Replace deprecated OpenSSL.crypto.load_crl

OpenSSL.crypto.load_crl was deprecated with with pyOpenSSL 23.3.0 and
eventually removed in 24.3.0. pyOpenSSL recommends using cryptography.x509's
CRL functions as a replacement.
See also: https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst

Signed-off-by: Christian Schürmann <spike@fedoraproject.org>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20250704082813.99654-2-spike@fedoraproject.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32037.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/contrib/extract-crl/extractcrl.py b/contrib/extract-crl/extractcrl.py
index 441464e9d8a649cbeff70c49322144027cb67d99..c387ea1cd469d9e690f6e2211b947fdc209bdf08 100755 (executable)
--- a/contrib/extract-crl/extractcrl.py
+++ b/contrib/extract-crl/extractcrl.py
@@ -42,17 +42,17 @@ def measure_time(method):
 def load_crl(filename, format):
 
     def try_openssl_module(filename, format):
-        from OpenSSL import crypto
-        types = {
-            FILETYPE_PEM: crypto.FILETYPE_PEM,
-            FILETYPE_DER: crypto.FILETYPE_ASN1
+        from cryptography import x509
+        load_crl_functions = {
+            FILETYPE_PEM: x509.load_pem_x509_crl,
+            FILETYPE_DER: x509.load_der_x509_crl
         }
         if filename == '-':
-            crl = crypto.load_crl(types[format], sys.stdin.buffer.read())
+            crl = load_crl_functions[format](sys.stdin.buffer.read())
         else:
             with open(filename, 'rb') as f:
-                crl = crypto.load_crl(types[format], f.read())
-        return set(int(r.get_serial(), 16) for r in crl.get_revoked())
+                crl = load_crl_functions[format](f.read())
+        return set(r.serial_number for r in crl)
 
     def try_openssl_exec(filename, format):
         args = ['openssl', 'crl', '-inform', format, '-text']