From 173e4bae31aac1fb66dd83ad4f78fa2fda0f3141 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Fri, 30 Jun 2017 08:01:12 -0700
Subject: Removed the deprecated md5 default on CRL.export() (#652)
* Removed the deprecated md5 default on CRL.export()
* Doh
* unused import
* fixed tests
* last one
* py3k!!!!!
---
 CHANGELOG.rst | 3 +++
 src/OpenSSL/crypto.py | 9 +--------
 tests/test_crypto.py | 36 ++++++++++++++++++------------------
 3 files changed, 22 insertions(+), 26 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 2725eb8..035d561 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -15,6 +15,9 @@ Backward-incompatible changes:
 - Removed the deprecated ``OpenSSL.rand.egd()`` function. Applications should prefer ``os.urandom()`` for random number generation. `#630 `_
+- Removed the deprecated default ``digest`` argument to ``OpenSSL.crypto.CRL.export()``.
+ Callers must now always pass an explicit ``digest``.
+ `#652 `_
 - Fixed a bug with ``ASN1_TIME`` casting in ``X509.set_notBefore()``, ``X509.set_notAfter()``, ``Revoked.set_rev_date()``, ``Revoked.set_nextUpdate()``, and ``Revoked.set_lastUpdate()``. You must now pass times in the form
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index e58a455..20cf183 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -3,7 +3,6 @@ import datetime
 from base64 import b16encode
 from functools import partial
 from operator import __eq__, __ne__, __lt__, __le__, __gt__, __ge__
-from warnings import warn as _warn
 from six import (
 integer_types as _integer_types,
@@ -2221,13 +2220,7 @@ class CRL(object):
 raise TypeError("type must be an integer")
 if digest is _UNSPECIFIED:
- _warn(
- "The default message digest (md5) is deprecated. "
- "Pass the name of a message digest explicitly.",
- category=DeprecationWarning,
- stacklevel=2,
- )
- digest = b"md5"
+ raise TypeError("digest must be provided")
 digest_obj = _lib.EVP_get_digestbyname(digest)
 if digest_obj == _ffi.NULL:
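Review bot: In the `@@ -2221` hunk of src/OpenSSL/crypto.py, the new `raise TypeError("digest must be provided")` removes the implicit MD5 default, but the next line still passes any caller-supplied name to `_lib.EVP_get_digestbyname(digest)`, so an explicit `b"md5"` is accepted and, with the `_warn` import gone, no longer produces any warning. If that is the intended contract, the `digest` parameter documentation should spell it out, for example `:param bytes digest: Required. Name of the signing digest, e.g. ``b"sha256"``; MD5 and SHA-1 are not collision-resistant and should not be used for new CRLs.` The signature and docstring of `export()` lie outside this hunk, so whether they still describe the old default could not be checked from here.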
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index 916186b..4b99bd9 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -3181,7 +3181,9 @@ class TestCRL(object):
 """
 crl = self._get_crl()
 # PEM format
- dumped_crl = crl.export(self.cert, self.pkey, days=20)
+ dumped_crl = crl.export(
+ self.cert, self.pkey, days=20, digest=b"sha256"
+ )
 text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
 # These magic values are based on the way the CRL above was constructed
@@ -3201,7 +3203,9 @@ class TestCRL(object):
 crl = self._get_crl()
 # DER format
- dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1)
+ dumped_crl = crl.export(
+ self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
+ )
 text = _runopenssl(
 dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
 )
@@ -3219,13 +3223,17 @@ class TestCRL(object):
 """
 crl = self._get_crl()
- dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1)
+ dumped_crl = crl.export(
+ self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
+ )
 text = _runopenssl(
 dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
 )
 # text format
- dumped_text = crl.export(self.cert, self.pkey, type=FILETYPE_TEXT)
+ dumped_text = crl.export(
+ self.cert, self.pkey, type=FILETYPE_TEXT, digest=b"md5"
+ )
 assert text == dumped_text
 def test_export_custom_digest(self):
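Review bot: The DER and text export tests in the `@@ -3201` and `@@ -3219` hunks are given `digest=b"md5"` at three call sites, while the PEM test in the first hunk uses `digest=b"sha256"`. None of the lines visible in those two tests checks the signature algorithm, so MD5 appears to be carried over only to reproduce the old default; that keeps a broken digest in code people copy from, and the tests may fail on OpenSSL builds that restrict MD5 (not verifiable from this page). Unless assertions outside these hunks depend on the MD5 output, use `digest=b"sha256"` here too and leave weak-digest coverage to the dedicated digest tests. Both test bodies continue beyond the hunks.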
@@ -3253,20 +3261,12 @@ class TestCRL(object):
 def test_export_default_digest(self):
 """
- If not passed the name of a digest function, ``CRL.export`` uses a
- signature algorithm based on MD5 and emits a deprecation warning.
+ If not passed the name of a digest function, ``CRL.export`` raises a
+ ``TypeError``.
 """
 crl = self._get_crl()
- with pytest.warns(None) as catcher:
- simplefilter("always")
- dumped_crl = crl.export(self.cert, self.pkey)
- assert (
- "The default message digest (md5) is deprecated. "
- "Pass the name of a message digest explicitly." ==
- str(catcher[0].message)
- )
- text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
- text.index(b'Signature Algorithm: md5')
+ with pytest.raises(TypeError):
+ crl.export(self.cert, self.pkey)
 def test_export_invalid(self):
 """
@@ -3275,7 +3275,7 @@ class TestCRL(object):
 """
 crl = CRL()
 with pytest.raises(Error):
- crl.export(X509(), PKey())
+ crl.export(X509(), PKey(), digest=b"sha256")
 def test_add_revoked_keyword(self):
 """
@@ -3313,7 +3313,7 @@ class TestCRL(object):
 """
 crl = CRL()
 with pytest.raises(ValueError):
- crl.export(self.cert, self.pkey, 100, 10)
+ crl.export(self.cert, self.pkey, 100, 10, digest=b"sha256")
 def test_export_unknown_digest(self):
 """
--
cgit v1.2.1
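Review bot: In `test_export_default_digest` (`@@ -3253` hunk), `pytest.raises(TypeError)` cannot tell the new missing-digest error apart from the other `TypeError` that `export()` raises (the crypto.py hunk shows `raise TypeError("type must be an integer")` just above the new check), so the test could keep passing if the digest guard regressed and a different type error fired instead. Pin the message, assuming the project's pytest supports `match`: `with pytest.raises(TypeError, match="digest must be provided"):`. The test name still says "default digest" although no default exists any more; a name such as `test_export_missing_digest` would describe what is now asserted.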