From 481d61551d23834c1f7f9cf2e83465c0349e3780 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 7 Jun 2026 21:37:45 +0000
Subject: [PATCH] Deprecate PKey.generate_key, PKey.check, and dump_privatekey

The key generation, loading, and serialization APIs in cryptography should be used instead.

https://claude.ai/code/session_01KzTRkDmWNuEfCubRUhVit5
---
 CHANGELOG.rst | 15 +++++++++++++++
 src/OpenSSL/crypto.py | 28 +++++++++++++++++++++++++++-
 2 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index e4b43a74..03ab036e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -4,6 +4,21 @@ Changelog
 Versions are year-based with a strict backward-compatibility policy.
 The third digit is only for regressions.
 
+26.3.0 (UNRELEASED)
+-------------------
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Deprecations:
+^^^^^^^^^^^^^
+
+- Deprecated ``OpenSSL.crypto.PKey.generate_key`` and ``OpenSSL.crypto.PKey.check``. The key generation and loading APIs in ``cryptography`` should be used instead.
+- Deprecated ``OpenSSL.crypto.dump_privatekey``. The serialization APIs on ``cryptography`` private key types should be used instead.
+
+Changes:
+^^^^^^^^
+
 26.2.0 (2026-05-04)
 -------------------
 
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 4ac9c502..3dffe711 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -275,7 +275,7 @@ def to_cryptography_key(self) -> _Key:
 der = dump_publickey(FILETYPE_ASN1, self)
 return typing.cast(_Key, load_der_public_key(der))
 else:
- der = dump_privatekey(FILETYPE_ASN1, self)
+ der = _dump_privatekey_internal(FILETYPE_ASN1, self)
 return typing.cast(_Key, load_der_private_key(der, password=None))
 
 @classmethod
@@ -336,6 +336,10 @@ def from_cryptography_key(cls, crypto_key: _Key) -> PKey:
 )
 return load_privatekey(FILETYPE_ASN1, der)
 
+ @deprecated(
+ "PKey.generate_key is deprecated. You should use the key "
+ "generation APIs in cryptography instead."
+ )
 def generate_key(self, type: int, bits: int) -> None:
 """
 Generate a key pair of the given type, with the given number of bits.
@@ -392,6 +396,10 @@ def generate_key(self, type: int, bits: int) -> None:
 
 self._initialized = True
 
+ @deprecated(
+ "PKey.check is deprecated. You should use the APIs in "
+ "cryptography instead."
+ )
 def check(self) -> bool:
 """
 Check the consistency of an RSA private key.
@@ -1851,6 +1859,10 @@ def dump_privatekey(
 
 :return: The buffer with the dumped key in
 :rtype: bytes
+
+ .. deprecated:: 26.3.0
+ Use the serialization APIs on ``cryptography`` private key types
+ instead.
 """
 bio = _new_mem_buf()
 
@@ -1900,6 +1912,20 @@ def dump_privatekey(
 return _bio_to_string(bio)
 
 
+_dump_privatekey_internal = dump_privatekey
+
+utils.deprecated(
+ dump_privatekey,
+ __name__,
+ (
+ "dump_privatekey is deprecated. You should use the APIs in "
+ "cryptography."
+ ),
+ DeprecationWarning,
+ name="dump_privatekey",
+)
+
+
 class _PassphraseHelper:
 def __init__(
 self,
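Review bot: `generate_key` in the `-336` hunk, and `check` in the `-392` hunk, gain `@deprecated(...)` but the visible part of their docstrings gets no deprecation entry, whereas `dump_privatekey` later in this patch gets `.. deprecated:: 26.3.0`. Rendered API docs would therefore keep presenting both methods as current; I would add the same `.. deprecated:: 26.3.0` directive to each docstring with one line pointing at the cryptography key generation and key loading APIs respectively. The diffstat lists only CHANGELOG.rst and src/OpenSSL/crypto.py, so no test pins the new warnings, and any existing test or in-package caller of these methods would now emit DeprecationWarning; worth confirming the suite does not treat warnings as errors. Both docstrings continue outside their hunks.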
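Review bot: The message added on `check` says only "the APIs in cryptography", which does not tell a caller what replaces an RSA private-key consistency check. Code that used `check()` as a gate on keys from an untrusted source needs a named replacement, and the CHANGELOG entry in this same patch already names the key loading APIs, so the two lines could read `"PKey.check is deprecated. You should use the key loading APIs in "` and `"cryptography instead."`. If the intended replacement is the validation cryptography performs when it loads a private key (presumably on unless `unsafe_skip_rsa_key_validation=True` is passed; please confirm), stating that in the docstring would help migrations keep the check. The body of `check` is outside the hunk.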
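Review bot: In the `-1900` hunk, once `utils.deprecated(..., name="dump_privatekey")` runs, the module-level name `dump_privatekey` appears to be rebound to cryptography's deprecation wrapper rather than the function, which is presumably why `to_cryptography_key` was switched to `_dump_privatekey_internal` in the `-275` hunk. Only that one call site is changed in this patch; any other bare `dump_privatekey(...)` call in crypto.py, or a `from OpenSSL.crypto import dump_privatekey` elsewhere in the package, would need the same switch and cannot be checked from the visible hunks. A comment above the alias would record the intent: `# Internal callers use this alias so they do not go through the deprecated public name.` A test that calls `to_cryptography_key()` on a private key with warnings turned into errors would guard the internal path.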