Removed the deprecated md5 default on CRL.export() (#652)
* Removed the deprecated md5 default on CRL.export()
* Doh
* unused import
* fixed tests
* last one
* py3k!!!!!
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 2725eb8..035d561 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -15,6 +15,9 @@
- Removed the deprecated ``OpenSSL.rand.egd()`` function.
Applications should prefer ``os.urandom()`` for random number generation.
`#630 <https://github.com/pyca/pyopenssl/pull/630>`_
+- Removed the deprecated default ``digest`` argument to ``OpenSSL.crypto.CRL.export()``.
+ Callers must now always pass an explicit ``digest``.
+ `#652 <https://github.com/pyca/pyopenssl/pull/652>`_
- Fixed a bug with ``ASN1_TIME`` casting in ``X509.set_notBefore()``,
``X509.set_notAfter()``, ``Revoked.set_rev_date()``, ``Revoked.set_nextUpdate()``,
and ``Revoked.set_lastUpdate()``. You must now pass times in the form
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index e58a455..20cf183 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -3,7 +3,6 @@
from base64 import b16encode
from functools import partial
from operator import __eq__, __ne__, __lt__, __le__, __gt__, __ge__
-from warnings import warn as _warn
from six import (
integer_types as _integer_types,
@@ -2221,13 +2220,7 @@
raise TypeError("type must be an integer")
if digest is _UNSPECIFIED:
- _warn(
- "The default message digest (md5) is deprecated. "
- "Pass the name of a message digest explicitly.",
- category=DeprecationWarning,
- stacklevel=2,
- )
- digest = b"md5"
+ raise TypeError("digest must be provided")
digest_obj = _lib.EVP_get_digestbyname(digest)
if digest_obj == _ffi.NULL:
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index 916186b..4b99bd9 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -3181,7 +3181,9 @@
"""
crl = self._get_crl()
# PEM format
- dumped_crl = crl.export(self.cert, self.pkey, days=20)
+ dumped_crl = crl.export(
+ self.cert, self.pkey, days=20, digest=b"sha256"
+ )
text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
# These magic values are based on the way the CRL above was constructed
@@ -3201,7 +3203,9 @@
crl = self._get_crl()
# DER format
- dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1)
+ dumped_crl = crl.export(
+ self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
+ )
text = _runopenssl(
dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
)
@@ -3219,13 +3223,17 @@
"""
crl = self._get_crl()
- dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1)
+ dumped_crl = crl.export(
+ self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
+ )
text = _runopenssl(
dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
)
# text format
- dumped_text = crl.export(self.cert, self.pkey, type=FILETYPE_TEXT)
+ dumped_text = crl.export(
+ self.cert, self.pkey, type=FILETYPE_TEXT, digest=b"md5"
+ )
assert text == dumped_text
def test_export_custom_digest(self):
@@ -3253,20 +3261,12 @@
def test_export_default_digest(self):
"""
- If not passed the name of a digest function, ``CRL.export`` uses a
- signature algorithm based on MD5 and emits a deprecation warning.
+ If not passed the name of a digest function, ``CRL.export`` raises a
+ ``TypeError``.
"""
crl = self._get_crl()
- with pytest.warns(None) as catcher:
- simplefilter("always")
- dumped_crl = crl.export(self.cert, self.pkey)
- assert (
- "The default message digest (md5) is deprecated. "
- "Pass the name of a message digest explicitly." ==
- str(catcher[0].message)
- )
- text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
- text.index(b'Signature Algorithm: md5')
+ with pytest.raises(TypeError):
+ crl.export(self.cert, self.pkey)
def test_export_invalid(self):
"""
@@ -3275,7 +3275,7 @@
"""
crl = CRL()
with pytest.raises(Error):
- crl.export(X509(), PKey())
+ crl.export(X509(), PKey(), digest=b"sha256")
def test_add_revoked_keyword(self):
"""
@@ -3313,7 +3313,7 @@
"""
crl = CRL()
with pytest.raises(ValueError):
- crl.export(self.cert, self.pkey, 100, 10)
+ crl.export(self.cert, self.pkey, 100, 10, digest=b"sha256")
def test_export_unknown_digest(self):
"""