remove cryptography workarounds

Author: blink1073

pymongo/ocsp_support.py

@@ -347,13 +347,8 @@ def _ocsp_callback(conn: Connection, ocsp_bytes: bytes, user_data: Optional[_Cal
         _LOGGER.debug("No peer cert?")
         return False
     cert = pycert.to_cryptography()
-    # Use the verified chain when available (pyopenssl>=20.0).
-    if hasattr(conn, "get_verified_chain"):
-        pychain = conn.get_verified_chain()
-        trusted_ca_certs = None
-    else:
-        pychain = conn.get_peer_cert_chain()
-        trusted_ca_certs = user_data.trusted_ca_certs
+    pychain = conn.get_verified_chain()
+    trusted_ca_certs = None
     if not pychain:
         _LOGGER.debug("No peer cert chain?")
         return False

pymongo/pyopenssl_context.py

@@ -35,7 +35,7 @@
 from pymongo.errors import ConfigurationError as _ConfigurationError
 from pymongo.errors import _CertificateError  # type:ignore[attr-defined]
 from pymongo.ocsp_cache import _OCSPCache
-from pymongo.ocsp_support import _load_trusted_ca_certs, _ocsp_callback
+from pymongo.ocsp_support import _ocsp_callback
 from pymongo.socket_checker import SocketChecker as _SocketChecker
 from pymongo.socket_checker import _errno_from_exception
 from pymongo.write_concern import validate_boolean
@@ -322,10 +322,6 @@ def load_verify_locations(
         ssl.CERT_NONE.
         """
         self._ctx.load_verify_locations(cafile, capath)
-        # Manually load the CA certs when get_verified_chain is not available (pyopenssl<20).
-        if not hasattr(_SSL.Connection, "get_verified_chain"):
-            assert cafile is not None
-            self._callback_data.trusted_ca_certs = _load_trusted_ca_certs(cafile)
 
     def _load_certifi(self) -> None:
         """Attempt to load CA certs from certifi."""

requirements/ocsp.txt

@@ -8,5 +8,5 @@
 certifi>=2022.5.18.1;os.name=='nt' or sys_platform=='darwin'
 pyopenssl>=22.0
 requests>2.23,<3.0.0
-cryptography>=2.5
+cryptography>=38.0
 service_identity>=18.1.0