Use cryptography to load the pyOpenSSL certificates (#670)

* Bump the dependencies group with 4 updates Bumps the dependencies group with 4 updates: [packaging](https://github.com/pypa/packaging), [types-setuptools](https://github.com/python/typeshed), [coverage[toml]](https://github.com/nedbat/coveragepy) and [pyopenssl](https://github.com/pyca/pyopenssl). Updates `packaging` from 24.1 to 24.2 - [Release notes](https://github.com/pypa/packaging/releases) - [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst) - [Commits](pypa/packaging@24.1...24.2) Updates `types-setuptools` from 75.2.0.20241025 to 75.6.0.20241126 - [Commits](https://github.com/python/typeshed/commits) Updates `coverage[toml]` from 7.6.4 to 7.6.8 - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](nedbat/coveragepy@7.6.4...7.6.8) Updates `pyopenssl` from 24.2.1 to 24.3.0 - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](pyca/pyopenssl@24.2.1...24.3.0) --- updated-dependencies: - dependency-name: packaging dependency-type: indirect update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: types-setuptools dependency-type: indirect update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: coverage[toml] dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: pyopenssl dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... Signed-off-by: dependabot[bot] <support@github.com> * Switch to using cryptography privatekeys * Switch x509 too * Fix typings * Give up on typing --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: EXPLOSION <git@helvetica.moe>
python-trio · Dec 4, 2024 · e3dc904 · e3dc904
1 parent 00a906d
commit e3dc904
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 15 deletions.
diff --git a/docs-requirements.txt b/docs-requirements.txt
@@ -28,7 +28,7 @@ jinja2==3.1.2
     # via sphinx
 markupsafe==3.0.2
     # via jinja2
-packaging==24.1
+packaging==24.2
     # via sphinx
 pycparser==2.22
     # via cffi

diff --git a/lint-requirements.txt b/lint-requirements.txt
@@ -26,7 +26,7 @@ mypy-extensions==1.0.0
     # via
     #   black
     #   mypy
-packaging==24.1
+packaging==24.2
     # via
     #   black
     #   pytest
@@ -44,7 +44,7 @@ types-cffi==1.16.0.20240331
     # via types-pyopenssl
 types-pyopenssl==24.1.0.20240722
     # via -r lint-requirements.in
-types-setuptools==75.2.0.20241025
+types-setuptools==75.6.0.20241126
     # via types-cffi
 typing-extensions==4.12.2
     # via mypy
diff --git a/src/trustme/__init__.py b/src/trustme/__init__.py
@@ -8,7 +8,7 @@
 from contextlib import contextmanager
 from enum import Enum
 from tempfile import NamedTemporaryFile
-from typing import TYPE_CHECKING, Generator, List, Optional, Union
+from typing import TYPE_CHECKING, Generator, List, Optional, Union, cast
 
 import idna
 from cryptography import x509
@@ -545,15 +545,13 @@ def configure_cert(self, ctx: Union[ssl.SSLContext, OpenSSL.SSL.Context]) -> Non
             with self.private_key_and_cert_chain_pem.tempfile() as path:
                 ctx.load_cert_chain(path)
         elif _smells_like_pyopenssl(ctx):
-            from OpenSSL.crypto import FILETYPE_PEM, load_certificate, load_privatekey
-
-            key = load_privatekey(FILETYPE_PEM, self.private_key_pem.bytes())
-            ctx.use_privatekey(key)
-            cert = load_certificate(FILETYPE_PEM, self.cert_chain_pems[0].bytes())
-            ctx.use_certificate(cert)
+            key = load_pem_private_key(self.private_key_pem.bytes(), None)
+            ctx.use_privatekey(key)  # type: ignore[arg-type]
+            cert = x509.load_pem_x509_certificate(self.cert_chain_pems[0].bytes())
+            ctx.use_certificate(cert)  # type: ignore[arg-type]
             for pem in self.cert_chain_pems[1:]:
-                cert = load_certificate(FILETYPE_PEM, pem.bytes())
-                ctx.add_extra_chain_cert(cert)
+                cert = x509.load_pem_x509_certificate(pem.bytes())
+                ctx.add_extra_chain_cert(cert)  # type: ignore[arg-type]
         else:
             raise TypeError(
                 "unrecognized context type {!r}".format(ctx.__class__.__name__)

diff --git a/test-requirements.txt b/test-requirements.txt
@@ -8,7 +8,7 @@ attrs==24.2.0
     # via service-identity
 cffi==1.17.1
     # via cryptography
-coverage[toml]==7.6.4
+coverage[toml]==7.6.8
     # via -r test-requirements.in
 cryptography==43.0.3
     # via
@@ -19,7 +19,7 @@ idna==3.10
     # via -r test-requirements.in
 iniconfig==2.0.0
     # via pytest
-packaging==24.1
+packaging==24.2
     # via pytest
 pluggy==1.5.0
     # via pytest
@@ -31,7 +31,7 @@ pyasn1-modules==0.4.1
     # via service-identity
 pycparser==2.22
     # via cffi
-pyopenssl==24.2.1
+pyopenssl==24.3.0
     # via -r test-requirements.in
 pytest==8.3.3
     # via -r test-requirements.in