Package: python3-trustme Version: 1.2.0-0.1 Severity: serious Tags: patch Control: affects -1 src:python-cheroot
python-cheroot FTBFSes in unstable for a couple of reasons at the moment, but one of them is that the latest python3-openssl has caused DeprecationWarnings to show up via python3-trustme. This manifests as something like this: _________________________________________________________________________ test_ssl_adapters[pyopenssl] _________________________________________________________________________ [gw4] linux -- Python 3.13.1 /usr/bin/python3.13 http_request_timeout = 0.1 tls_http_server = functools.partial(<function make_tls_http_server at 0x7fba15dcc180>, request=<SubRequest 'tls_http_server' for <Function test_ssl_adapters[pyopenssl]>>) adapter_type = 'pyopenssl', tls_certificate = <trustme.LeafCert object at 0x7fba159274d0>, tls_certificate_chain_pem_path = '/tmp/tmprthmjb0j.pem' tls_certificate_private_key_pem_path = '/tmp/tmphcv6h1pr.pem', tls_ca_certificate_pem_path = '/tmp/tmp63qa09j0.pem' @pytest.mark.parametrize( 'adapter_type', ( 'builtin', 'pyopenssl', ), ) def test_ssl_adapters( http_request_timeout, tls_http_server, adapter_type, tls_certificate, tls_certificate_chain_pem_path, tls_certificate_private_key_pem_path, tls_ca_certificate_pem_path, ): """Test ability to connect to server via HTTPS using adapters.""" interface, _host, port = _get_conn_data(ANY_INTERFACE_IPV4) tls_adapter_cls = get_ssl_adapter_class(name=adapter_type) tls_adapter = tls_adapter_cls( tls_certificate_chain_pem_path, tls_certificate_private_key_pem_path, ) if adapter_type == 'pyopenssl': tls_adapter.context = tls_adapter.get_context() > tls_certificate.configure_cert(tls_adapter.context) _host = '0.0.0.0' adapter_type = 'pyopenssl' http_request_timeout = 0.1 interface = '127.0.0.1' port = 0 tls_adapter = <cheroot.ssl.pyopenssl.pyOpenSSLAdapter object at 0x7fba15cbfcb0> tls_adapter_cls = <class 'cheroot.ssl.pyopenssl.pyOpenSSLAdapter'> tls_ca_certificate_pem_path = '/tmp/tmp63qa09j0.pem' tls_certificate = <trustme.LeafCert object at 0x7fba159274d0> 
tls_certificate_chain_pem_path = '/tmp/tmprthmjb0j.pem' tls_certificate_private_key_pem_path = '/tmp/tmphcv6h1pr.pem' tls_http_server = functools.partial(<function make_tls_http_server at 0x7fba15dcc180>, request=<SubRequest 'tls_http_server' for <Function test_ssl_adapters[pyopenssl]>>) cheroot/test/test_ssl.py:212: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ /usr/lib/python3/dist-packages/trustme/__init__.py:553: in configure_cert ctx.use_certificate(cert) FILETYPE_PEM = 1 cert = <OpenSSL.crypto.X509 object at 0x7fba15cbdbe0> ctx = <OpenSSL.SSL.Context object at 0x7fba15cbe660> key = <cryptography.hazmat.bindings._rust.openssl.ec.ECPrivateKey object at 0x7fba140bcb10> load_certificate = <function load_certificate at 0x7fba15d82ca0> self = <trustme.LeafCert object at 0x7fba159274d0> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ self = <OpenSSL.SSL.Context object at 0x7fba15cbe660>, cert = <OpenSSL.crypto.X509 object at 0x7fba15cbdbe0> def use_certificate(self, cert: X509 | x509.Certificate) -> None: """ Load a certificate from a X509 object :param cert: The X509 object :return: None """ # Mirrored at Connection.use_certificate if not isinstance(cert, X509): cert = X509.from_cryptography(cert) else: > warnings.warn( ( "Passing pyOpenSSL X509 objects is deprecated. You " "should use a cryptography.x509.Certificate instead." ), DeprecationWarning, stacklevel=2, ) E DeprecationWarning: Passing pyOpenSSL X509 objects is deprecated. You should use a cryptography.x509.Certificate instead. 
cert = <OpenSSL.crypto.X509 object at 0x7fba15cbdbe0> self = <OpenSSL.SSL.Context object at 0x7fba15cbe660> /usr/lib/python3/dist-packages/OpenSSL/SSL.py:1140: DeprecationWarning (This also shows up as warnings when building python-trustme, but they don't cause failures in that context.) The attached patch is cherry-picked from upstream and fixes this. If you're still busy, would you like me to NMU again? Thanks, -- Colin Watson (he/him) [cjwat...@debian.org]
diff -Nru python-trustme-1.2.0/debian/changelog python-trustme-1.2.0/debian/changelog
--- python-trustme-1.2.0/debian/changelog 2024-11-19 20:22:45.000000000 +0000
+++ python-trustme-1.2.0/debian/changelog 2024-12-10 19:31:04.000000000 +0000
@@ -1,3 +1,10 @@
+python-trustme (1.2.0-0.2) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ * Use cryptography to load the pyOpenSSL certificates.
+
+ -- Colin Watson <cjwat...@debian.org> Tue, 10 Dec 2024 19:31:04 +0000
+
 python-trustme (1.2.0-0.1) unstable; urgency=medium
 
 * Non-maintainer upload with maintainer's permission.
diff -Nru python-trustme-1.2.0/debian/patches/pyOpenSSL-cryptography.patch python-trustme-1.2.0/debian/patches/pyOpenSSL-cryptography.patch
--- python-trustme-1.2.0/debian/patches/pyOpenSSL-cryptography.patch 1970-01-01 01:00:00.000000000 +0100
+++ python-trustme-1.2.0/debian/patches/pyOpenSSL-cryptography.patch 2024-12-10 19:31:04.000000000 +0000
@@ -0,0 +1,40 @@
+Description: Use cryptography to load the pyOpenSSL certificates
+Origin: backport, https://github.com/python-trio/trustme/pull/670
+Author: EXPLOSION <g...@helvetica.moe>
+Last-Update: 2024-12-10
+
+Index: b/src/trustme/__init__.py
+===================================================================
+--- a/src/trustme/__init__.py
++++ b/src/trustme/__init__.py
+@@ -8,7 +8,7 @@
+ from contextlib import contextmanager
+ from enum import Enum
+ from tempfile import NamedTemporaryFile
+-from typing import TYPE_CHECKING, Generator, List, Optional, Union
++from typing import TYPE_CHECKING, Generator, List, Optional, Union, cast
+
+ import idna
+ from cryptography import x509
+@@ -545,15 +545,13 @@
+ with self.private_key_and_cert_chain_pem.tempfile() as path:
+ ctx.load_cert_chain(path)
+ elif _smells_like_pyopenssl(ctx):
+- from OpenSSL.crypto import FILETYPE_PEM, load_certificate, load_privatekey
+-
+- key = load_privatekey(FILETYPE_PEM, self.private_key_pem.bytes())
+- ctx.use_privatekey(key)
+- cert = load_certificate(FILETYPE_PEM, self.cert_chain_pems[0].bytes())
+- ctx.use_certificate(cert)
++ key = load_pem_private_key(self.private_key_pem.bytes(), None)
++ ctx.use_privatekey(key) # type: ignore[arg-type]
++ cert = x509.load_pem_x509_certificate(self.cert_chain_pems[0].bytes())
++ ctx.use_certificate(cert) # type: ignore[arg-type]
+ for pem in self.cert_chain_pems[1:]:
+- cert = load_certificate(FILETYPE_PEM, pem.bytes())
+- ctx.add_extra_chain_cert(cert)
++ cert = x509.load_pem_x509_certificate(pem.bytes())
++ ctx.add_extra_chain_cert(cert) # type: ignore[arg-type]
+ else:
+ raise TypeError(
+ "unrecognized context type {!r}".format(ctx.__class__.__name__)
diff -Nru python-trustme-1.2.0/debian/patches/series python-trustme-1.2.0/debian/patches/series
--- python-trustme-1.2.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ python-trustme-1.2.0/debian/patches/series 2024-12-10 19:28:33.000000000 +0000
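Review bot: The rewritten pyOpenSSL branch hands `cryptography` key and certificate objects straight to `ctx.use_privatekey`, `ctx.use_certificate` and `ctx.add_extra_chain_cert`, which only works with a pyOpenSSL new enough to accept them; older releases presumably reject arguments that are not its own `PKey`/`X509` types, and the three `# type: ignore[arg-type]` markers hide that mismatch from the type checker. Nothing in this debdiff records the new minimum, so I would add a comment above the `key = load_pem_private_key(...)` line such as `# needs a pyOpenSSL that accepts cryptography objects (upstream PR 670)` and a matching versioned relationship in debian/control, e.g. `Breaks: python3-openssl (<< <FIRST_VERSION_ACCEPTING_CRYPTOGRAPHY_OBJECTS>)`. The first inner hunk also adds `cast` to the typing import although no visible line uses it, and `load_pem_private_key` is assumed to be imported already; both should be checked against the full file, since `configure_cert` starts and ends outside the hunk.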
@@ -0,0 +1 @@
+pyOpenSSL-cryptography.patch