Merge pull request #50 from njsmith/support-cryptography-2.7

Fix a deprecation warning on cryptography 2.7
python-trio · Jun 3, 2019 · c539c8d · c539c8d
2 parents 086976d + 4594639
commit c539c8d
Show file tree

Hide file tree

Showing 8 changed files with 23 additions and 10 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -12,6 +12,10 @@ dist: xenial
 
 matrix:
   include:
+    - os: linux
+      language: python
+      python: 3.7
+      env: OLD_CRYPTOGRAPHY=2.6.1
     - os: linux
       language: python
       python: 3.7

diff --git a/ci/rtd-requirements.in b/ci/rtd-requirements.in
@@ -1,3 +1,3 @@
 sphinxcontrib_trio
-cryptography==2.6.1
+cryptography
 idna
diff --git a/ci/rtd-requirements.txt b/ci/rtd-requirements.txt
@@ -10,7 +10,7 @@ babel==2.7.0              # via sphinx
 certifi==2019.3.9         # via requests
 cffi==1.12.3              # via cryptography
 chardet==3.0.4            # via requests
-cryptography==2.6.1
+cryptography==2.7
 docutils==0.14            # via sphinx
 idna==2.8
 imagesize==1.1.0          # via sphinx

diff --git a/ci/travis.sh b/ci/travis.sh
@@ -17,6 +17,9 @@ else
     # Actual tests
 
     pip install -Ur test-requirements.txt
+    if [ -n "${OLD_CRYPTOGRAPHY:-}" ]; then
+        pip install cryptography=="${OLD_CRYPTOGRAPHY}"
+    fi
     mkdir empty
     pushd empty
     INSTALLDIR=$(python -c "import os, trustme; print(os.path.dirname(trustme.__file__))")

diff --git a/newsfragments/47.bugfix.rst b/newsfragments/47.bugfix.rst
@@ -0,0 +1 @@
+Update to avoid a deprecation warning on cryptography 2.7.
diff --git a/test-requirements.in b/test-requirements.in
@@ -2,7 +2,7 @@ pytest
 pytest-cov
 PyOpenSSL
 service-identity
-cryptography==2.6.1
+cryptography
 idna
 # This is the last version with py2 support
 # and pip-compile won't let us pin it just on py2, so we have to pin it

diff --git a/test-requirements.txt b/test-requirements.txt
@@ -9,7 +9,7 @@ atomicwrites==1.3.0       # via pytest
 attrs==19.1.0             # via pytest, service-identity
 cffi==1.12.3              # via cryptography
 coverage==4.5.3           # via pytest-cov
-cryptography==2.6.1
+cryptography==2.7
 futures==3.1.1
 idna==2.8
 importlib-metadata==0.17  # via pluggy, pytest

diff --git a/trustme/__init__.py b/trustme/__init__.py
@@ -339,8 +339,17 @@ def issue_cert(self, *identities, **kwargs):
             backend=default_backend()
         )
 
-        ski = self._certificate.extensions.get_extension_for_class(
+        ski_ext = self._certificate.extensions.get_extension_for_class(
             x509.SubjectKeyIdentifier)
+        ski = ski_ext.value
+        # Workaround a bug in cryptography 2.6 and earlier, where you have to
+        # pass the extension object instead of the actual SKI object
+        try:
+            # The new way
+            aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski)
+        except AttributeError:
+            # The old way
+            aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski_ext)
 
         cert = (
             _cert_builder_common(
@@ -354,11 +363,7 @@ def issue_cert(self, *identities, **kwargs):
                 x509.BasicConstraints(ca=False, path_length=None),
                 critical=True,
             )
-            .add_extension(
-                x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
-                    ski),
-                critical=False,
-            )
+            .add_extension(aki, critical=False)
             .add_extension(
                 x509.SubjectAlternativeName(
                     [_identity_string_to_x509(ident) for ident in identities]