Allow elliptic curve keys in from_cryptography_key().

[theno]

With this change an (Certificate Transparency) SCT can be verified
against the public key of a CT-Log. CT-Logs usually are signed with an
elliptic curve digest. The argument cert of the function
verify(cert, signature, data, digest) is just a wrapper for its pkey
attribute. This attribute now can contain an ec-pubkey. Here is an example
of this usage:
https://github.com/theno/ctutlz/blob/60cd6b9aeee7a7c6f0f90b0262a306a292808985/ctutlz/sct/verification.py#L29

Elliptic curve support in PKey objects still needs to be implemented.

[Lukasa]

Thanks for this! However, I think you're approaching this backwards. Without support for EC keys in PKey, I don't think we should allow them to be loaded: I'd much rather see EC PKey support added first.

I'd even more rather see SCR verification land in cryptography, as this seems right up @alex's street.

[codecov]

Codecov Report

Merging #636 into master will decrease coverage by 0.08%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #636      +/-   ##
==========================================
- Coverage   96.78%   96.69%   -0.09%     
==========================================
  Files          18       18              
  Lines        5625     5625              
  Branches      390      390              
==========================================
- Hits         5444     5439       -5     
- Misses        121      125       +4     
- Partials       60       61       +1

Impacted Files	Coverage Δ
tests/test_crypto.py	98.38% <100%> (-0.2%)	⬇️
src/OpenSSL/crypto.py	96.21% <100%> (-0.19%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c9280c5...6e7c49d. Read the comment docs.

[theno]

For convenience I marked the failing test to be skipped when running pytest to make the unit tests passing.

This even makes the arguments of Lukasa more obvious.

[ronf]

I was just about to submit a pull request very similar to this. I have a need for this functionality in my AsyncSSH package. I'm in the middle of adding support for X.509 certificates in SSH and I have things working for RSA certificates. However, I ran into this issue when attempting to use EC certificates.

As it turns out, EC certificates work just fine when you feed them to OpenSSL.crypto.load_certificate(). However, to support generating certificates, I need to be able to convert a cryptography EC key to a PKey, and it looks like these explicit checks are the only thing stopping that from working.

While it's true that PyOpenSSL doesn't support creating new EC PKeys directly yet, I don't need that in my application and supporting conversion from already constructed PyCA keys would be a good first step.

I might be able to work around this by generating a certificate using the native PyCA X.509 support and then using OpenSSL.crypto.load_certificate() to get a PyOpenSSL certificate object out of that. However, I'd prefer not to have to do that.

Long term, I'd love to convert everything over to PyCA and not depend on PyOpenSSL at all, but I can't do that until PyCA adds support for X.509 certificate chain validation.