Use cryptography to load the pyOpenSSL certificates (#670)
* Bump the dependencies group with 4 updates

Bumps the dependencies group with 4 updates: [packaging](https://github.com/pypa/packaging), [types-setuptools](https://github.com/python/typeshed), [coverage[toml]](https://github.com/nedbat/coveragepy) and [pyopenssl](https://github.com/pyca/pyopenssl).


Updates `packaging` from 24.1 to 24.2
- [Release notes](https://github.com/pypa/packaging/releases)
- [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst)
- [Commits](pypa/packaging@24.1...24.2)

Updates `types-setuptools` from 75.2.0.20241025 to 75.6.0.20241126
- [Commits](https://github.com/python/typeshed/commits)

Updates `coverage[toml]` from 7.6.4 to 7.6.8
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](nedbat/coveragepy@7.6.4...7.6.8)

Updates `pyopenssl` from 24.2.1 to 24.3.0
- [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst)
- [Commits](pyca/pyopenssl@24.2.1...24.3.0)

---
updated-dependencies:
- dependency-name: packaging
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: types-setuptools
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: coverage[toml]
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: pyopenssl
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

* Switch to using cryptography privatekeys

* Switch x509 too

* Fix typings

* Give up on typing

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: EXPLOSION <git@helvetica.moe>
dependabot[bot] and A5rocks authored Dec 4, 2024
1 parent 00a906d commit e3dc904
Showing 4 changed files with 13 additions and 15 deletions.
2 changes: 1 addition & 1 deletion docs-requirements.txt
Expand Up @@ -28,7 +28,7 @@ jinja2==3.1.2
# via sphinx
markupsafe==3.0.2
# via jinja2
packaging==24.1
packaging==24.2
# via sphinx
pycparser==2.22
# via cffi
4 changes: 2 additions & 2 deletions lint-requirements.txt
Expand Up @@ -26,7 +26,7 @@ mypy-extensions==1.0.0
# via
# black
# mypy
packaging==24.1
packaging==24.2
# via
# black
# pytest
Expand All @@ -44,7 +44,7 @@ types-cffi==1.16.0.20240331
# via types-pyopenssl
types-pyopenssl==24.1.0.20240722
# via -r lint-requirements.in
types-setuptools==75.2.0.20241025
types-setuptools==75.6.0.20241126
# via types-cffi
typing-extensions==4.12.2
# via mypy
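Review bot: the unchanged `types-pyopenssl==24.1.0.20240722` pin in this hunk's context stays behind while the same commit moves `pyopenssl` to 24.3.0 in test-requirements.txt. The stubs used for linting then describe an older release than the one the tests run against, which is consistent with the `# type: ignore[arg-type]` comments added in src/trustme/__init__.py. Consider checking in a follow-up whether the stub package can be updated or dropped so those ignores can be removed.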
16 changes: 7 additions & 9 deletions src/trustme/__init__.py
Expand Up @@ -8,7 +8,7 @@
from contextlib import contextmanager
from enum import Enum
from tempfile import NamedTemporaryFile
from typing import TYPE_CHECKING, Generator, List, Optional, Union
from typing import TYPE_CHECKING, Generator, List, Optional, Union, cast

import idna
from cryptography import x509
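Review bot: `cast` is added to the `typing` import here, but none of the 7 lines this commit adds to the file uses it; the pyOpenSSL branch further down ends up with `# type: ignore[arg-type]` instead. Drop `cast` from the import so it does not linger as an unused name, or use it in place of the ignores.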
Expand Down Expand Up @@ -545,15 +545,13 @@ def configure_cert(self, ctx: Union[ssl.SSLContext, OpenSSL.SSL.Context]) -> Non
with self.private_key_and_cert_chain_pem.tempfile() as path:
ctx.load_cert_chain(path)
elif _smells_like_pyopenssl(ctx):
from OpenSSL.crypto import FILETYPE_PEM, load_certificate, load_privatekey

key = load_privatekey(FILETYPE_PEM, self.private_key_pem.bytes())
ctx.use_privatekey(key)
cert = load_certificate(FILETYPE_PEM, self.cert_chain_pems[0].bytes())
ctx.use_certificate(cert)
key = load_pem_private_key(self.private_key_pem.bytes(), None)
ctx.use_privatekey(key) # type: ignore[arg-type]
cert = x509.load_pem_x509_certificate(self.cert_chain_pems[0].bytes())
ctx.use_certificate(cert) # type: ignore[arg-type]
for pem in self.cert_chain_pems[1:]:
cert = load_certificate(FILETYPE_PEM, pem.bytes())
ctx.add_extra_chain_cert(cert)
cert = x509.load_pem_x509_certificate(pem.bytes())
ctx.add_extra_chain_cert(cert) # type: ignore[arg-type]
else:
raise TypeError(
"unrecognized context type {!r}".format(ctx.__class__.__name__)
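Review bot: the three `# type: ignore[arg-type]` comments on `ctx.use_privatekey`, `ctx.use_certificate` and `ctx.add_extra_chain_cert` silence the only static check that these pyOpenSSL methods accept cryptography objects, and the commit pins `pyopenssl==24.3.0` only in test-requirements.txt. If an installed pyOpenSSL does not accept cryptography keys and certificates, this branch fails at runtime during the caller's TLS context setup rather than at type-check time. Please state the minimum supported pyOpenSSL version next to this branch (or enforce it in the package metadata), and pass `password=None` by keyword in `load_pem_private_key(...)` so the unencrypted-key intent is explicit.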
6 changes: 3 additions & 3 deletions test-requirements.txt
Expand Up @@ -8,7 +8,7 @@ attrs==24.2.0
# via service-identity
cffi==1.17.1
# via cryptography
coverage[toml]==7.6.4
coverage[toml]==7.6.8
# via -r test-requirements.in
cryptography==43.0.3
# via
Expand All @@ -19,7 +19,7 @@ idna==3.10
# via -r test-requirements.in
iniconfig==2.0.0
# via pytest
packaging==24.1
packaging==24.2
# via pytest
pluggy==1.5.0
# via pytest
Expand All @@ -31,7 +31,7 @@ pyasn1-modules==0.4.1
# via service-identity
pycparser==2.22
# via cffi
pyopenssl==24.2.1
pyopenssl==24.3.0
# via -r test-requirements.in
pytest==8.3.3
# via -r test-requirements.in