep)

ftr - since last release doing ...

pip install gsutil
gsutil ...

... is broke - pinning pyopenssl==24.2.1 fixes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alex @phlax