diff --git a/.gitignore b/.gitignore index 55004b3..4c1a214 100644 --- a/.gitignore +++ b/.gitignore @@ -63,3 +63,5 @@ /cryptography-41.0.7-vendor.tar.bz2 /cryptography-43.0.0.tar.gz /cryptography-43.0.0-vendor.tar.bz2 +/cryptography-48.0.0.tar.gz +/cryptography-48.0.0-vendor.tar.bz2 diff --git a/11328.patch b/11328.patch deleted file mode 100644 index 3dd1aee..0000000 --- a/11328.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 22 Jul 2024 09:09:05 +0200 -Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined - -Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE -support. Downstream has moved `openssl/engine.h` into a separate RPM -package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The -compiler flag disables PyCA cryptography's ENGINE support successfully. -We also like to build the downstream package without the `engine.h` -header file present. - -This commit makes the include conditional. The `ENGINE` type is -defined in `openssl/types.h`. - -See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide -See: https://issues.redhat.com/browse/RHEL-33747 -Signed-off-by: Christian Heimes ---- - src/_cffi_src/openssl/engine.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py -index 9629a2c8f929..f47e20327003 100644 ---- a/src/_cffi_src/openssl/engine.py -+++ b/src/_cffi_src/openssl/engine.py -@@ -5,7 +5,9 @@ - from __future__ import annotations - - INCLUDES = """ -+#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL - #include -+#endif - """ - - TYPES = """ diff --git a/11536.patch b/11536.patch deleted file mode 100644 index b18f149..0000000 --- a/11536.patch +++ /dev/null @@ -1,26 +0,0 @@ -From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 3 Sep 2024 20:19:02 -0400 -Subject: [PATCH] allow sha1 in OAEP (#11536) - -fixes #11512 ---- - src/rust/src/backend/rsa.rs | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs -index 3c01e7421..066b1412a 100644 ---- a/src/rust/src/backend/rsa.rs -+++ b/src/rust/src/backend/rsa.rs -@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu - } - - fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { -- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1()) -+ md == &openssl::hash::MessageDigest::sha1() - || md == &openssl::hash::MessageDigest::sha224() - || md == &openssl::hash::MessageDigest::sha256() - || md == &openssl::hash::MessageDigest::sha384() --- -2.46.0 - diff --git a/changelog b/changelog index fa06f3e..8edb0ba 100644 --- a/changelog +++ b/changelog @@ -1,3 +1,6 @@ +* Sat May 16 2026 Fraser Tweedale - 48.0.0-1 +- Update to 48.0.0, resolves RHEL-172409 + * Tue Jul 02 2024 Jeremy Cline - 42.0.8-1 - Update to 42.0.8, fixes rhbz#2251816 diff --git a/python-cryptography.spec b/python-cryptography.spec index eff8c1c..5c40131 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 43.0.0 +Version: 48.0.0 Release: %autorelease Summary: PyCA's cryptography library @@ -19,8 +19,8 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch: 11328.patch -Patch: 11536.patch +# RHEL 10 only has python3-cffi 1.16 and maturin 1.4.0, step down requirements +Patch: stepdown-cffi-and-maturin.patch ExclusiveArch: %{rust_arches} @@ -33,10 +33,10 @@ BuildRequires: rust-packaging BuildRequires: rust-toolset %endif -BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 +BuildRequires: python%{python3_pkgversion}-cffi >= 1.16 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools -BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 +BuildRequires: python%{python3_pkgversion}-maturin >= 1.4 %if %{with tests} %if 0%{?fedora} @@ -115,6 +115,8 @@ find . -name .keep -print -delete %if 0%{?rhel} # skip benchmark, hypothesis, and pytz tests on RHEL rm -rf tests/bench tests/hypothesis tests/x509 +# test_pkcs7.py imports from tests.x509 which we removed above +rm -f tests/hazmat/primitives/test_pkcs7.py # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif diff --git a/sources b/sources index fe39107..994ce71 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7 -SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924 +SHA512 (cryptography-48.0.0.tar.gz) = b38d0ae952bd33149c5358bb1fe9c875b55cc438f62ab0c0ab4d30d651e9d44f2895b39194906e7e9503294ca95a19eba6d97b32d319ed36bb38fa05faf89c6b +SHA512 (cryptography-48.0.0-vendor.tar.bz2) = fddc63507ce64f6e4a6174b043ed789d8b6f5aea7f6110d95a460eb2327ca39a3bef9a87d1e17732d7782a929358ac821c2b84f39682419cfbb101dbdaa94363 diff --git a/stepdown-cffi-and-maturin.patch b/stepdown-cffi-and-maturin.patch new file mode 100644 index 0000000..191ed4d --- /dev/null +++ b/stepdown-cffi-and-maturin.patch @@ -0,0 +1,44 @@ +--- a/Cargo.toml ++++ b/Cargo.toml +@@ -30,7 +30,8 @@ foreign-types-shared = "0.1" + openssl = "0.10.79" + openssl-sys = "0.9.115" + pem = { version = "3", default-features = false } +-pyo3 = { version = "0.28", features = ["abi3"] } ++# Disable abi3 for maturin 1.4.0 compatibility - build for specific Python version ++pyo3 = { version = "0.28" } + pyo3-build-config = { version = "0.28" } + self_cell = "1" + +--- a/pyproject.toml ++++ b/pyproject.toml +@@ -2,10 +2,10 @@ + # These requirements must be kept sync with the requirements in + # ./.github/requirements/build-requirements.{in,txt} + requires = [ +- "maturin>=1.9.4,<2,!=1.12.0", ++ "maturin>=1.4.0,<2,!=1.12.0", + + # Must be kept in sync with `project.dependencies` +- "cffi>=2.0.0; platform_python_implementation != 'PyPy'", ++ "cffi>=1.16; platform_python_implementation != 'PyPy'", + # Used by cffi (which import distutils, and in Python 3.12, distutils has + # been removed from the stdlib, but installing setuptools puts it back) as + # well as our build.rs for the rust/cffi bridge. +@@ -22,7 +22,6 @@ authors = [ + description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." + readme = "README.rst" + license = "Apache-2.0 OR BSD-3-Clause" +-license-files = [ "LICENSE", "LICENSE.APACHE", "LICENSE.BSD" ] + classifiers = [ + "Development Status :: 5 - Production/Stable", + "Intended Audience :: Developers", +@@ -49,7 +48,7 @@ classifiers = [ + requires-python = ">=3.9,!=3.9.0,!=3.9.1" + dependencies = [ + # Must be kept in sync with `build-system.requires` +- "cffi>=2.0.0; platform_python_implementation != 'PyPy'", ++ "cffi>=1.16; platform_python_implementation != 'PyPy'", + # Must be kept in sync with ./.github/requirements/build-requirements.{in,txt} + "typing-extensions>=4.13.2; python_version < '3.11'", + ] diff --git a/tests/tests.yml b/tests/tests.yml index 4593049..e29b469 100644 --- a/tests/tests.yml +++ b/tests/tests.yml @@ -59,7 +59,7 @@ dir: "source" run: >- pytest-3 - tests/hazmat/primitives/test_arc4.py + tests/hazmat/primitives/decrepit/test_arc4.py tests/hazmat/primitives/test_asym_utils.py tests/hazmat/primitives/test_[b-e]*.py - unittests-primitives-f-z: