Drop pyOpenSSL dependency

[kislyuk]

SignXML uses two major bits of pyOpenSSL functionality:

• X.509 parsing
• Certificate chain validation

I've identified two strategies so far:

• Get Add x509 Certificate Validation pyca/cryptography#2381 resolved
• Use https://github.com/wbond/certvalidator / https://github.com/wbond/oscrypto (for consistency, this would prompt a wholesale switch from cryptography+pyopenssl to certvalidator/oscrypto, which may bring other advantages including better platform compatibility)

[kislyuk]

For additional context see: wbond/certvalidator#33 (comment)

[kislyuk]

wbond/certvalidator is unmaintained and we will only be using it as inspiration. However there has been some movement on cryptography: the verify_directly_issued_by() API will be released in cryptography 40.0. So the path to retiring pyOpenSSL looks like this:

• Replace pyOpenSSL.crypto.verify() with cryptography's X509 public key loader (this will also allow us to support ed25519 keys Support keys with ED25519 algorithm #216) WIP #218
• Replace signxml.util.verify_x509_cert_chain() with a mixin (or separate library, since our sister library tsp-client needs the same functionality) that can build a chain using verify_directly_issued_by and verify point-in-time validity and extensions using an API inspired by certvalidator.context.ValidationContext. The logic here would have to be inspired by a close reading of certvalidator code and any code referenced by Add x509 Certificate Validation pyca/cryptography#2381.

[kislyuk]

If you're looking at this issue because of the PyOpenSSL deprecation warning, this issue is blocked by cryptography support for standalone client certificate validation, which is scheduled to be released in cryptography version 43.