Remove pyopenssl usage from certdir (SYN-7712)

[vEpiphyte]

Summary

Remove the pyOpenSSL dependency and replace all certificate chain verification with a custom _verifyChain() implementation using the cryptography library directly. The cryptography dependency has been updated to >=46.0.7,<47.0.0.

• Replaced pyOpenSSL X509Store/X509StoreContext usage in Crl._verify(), valCodeCert(), and valUserCert() with _verifyChain() and _verifyCertSignature()
• _verifyCertSignature() uses Certificate.verify_directly_issued_by() for combined issuer name and signature verification
• Removed the vestigial CertDir.valUserCert() API (no production callers)
• Added _getCertName() helper to guard against certificates missing a Common Name subject field
• Added comprehensive adversarial and edge-case test coverage (40 tests, up from 13)

Verification improvements over pyOpenSSL

• Path length constraints enforced at every level of the chain per RFC 5280
• Maximum chain depth limited to 8 to prevent excessive recursion
• Cycle detection via SHA256 fingerprint tracking (pyOpenSSL relied on depth limits)
• BasicConstraints required on all certificates in the chain, not just issuers
• Root CA validity dates checked -- issuer time window is checked unconditionally at every level, including self-signed roots (pyOpenSSL skipped root CA validity)
• Distinct error messages for cert vs issuer failures, including the certificate subject for diagnostics
• Unhandled critical extensions rejected per RFC 5280 -- certificates with critical extensions not processed by _verifyChain are rejected. Handled critical extensions: BasicConstraints, ExtendedKeyUsage.
• Lenient CRL checking -- missing CRLs for a given issuer are skipped rather than failing the entire chain. This fixes a bug where independent CA chains sharing a certdir would break if only some chains had CRLs.
• Signature-based issuer matching via verify_directly_issued_by -- _verifyChain matches issuers by both subject name AND cryptographic signature in one operation, improving robustness when multiple CAs share the same CN.
• RSA-only key policy enforced in _verifyCertSignature() with a clear error for unsupported key types
• Empty subject certificates rejected with BadCertBytes instead of raw IndexError
• Deceptive self-signed certs rejected -- a cert signed by its own key but with issuer != subject is not treated as a root and fails chain verification

Files changed

File	Description
synapse/lib/certdir.py	Core migration: remove pyOpenSSL, add _verifyCertSignature(), _verifyChain(), _getCertName(), rewrite Crl._verify() and valCodeCert(), remove valUserCert() and _unpackContextError()
synapse/tests/test_lib_certdir.py	Remove pyOpenSSL usage, rewrite basic_assertions(), add 27 new adversarial/edge-case tests
synapse/tests/test_tools_docker_validate.py	Add test for checkCRL with invalid data
synapse/tools/docker/validate.py	Update stale pyopenssl comment
requirements.txt	Remove pyOpenSSL, update cryptography to >=46.0.7,<47.0.0
pyproject.toml	Same dependency changes

Test plan

• python -m pytest synapse/tests/test_lib_certdir.py -v -- 38 tests pass
• python -m pytest synapse/tests/test_tools_docker_validate.py -v
• 100% patch coverage.
• Verify no pyOpenSSL remnants.
• Verify the removal of valUserCert has no regressions.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.73%. Comparing base (2989d72) to head (a7f4205).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #4867   +/-   ##
=======================================
  Coverage   97.72%   97.73%           
=======================================
  Files         298      298           
  Lines       62831    62865   +34     
=======================================
+ Hits        61404    61441   +37     
+ Misses       1427     1424    -3     

Flag	Coverage Δ
linux	97.66% <100.00%> (+<0.01%)	⬆️
linux_replay	93.44% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[invisig0th]

Looks really solid. A couple of style nits ;)