pyca/pyopenssl

Deprecate/remove all non-SSL APIs in pyOpenSSL

alex opened this issue · 4 comments

alex commented

Motivation

pyOpenSSL has many APIs with poor designs that are entirely reliant on OpenSSL implementation details. For nearly all of these, pyca/cryptography has much better implementations with more thought out APIs.

Therefore, we would like to deprecate/remove anything besides SSL in pyOpenSSL (SSL has no equivalent in pyca/cryptography, nor is there is a path to adding one).

We've been doing this for a while already, but now we're filing an issue to actually track this in a systematic way.

Strategy

Most APIs can simply be deprecated and removed. In some cases, where SSL relies on these (e.g., PKey objects for private keys or X509 for certificates), we'll need to expand the SSL API to accept the pyca/cryptography versions of these objects (there are mostly already from_cryptography APIs we can keep around).

This also means we will not be adding any new API surface in these areas.

Status

Deprecations and Removals

  • rand
    • add, status
      • Deprecated
      • Removed
  • crypto
    • PKey, dump_publickey, dump_privatekey, load_publickey, load_privatekey
      • Replacement APIs
      • Deprecated
      • Removed
    • get_elliptic_curves, get_elliptic_curve
      • Replacement APIs
      • Deprecated
      • Removed
    • X509Name
      • Replacement APIs
      • Deprecated
      • Removed
    • X509Extension
      • Deprecated
      • Removed
    • X509Req, dump_certificate_request, load_certificate_request
      • Deprecated
      • Removed
    • X509, load_certificate, dump_certificate
      • Replacement APIs
      • Deprecated
      • Removed
    • X509Store, X509StoreContext
      • Decision about how to handle SSL integration
      • Deprecated
      • Removed
    • CRL, Revoked, dump_crl, load_crl
      • Deprecated
      • Removed
    • sign, verify
      • Deprecated
      • Removed

APIs needing to accept/return pyca/cryptography types

  • Context
    • use_certificate
    • add_extra_chain_cert
    • use_privatekey
    • set_tmp_ecdh
    • set_client_ca_list
    • add_client_ca
  • Connection
    • use_certificate
    • use_privatekey
    • get_client_ca_list
    • get_certificate
    • get_peer_certificate
    • get_peer_cert_chain
    • get_verified_chain