Lock cryptography requirement to <41

Introduced deprecation notice
scheiblingco · Jun 3, 2023 · 8c228ca · 8c228ca
1 parent cd58114
commit 8c228ca
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -3,16 +3,20 @@
 Python package for managing OpenSSH keypairs and certificates ([protocol.CERTKEYS](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)). Supported functionality includes:
 
 # Notice
+The DSA algorithm has been deprecated and is removed in pyca/cryptography 41.x, meaning **version 0.9.* of this package will be the last to support DSA keys and certificates** for SSH. If there is any demand to reintroduce DSA support, please open an issue regarding this and we'll look into it. 
+
+For now, **0.9.* will be restricted to version <41.1 of the cryptography package** and **0.10 will have its DSA support removed**. We've introduced a deprecation notice in version 0.9.3.
+
+## Background
 The DSA algorithm is considered deprecated and will be removed in a future version. If possible, use RSA, [(ECDSA)](https://billatnapier.medium.com/ecdsa-weakness-where-nonces-are-reused-2be63856a01a) or ED25519 as a first-hand choice.
 
-Notice from OpenSSH:
+## Notice from OpenSSH:
 ```
 OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use. It can be re-enabled using the HostKeyAlgorithms configuration option: sshd_config(5) HostKeyAlgorithms
 ```
 
 [ECDSA has some flaws](https://billatnapier.medium.com/ecdsa-weakness-where-nonces-are-reused-2be63856a01a), especially when using short nonces or re-using nonces, it can still be used but exercise some caution in regards to nonces/re-signing identical data multiple times.
 
-
 # Features
 ### SSH Keys
 - Supports RSA, DSA (Note: Deprecated), ECDSA and ED25519 keys

diff --git a/requirements.txt b/requirements.txt
@@ -1,5 +1,5 @@
 click
-cryptography
+cryptography<41.0.0
 bcrypt
 enum34
 PrettyTable

diff --git a/src/sshkey_tools/cert.py b/src/sshkey_tools/cert.py
@@ -8,6 +8,7 @@
     _EX.NoPrivateKeyException: The certificate contains no private key
     _EX.NotSignedException: The certificate is not signed and cannot be exported
 """
+import warnings
 from base64 import b64decode, b64encode
 from dataclasses import dataclass
 from typing import Tuple, Union
@@ -577,9 +578,16 @@ class RsaCertificate(SSHCertificate):
 
 
 class DsaCertificate(SSHCertificate):
-    """The DSA Certificate class"""
+    """The DSA Certificate class (DEPRECATED)"""
 
     DEFAULT_KEY_TYPE = "[email protected]"
+
+    def __post_init__(self):
+        """Display the deprecation notice"""
+        warnings.warn(
+            "SSH DSA keys and certificates are deprecated and will be removed in version 0.10 of sshkey-tools",
+            stacklevel=2,
+        )
 
 
 class EcdsaCertificate(SSHCertificate):

diff --git a/src/sshkey_tools/keys.py b/src/sshkey_tools/keys.py
@@ -1,6 +1,7 @@
 """
 Classes for handling SSH public/private keys
 """
+import warnings
 from base64 import b64decode
 from enum import Enum
 from struct import unpack
@@ -613,6 +614,11 @@ def __init__(
             serialized=serialized,
         )
         self.parameters = key.parameters().parameter_numbers()
+
+        warnings.warn(
+            "SSH DSA keys and certificates are deprecated and will be removed in version 0.10 of sshkey-tools",
+            stacklevel=2,
+        )
 
     @classmethod
     # pylint: disable=invalid-name
@@ -665,6 +671,11 @@ def __init__(self, key: _DSA.DSAPrivateKey):
             public_key=DsaPublicKey(key.public_key()),
             private_numbers=key.private_numbers(),
         )
+
+        warnings.warn(
+            "SSH DSA keys and certificates are deprecated and will be removed in version 0.10 of sshkey-tools",
+            stacklevel=2,
+        )
 
     @classmethod
     # pylint: disable=invalid-name,too-many-arguments