Use cryptography to load the pyOpenSSL certificates (#670)

* Bump the dependencies group with 4 updates

Bumps the dependencies group with 4 updates: [packaging](https://github.com/pypa/packaging), [types-setuptools](https://github.com/python/typeshed), [coverage[toml]](https://github.com/nedbat/coveragepy) and [pyopenssl](https://github.com/pyca/pyopenssl).


Updates `packaging` from 24.1 to 24.2
- [Release notes](https://github.com/pypa/packaging/releases)
- [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst)
- [Commits](pypa/packaging@24.1...24.2)

Updates `types-setuptools` from 75.2.0.20241025 to 75.6.0.20241126
- [Commits](https://github.com/python/typeshed/commits)

Updates `coverage[toml]` from 7.6.4 to 7.6.8
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](nedbat/coveragepy@7.6.4...7.6.8)

Updates `pyopenssl` from 24.2.1 to 24.3.0
- [Changelog](https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst)
- [Commits](pyca/pyopenssl@24.2.1...24.3.0)

---
updated-dependencies:
- dependency-name: packaging
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: types-setuptools
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: coverage[toml]
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: pyopenssl
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>

* Switch to using cryptography privatekeys

* Switch x509 too

* Fix typings

* Give up on typing

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: EXPLOSION <[email protected]>

Author: dependabot[bot]

docs-requirements.txt

@@ -28,7 +28,7 @@ jinja2==3.1.2
     # via sphinx
 markupsafe==3.0.2
     # via jinja2
-packaging==24.1
+packaging==24.2
     # via sphinx
 pycparser==2.22
     # via cffi

lint-requirements.txt

@@ -26,7 +26,7 @@ mypy-extensions==1.0.0
     # via
     #   black
     #   mypy
-packaging==24.1
+packaging==24.2
     # via
     #   black
     #   pytest
@@ -44,7 +44,7 @@ types-cffi==1.16.0.20240331
     # via types-pyopenssl
 types-pyopenssl==24.1.0.20240722
     # via -r lint-requirements.in
-types-setuptools==75.2.0.20241025
+types-setuptools==75.6.0.20241126
     # via types-cffi
 typing-extensions==4.12.2
     # via mypy

src/trustme/__init__.py

@@ -8,7 +8,7 @@
 from contextlib import contextmanager
 from enum import Enum
 from tempfile import NamedTemporaryFile
-from typing import TYPE_CHECKING, Generator, List, Optional, Union
+from typing import TYPE_CHECKING, Generator, List, Optional, Union, cast
 
 import idna
 from cryptography import x509
@@ -545,15 +545,13 @@ def configure_cert(self, ctx: Union[ssl.SSLContext, OpenSSL.SSL.Context]) -> Non
             with self.private_key_and_cert_chain_pem.tempfile() as path:
                 ctx.load_cert_chain(path)
         elif _smells_like_pyopenssl(ctx):
-            from OpenSSL.crypto import FILETYPE_PEM, load_certificate, load_privatekey
-
-            key = load_privatekey(FILETYPE_PEM, self.private_key_pem.bytes())
-            ctx.use_privatekey(key)
-            cert = load_certificate(FILETYPE_PEM, self.cert_chain_pems[0].bytes())
-            ctx.use_certificate(cert)
+            key = load_pem_private_key(self.private_key_pem.bytes(), None)
+            ctx.use_privatekey(key)  # type: ignore[arg-type]
+            cert = x509.load_pem_x509_certificate(self.cert_chain_pems[0].bytes())
+            ctx.use_certificate(cert)  # type: ignore[arg-type]
             for pem in self.cert_chain_pems[1:]:
-                cert = load_certificate(FILETYPE_PEM, pem.bytes())
-                ctx.add_extra_chain_cert(cert)
+                cert = x509.load_pem_x509_certificate(pem.bytes())
+                ctx.add_extra_chain_cert(cert)  # type: ignore[arg-type]
         else:
             raise TypeError(
                 "unrecognized context type {!r}".format(ctx.__class__.__name__)

test-requirements.txt

@@ -8,7 +8,7 @@ attrs==24.2.0
     # via service-identity
 cffi==1.17.1
     # via cryptography
-coverage[toml]==7.6.4
+coverage[toml]==7.6.8
     # via -r test-requirements.in
 cryptography==43.0.3
     # via
@@ -19,7 +19,7 @@ idna==3.10
     # via -r test-requirements.in
 iniconfig==2.0.0
     # via pytest
-packaging==24.1
+packaging==24.2
     # via pytest
 pluggy==1.5.0
     # via pytest
@@ -31,7 +31,7 @@ pyasn1-modules==0.4.1
     # via service-identity
 pycparser==2.22
     # via cffi
-pyopenssl==24.2.1
+pyopenssl==24.3.0
     # via -r test-requirements.in
 pytest==8.3.3
     # via -r test-requirements.in