x25519 | Public key cryptography library for Ruby | Cryptography library

The issue is that your pip version is too old to install one of this project's subdependencies, cryptography, which is using newer features.

Upgrading pip with the following will make it possible to install this package:

The encoding defined by Bernstein et al for X25519 (and X448) keys both public and private is unsigned fixed-length little-endian, while the representation returned by BigInteger.toByteArray() and accepted by ctor BigInteger(byte[]) is twos-complement variable-length big-endian. Since 255 bits rounds up to 32 bytes with a spare bit that is always zero (for XDH) the signedness difference can be ignored there, but the others matter.

JCA did make the inteface class XECPrivateKey return, and the corresponding Spec accept, these forms, but for XECPublicKey[Spec] it uses BigInteger. It does use the Bernstein forms consistently for (both) the "X509" and "PKCS8" encodings (respectively) returned by Key.getEncoded() and accepted by a KeyFactory, but those have metadata that XDH-only (or Bernstein-only XDH-and-EdDSA) systems like X3DH don't use.

AFAICS your choices are

• byte-reverse and (zero-)pad when needed the JCA public values in your code, or
• use Key.getEncoded() and parse the algorithm-specific part or conversely build the algorithm-generic structure to pass as X509EncodedKeySpec to KeyFactory.getInstance("Xblah").

The second approach has been asked about in the past for other algorithms: 'traditional' (X9-style) EC -- especially secp256k1 for bitcoin and related coins, which generally use only the raw-X9/SECG data with no metadata -- and RSA where a few systems use the raw-PKCS1 formats (here more commonly for privatekey than publickey); if you want I can find some near-duplicates to illustrate the approach.

The thing is that the X25519 certificate doesn't need to be self-signed.

Signing the certificate using a 2nd bogus/throwaway key (f.i. RSA) works just fine.

django-allauth requires cryptography which now requires Rust to compile. You could try updating your Dockerfile with the newer python release, i.e. FROM python:3.8.8-alpine, which might let it fetch the prebuilt binary for cryptography.

If that doesn't work you need to add the Rust dependencies so it can compile the package.

You are not dealing with nested dictionaries, or not yet.

Your data structure is:

I found a working solution, although as mentioned in the comments - it isn't optimal.

Bytes generated by Kotlin/Java use different header than bytes generated by Python. While Kotlin's header is 14 bytes long, Python's header is 12 bytes long. This is the only difference between these two "versions" of encoded public keys and while Python is able to load the 12-byte header, it is unable to load Kotlin's 14-byte header.

Using a header extracted from bytes encoded using cryptography's .public_key().public_bytes(serialization.DER, serialization.SubjectPublicKeyInfo) and replacing the Kotlin's generated header with it it is possible to load the encoded bytes in Python.

Add in "config/mail.php"

It seems like the libpath MS build tools is using doesn't have OpenSSL lib path, so it can't find libssl.lib. One possible solution would be to copy .lib files from openssl directory you showed in the environment variables to Python lib c:\users\admin\appdata\local\programs\python\python38-32\libs. It should work.

It's not your fault (neither is JDK11).

I spoke too early in my comment under question, locally it fail same as yours if I supply -Djdk.tls.client.protocols="TLSv1.3".

Looking at debug output, it is server who rejected handshake: