Add modified pkey_from_cryptography_key()

It is a modified version of `OpenSSL.crypto.PKey.from_cryptography_key()`
which also accepts EC Keys.

Using this function, a patched PyOpenSSL is no longer required, which
makes it possiblel to remove the `--process-dependency-links` argument
at the pip-install.

There is a pull request for `OpenSSL.crypto.PKey.from_cryptography_key()` of
PyOpenSSL to also accept EC Keys, but there are comprehensible reasons not to
accept this request in the near future -- or at all:
pyca/pyopenssl#636

README.md

@@ -121,7 +121,7 @@ Install the latest version of the pypi python package
 [ctutlz](https://pypi.python.org/pypi/ctutlz):
 
 ```bash
-pip install --process-dependency-links  ctutlz
+pip install ctutlz
 ```
 
 ## Development

ctutlz/sct/verification.py

@@ -1,6 +1,8 @@
 import collections
+
 from cryptography.hazmat.backends.openssl.backend import backend
 from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import ec, dsa, rsa
 from OpenSSL.crypto import verify, X509, PKey, Error as OpenSSL_crypto_Error
 
 from ctutlz.utils.cmd import CmdResult
@@ -26,10 +28,41 @@ def find_log(sct, logs):
     return None
 
 
+def pkey_from_cryptography_key(crypto_key):
+    '''
+    Modified version of `OpenSSL.crypto.PKey.from_cryptography_key()` of
+    PyOpenSSL which also accepts EC Keys
+    (cf. https://github.com/pyca/pyopenssl/pull/636).
+    '''
+    pkey = PKey()
+    if not isinstance(crypto_key, (rsa.RSAPublicKey, rsa.RSAPrivateKey,
+                                   dsa.DSAPublicKey, dsa.DSAPrivateKey,
+                                   ec.EllipticCurvePublicKey,
+                                   ec.EllipticCurvePrivateKey)):
+        raise TypeError("Unsupported key type")
+
+    pkey._pkey = crypto_key._evp_pkey
+    if isinstance(crypto_key, (rsa.RSAPublicKey, dsa.DSAPublicKey,
+                               ec.EllipticCurvePublicKey)):
+        pkey._only_public = True
+    pkey._initialized = True
+    return pkey
+
+
 def verify_signature(signature_input, signature, pubkey_pem):
-    cryptography_key = serialization.load_pem_public_key(pubkey_pem, backend)
+    '''
+    Args:
+        signature_input(bytes): signed data
+        signature(bytes):
+        pubkey_pem(str): PEM formatted pubkey
+        digest_algo(str): name of the used digest algorithm, e.g. 'sha256'
 
-    pkey = PKey.from_cryptography_key(cryptography_key)
+    Return:
+        (True, 'Verified OK\n', CmdResult(0, None, None, None) on success, else
+        (False, 'Verification Failure\n', CmdResult(1, None, None, None)
+    '''
+    cryptography_key = serialization.load_pem_public_key(pubkey_pem, backend)
+    pkey = pkey_from_cryptography_key(cryptography_key)
 
     auxiliary_cert = X509()
     auxiliary_cert.set_pubkey(pkey)

setup.py

@@ -76,16 +76,11 @@ def create_readme_with_long_description():
     package_data={'ctutlz': ['all_logs_list.json'], },
     install_requires=[
         'cffi>=1.4.0',
-        'pyasn1',
+        'pyasn1>=0.2.0',
         'pyasn1-modules>=0.0.9',
-        'pyOpenSSL>=999.0.0',
-        'requests',
-        'utlz',
-    ],
-    dependency_links=[
-        # pyOpenSSL-16.2.0 has no OCSP support
-        # nor elliptic curve support for digest verification
-        'git+https://github.com/theno/pyopenssl.git#egg=pyOpenSSL-999.0.0',
+        'pyOpenSSL>=17.0.0',
+        'requests>=2.17.0',
+        'utlz>=0.9.0',
     ],
     extras_require={
         'dev': ['pypandoc'],

tox.ini

@@ -1,9 +1,7 @@
 [tox]
 envlist = py26,py27,py33,py34,py35,py36
 [testenv]
-setenv =
-    PIP_CONFIG_FILE = pip.conf
-# for running ffibuilder pytest needs six to be installed
+# pytest needs six to be installed for running ffibuilder
 deps = pytest
        six
 commands = py.test