
Deprecate auto-idna in x509 layer #3357

@reaperhulk


Trying to process IDNA within our certificate code was a mistake and has resulted in significant increases (rather than the desired decrease) in complexity for some of our downstream dependencies (see: https://github.com/kennethreitz/requests/blob/362da46e9a46da6e86e1907f03014384ab210151/requests/packages/urllib3/contrib/pyopenssl.py#L141). I'd like to see it removed, but let's talk a bit about whether we can actually achieve that goal.

Our current API requires that users do something like x509.DNSName(u"mydömain.com"). We also do this when parsing a certificate (we obtain the bytes, do some processing, idna.decode the parts we think we should, then pass the resulting string to the appropriate GeneralName class).

One potential path to removal would be to allow DNSName (and similar classes) to take bytes as well as unicode strings:

import six
from cryptography import utils  # read_only_property, as used by the existing x509 classes

def decode_for_compat(value):
    # Placeholder, not part of the sketch: derives the text view from the raw
    # bytes; the stdlib idna codec stands in for the library's IDNA handling.
    return value.decode("idna")

def encode_to_bytes(value):
    # Placeholder, not part of the sketch: the reverse direction.
    return value.encode("idna")

class DNSName(object):
    def __init__(self, value):
        if isinstance(value, six.binary_type):
            # Raw (already encoded) name: keep the bytes, derive the text view.
            self._value = decode_for_compat(value)
            self._bytes_value = value
        elif isinstance(value, six.text_type):
            # Text name: keep it, derive the wire bytes.
            self._value = value
            self._bytes_value = encode_to_bytes(value)
        else:
            raise TypeError("value must be a unicode string or bytes")

    value = utils.read_only_property("_value")
    bytes_value = utils.read_only_property("_bytes_value")

This approach preserves compatibility, but results in a confusing API that allows users on Python 2 to set values like "dömain" as bytes when they really wanted unicode. (Although we could potentially mitigate this by calling .encode("ascii") on str in Python 2.)

Once that's done we could deprecate unicode construction and at the same time start raising a UserWarning that value will be changing to match bytes_value in the future. Then once the deprecation time is complete we'd drop support for unicode and make value an alias to bytes_value and potentially deprecate bytes_value at that time. This is a major breaking change so I would be in favor of a year-long deprecation cycle if we choose to pursue it.
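The deprecation stage described above, modelled in Python 3 as an added example (this is not code from the issue or from pyca/cryptography). It assumes the stdlib `idna` codec stands in for the library's IDNA handling, that the Python 2 mitigation (`.encode("ascii")` on str) is expressed as rejecting any non-ASCII bytes, and that unicode construction raises a DeprecationWarning while reading `value` raises the UserWarning about the upcoming change; the two `*_with_warnings` helpers are hypothetical and exist only to expose the emitted warnings for inspection.

```python
import warnings


def _ascii_or_raise(raw):
    """Return raw unchanged if it is pure ASCII, else raise ValueError.

    This is the mitigation floated in the issue: a Python 2 str holding
    UTF-8 text such as b"d\xc3\xb6main" must not be accepted as wire bytes,
    because the wire form of a dNSName is always an ASCII A-label.
    """
    try:
        raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("bytes value must be ASCII (IDNA A-label form)")
    return raw


class DNSName:
    """Transitional DNSName: bytes are canonical, text construction is deprecated."""

    def __init__(self, value):
        if isinstance(value, bytes):
            self._bytes_value = _ascii_or_raise(value)
        elif isinstance(value, str):
            warnings.warn(
                "Constructing DNSName from a text string is deprecated; "
                "pass the encoded (A-label) bytes instead.",
                DeprecationWarning, stacklevel=2)
            # Stand-in for the library's IDNA encoding (assumption: stdlib codec).
            self._bytes_value = value.encode("idna")
        else:
            raise TypeError("value must be a unicode string or bytes")

    @property
    def bytes_value(self):
        return self._bytes_value

    @property
    def value(self):
        # During the transition, value is still the decoded text, but callers
        # are told it will become an alias of bytes_value.
        warnings.warn(
            "DNSName.value will return bytes_value in a future release",
            UserWarning, stacklevel=2)
        return self._bytes_value.decode("idna")


def construct_with_warnings(value):
    """Hypothetical helper: build a DNSName and return (name, warning categories)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        name = DNSName(value)
        return name, [w.category for w in caught]


def text_value_with_warnings(name):
    """Hypothetical helper: read name.value and return (text, warning categories)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        text = name.value
        return text, [w.category for w in caught]


if __name__ == "__main__":
    # Constructed sample input, not taken from any real certificate.
    name, warned = construct_with_warnings("mydömain.com")
    print(name.bytes_value, warned)            # A-label bytes, [DeprecationWarning]
    print(text_value_with_warnings(name))      # decoded text, [UserWarning]
    print(construct_with_warnings(name.bytes_value)[1])  # [] : bytes path is the quiet one
```

Passing the A-label bytes is the only path that stays silent, which is the behaviour the deprecation cycle is meant to steer callers towards; the non-ASCII bytes case shows why the `.encode("ascii")` check matters on Python 2, where a UTF-8 `str` would otherwise slip through as if it were wire bytes.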
