Wrong type annotation for is_signature_valid

[userappgate]

See this example code:

from cryptography import x509

def is_signature_valid(crl: bytes, ca_cert: bytes) -> bool:
    crl_object = x509.load_pem_x509_crl(crl)

    ca_cert_object = x509.load_pem_x509_certificate(ca_cert)

    return crl_object.is_signature_valid(ca_cert_object.public_key())

mypy fails with

test.py:8: error: Argument 1 to "is_signature_valid" of "CertificateRevocationList" has incompatible type "DSAPublicKey | RSAPublicKey | EllipticCurvePublicKey | Ed25519PublicKey | Ed448PublicKey | X25519PublicKey | X448PublicKey"; expected "DSAPublicKey | RSAPublicKey | EllipticCurvePublicKey | Ed25519PublicKey | Ed448PublicKey"  [arg-type]

I noticed that while migrating the codebast on ubuntu noble (that uses 41.0.7-4ubuntu0.1), while on ubuntu jammy (that uses 3.4.8-1ubuntu2.2) mypy does not complain.

The codebase is quite different, but the code seems to work on both versions so I think the mistake is in the type annotations (unless I am doing something wrong, of course).

Thanks

[alex]

Unfortunately, that's correct.

A certificate can carry a public key that's not valid for issuing certificates, and the type signatures reflect this.

You can use https://cryptography.io/en/latest/hazmat/primitives/asymmetric/#cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes to check for this (either with typing.cast() or an isinstance check.)