Fix deprecation warning yielded by Cryptography (#78)

HISTORY.md

@@ -1,6 +1,12 @@
 Release History
 ===============
 
+3.4.6 (2024-02-03)
+------------------
+
+**Fixed**
+- Unmatched filter for deprecation warning yielded by Cryptography due to some legacy CA available in Windows having a negative serial number.
+
 3.4.5 (2024-02-02)
 ------------------
 

docs/user/authentication.rst

@@ -41,7 +41,7 @@ You must provide the user and pass into the DNS url as such::
     from niquests import Session
 
     with Session(resolver="doh://user:[email protected]") as s:
-        resp = s.get("pie.dev/get")
+        resp = s.get("https://pie.dev/get")
 
 Passing a bearer token
 ----------------------
@@ -60,7 +60,7 @@ You must provide the token directly into the DNS url as such::
     from niquests import Session
 
     with Session(resolver="doh://[email protected]") as s:
-        resp = s.get("pie.dev/get")
+        resp = s.get("https://pie.dev/get")
 
 netrc Authentication
 ~~~~~~~~~~~~~~~~~~~~

docs/user/quickstart.rst

@@ -906,7 +906,7 @@ Here is a basic example that leverage Google public DNS over HTTPS::
     from niquests import Session
 
     with Session(resolver="doh+google://") as s:
-        resp = s.get("pie.dev/get")
+        resp = s.get("https://pie.dev/get")
 
 Here, the domain name (**pie.dev**) will be resolved using the provided DNS url.
 
@@ -920,7 +920,7 @@ You may specify a list of resolvers to be tested in order::
     from niquests import Session
 
     with Session(resolver=["doh+google://", "doh://cloudflare-dns.com"]) as s:
-        resp = s.get("pie.dev/get")
+        resp = s.get("https://pie.dev/get")
 
 The second entry ``doh://cloudflare-dns.com`` will only be tested if ``doh+google://`` failed to provide a usable answer.
 
@@ -959,10 +959,10 @@ Simply add ``verify=false`` into your DNS url to pursue::
     from niquests import Session
 
     with Session(resolver="doh+google://default/?verify=false") as s:
-        resp = s.get("pie.dev/get")
+        resp = s.get("https://pie.dev/get")
 
 
-.. warning:: Doing a ``s.get("pie.dev/get", verify=False)`` does not impact the resolver.
+.. warning:: Doing a ``s.get("https://pie.dev/get", verify=False)`` does not impact the resolver.
 
 -----------------------
 

src/niquests/__init__.py

@@ -54,10 +54,10 @@
 
 # urllib3's DependencyWarnings should be silenced.
 warnings.simplefilter("ignore", DependencyWarning)
-# Some Microsoft root CAs may use a negative serial number. It is known and safe. They know about it.
-warnings.filterwarnings(
-    "ignore", "Parsed a negative serial number", module="cryptography"
-)
+# Commonly happen on Windows due to some legacy root CA in
+# their trust store. They are aware of it, we silent the warning
+# yield by Cryptography to avoid producing undesired noise to end-users.
+warnings.filterwarnings("ignore", "Parsed a negative serial number")
 
 # ruff: noqa: E402
 from . import utils

src/niquests/__version__.py

@@ -9,9 +9,9 @@
 __url__: str = "https://niquests.readthedocs.io"
 
 __version__: str
-__version__ = "3.4.5"
+__version__ = "3.4.6"
 
-__build__: int = 0x030405
+__build__: int = 0x030406
 __author__: str = "Kenneth Reitz"
 __author_email__: str = "[email protected]"
 __license__: str = "Apache-2.0"

src/niquests/extensions/_ocsp.py

@@ -65,7 +65,12 @@ def _infer_issuer_from(certificate: Certificate) -> Certificate | None:
         if isinstance(der_cert, Certificate):
             possible_issuer = der_cert
         else:
-            possible_issuer = load_der_x509_certificate(der_cert)
+            try:
+                possible_issuer = load_der_x509_certificate(der_cert)
+            except (
+                ValueError
+            ):  # Defensive: mitigation against future Cryptography evolutions
+                continue
 
         # detect cryptography old build
         if not hasattr(certificate, "verify_directly_issued_by"):