remove signer/verifier as they've been deprecated for 4.25 years (#6639)

* remove signer/verifier as they've been deprecated for 4.25 years

* fix coverage

CHANGELOG.rst

@@ -10,6 +10,10 @@ Changelog
 
 * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x.
   The new minimum LibreSSL version is 3.1+.
+* **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods
+  from the public key and private key classes. These methods were originally
+  deprecated in version 2.0, but had an extended deprecation timeline due
+  to usage. Any remaining users should transition to ``sign`` and ``verify``.
 * Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by
   the OpenSSL project. Support for compiling with OpenSSL 1.1.0 will be
   removed in a future release.
@@ -25,7 +29,7 @@ Changelog
 ~~~~~~~~~~~~~~~~~~~
 
 * **FINAL DEPRECATION** Support for ``verifier`` and ``signer`` on our
-  asymmetric key classes was deprecated in version 2.1. These functions had an
+  asymmetric key classes was deprecated in version 2.0. These functions had an
   extended deprecation due to usage, however the next version of
   ``cryptography`` will drop support. Users should migrate to ``sign`` and
   ``verify``.

src/cryptography/hazmat/backends/openssl/dsa.py

@@ -5,17 +5,12 @@
 
 import typing
 
-from cryptography import utils
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.backends.openssl.utils import (
     _calculate_digest_and_algorithm,
-    _check_not_prehashed,
-    _warn_sign_verify_deprecated,
 )
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import (
-    AsymmetricSignatureContext,
-    AsymmetricVerificationContext,
     dsa,
     utils as asym_utils,
 )
@@ -49,46 +44,6 @@ def _dsa_sig_verify(backend, public_key, signature, data):
         raise InvalidSignature
 
 
-class _DSAVerificationContext(AsymmetricVerificationContext):
-    def __init__(self, backend, public_key, signature, algorithm):
-        self._backend = backend
-        self._public_key = public_key
-        self._signature = signature
-        self._algorithm = algorithm
-
-        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
-
-    def update(self, data: bytes):
-        self._hash_ctx.update(data)
-
-    def verify(self) -> None:
-        data_to_verify = self._hash_ctx.finalize()
-
-        _dsa_sig_verify(
-            self._backend, self._public_key, self._signature, data_to_verify
-        )
-
-
-class _DSASignatureContext(AsymmetricSignatureContext):
-    def __init__(
-        self,
-        backend,
-        private_key: dsa.DSAPrivateKey,
-        algorithm: hashes.HashAlgorithm,
-    ):
-        self._backend = backend
-        self._private_key = private_key
-        self._algorithm = algorithm
-        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
-
-    def update(self, data: bytes) -> None:
-        self._hash_ctx.update(data)
-
-    def finalize(self) -> bytes:
-        data_to_sign = self._hash_ctx.finalize()
-        return _dsa_sig_sign(self._backend, self._private_key, data_to_sign)
-
-
 class _DSAParameters(dsa.DSAParameters):
     def __init__(self, backend, dsa_cdata):
         self._backend = backend
@@ -129,13 +84,6 @@ def __init__(self, backend, dsa_cdata, evp_pkey):
     def key_size(self) -> int:
         return self._key_size
 
-    def signer(
-        self, signature_algorithm: hashes.HashAlgorithm
-    ) -> AsymmetricSignatureContext:
-        _warn_sign_verify_deprecated()
-        _check_not_prehashed(signature_algorithm)
-        return _DSASignatureContext(self._backend, self, signature_algorithm)
-
     def private_numbers(self) -> dsa.DSAPrivateNumbers:
         p = self._backend._ffi.new("BIGNUM **")
         q = self._backend._ffi.new("BIGNUM **")
@@ -230,19 +178,6 @@ def __init__(self, backend, dsa_cdata, evp_pkey):
     def key_size(self) -> int:
         return self._key_size
 
-    def verifier(
-        self,
-        signature: bytes,
-        signature_algorithm: hashes.HashAlgorithm,
-    ) -> AsymmetricVerificationContext:
-        _warn_sign_verify_deprecated()
-        utils._check_bytes("signature", signature)
-
-        _check_not_prehashed(signature_algorithm)
-        return _DSAVerificationContext(
-            self._backend, self, signature, signature_algorithm
-        )
-
     def public_numbers(self) -> dsa.DSAPublicNumbers:
         p = self._backend._ffi.new("BIGNUM **")
         q = self._backend._ffi.new("BIGNUM **")

src/cryptography/hazmat/backends/openssl/ec.py

@@ -3,24 +3,17 @@
 # for complete details.
 
 
-from cryptography import utils
 from cryptography.exceptions import (
     InvalidSignature,
     UnsupportedAlgorithm,
     _Reasons,
 )
 from cryptography.hazmat.backends.openssl.utils import (
     _calculate_digest_and_algorithm,
-    _check_not_prehashed,
     _evp_pkey_derive,
-    _warn_sign_verify_deprecated,
-)
-from cryptography.hazmat.primitives import hashes, serialization
-from cryptography.hazmat.primitives.asymmetric import (
-    AsymmetricSignatureContext,
-    AsymmetricVerificationContext,
-    ec,
 )
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import ec
 
 
 def _check_signature_algorithm(
@@ -107,49 +100,6 @@ def _ecdsa_sig_verify(backend, public_key, signature, data):
         raise InvalidSignature
 
 
-class _ECDSASignatureContext(AsymmetricSignatureContext):
-    def __init__(
-        self,
-        backend,
-        private_key: ec.EllipticCurvePrivateKey,
-        algorithm: hashes.HashAlgorithm,
-    ):
-        self._backend = backend
-        self._private_key = private_key
-        self._digest = hashes.Hash(algorithm, backend)
-
-    def update(self, data: bytes) -> None:
-        self._digest.update(data)
-
-    def finalize(self) -> bytes:
-        digest = self._digest.finalize()
-
-        return _ecdsa_sig_sign(self._backend, self._private_key, digest)
-
-
-class _ECDSAVerificationContext(AsymmetricVerificationContext):
-    def __init__(
-        self,
-        backend,
-        public_key: ec.EllipticCurvePublicKey,
-        signature: bytes,
-        algorithm: hashes.HashAlgorithm,
-    ):
-        self._backend = backend
-        self._public_key = public_key
-        self._signature = signature
-        self._digest = hashes.Hash(algorithm, backend)
-
-    def update(self, data: bytes) -> None:
-        self._digest.update(data)
-
-    def verify(self) -> None:
-        digest = self._digest.finalize()
-        _ecdsa_sig_verify(
-            self._backend, self._public_key, self._signature, digest
-        )
-
-
 class _EllipticCurvePrivateKey(ec.EllipticCurvePrivateKey):
     def __init__(self, backend, ec_key_cdata, evp_pkey):
         self._backend = backend
@@ -168,18 +118,6 @@ def curve(self) -> ec.EllipticCurve:
     def key_size(self) -> int:
         return self.curve.key_size
 
-    def signer(
-        self, signature_algorithm: ec.EllipticCurveSignatureAlgorithm
-    ) -> AsymmetricSignatureContext:
-        _warn_sign_verify_deprecated()
-        _check_signature_algorithm(signature_algorithm)
-        _check_not_prehashed(signature_algorithm.algorithm)
-        # This assert is to help mypy realize what type this object holds
-        assert isinstance(signature_algorithm.algorithm, hashes.HashAlgorithm)
-        return _ECDSASignatureContext(
-            self._backend, self, signature_algorithm.algorithm
-        )
-
     def exchange(
         self, algorithm: ec.ECDH, peer_public_key: ec.EllipticCurvePublicKey
     ) -> bytes:
@@ -272,22 +210,6 @@ def curve(self) -> ec.EllipticCurve:
     def key_size(self) -> int:
         return self.curve.key_size
 
-    def verifier(
-        self,
-        signature: bytes,
-        signature_algorithm: ec.EllipticCurveSignatureAlgorithm,
-    ) -> AsymmetricVerificationContext:
-        _warn_sign_verify_deprecated()
-        utils._check_bytes("signature", signature)
-
-        _check_signature_algorithm(signature_algorithm)
-        _check_not_prehashed(signature_algorithm.algorithm)
-        # This assert is to help mypy realize what type this object holds
-        assert isinstance(signature_algorithm.algorithm, hashes.HashAlgorithm)
-        return _ECDSAVerificationContext(
-            self._backend, self, signature, signature_algorithm.algorithm
-        )
-
     def public_numbers(self) -> ec.EllipticCurvePublicNumbers:
         get_func, group = self._backend._ec_key_determine_group_get_func(
             self._ec_key
@@ -366,6 +288,6 @@ def verify(
         data, algorithm = _calculate_digest_and_algorithm(
             self._backend,
             data,
-            signature_algorithm._algorithm,  # type: ignore[attr-defined]
+            signature_algorithm.algorithm,
         )
         _ecdsa_sig_verify(self._backend, self, signature, data)

src/cryptography/hazmat/backends/openssl/rsa.py

@@ -5,7 +5,6 @@
 
 import typing
 
-from cryptography import utils
 from cryptography.exceptions import (
     InvalidSignature,
     UnsupportedAlgorithm,
@@ -14,12 +13,9 @@
 from cryptography.hazmat.backends.openssl.utils import (
     _calculate_digest_and_algorithm,
     _check_not_prehashed,
-    _warn_sign_verify_deprecated,
 )
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import (
-    AsymmetricSignatureContext,
-    AsymmetricVerificationContext,
     utils as asym_utils,
 )
 from cryptography.hazmat.primitives.asymmetric.padding import (
@@ -316,74 +312,6 @@ def _rsa_sig_recover(backend, padding, algorithm, public_key, signature):
     return resbuf
 
 
-class _RSASignatureContext(AsymmetricSignatureContext):
-    def __init__(
-        self,
-        backend,
-        private_key: RSAPrivateKey,
-        padding: AsymmetricPadding,
-        algorithm: hashes.HashAlgorithm,
-    ):
-        self._backend = backend
-        self._private_key = private_key
-
-        # We now call _rsa_sig_determine_padding in _rsa_sig_setup. However
-        # we need to make a pointless call to it here so we maintain the
-        # API of erroring on init with this context if the values are invalid.
-        _rsa_sig_determine_padding(backend, private_key, padding, algorithm)
-        self._padding = padding
-        self._algorithm = algorithm
-        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
-
-    def update(self, data: bytes) -> None:
-        self._hash_ctx.update(data)
-
-    def finalize(self) -> bytes:
-        return _rsa_sig_sign(
-            self._backend,
-            self._padding,
-            self._algorithm,
-            self._private_key,
-            self._hash_ctx.finalize(),
-        )
-
-
-class _RSAVerificationContext(AsymmetricVerificationContext):
-    def __init__(
-        self,
-        backend,
-        public_key: RSAPublicKey,
-        signature: bytes,
-        padding: AsymmetricPadding,
-        algorithm: hashes.HashAlgorithm,
-    ):
-        self._backend = backend
-        self._public_key = public_key
-        self._signature = signature
-        self._padding = padding
-        # We now call _rsa_sig_determine_padding in _rsa_sig_setup. However
-        # we need to make a pointless call to it here so we maintain the
-        # API of erroring on init with this context if the values are invalid.
-        _rsa_sig_determine_padding(backend, public_key, padding, algorithm)
-
-        padding = padding
-        self._algorithm = algorithm
-        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
-
-    def update(self, data: bytes) -> None:
-        self._hash_ctx.update(data)
-
-    def verify(self) -> None:
-        return _rsa_sig_verify(
-            self._backend,
-            self._padding,
-            self._algorithm,
-            self._public_key,
-            self._signature,
-            self._hash_ctx.finalize(),
-        )
-
-
 class _RSAPrivateKey(RSAPrivateKey):
     def __init__(self, backend, rsa_cdata, evp_pkey, _skip_check_key):
         # RSA_check_key is slower in OpenSSL 3.0.0 due to improved
@@ -420,13 +348,6 @@ def __init__(self, backend, rsa_cdata, evp_pkey, _skip_check_key):
     def key_size(self) -> int:
         return self._key_size
 
-    def signer(
-        self, padding: AsymmetricPadding, algorithm: hashes.HashAlgorithm
-    ) -> AsymmetricSignatureContext:
-        _warn_sign_verify_deprecated()
-        _check_not_prehashed(algorithm)
-        return _RSASignatureContext(self._backend, self, padding, algorithm)
-
     def decrypt(self, ciphertext: bytes, padding: AsymmetricPadding) -> bytes:
         key_size_bytes = (self.key_size + 7) // 8
         if key_size_bytes != len(ciphertext):
@@ -523,20 +444,6 @@ def __init__(self, backend, rsa_cdata, evp_pkey):
     def key_size(self) -> int:
         return self._key_size
 
-    def verifier(
-        self,
-        signature: bytes,
-        padding: AsymmetricPadding,
-        algorithm: hashes.HashAlgorithm,
-    ) -> AsymmetricVerificationContext:
-        _warn_sign_verify_deprecated()
-        utils._check_bytes("signature", signature)
-
-        _check_not_prehashed(algorithm)
-        return _RSAVerificationContext(
-            self._backend, self, signature, padding, algorithm
-        )
-
     def encrypt(self, plaintext: bytes, padding: AsymmetricPadding) -> bytes:
         return _enc_dec_rsa(self._backend, self, plaintext, padding)