Start moving everything to the new API
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index 01e6128..333bef0 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -25,7 +25,8 @@
)
from cryptography.hazmat.backends.interfaces import (
CMACBackend, CipherBackend, DSABackend, EllipticCurveBackend, HMACBackend,
- HashBackend, PBKDF2HMACBackend, PKCS8SerializationBackend, RSABackend,
+ HashBackend, PBKDF2HMACBackend, PEMSerializationBackend,
+ PKCS8SerializationBackend, RSABackend,
TraditionalOpenSSLSerializationBackend
)
from cryptography.hazmat.backends.openssl.ciphers import (
@@ -74,6 +75,7 @@
@utils.register_interface(PKCS8SerializationBackend)
@utils.register_interface(RSABackend)
@utils.register_interface(TraditionalOpenSSLSerializationBackend)
+@utils.register_interface(PEMSerializationBackend)
class Backend(object):
"""
OpenSSL API binding interfaces.
@@ -770,12 +772,7 @@
def create_cmac_ctx(self, algorithm):
return _CMACContext(self, algorithm)
- def load_traditional_openssl_pem_private_key(self, data, password):
- # OpenSSLs API for loading PKCS#8 certs can also load the traditional
- # format so we just use that for both of them.
- return self.load_pkcs8_pem_private_key(data, password)
-
- def load_pkcs8_pem_private_key(self, data, password):
+ def load_pem_private_key(self, data, password):
return self._load_key(
self._lib.PEM_read_bio_PrivateKey,
self._evp_pkey_to_private_key,
@@ -783,6 +780,9 @@
password,
)
+ load_traditional_openssl_pem_private_key = load_pkcs8_pem_private_key = \
+ load_pem_private_key
+
def _load_key(self, openssl_read_func, convert_func, data, password):
mem_bio = self._bytes_to_bio(data)
diff --git a/cryptography/hazmat/primitives/serialization.py b/cryptography/hazmat/primitives/serialization.py
index 55b8640..cf1ca8e 100644
--- a/cryptography/hazmat/primitives/serialization.py
+++ b/cryptography/hazmat/primitives/serialization.py
@@ -13,12 +13,34 @@
from __future__ import absolute_import, division, print_function
+import warnings
+
+from cryptography import utils
+
def load_pem_traditional_openssl_private_key(data, password, backend):
+ warnings.warn(
+ "load_pem_traditional_openssl_private_key is deprecated and will be "
+ "removed in a future version, use load_pem_private_key instead.",
+ utils.DeprecatedIn06,
+ stacklevel=2
+ )
+
return backend.load_traditional_openssl_pem_private_key(
data, password
)
def load_pem_pkcs8_private_key(data, password, backend):
+ warnings.warn(
+ "load_pem_pkcs8_private_key is deprecated and will be removed in a "
+ "future version, use load_pem_private_key instead.",
+ utils.DeprecatedIn06,
+ stacklevel=2
+ )
+
return backend.load_pkcs8_pem_private_key(data, password)
+
+
+def load_pem_private_key(data, password, backend):
+ return backend.load_pem_private_key(data, password)
diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst
index 5438c24..e18f8c8 100644
--- a/docs/hazmat/primitives/asymmetric/serialization.rst
+++ b/docs/hazmat/primitives/asymmetric/serialization.rst
@@ -45,8 +45,8 @@
>>> from cryptography.hazmat.backends import default_backend
>>> from cryptography.hazmat.primitives import interfaces
- >>> from cryptography.hazmat.primitives.serialization import load_pem_pkcs8_private_key
- >>> key = load_pem_pkcs8_private_key(pem_data, password=None, backend=default_backend())
+ >>> from cryptography.hazmat.primitives.serialization import load_pem_private_key
+ >>> key = load_pem_private_key(pem_data, password=None, backend=default_backend())
>>> if isinstance(key, interfaces.RSAPrivateKey):
... signature = sign_with_rsa_key(key, message)
... elif isinstance(key, interfaces.DSAPrivateKey):
@@ -54,6 +54,43 @@
... else:
... raise TypeError
+PEM
+~~~
+
+PEM is an encapsulation format, meaning keys in it can actually be any one of
+several formats, however these are all self-identifying, so you don't need to
+worry about this detail. PEM keys are recognizable because they all begin with
+``-----BEGIN {format}-----`` and end with ``-----END {format}-----``.
+
+.. function:: load_pem_private_key(data, password, backend):
+
+ .. versionadded:: 0.6
+
+ Deserialize a private key from PEM encoded data to one of the supported
+ asymmetric private key types.
+
+ :param bytes data: The PEM encoded key data.
+
+ :param bytes password: The password to use to decrypt the data. Should
+ be ``None`` if the private key is not encrypted.
+
+ :param backend: A
+ :class:`~cryptography.hazmat.backends.interfaces.PKCS8SerializationBackend`
+ provider.
+
+ :returns: A new instance of a private key.
+
+ :raises ValueError: If the PEM data could not be decrypted or if its
+ structure could not be decoded successfully.
+
+ :raises TypeError: If a ``password`` was given and the private key was
+ not encrypted. Or if the key was encrypted but no
+ password was supplied.
+
+ :raises UnsupportedAlgorithm: If the serialized key is of a type that
+ is not supported by the backend or if the key is encrypted with a
+ symmetric cipher that is not supported by the backend.
+
PKCS #8 Format
~~~~~~~~~~~~~~
@@ -72,6 +109,8 @@
Deserialize a private key from PEM encoded data to one of the supported
asymmetric private key types.
+ This has been deprecated in favor of :func:`load_pem_private_key`.
+
:param bytes data: The PEM encoded key data.
:param bytes password: The password to use to decrypt the data. Should
@@ -111,6 +150,8 @@
Deserialize a private key from PEM encoded data to one of the supported
asymmetric private key types.
+ This has been deprecated in favor of :func:`load_pem_private_key`.
+
:param bytes data: The PEM encoded key data.
:param bytes password: The password to use to decrypt the data. Should
diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py
index 30ac4f3..e960878 100644
--- a/tests/hazmat/primitives/test_serialization.py
+++ b/tests/hazmat/primitives/test_serialization.py
@@ -22,15 +22,33 @@
from cryptography.exceptions import _Reasons
from cryptography.hazmat.primitives import interfaces
from cryptography.hazmat.primitives.serialization import (
- load_pem_pkcs8_private_key, load_pem_traditional_openssl_private_key
+ load_pem_private_key, load_pem_pkcs8_private_key,
+ load_pem_traditional_openssl_private_key
)
from .utils import _check_rsa_private_numbers, load_vectors_from_file
from ...utils import raises_unsupported_algorithm
+@pytest.mark.pem_serialization
+class TestPEMSerialization(object):
+ def test_load_pem_rsa_private_key(self, backend):
+ key = load_vectors_from_file(
+ os.path.join(
+ "asymmetric", "Traditional_OpenSSL_Serialization", "key1.pem"),
+ lambda pemfile: load_pem_private_key(
+ pemfile.read().encode(), b"123456", backend
+ )
+ )
+
+ assert key
+ assert isinstance(key, interfaces.RSAPrivateKey)
+ if isinstance(key, interfaces.RSAPrivateKeyWithNumbers):
+ _check_rsa_private_numbers(key.private_numbers())
+
+
@pytest.mark.traditional_openssl_serialization
-class TestTraditionalOpenSSLSerialisation(object):
+class TestTraditionalOpenSSLSerialization(object):
@pytest.mark.parametrize(
("key_file", "password"),
[
@@ -252,7 +270,7 @@
@pytest.mark.pkcs8_serialization
-class TestPKCS8Serialisation(object):
+class TestPKCS8Serialization(object):
@pytest.mark.parametrize(
("key_file", "password"),
[