Improve OpenSSL stubs (#5645)

* Support Python 3.
* Add OpenSSL.SSL.
* Extend OpenSSL.crypto.

Co-authored-by: Vasily Zakharov <v.zakharov@wwpass.com>

stubs/openssl-python/@tests/stubtest_allowlist.txt

@@ -0,0 +1,3 @@
+OpenSSL
+OpenSSL.SSL
+OpenSSL.crypto

stubs/openssl-python/METADATA.toml

@@ -1,4 +1,4 @@
 version = "0.1"
 python2 = true
-python3 = false
+python3 = true
 requires = ["types-cryptography"]

stubs/openssl-python/OpenSSL/SSL.pyi

@@ -0,0 +1,26 @@
+from socket import socket
+from typing import Callable, Sequence
+
+from OpenSSL.crypto import X509
+
+TLSv1_2_METHOD: int
+OP_NO_SSLv2: int
+OP_NO_SSLv3: int
+OP_NO_TLSv1: int
+OP_NO_TLSv1_1: int
+OP_NO_TLSv1_2: int
+OP_NO_TLSv1_3: int
+VERIFY_PEER: int
+
+class Connection:
+    def __init__(self, context: Context, _socket: socket | None) -> None: ...
+    def connect(self, addr: str | bytes | Sequence[str | int]) -> None: ...
+    def do_handshake(self) -> None: ...
+    def get_peer_certificate(self) -> X509: ...
+    def set_tlsext_host_name(self, name: bytes) -> None: ...
+
+class Context:
+    def __init__(self, method: int) -> None: ...
+    def load_verify_locations(self, cafile: str | None, capath: str | None) -> None: ...
+    def set_options(self, options: int) -> None: ...
+    def set_verify(self, mode: int, callback: Callable[[Connection, X509, int, int, int], bool]) -> None: ...

stubs/openssl-python/OpenSSL/crypto.pyi

@@ -1,105 +1,147 @@
-import sys
 from datetime import datetime
-from typing import Callable, Iterable, List, Optional, Set, Text, Tuple, Union
+from typing import Callable, Iterable, List, Sequence, Set, Text, Tuple, Union
 
-from cryptography.hazmat.primitives.asymmetric import dsa, rsa
+from cryptography.hazmat.primitives.asymmetric.dsa import DSAPrivateKey, DSAPublicKey
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey
+from cryptography.x509 import Certificate, CertificateRevocationList, CertificateSigningRequest
+
+_Key = Union[DSAPrivateKey, DSAPublicKey, RSAPrivateKey, RSAPublicKey]
 
 FILETYPE_PEM: int
 FILETYPE_ASN1: int
 FILETYPE_TEXT: int
+
 TYPE_RSA: int
 TYPE_DSA: int
 
-class Error(Exception): ...
-
-_Key = Union[rsa.RSAPublicKey, rsa.RSAPrivateKey, dsa.DSAPublicKey, dsa.DSAPrivateKey]
-
-class PKey:
-    def __init__(self) -> None: ...
-    def to_cryptography_key(self) -> _Key: ...
-    @classmethod
-    def from_cryptography_key(cls, crypto_key: _Key) -> PKey: ...
-    def generate_key(self, type: int, bits: int) -> None: ...
-    def check(self) -> bool: ...
-    def type(self) -> int: ...
-    def bits(self) -> int: ...
-
 class _EllipticCurve:
     name: Text
 
-def get_elliptic_curves() -> Set[_EllipticCurve]: ...
-def get_elliptic_curve(name: str) -> _EllipticCurve: ...
+class Error(Exception): ...
 
-if sys.version_info >= (3, 0):
-    _StrLike = str
-else:
-    _StrLike = Union[str, unicode]
+class PKey:
+    def __init__(self) -> None: ...
+    def bits(self) -> int: ...
+    def check(self) -> bool: ...
+    @classmethod
+    def from_cryptography_key(cls, crypto_key: _Key) -> PKey: ...
+    def generate_key(self, type: int, bits: int) -> None: ...
+    def to_cryptography_key(self) -> _Key: ...
+    def type(self) -> int: ...
 
 class X509Name:
+    countryName: Text
+    C: Text
+    stateOrProvinceName: Text
+    ST: Text
+    localityName: Text
+    L: Text
+    organizationName: Text
+    O: Text
+    organizationalUnitName: Text
+    OU: Text
+    commonName: Text
+    CN: Text
+    emailAddress: Text
     def __init__(self, name: X509Name) -> None: ...
-    countryName: _StrLike
-    stateOrProvinceName: _StrLike
-    localityName: _StrLike
-    organizationName: _StrLike
-    organizationalUnitName: _StrLike
-    commonName: _StrLike
-    emailAddress: _StrLike
-    C: _StrLike
-    ST: _StrLike
-    L: _StrLike
-    O: _StrLike
-    OU: _StrLike
-    CN: _StrLike
-    def hash(self) -> int: ...
     def der(self) -> bytes: ...
     def get_components(self) -> List[Tuple[str, str]]: ...
-
-class X509Extension:
-    def __init__(
-        self, type_name: bytes, critical: bool, value: bytes, subject: Optional[X509] = ..., issuer: Optional[X509] = ...
-    ) -> None: ...
-    def get_critical(self) -> bool: ...
-    def get_short_name(self) -> str: ...
-    def get_data(self) -> str: ...
-
-class X509Req:
-    def __init__(self) -> None: ...
-    def set_pubkey(self, pkey: PKey) -> None: ...
-    def get_pubkey(self) -> PKey: ...
-    def set_version(self, version: int) -> None: ...
-    def get_version(self) -> int: ...
-    def get_subject(self) -> X509Name: ...
-    def add_extensions(self, extensions: Iterable[X509Extension]) -> None: ...
-    def get_extensions(self) -> List[X509Extension]: ...
-    def sign(self, pkey: PKey, digest: str) -> None: ...
-    def verify(self, pkey: PKey) -> bool: ...
+    def hash(self) -> int: ...
 
 class X509:
     def __init__(self) -> None: ...
-    def set_version(self, version: int) -> None: ...
-    def get_version(self) -> int: ...
+    def add_extensions(self, extensions: Iterable[X509Extension]) -> None: ...
+    def digest(self, digest_name: bytes) -> bytes: ...
+    @classmethod
+    def from_cryptography(cls, crypto_key: Certificate) -> X509: ...
+    def get_extension(self, index: int) -> X509Extension: ...
+    def get_extension_count(self) -> int: ...
+    def get_issuer(self) -> X509Name: ...
+    def get_notAfter(self) -> bytes | None: ...
+    def get_notBefore(self) -> bytes | None: ...
     def get_pubkey(self) -> PKey: ...
-    def set_pubkey(self, pkey: PKey) -> None: ...
-    def sign(self, pkey: PKey, digest: str) -> None: ...
-    def get_signature_algorithm(self) -> str: ...
-    def digest(self, digest_name: str) -> str: ...
-    def subject_name_hash(self) -> str: ...
-    def set_serial_number(self, serial: int) -> None: ...
     def get_serial_number(self) -> int: ...
+    def get_signature_algorithm(self) -> bytes: ...
+    def get_subject(self) -> X509Name: ...
+    def get_version(self) -> int: ...
     def gmtime_adj_notAfter(self, amount: int) -> None: ...
     def gmtime_adj_notBefore(self, amount: int) -> None: ...
     def has_expired(self) -> bool: ...
-    def get_notBefore(self) -> str: ...
-    def set_notBefore(self, when: str) -> None: ...
-    def get_notAfter(self) -> str: ...
-    def set_notAfter(self, when: str) -> None: ...
-    def get_issuer(self) -> X509Name: ...
     def set_issuer(self, issuer: X509Name) -> None: ...
-    def get_subject(self) -> X509Name: ...
+    def set_notAfter(self, when: bytes) -> None: ...
+    def set_notBefore(self, when: bytes) -> None: ...
+    def set_pubkey(self, pkey: PKey) -> None: ...
+    def set_serial_number(self, serial: int) -> None: ...
     def set_subject(self, subject: X509Name) -> None: ...
-    def get_extension_count(self) -> int: ...
+    def set_version(self, version: int) -> None: ...
+    def sign(self, pkey: PKey, digest: Text | bytes) -> None: ...
+    def subject_name_hash(self) -> bytes: ...
+    def to_cryptography(self) -> Certificate: ...
+
+class X509Req:
+    def __init__(self) -> None: ...
     def add_extensions(self, extensions: Iterable[X509Extension]) -> None: ...
-    def get_extension(self, index: int) -> X509Extension: ...
+    @classmethod
+    def from_cryptography(cls, crypto_req: CertificateSigningRequest) -> X509Req: ...
+    def get_extensions(self) -> List[X509Extension]: ...
+    def get_pubkey(self) -> PKey: ...
+    def get_subject(self) -> X509Name: ...
+    def get_version(self) -> int: ...
+    def set_pubkey(self, pkey: PKey) -> None: ...
+    def set_version(self, version: int) -> None: ...
+    def sign(self, pkey: PKey, digest: Text | bytes) -> None: ...
+    def to_cryptography(self) -> CertificateSigningRequest: ...
+    def verify(self, pkey: PKey) -> bool: ...
+
+class X509Extension:
+    def __init__(
+        self, type_name: bytes, critical: bool, value: bytes, subject: X509 | None = ..., issuer: X509 | None = ...
+    ) -> None: ...
+    def get_critical(self) -> bool: ...
+    def get_data(self) -> bytes: ...
+    def get_short_name(self) -> bytes: ...
+
+class Revoked:
+    def __init__(self) -> None: ...
+    def all_reasons(self) -> List[bytes]: ...
+    def get_reason(self) -> bytes | None: ...
+    def get_rev_date(self) -> bytes: ...
+    def get_serial(self) -> bytes: ...
+    def set_reason(self, reason: bytes | None) -> None: ...
+    def set_rev_date(self, when: bytes) -> None: ...
+    def set_serial(self, hex_str: bytes) -> None: ...
+
+class CRL:
+    def __init__(self) -> None: ...
+    def add_revoked(self, revoked: Revoked) -> None: ...
+    def export(self, cert: X509, key: PKey, type: int = ..., days: int = ..., digest: bytes = ...) -> bytes: ...
+    @classmethod
+    def from_cryptography(cls, crypto_crl: CertificateRevocationList) -> CRL: ...
+    def get_issuer(self) -> X509Name: ...
+    def get_revoked(self) -> Tuple[Revoked, ...]: ...
+    def set_lastUpdate(self, when: bytes) -> None: ...
+    def set_nextUpdate(self, when: bytes) -> None: ...
+    def set_version(self, version: int) -> None: ...
+    def sign(self, issuer_cert: X509, issuer_key: PKey, digest: bytes) -> None: ...
+    def to_cryptography(self) -> CertificateRevocationList: ...
+
+class X509Store:
+    def __init__(self) -> None: ...
+    def add_cert(self, cert: X509) -> None: ...
+    def add_crl(self, crl: CRL) -> None: ...
+    def load_locations(self, cafile: Text | bytes, capath: Text | bytes) -> None: ...
+    def set_flags(self, flags: int) -> None: ...
+    def set_time(self, vfy_time: datetime) -> None: ...
+
+class X509StoreContext:
+    def __init__(self, store: X509Store, certificate: X509, chain: Sequence[X509] | None) -> None: ...
+    def get_verified_chain(self) -> List[X509]: ...
+    def set_store(self, store: X509Store) -> None: ...
+    def verify_certificate(self) -> None: ...
+
+class X509StoreContextError(Exception):
+    certificate: X509
+    def __init__(self, message: Text | bytes, certificate: X509) -> None: ...
 
 class X509StoreFlags:
     CRL_CHECK: int
@@ -114,84 +156,48 @@ class X509StoreFlags:
     CHECK_SS_SIGNATURE: int
     CB_ISSUER_CHECK: int
 
-class X509Store:
-    def __init__(self) -> None: ...
-    def add_cert(self, cert: X509) -> None: ...
-    def add_crl(self, crl: CRL) -> None: ...
-    def set_flags(self, flags: int) -> None: ...
-    def set_time(self, vfy_time: datetime) -> None: ...
-
-class X509StoreContextError(Exception):
-    certificate: X509
-    def __init__(self, message: str, certificate: X509) -> None: ...
-
-class X509StoreContext:
-    def __init__(self, store: X509Store, certificate: X509) -> None: ...
-    def set_store(self, store: X509Store) -> None: ...
-    def verify_certificate(self) -> None: ...
-
-def load_certificate(type: int, buffer: _StrLike) -> X509: ...
-def dump_certificate(type: int, cert: X509) -> bytes: ...
-def dump_publickey(type: int, pkey: PKey) -> bytes: ...
-def dump_privatekey(
-    type: int, pkey: PKey, cipher: Optional[str] = ..., passphrase: Optional[Union[str, Callable[[int], int]]] = ...
-) -> bytes: ...
-
-class Revoked:
-    def __init__(self) -> None: ...
-    def set_serial(self, hex_str: str) -> None: ...
-    def get_serial(self) -> str: ...
-    def set_reason(self, reason: str) -> None: ...
-    def get_reason(self) -> str: ...
-    def all_reasons(self) -> List[str]: ...
-    def set_rev_date(self, when: str) -> None: ...
-    def get_rev_date(self) -> str: ...
-
-class CRL:
-    def __init__(self) -> None: ...
-    def get_revoked(self) -> Tuple[Revoked, ...]: ...
-    def add_revoked(self, revoked: Revoked) -> None: ...
-    def get_issuer(self) -> X509Name: ...
-    def set_version(self, version: int) -> None: ...
-    def set_lastUpdate(self, when: str) -> None: ...
-    def set_nextUpdate(self, when: str) -> None: ...
-    def sign(self, issuer_cert: X509, issuer_key: PKey, digest: str) -> None: ...
-    def export(self, cert: X509, key: PKey, type: int = ..., days: int = ..., digest: str = ...) -> bytes: ...
-
 class PKCS7:
-    def type_is_signed(self) -> bool: ...
-    def type_is_enveloped(self) -> bool: ...
-    def type_is_signedAndEnveloped(self) -> bool: ...
+    def get_type_name(self) -> Text: ...
     def type_is_data(self) -> bool: ...
-    def get_type_name(self) -> str: ...
+    def type_is_enveloped(self) -> bool: ...
+    def type_is_signed(self) -> bool: ...
+    def type_is_signedAndEnveloped(self) -> bool: ...
 
 class PKCS12:
     def __init__(self) -> None: ...
-    def get_certificate(self) -> X509: ...
-    def set_certificate(self, cert: X509) -> None: ...
-    def get_privatekey(self) -> PKey: ...
-    def set_privatekey(self, pkey: PKey) -> None: ...
+    def export(self, passphrase: bytes | None = ..., iter: int = ..., maciter: int = ...) -> bytes: ...
     def get_ca_certificates(self) -> Tuple[X509, ...]: ...
-    def set_ca_certificates(self, cacerts: Iterable[X509]) -> None: ...
-    def set_friendlyname(self, name: bytes) -> None: ...
-    def get_friendlyname(self) -> bytes: ...
-    def export(self, passphrase: Optional[str] = ..., iter: int = ..., maciter: int = ...) -> bytes: ...
+    def get_certificate(self) -> X509: ...
+    def get_friendlyname(self) -> bytes | None: ...
+    def get_privatekey(self) -> PKey: ...
+    def set_ca_certificates(self, cacerts: Iterable[X509] | None) -> None: ...
+    def set_certificate(self, cert: X509) -> None: ...
+    def set_friendlyname(self, name: bytes | None) -> None: ...
+    def set_privatekey(self, pkey: PKey) -> None: ...
 
 class NetscapeSPKI:
     def __init__(self) -> None: ...
-    def sign(self, pkey: PKey, digest: str) -> None: ...
-    def verify(self, key: PKey) -> bool: ...
-    def b64_encode(self) -> str: ...
+    def b64_encode(self) -> bytes: ...
     def get_pubkey(self) -> PKey: ...
     def set_pubkey(self, pkey: PKey) -> None: ...
+    def sign(self, pkey: PKey, digest: bytes) -> None: ...
+    def verify(self, key: PKey) -> bool: ...
 
-def load_publickey(type: int, buffer: _StrLike) -> PKey: ...
-def load_privatekey(type: int, buffer: bytes, passphrase: Optional[Union[str, Callable[[int], int]]] = ...) -> PKey: ...
-def dump_certificate_request(type: int, req: X509Req) -> bytes: ...
-def load_certificate_request(type: int, buffer: _StrLike) -> X509Req: ...
-def sign(pkey: PKey, data: _StrLike, digest: str) -> bytes: ...
-def verify(cert: X509, signature: bytes, data: _StrLike, digest: str) -> None: ...
+def get_elliptic_curves() -> Set[_EllipticCurve]: ...
+def get_elliptic_curve(name: Text) -> _EllipticCurve: ...
+def dump_certificate(type: int, cert: X509) -> bytes: ...
+def load_certificate(type: int, buffer: bytes) -> X509: ...
+def dump_certificate_request(type: int, cert: X509Req) -> bytes: ...
+def load_certificate_request(type: int, buffer: bytes) -> X509Req: ...
+def dump_privatekey(
+    type: int, pkey: PKey, cipher: bytes | None = ..., passphrase: bytes | Callable[[], bytes] | None = ...
+) -> bytes: ...
+def load_privatekey(type: int, buffer: Text | bytes, passphrase: bytes | Callable[[], bytes] | None = ...) -> PKey: ...
+def dump_publickey(type: int, pkey: PKey) -> bytes: ...
+def load_publickey(type: int, buffer: Text | bytes) -> PKey: ...
 def dump_crl(type: int, crl: CRL) -> bytes: ...
-def load_crl(type: int, buffer: _StrLike) -> CRL: ...
-def load_pkcs7_data(type: int, buffer: _StrLike) -> PKCS7: ...
-def load_pkcs12(buffer: _StrLike, passphrase: Optional[Union[str, Callable[[int], int]]] = ...) -> PKCS12: ...
+def load_crl(type: int, buffer: Text | bytes) -> CRL: ...
+def load_pkcs7_data(type: int, buffer: Text | bytes) -> PKCS7: ...
+def load_pkcs12(buffer: Text | bytes, passphrase: bytes | None = ...) -> PKCS12: ...
+def sign(pkey: PKey, data: Text | bytes, digest: Text | bytes) -> bytes: ...
+def verify(cert: X509, signature: bytes, data: Text | bytes, digest: Text | bytes) -> None: ...