Deprecate a few more extensions APIs (#1357)

They really should have been deprecated previously.

Author: alex

CHANGELOG.rst

@@ -14,6 +14,7 @@ Deprecations:
 ^^^^^^^^^^^^^
 
 - Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` instead.
+- Deprecated ``add_extensions`` and ``get_extensions`` on ``OpenSSL.crypto.X509Req`` and ``OpenSSL.crypto.X509``. These should have been deprecated at the same time ``X509Extension`` was. Users should use pyca/cryptography's X.509 APIs instead.
 - Deprecated ``OpenSSL.crypto.get_elliptic_curves`` and ``OpenSSL.crypto.get_elliptic_curve``, as well as passing the reult of them to ``OpenSSL.SSL.Context.set_tmp_ecdh``, users should instead pass curves from ``cryptography``.
 - Deprecated passing ``X509`` objects to ``OpenSSL.SSL.Context.use_certificate``, ``OpenSSL.SSL.Connection.use_certificate``, ``OpenSSL.SSL.Context.add_extra_chain_cert``, and ``OpenSSL.SSL.Context.add_client_ca``, users should instead pass ``cryptography.x509.Certificate`` instances. This is in preparation for deprecating pyOpenSSL's ``X509`` entirely.
 - Deprecated passing ``PKey`` objects to ``OpenSSL.SSL.Context.use_privatekey`` and ``OpenSSL.SSL.Connection.use_privatekey``, users should instead pass ``cryptography`` priate key instances. This is in preparation for deprecating pyOpenSSL's ``PKey`` entirely.

src/OpenSSL/crypto.py

@@ -4,6 +4,7 @@
 import datetime
 import functools
 import typing
+import warnings
 from base64 import b16encode
 from functools import partial
 from os import PathLike
@@ -1108,6 +1109,16 @@ def add_extensions(
         :type extensions: iterable of :py:class:`X509Extension`
         :return: ``None``
         """
+        warnings.warn(
+            (
+                "This API is deprecated and will be removed in a future "
+                "version of pyOpenSSL. You should use pyca/cryptography's "
+                "X.509 APIs instead."
+            ),
+            DeprecationWarning,
+            stacklevel=2,
+        )
+
         stack = _lib.sk_X509_EXTENSION_new_null()
         _openssl_assert(stack != _ffi.NULL)
 
@@ -1132,6 +1143,16 @@ def get_extensions(self) -> list[_X509ExtensionInternal]:
 
         .. versionadded:: 0.15
         """
+        warnings.warn(
+            (
+                "This API is deprecated and will be removed in a future "
+                "version of pyOpenSSL. You should use pyca/cryptography's "
+                "X.509 APIs instead."
+            ),
+            DeprecationWarning,
+            stacklevel=2,
+        )
+
         exts = []
         native_exts_obj = _lib.X509_REQ_get_extensions(self._req)
         native_exts_obj = _ffi.gc(
@@ -1652,6 +1673,16 @@ def add_extensions(
         :type extensions: An iterable of :py:class:`X509Extension` objects.
         :return: ``None``
         """
+        warnings.warn(
+            (
+                "This API is deprecated and will be removed in a future "
+                "version of pyOpenSSL. You should use pyca/cryptography's "
+                "X.509 APIs instead."
+            ),
+            DeprecationWarning,
+            stacklevel=2,
+        )
+
         for ext in extensions:
             if not isinstance(ext, _X509ExtensionInternal):
                 raise ValueError("One of the elements is not an X509Extension")
@@ -1673,6 +1704,16 @@ def get_extension(self, index: int) -> _X509ExtensionInternal:
 
         .. versionadded:: 0.12
         """
+        warnings.warn(
+            (
+                "This API is deprecated and will be removed in a future "
+                "version of pyOpenSSL. You should use pyca/cryptography's "
+                "X.509 APIs instead."
+            ),
+            DeprecationWarning,
+            stacklevel=2,
+        )
+
         ext = _X509ExtensionInternal.__new__(_X509ExtensionInternal)
         ext._extension = _lib.X509_get_ext(self._x509, index)
         if ext._extension == _ffi.NULL: