Removed the deprecated md5 default on CRL.export()

CHANGELOG.rst

@@ -15,6 +15,9 @@ Backward-incompatible changes:
 - Removed the deprecated ``OpenSSL.rand.egd()`` function.
   Applications should prefer ``os.urandom()`` for random number generation.
   `#630 <https://github.com/pyca/pyopenssl/pull/630>`_
+- Removed the deprecated default ``digest`` argument to ``OpenSSL.crypto.CRL.export()``.
+  Callers must now always pass an explicit ``digest``.
+  `#652 <https://github.com/pyca/pyopenssl/pull/652>`_
 - Fixed a bug with ``ASN1_TIME`` casting in ``X509.set_notBefore()``,
   ``X509.set_notAfter()``, ``Revoked.set_rev_date()``, ``Revoked.set_nextUpdate()``,
   and ``Revoked.set_lastUpdate()``. You must now pass times in the form

src/OpenSSL/crypto.py

@@ -3,7 +3,6 @@
 from base64 import b16encode
 from functools import partial
 from operator import __eq__, __ne__, __lt__, __le__, __gt__, __ge__
-from warnings import warn as _warn
 
 from six import (
     integer_types as _integer_types,
@@ -2221,13 +2220,7 @@ def export(self, cert, key, type=FILETYPE_PEM, days=100,
             raise TypeError("type must be an integer")
 
         if digest is _UNSPECIFIED:
-            _warn(
-                "The default message digest (md5) is deprecated.  "
-                "Pass the name of a message digest explicitly.",
-                category=DeprecationWarning,
-                stacklevel=2,
-            )
-            digest = b"md5"
+            raise TypeError("digest must be provided")
 
         digest_obj = _lib.EVP_get_digestbyname(digest)
         if digest_obj == _ffi.NULL:

tests/test_crypto.py

@@ -3181,7 +3181,9 @@ def test_export_pem(self):
         """
         crl = self._get_crl()
         # PEM format
-        dumped_crl = crl.export(self.cert, self.pkey, days=20)
+        dumped_crl = crl.export(
+            self.cert, self.pkey, days=20, digest=b"sha256"
+        )
         text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
 
         # These magic values are based on the way the CRL above was constructed
@@ -3201,7 +3203,9 @@ def test_export_der(self):
         crl = self._get_crl()
 
         # DER format
-        dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1)
+        dumped_crl = crl.export(
+            self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
+        )
         text = _runopenssl(
             dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
         )
@@ -3219,13 +3223,17 @@ def test_export_text(self):
         """
         crl = self._get_crl()
 
-        dumped_crl = crl.export(self.cert, self.pkey, FILETYPE_ASN1)
+        dumped_crl = crl.export(
+            self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
+        )
         text = _runopenssl(
             dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
         )
 
         # text format
-        dumped_text = crl.export(self.cert, self.pkey, type=FILETYPE_TEXT)
+        dumped_text = crl.export(
+            self.cert, self.pkey, type=FILETYPE_TEXT, digest=b"md5"
+        )
         assert text == dumped_text
 
     def test_export_custom_digest(self):
@@ -3253,20 +3261,12 @@ def test_export_md5_digest(self):
 
     def test_export_default_digest(self):
         """
-        If not passed the name of a digest function, ``CRL.export`` uses a
-        signature algorithm based on MD5 and emits a deprecation warning.
+        If not passed the name of a digest function, ``CRL.export`` raises a
+        ``TypeError``.
         """
         crl = self._get_crl()
-        with pytest.warns(None) as catcher:
-            simplefilter("always")
-            dumped_crl = crl.export(self.cert, self.pkey)
-        assert (
-            "The default message digest (md5) is deprecated.  "
-            "Pass the name of a message digest explicitly." ==
-            str(catcher[0].message)
-        )
-        text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
-        text.index(b'Signature Algorithm: md5')
+        with pytest.raises(TypeError):
+            crl.export(self.cert, self.pkey)
 
     def test_export_invalid(self):
         """
@@ -3275,7 +3275,7 @@ def test_export_invalid(self):
         """
         crl = CRL()
         with pytest.raises(Error):
-            crl.export(X509(), PKey())
+            crl.export(X509(), PKey(), digest=b"sha256")
 
     def test_add_revoked_keyword(self):
         """
@@ -3313,7 +3313,7 @@ def test_export_unknown_filetype(self):
         """
         crl = CRL()
         with pytest.raises(ValueError):
-            crl.export(self.cert, self.pkey, 100, 10)
+            crl.export(self.cert, self.pkey, 100, 10, digest=b"sha256")
 
     def test_export_unknown_digest(self):
         """