Bump pyopenssl from 24.2.1 to 24.3.0

[dependabot]

Bumps pyopenssl from 24.2.1 to 24.3.0.

Changelog

Sourced from pyopenssl's changelog.

24.3.0 (2024-11-27)

Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

• Removed the deprecated OpenSSL.crypto.CRL, OpenSSL.crypto.Revoked, OpenSSL.crypto.dump_crl, and OpenSSL.crypto.load_crl. cryptography.x509's CRL functionality should be used instead.
• Removed the deprecated OpenSSL.crypto.sign and OpenSSL.crypto.verify. cryptography.hazmat.primitives.asymmetric's signature APIs should be used instead.

Deprecations: ^^^^^^^^^^^^^

• Deprecated OpenSSL.rand - callers should use os.urandom() instead.
• Deprecated add_extensions and get_extensions on OpenSSL.crypto.X509Req and OpenSSL.crypto.X509. These should have been deprecated at the same time X509Extension was. Users should use pyca/cryptography's X.509 APIs instead.
• Deprecated OpenSSL.crypto.get_elliptic_curves and OpenSSL.crypto.get_elliptic_curve, as well as passing the reult of them to OpenSSL.SSL.Context.set_tmp_ecdh, users should instead pass curves from cryptography.
• Deprecated passing X509 objects to OpenSSL.SSL.Context.use_certificate, OpenSSL.SSL.Connection.use_certificate, OpenSSL.SSL.Context.add_extra_chain_cert, and OpenSSL.SSL.Context.add_client_ca, users should instead pass cryptography.x509.Certificate instances. This is in preparation for deprecating pyOpenSSL's X509 entirely.
• Deprecated passing PKey objects to OpenSSL.SSL.Context.use_privatekey and OpenSSL.SSL.Connection.use_privatekey, users should instead pass cryptography priate key instances. This is in preparation for deprecating pyOpenSSL's PKey entirely.

Changes: ^^^^^^^^

• cryptography maximum version has been increased to 44.0.x.
• OpenSSL.SSL.Connection.get_certificate, OpenSSL.SSL.Connection.get_peer_certificate, OpenSSL.SSL.Connection.get_peer_cert_chain, and OpenSSL.SSL.Connection.get_verified_chain now take an as_cryptography keyword-argument. When True is passed then cryptography.x509.Certificate are returned, instead of OpenSSL.crypto.X509. In the future, passing False (the default) will be deprecated.

Commits

• 9f82d97 Raise cryptography version and prepare the 24.3.0 release (#1381)
• 7e1660b Remove APIs that have been deprecated for a year (#1374)
• a6678a9 make deprecation warnings more prominent in docs (#1379)
• 0baa319 Reorganize how we test downstreams and add more (#1377)
• 24cc2c1 Refactor two tests that rely on deprecated APIs (#1375)
• a378d53 Bump actions/upload-artifact in /.github/actions/upload-coverage (#1372)
• ace2244 Bump actions/upload-artifact from 4.4.2 to 4.4.3 (#1371)
• f8ef486 Bump actions/upload-artifact in /.github/actions/upload-coverage (#1370)
• f8c2d99 Bump actions/upload-artifact from 4.4.1 to 4.4.2 (#1369)
• bad5ba4 Bump actions/upload-artifact in /.github/actions/upload-coverage (#1367)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[jwhitlock]

The notes say:

Removed the deprecated OpenSSL.crypto.sign and OpenSSL.crypto.verify. cryptography.hazmat.primitives.asymmetric's signature APIs should be used instead.

We use crypto.verify here:

fx-private-relay/emails/sns.py

Lines 66 to 76 in 3e33942

	def verify_from_sns(json_body):
	pemfile = _grab_keyfile(json_body["SigningCertURL"])
	cert = crypto.load_certificate(crypto.FILETYPE_PEM, pemfile)
	signature = base64.decodebytes(json_body["Signature"].encode("utf-8"))
	hash_format = _get_hash_format(json_body)
	crypto.verify(
	cert, signature, hash_format.format(**json_body).encode("utf-8"), "sha1"
	)
	return json_body

It is probable that the tests are passing due to mocks, but the live code will fail.

[groovecoder]

I added #5234 to the merge queue. Sorry it took a while.

[groovecoder]

@dependabot rebase

[groovecoder]

Woohoo the new tests caught the error.

[dependabot]

Looks like pyopenssl is no longer a dependency, so this is no longer needed.