From e3dc9046c40859c8b9664bf52b3610ff806e9722 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Dec 2024 16:09:10 +0400 Subject: [PATCH] Use cryptography to load the pyOpenSSL certificates (#670) * Bump the dependencies group with 4 updates Bumps the dependencies group with 4 updates: [packaging](https://github.com/pypa/packaging), [types-setuptools](https://github.com/python/typeshed), [coverage[toml]](https://github.com/nedbat/coveragepy) and [pyopenssl](https://github.com/pyca/pyopenssl). Updates `packaging` from 24.1 to 24.2 - [Release notes](https://github.com/pypa/packaging/releases) - [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pypa/packaging/compare/24.1...24.2) Updates `types-setuptools` from 75.2.0.20241025 to 75.6.0.20241126 - [Commits](https://github.com/python/typeshed/commits) Updates `coverage[toml]` from 7.6.4 to 7.6.8 - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](https://github.com/nedbat/coveragepy/compare/7.6.4...7.6.8) Updates `pyopenssl` from 24.2.1 to 24.3.0 - [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/pyopenssl/compare/24.2.1...24.3.0) --- updated-dependencies: - dependency-name: packaging dependency-type: indirect update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: types-setuptools dependency-type: indirect update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: coverage[toml] dependency-type: direct:production update-type: version-update:semver-patch dependency-group: dependencies - dependency-name: pyopenssl dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... 
Signed-off-by: dependabot[bot]
* Switch to using cryptography privatekeys
* Switch x509 too
* Fix typings
* Give up on typing
---------
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: EXPLOSION
---
 docs-requirements.txt | 2 +-
 lint-requirements.txt | 4 ++--
 src/trustme/__init__.py | 16 +++++++---------
 test-requirements.txt | 6 +++---
 4 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/docs-requirements.txt b/docs-requirements.txt
index 381a858..7a2aed2 100644
--- a/docs-requirements.txt
+++ b/docs-requirements.txt
@@ -28,7 +28,7 @@ jinja2==3.1.2
 # via sphinx
 markupsafe==3.0.2
 # via jinja2
-packaging==24.1
+packaging==24.2
 # via sphinx
 pycparser==2.22
 # via cffi
diff --git a/lint-requirements.txt b/lint-requirements.txt
index c7ea23d..a29ba83 100644
--- a/lint-requirements.txt
+++ b/lint-requirements.txt
@@ -26,7 +26,7 @@ mypy-extensions==1.0.0
 # via
 # black
 # mypy
-packaging==24.1
+packaging==24.2
 # via
 # black
 # pytest
@@ -44,7 +44,7 @@ types-cffi==1.16.0.20240331
 # via types-pyopenssl
 types-pyopenssl==24.1.0.20240722
 # via -r lint-requirements.in
-types-setuptools==75.2.0.20241025
+types-setuptools==75.6.0.20241126
 # via types-cffi
 typing-extensions==4.12.2
 # via mypy
diff --git a/src/trustme/__init__.py b/src/trustme/__init__.py
index ff87ab7..6f3cc00 100644
--- a/src/trustme/__init__.py
+++ b/src/trustme/__init__.py
@@ -8,7 +8,7 @@
 from contextlib import contextmanager
 from enum import Enum
 from tempfile import NamedTemporaryFile
-from typing import TYPE_CHECKING, Generator, List, Optional, Union
+from typing import TYPE_CHECKING, Generator, List, Optional, Union, cast
 import idna
 from cryptography import x509
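Review bot: The `cast` name added to the `typing` import in src/trustme/__init__.py is not used by any line this commit adds. The only other hunk in the file silences the checker with `# type: ignore[arg-type]` instead, and the two hunks account for all 16 changed lines the diffstat reports for this file. A linter that checks for unused imports would flag it, and it sends readers looking for a cast that is not there; I would keep the original line, `from typing import TYPE_CHECKING, Generator, List, Optional, Union`.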
@@ -545,15 +545,13 @@ def configure_cert(self, ctx: Union[ssl.SSLContext, OpenSSL.SSL.Context]) -> Non
 with self.private_key_and_cert_chain_pem.tempfile() as path:
 ctx.load_cert_chain(path)
 elif _smells_like_pyopenssl(ctx):
- from OpenSSL.crypto import FILETYPE_PEM, load_certificate, load_privatekey
-
- key = load_privatekey(FILETYPE_PEM, self.private_key_pem.bytes())
- ctx.use_privatekey(key)
- cert = load_certificate(FILETYPE_PEM, self.cert_chain_pems[0].bytes())
- ctx.use_certificate(cert)
+ key = load_pem_private_key(self.private_key_pem.bytes(), None)
+ ctx.use_privatekey(key) # type: ignore[arg-type]
+ cert = x509.load_pem_x509_certificate(self.cert_chain_pems[0].bytes())
+ ctx.use_certificate(cert) # type: ignore[arg-type]
 for pem in self.cert_chain_pems[1:]:
- cert = load_certificate(FILETYPE_PEM, pem.bytes())
- ctx.add_extra_chain_cert(cert)
+ cert = x509.load_pem_x509_certificate(pem.bytes())
+ ctx.add_extra_chain_cert(cert) # type: ignore[arg-type]
 else:
 raise TypeError(
 "unrecognized context type {!r}".format(ctx.__class__.__name__)
diff --git a/test-requirements.txt b/test-requirements.txt
index cc1a9ef..5555fa4 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -8,7 +8,7 @@ attrs==24.2.0
 # via service-identity
 cffi==1.17.1
 # via cryptography
-coverage[toml]==7.6.4
+coverage[toml]==7.6.8
 # via -r test-requirements.in
 cryptography==43.0.3
 # via
@@ -19,7 +19,7 @@ idna==3.10
 # via -r test-requirements.in
 iniconfig==2.0.0
 # via pytest
-packaging==24.1
+packaging==24.2
 # via pytest
 pluggy==1.5.0
 # via pytest
@@ -31,7 +31,7 @@ pyasn1-modules==0.4.1
 # via service-identity
 pycparser==2.22
 # via cffi
-pyopenssl==24.2.1
+pyopenssl==24.3.0
 # via -r test-requirements.in
 pytest==8.3.3
 # via -r test-requirements.in
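Review bot: The pyOpenSSL branch of `configure_cert` now passes `cryptography` key and certificate objects straight to `ctx.use_privatekey`, `ctx.use_certificate` and `ctx.add_extra_chain_cert`, but nothing in the hunk states which pyOpenSSL releases accept them. The only version signal is the test pin moving to 24.3.0. A caller with an older pyOpenSSL installed would presumably get an error from these calls where the removed `OpenSSL.crypto` loaders worked, so the minimum supported version should be documented or checked beside this branch. The three `# type: ignore[arg-type]` suppressions are unexplained and look like a consequence of the `types-pyopenssl==24.1.0.20240722` stubs in lint-requirements.txt lagging the runtime; I would add `# pyOpenSSL accepts cryptography objects here (tests pin 24.3.0); the stubs lag, hence the ignores` above the `key = ...` line. `configure_cert` starts and ends outside the hunk, and the import of `load_pem_private_key` is not visible in this diff, so it is presumably already in the module.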