fedmsg
Replace PyOpenSSL with PyCA Cryptography
fedmsg uses PyCA cryptography and PyOpenSSL's OpenSSL.crypto module. Please consider using only PyCA cryptography.
https://pyopenssl.readthedocs.io/en/stable/api/crypto.html
pyca/cryptography is likely a better choice than using this module. It contains a complete set of cryptographic primitives as well as a significantly better and more powerful X509 API. If necessary you can convert to and from cryptography objects using the to_cryptography and from_cryptography methods on X509, X509Req, CRL, and PKey.
PyOpenSSL is used in fedmsg.crypto.x509_ng:
https://github.com/fedora-infra/fedmsg/blob/78c0ffabc788025af07cdf0c5d3c10fe537a96bd/fedmsg/crypto/x509_ng.py#L25-L39
@tiran I'd be very happy to drop the PyOpenSSL dependency. If I recall correctly, I needed it to do certificate chain validation and cryptography didn't have an API for that. Is that still the case? I saw it was mentioned that Alex was working on an implementation, but I couldn't find a PR or changelog entry so I'm guessing that's not landed yet.
PyOpenSSL is implemented on top of cryptography. You should be able to do anything with cryptography, but cryptography may not have a public API for that. I'll get back to you.
For the record, cryptography does not have an API for cert chain validation against a CRL and trust anchors yet, https://github.com/fedora-infra/fedmsg/blob/78c0ffabc788025af07cdf0c5d3c10fe537a96bd/fedmsg/crypto/x509_ng.py#L209-L240
Thanks for looking into that. I think that in the medium to long term, fedmsg will drop the signing/verifying messages feature. ZeroMQ provides a feature that covers message authentication so fedmsg doesn't need its own. If the API shows up in cryptography great, but we really should get rid of all the crypto code anyway.
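As an added example, not fedmsg's code or anything from this thread: the trust-anchor plus CRL check that x509_ng hands to PyOpenSSL, spelled out with PyCA cryptography primitives, since cryptography offered no path-validation API at the time. It covers one level only (a leaf directly under the anchor, no intermediates or extension processing) and fails closed on a stale CRL. Assumes cryptography is installed; the keys, certificates, CRL and fixed clock are all constructed in memory.

```python
# Added example (not fedmsg code): the trust-anchor + CRL check x509_ng does via PyOpenSSL, in PyCA cryptography only.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW, DAY = datetime.datetime(2024, 1, 1), datetime.timedelta(days=1)  # constructed fixed clock

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, issuer_key, pubkey, serial):
    return (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(_name(issuer))
            .public_key(pubkey).serial_number(serial)
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
            .sign(issuer_key, hashes.SHA256()))

def make_crl(anchor, anchor_key, revoked_serial):
    entry = x509.RevokedCertificateBuilder().serial_number(revoked_serial).revocation_date(NOW).build()
    return (x509.CertificateRevocationListBuilder().issuer_name(anchor.subject)
            .last_update(NOW - DAY).next_update(NOW + 7 * DAY)
            .add_revoked_certificate(entry).sign(anchor_key, hashes.SHA256()))

def verify_leaf(leaf, anchor, crl, now=NOW):  # None if acceptable, else a rejection reason
    if leaf.issuer != anchor.subject:
        return "issuer mismatch"
    try:  # the signature over the TBS bytes must verify with the anchor's key
        anchor.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return "bad signature"
    if not leaf.not_valid_before <= now <= leaf.not_valid_after:
        return "outside validity period"
    if crl.issuer != anchor.subject or not crl.is_signature_valid(anchor.public_key()):
        return "CRL not issued by trust anchor"
    if crl.next_update < now:
        return "CRL is stale"  # fail closed: an expired CRL gives no revocation assurance
    if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
        return "revoked"

def demo():  # constructed scenario: good leaf, revoked leaf, leaf signed by a rogue key
    anchor_key, rogue_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    anchor = make_cert("ca", "ca", anchor_key, anchor_key.public_key(), 1)
    good = make_cert("leaf", "ca", anchor_key, leaf_key.public_key(), 2)
    revoked = make_cert("leaf", "ca", anchor_key, leaf_key.public_key(), 3)
    rogue = make_cert("leaf", "ca", rogue_key, leaf_key.public_key(), 4)  # claims issuer "ca"
    crl = make_crl(anchor, anchor_key, 3)
    return verify_leaf(good, anchor, crl), verify_leaf(revoked, anchor, crl), verify_leaf(rogue, anchor, crl)
```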