sethmlarson · sethmlarson · May 6, 2024 · May 5, 2024 · May 5, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -38,10 +38,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [macos-latest, windows-latest, ubuntu-latest]
-        python-version: ["3.10", "3.11", "3.12", "pypy3.10"]
-        include:
-          - os: ubuntu-latest
-            python-version: "3.13"
+        python-version: ["3.10", "3.11", "3.12", "3.13", "pypy3.10"]
 
     runs-on: ${{ matrix.os }}
     name: ${{ fromJson('{"macos-latest":"macOS","windows-latest":"Windows","ubuntu-latest":"Ubuntu"}')[matrix.os] }} Python ${{ matrix.python-version }}

diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -7,6 +7,7 @@ urllib3
 requests
 flaky
 httpx
+trustme
 
-# Requires 'cryptography' which doesn't yet support Python 3.13
-trustme; python_version < "3.13"
+# Temporary stop-gap until cffi supports 3.13
+cffi @ https://github.com/python-cffi/cffi/archive/refs/heads/main.zip; python_version > "3.12"
diff --git a/src/truststore/_api.py b/src/truststore/_api.py
@@ -5,6 +5,8 @@
 import sys
 import typing
 
+import _ssl  # type: ignore[import-not-found]
+
 from ._ssl_constants import (
     _original_SSLContext,
     _original_super_SSLContext,
@@ -279,10 +281,12 @@ def verify_mode(self, value: ssl.VerifyMode) -> None:
 
     def _get_unverified_chain_bytes(sslobj: ssl.SSLObject) -> list[bytes]:
         unverified_chain = sslobj.get_unverified_chain() or ()  # type: ignore[attr-defined]
-        return [cert for cert in unverified_chain]
+        return [
+            cert if isinstance(cert, bytes) else cert.public_bytes(_ssl.ENCODING_DER)
+            for cert in unverified_chain
+        ]
 
 else:
-    import _ssl  # type: ignore[import-not-found]
 
     def _get_unverified_chain_bytes(sslobj: ssl.SSLObject) -> list[bytes]:
         unverified_chain = sslobj.get_unverified_chain() or ()  # type: ignore[attr-defined]