deprecate signer/verifier on asymmetric keys #3663
@reaperhulk, thanks for your PR! By analyzing the history of the files in this pull request, we identified @alex, @public and @gorisaka to be potential reviewers.
|
||
.. doctest:: | ||
|
||
>>> public_key = private_key.public_key() |
Drop this assignment, we already have a public_key
|
||
.. doctest:: | ||
|
||
>>> public_key = private_key.public_key() |
same
|
||
.. doctest:: | ||
|
||
>>> public_key = private_key.public_key() |
once more, with feeling!
src/cryptography/utils.py
Outdated
# Asymmetric signature and verification contexts were deprecated in 2.0 | ||
# However they are widely used and we will obey a longer than normal | ||
# deprecation cycle for them. | ||
PersistentlyDeprecatedIn20 = PendingDeprecationWarning |
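Review bot: the comment above `PersistentlyDeprecatedIn20` says the signature and verification contexts are deprecated but not what callers should use instead; add a line naming the replacement so the alias documents the migration path. The first sentence also runs straight into "However" with no full stop after "2.0".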
Is there a reason not to use the same `PersistentlyDeprecated` class, or is your expectation that we'll migrate to them once this switches from `Pending` to regular?
My main thinking was that it's useful to know at what point we persistently deprecated something. By grouping the persistent deprecations we have to look at the repository history or changelog to know how long it's been. Having written those words I think I'm going to just use `PersistentlyDeprecated` though, because looking at the changelog is not a burden.
I don't know how to write a test that catches this deprecation warning actually. It happens once and then is suppressed after that, but we also run a random test order job so we can't introduce an order dependent test.
I'm very confused, I would have expected the code as written to work.
I can't reproduce this except in our tests (which I got down to two calls to
Meaning if you copy the tests out of our overall suite, into its own suite, you still can't reproduce?
This reproduces it in its own file:

```python
import pytest

from cryptography.hazmat.backends.openssl.backend import backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def test_signer_deprecated():
    private_key = rsa.generate_private_key(65537, 512, backend)
    private_key.signer(
        padding.PKCS1v15(),
        hashes.SHA1()
    )


def test_signer_check_deprecated():
    private_key = rsa.generate_private_key(65537, 512, backend)
    with pytest.deprecated_call():
        private_key.signer(
            padding.PKCS1v15(),
            hashes.SHA1()
        )
```
Notably if you put the contextmanager around the first call then it all works.
Interesting! And what happens if you replace
It works then:

```python
import warnings

import pytest

from cryptography.hazmat.backends.openssl.backend import backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def warn_me():
    warnings.warn("deprecated", PendingDeprecationWarning, stacklevel=2)


def test_signer_deprecated():
    private_key = rsa.generate_private_key(65537, 512, backend)
    private_key.signer(
        padding.PKCS1v15(),
        hashes.SHA1()
    )


def test_signer_check_deprecated():
    private_key = rsa.generate_private_key(65537, 512, backend)
    with pytest.deprecated_call():
        private_key.signer(
            padding.PKCS1v15(),
            hashes.SHA1()
        )


def test_warn_me():
    warn_me()


def test_warn_me_check_deprecated():
    with pytest.deprecated_call():
        warn_me()
```

So the output of that set of tests is:
wat. Does this mean that somewhere in the test suite there's a
There's a ton of those actually (we call signer/verifier...a lot). But here's a minimal reproducer!

```python
import warnings

import pytest


def warn_me():
    warnings.warn("deprecated", PendingDeprecationWarning, stacklevel=2)


def i_call_warn_me():
    warn_me()


def test_warn_me():
    i_call_warn_me()


def test_warn_me_check_deprecated():
    with pytest.deprecated_call():
        i_call_warn_me()
```
So.... wtf. File a pytest bug I guess?
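The once-per-location suppression mentioned in the thread ("It happens once and then is suppressed after that"), reproduced with only the standard library, together with a check that does not depend on test order. This is an added example, not code from the PR or from pytest; `count_recorded` and `assert_warns_regardless_of_order` are hypothetical helper names, and it assumes a current Python 3 interpreter.

```python
import warnings


def warn_me():
    # stacklevel=2 attributes the warning to the caller's line, as in the thread.
    warnings.warn("deprecated", PendingDeprecationWarning, stacklevel=2)


def i_call_warn_me():
    warn_me()


def count_recorded(action, calls=2):
    """Call i_call_warn_me() `calls` times under filter `action`; count recorded warnings."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter(action)
        for _ in range(calls):
            i_call_warn_me()
    return sum(issubclass(w.category, PendingDeprecationWarning) for w in caught)


def assert_warns_regardless_of_order(func):
    """Order-independent check (hypothetical helper).

    The "always" action never marks the call site as already seen, and on
    current Python 3 entering catch_warnings and changing the filters
    invalidates entries that earlier callers left in __warningregistry__.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        func()
    hits = [w for w in caught if issubclass(w.category, PendingDeprecationWarning)]
    if not hits:
        raise AssertionError("expected a PendingDeprecationWarning")
    return hits[0]


if __name__ == "__main__":
    # "default" records the call site in __warningregistry__ after the first hit,
    # so the second call from the same line is dropped.
    print("default:", count_recorded("default"))
    print("always: ", count_recorded("always"))
    # An earlier caller has already triggered the warning; the check still sees it.
    print(assert_warns_regardless_of_order(i_call_warn_me).message)
```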
The RSA `signer` was deprecated in favor of `sign` in version 2.0 of cryptography (pyca/cryptography#3663) and currently emits a deprecation warning. The single shot `sign` method has been available since version 1.4.
fixes #3659