From 957e7c8f1698da2aff4deaef6b27bd0c34573b6f Mon Sep 17 00:00:00 2001 From: Noah Stapp Date: Tue, 23 Jul 2024 12:47:06 -0700 Subject: [PATCH 1/2] PYTHON-4572 - Fix type errors caused by new PyOpenSSL type hints --- pymongo/pyopenssl_context.py | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/pymongo/pyopenssl_context.py b/pymongo/pyopenssl_context.py index 4afb3e17b5..e2b063a713 100644 --- a/pymongo/pyopenssl_context.py +++ b/pymongo/pyopenssl_context.py @@ -292,7 +292,7 @@ def load_cert_chain( # Password callback MUST be set first or it will be ignored. if password: - def _pwcb(_max_length: int, _prompt_twice: bool, _user_data: bytes) -> bytes: + def _pwcb(_max_length: int, _prompt_twice: bool, _user_data: Optional[bytes]) -> bytes: # XXX:We could check the password length against what OpenSSL # tells us is the max, but we can't raise an exception, so... # warn? @@ -332,14 +332,17 @@ def _load_certifi(self) -> None: def _load_wincerts(self, store: str) -> None: """Attempt to load CA certs from Windows trust store.""" cert_store = self._ctx.get_cert_store() - oid = _stdlibssl.Purpose.SERVER_AUTH.oid - - for cert, encoding, trust in _stdlibssl.enum_certificates(store): # type: ignore - if encoding == "x509_asn": - if trust is True or oid in trust: - cert_store.add_cert( - _crypto.X509.from_cryptography(x509.load_der_x509_certificate(cert)) - ) + if cert_store is not None: + oid = _stdlibssl.Purpose.SERVER_AUTH.oid + + for cert, encoding, trust in _stdlibssl.enum_certificates(store): # type: ignore + if encoding == "x509_asn": + if trust is True or oid in trust: + cert_store.add_cert( + _crypto.X509.from_cryptography(x509.load_der_x509_certificate(cert)) + ) + else: + raise _ConfigurationError("The current CA context does not have a X509Store object.") def load_default_certs(self) -> None: """A PyOpenSSL version of load_default_certs from CPython.""" From f3c2d05c57ae09ad8efa780992e666c609f28cfd Mon Sep 17 00:00:00 2001 
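Review bot: In the second hunk (`_load_wincerts`), every `x509_asn` entry goes through `x509.load_der_x509_certificate(cert)` with no error handling. A single Windows store entry that the parser rejects would presumably raise out of the loop and leave the remaining trusted roots unloaded. Consider wrapping the `cert_store.add_cert(...)` call in `try:` / `except ValueError:` and logging a warning that names `store`, so that one unparseable certificate is skipped while staying visible to operators. The exact exception type should be confirmed against the supported cryptography versions. The callers of `_load_wincerts` are outside this hunk, so a handler may already exist there.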
From: Noah Stapp Date: Tue, 23 Jul 2024 13:35:35 -0700 Subject: [PATCH 2/2] Use assert to reduce code churn --- pymongo/pyopenssl_context.py | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/pymongo/pyopenssl_context.py b/pymongo/pyopenssl_context.py index e2b063a713..c1b85af125 100644 --- a/pymongo/pyopenssl_context.py +++ b/pymongo/pyopenssl_context.py @@ -332,17 +332,15 @@ def _load_certifi(self) -> None: def _load_wincerts(self, store: str) -> None: """Attempt to load CA certs from Windows trust store.""" cert_store = self._ctx.get_cert_store() - if cert_store is not None: - oid = _stdlibssl.Purpose.SERVER_AUTH.oid - - for cert, encoding, trust in _stdlibssl.enum_certificates(store): # type: ignore - if encoding == "x509_asn": - if trust is True or oid in trust: - cert_store.add_cert( - _crypto.X509.from_cryptography(x509.load_der_x509_certificate(cert)) - ) - else: - raise _ConfigurationError("The current CA context does not have a X509Store object.") + assert cert_store is not None + oid = _stdlibssl.Purpose.SERVER_AUTH.oid + + for cert, encoding, trust in _stdlibssl.enum_certificates(store): # type: ignore + if encoding == "x509_asn": + if trust is True or oid in trust: + cert_store.add_cert( + _crypto.X509.from_cryptography(x509.load_der_x509_certificate(cert)) + ) def load_default_certs(self) -> None: """A PyOpenSSL version of load_default_certs from CPython."""
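Review bot: `assert cert_store is not None` is stripped when Python runs with `-O`, so it narrows the type for the checker but is not a reliable runtime check. With the assert removed, a `None` store surfaces as an `AttributeError` at `cert_store.add_cert(...)` once a matching certificate is found, and the function returns silently if none match. The previous patch raised `_ConfigurationError` for this case. A guard clause keeps the diff just as small without re-indenting the loop: `if cert_store is None:` followed by `raise _ConfigurationError("The current CA context does not have a X509Store object.")`. That keeps the failure explicit on the path that builds the TLS trust store.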