Remove deprecated verifier attributes (#12940)

Author: alex

docs/x509/verification.rst

@@ -133,11 +133,6 @@ the root of trust:
 
     .. versionadded:: 43.0.0
 
-    .. versionchanged:: 45.0.0
-        ``verification_time`` and ``max_chain_depth`` were deprecated and will be 
-        removed in version 46.0.0.
-        The new ``policy`` property should be used to access these values instead.
-
     A ClientVerifier verifies client certificates.
 
     It contains and describes various pieces of configurable path
@@ -180,12 +175,6 @@ the root of trust:
 
     .. versionadded:: 42.0.0
 
-    .. versionchanged:: 45.0.0
-        ``subject``, ``verification_time`` and ``max_chain_depth`` were deprecated and will be 
-        removed in version 46.0.0.
-        The new ``policy`` property should be used to access these values instead.
-
-
     A ServerVerifier verifies server certificates.
 
     It contains and describes various pieces of configurable path
@@ -233,7 +222,7 @@ the root of trust:
     .. versionadded:: 42.0.0
 
     .. versionchanged:: 45.0.0
-        Added the ``extension_policies`` method. 
+        Added the ``extension_policies`` method.
         Removed the ``new_`` prefix from all parameter names.
 
     A PolicyBuilder provides a builder-style interface for constructing a
@@ -284,11 +273,11 @@ the root of trust:
         .. warning::
             If the PolicyBuilder will be used to build a :class:`ServerVerifier`, the EE extension policy
             `must require` the :class:`~cryptography.x509.SubjectAlternativeName` extension to be present.
-            All CA extension policies `must require` the :class:`~cryptography.x509.BasicConstraints` 
+            All CA extension policies `must require` the :class:`~cryptography.x509.BasicConstraints`
             extension to be present.
 
         :param ExtensionPolicy ca_policy: The CA extension policy to use.
-        :param ExtensionPolicy ee_policy: The EE extension policy to use. 
+        :param ExtensionPolicy ee_policy: The EE extension policy to use.
 
         :returns: A new instance of :class:`PolicyBuilder`
 
@@ -337,7 +326,7 @@ the root of trust:
 
     .. staticmethod:: permit_all()
 
-        Creates an ExtensionPolicy that does not put any constraints on a certificate's extensions. 
+        Creates an ExtensionPolicy that does not put any constraints on a certificate's extensions.
         This can serve as a base for a fully custom extension policy.
 
         :returns: An instance of :class:`ExtensionPolicy`
@@ -371,17 +360,17 @@ the root of trust:
     .. method:: may_be_present(extension_type, criticality, validator_cb)
 
         Specifies that the extension identified by `extension_type` is optional.
-        If it is present, it must conform to the given criticality constraint. 
+        If it is present, it must conform to the given criticality constraint.
         An optional validator callback may be provided.
 
-        If a validator callback is provided, the callback will be invoked 
-        when :meth:`ClientVerifier.verify` or :meth:`ServerVerifier.verify` is called on a verifier 
+        If a validator callback is provided, the callback will be invoked
+        when :meth:`ClientVerifier.verify` or :meth:`ServerVerifier.verify` is called on a verifier
         that uses the extension policy. For details on the callback signature, see :type:`MaybeExtensionValidatorCallback`.
 
         :param type[ExtensionType] extension_type: A concrete class derived from :type:`~cryptography.x509.ExtensionType`
             indicating which extension may be present.
         :param Criticality criticality: The criticality of the extension
-        :param validator_cb: An optional Python callback to validate the extension value. 
+        :param validator_cb: An optional Python callback to validate the extension value.
             Must accept extensions of type `extension_type`.
         :type validator_cb: :type:`MaybeExtensionValidatorCallback` or None
 
@@ -392,8 +381,8 @@ the root of trust:
         Specifies that the extension identified by `extension_type`` must be present
         and conform to the given criticality constraint. An optional validator callback may be provided.
 
-        If a validator callback is provided, the callback will be invoked 
-        when :meth:`ClientVerifier.verify` or :meth:`ServerVerifier.verify` is called on a verifier 
+        If a validator callback is provided, the callback will be invoked
+        when :meth:`ClientVerifier.verify` or :meth:`ServerVerifier.verify` is called on a verifier
         that uses the extension policy. For details on the callback signature, see :type:`PresentExtensionValidatorCallback`.
 
         :param type[ExtensionType] extension_type: A concrete class derived from :type:`~cryptography.x509.ExtensionType`
@@ -416,7 +405,7 @@ the root of trust:
         The extension must be marked as critical.
 
     .. attribute:: AGNOSTIC
-            
+
         The extension may be marked either as critical or non-critical.
 
     .. attribute:: NON_CRITICAL
@@ -427,7 +416,7 @@ the root of trust:
 
     .. versionadded:: 45.0.0
 
-    Represents a policy for certificate verification. Passed to extension validator callbacks and 
+    Represents a policy for certificate verification. Passed to extension validator callbacks and
     accessible via :class:`ClientVerifier` and :class:`ServerVerifier`.
 
     .. attribute:: max_chain_depth
@@ -438,7 +427,7 @@ the root of trust:
 
     .. attribute:: subject
 
-        The subject used during verification. 
+        The subject used during verification.
         Will be None if the verifier is a :class:`ClientVerifier`.
 
         :type: x509.verification.Subject or None
@@ -463,7 +452,7 @@ the root of trust:
 
 .. type:: MaybeExtensionValidatorCallback
     :canonical: Callable[[Policy, Certificate, Optional[ExtensionType]], None]
-    
+
     .. versionadded:: 45.0.0
 
 
@@ -475,7 +464,7 @@ the root of trust:
     :param Policy policy: The verification policy.
     :param Certificate certificate: The certificate being verified.
     :param ExtensionType or None extension: The extension value or `None` if the extension is not present.
-    
+
     :returns: An extension validator callback must return `None`.
               If the validation fails, the validator must raise an exception.
 

src/cryptography/hazmat/bindings/_rust/x509.pyi

@@ -277,10 +277,6 @@ class ClientVerifier:
     @property
     def policy(self) -> Policy: ...
     @property
-    def validation_time(self) -> datetime.datetime: ...
-    @property
-    def max_chain_depth(self) -> int: ...
-    @property
     def store(self) -> Store: ...
     def verify(
         self,
@@ -292,12 +288,6 @@ class ServerVerifier:
     @property
     def policy(self) -> Policy: ...
     @property
-    def subject(self) -> x509.verification.Subject: ...
-    @property
-    def validation_time(self) -> datetime.datetime: ...
-    @property
-    def max_chain_depth(self) -> int: ...
-    @property
     def store(self) -> Store: ...
     def verify(
         self,

src/cryptography/utils.py

@@ -26,7 +26,6 @@ class CryptographyDeprecationWarning(UserWarning):
 DeprecatedIn41 = CryptographyDeprecationWarning
 DeprecatedIn42 = CryptographyDeprecationWarning
 DeprecatedIn43 = CryptographyDeprecationWarning
-DeprecatedIn45 = CryptographyDeprecationWarning
 
 
 # If you're wondering why we don't use `Buffer`, it's because `Buffer` would

src/rust/src/types.rs

@@ -47,8 +47,6 @@ pub static DEPRECATED_IN_42: LazyPyImport =
     LazyPyImport::new("cryptography.utils", &["DeprecatedIn42"]);
 pub static DEPRECATED_IN_43: LazyPyImport =
     LazyPyImport::new("cryptography.utils", &["DeprecatedIn43"]);
-pub static DEPRECATED_IN_45: LazyPyImport =
-    LazyPyImport::new("cryptography.utils", &["DeprecatedIn45"]);
 
 pub static ENCODING: LazyPyImport = LazyPyImport::new(
     "cryptography.hazmat.primitives.serialization",

src/rust/src/x509/verify/mod.rs

@@ -20,7 +20,6 @@ use super::parse_general_names;
 use crate::backend::keys;
 use crate::error::{CryptographyError, CryptographyResult};
 use crate::types;
-use crate::utils::cstr_from_literal;
 use crate::x509::certificate::Certificate as PyCertificate;
 use crate::x509::common::{datetime_now, py_to_datetime};
 use crate::x509::sign;
@@ -306,25 +305,6 @@ pub(crate) struct PyVerifiedClient {
     chain: pyo3::Py<pyo3::types::PyList>,
 }
 
-macro_rules! warn_verifier_deprecated_getter {
-    ($py: expr, $class_name: literal, $property_name: literal) => {{
-        let warning_cls = types::DEPRECATED_IN_45.get($py)?;
-        let message = cstr_from_literal!(concat!(
-            "The `",
-            $property_name,
-            "` property on `",
-            $class_name,
-            "` is deprecated and will be removed in cryptography 46.0.",
-            " Access via `",
-            $class_name,
-            ".policy.",
-            $property_name,
-            "` instead."
-        ));
-        pyo3::PyErr::warn($py, &warning_cls, message, 1)
-    }};
-}
-
 #[pyo3::pyclass(
     frozen,
     name = "ClientVerifier",
@@ -345,18 +325,6 @@ impl PyClientVerifier {
 
 #[pyo3::pymethods]
 impl PyClientVerifier {
-    #[getter]
-    fn validation_time(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<pyo3::PyObject> {
-        warn_verifier_deprecated_getter!(py, "ClientVerifier", "validation_time")?;
-        self.py_policy.get().validation_time(py)
-    }
-
-    #[getter]
-    fn max_chain_depth(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<u8> {
-        warn_verifier_deprecated_getter!(py, "ClientVerifier", "max_chain_depth")?;
-        Ok(self.py_policy.get().max_chain_depth())
-    }
-
     fn verify(
         &self,
         py: pyo3::Python<'_>,
@@ -429,24 +397,6 @@ impl PyServerVerifier {
 
 #[pyo3::pymethods]
 impl PyServerVerifier {
-    #[getter]
-    fn subject(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<pyo3::PyObject> {
-        warn_verifier_deprecated_getter!(py, "ServerVerifier", "subject")?;
-        Ok(self.py_policy.get().subject(py))
-    }
-
-    #[getter]
-    fn validation_time(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<pyo3::PyObject> {
-        warn_verifier_deprecated_getter!(py, "ServerVerifier", "validation_time")?;
-        self.py_policy.get().validation_time(py)
-    }
-
-    #[getter]
-    fn max_chain_depth(&self, py: pyo3::Python<'_>) -> pyo3::PyResult<u8> {
-        warn_verifier_deprecated_getter!(py, "ServerVerifier", "max_chain_depth")?;
-        Ok(self.py_policy.get().max_chain_depth())
-    }
-
     fn verify<'p>(
         &self,
         py: pyo3::Python<'p>,

tests/x509/verification/test_verification.py

@@ -10,7 +10,7 @@
 
 import pytest
 
-from cryptography import utils, x509
+from cryptography import x509
 from cryptography.hazmat._oid import ExtendedKeyUsageOID
 from cryptography.x509 import ExtensionType
 from cryptography.x509.general_name import DNSName, IPAddress
@@ -99,12 +99,6 @@ def test_builder_pattern(self):
         assert verifier.policy.subject == subject
         assert verifier.policy.validation_time == now
         assert verifier.policy.max_chain_depth == max_chain_depth
-        with pytest.warns(utils.DeprecatedIn45):
-            assert verifier.subject == subject
-        with pytest.warns(utils.DeprecatedIn45):
-            assert verifier.validation_time == now
-        with pytest.warns(utils.DeprecatedIn45):
-            assert verifier.max_chain_depth == max_chain_depth
 
         assert (
             verifier.policy.extended_key_usage
@@ -164,12 +158,6 @@ def test_verify(self):
             tzinfo=None
         )
         assert verifier.policy.max_chain_depth == max_chain_depth
-        with pytest.warns(utils.DeprecatedIn45):
-            assert verifier.validation_time == validation_time.replace(
-                tzinfo=None
-            )
-        with pytest.warns(utils.DeprecatedIn45):
-            assert verifier.max_chain_depth == max_chain_depth
 
         assert (
             verifier.policy.extended_key_usage