Update to 48.0.0

Resolves: RHEL-172409

.gitignore

@@ -63,3 +63,5 @@
 /cryptography-41.0.7-vendor.tar.bz2
 /cryptography-43.0.0.tar.gz
 /cryptography-43.0.0-vendor.tar.bz2
+/cryptography-48.0.0.tar.gz
+/cryptography-48.0.0-vendor.tar.bz2

11328.patch

@@ -1,36 +0,0 @@
-From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <christian@python.org>
-Date: Mon, 22 Jul 2024 09:09:05 +0200
-Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined
-
-Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE
-support. Downstream has moved `openssl/engine.h` into a separate RPM
-package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The
-compiler flag disables PyCA cryptography's ENGINE support successfully.
-We also like to build the downstream package without the `engine.h`
-header file present.
-
-This commit makes the include conditional. The `ENGINE` type is
-defined in `openssl/types.h`.
-
-See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide
-See: https://issues.redhat.com/browse/RHEL-33747
-Signed-off-by: Christian Heimes <christian@python.org>
----
- src/_cffi_src/openssl/engine.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py
-index 9629a2c8f929..f47e20327003 100644
---- a/src/_cffi_src/openssl/engine.py
-+++ b/src/_cffi_src/openssl/engine.py
-@@ -5,7 +5,9 @@
- from __future__ import annotations
- 
- INCLUDES = """
-+#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL
- #include <openssl/engine.h>
-+#endif
- """
- 
- TYPES = """

11536.patch

@@ -1,26 +0,0 @@
-From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor <alex.gaynor@gmail.com>
-Date: Tue, 3 Sep 2024 20:19:02 -0400
-Subject: [PATCH] allow sha1 in OAEP (#11536)
-
-fixes #11512
----
- src/rust/src/backend/rsa.rs | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs
-index 3c01e7421..066b1412a 100644
---- a/src/rust/src/backend/rsa.rs
-+++ b/src/rust/src/backend/rsa.rs
-@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu
- }
- 
- fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool {
--    (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1())
-+    md == &openssl::hash::MessageDigest::sha1()
-         || md == &openssl::hash::MessageDigest::sha224()
-         || md == &openssl::hash::MessageDigest::sha256()
-         || md == &openssl::hash::MessageDigest::sha384()
--- 
-2.46.0
-

changelog

@@ -1,3 +1,6 @@
+* Sat May 16 2026 Fraser Tweedale <ftweedal@redhat.com> - 48.0.0-1
+- Update to 48.0.0, resolves RHEL-172409
+
 * Tue Jul 02 2024 Jeremy Cline <jeremycline@linux.microsoft.com> - 42.0.8-1
 - Update to 42.0.8, fixes rhbz#2251816
 

python-cryptography.spec

@@ -5,7 +5,7 @@
 %global srcname cryptography
 
 Name:           python-%{srcname}
-Version:        43.0.0
+Version:        48.0.0
 Release:        %autorelease
 Summary:        PyCA's cryptography library
 
@@ -19,8 +19,8 @@ Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcnam
 Source1:        cryptography-%{version}-vendor.tar.bz2
 Source2:        conftest-skipper.py
 
-Patch:          11328.patch
+# RHEL 10 only has python3-cffi 1.16 and maturin 1.4.0, step down requirements
-Patch:          11536.patch
+Patch:          stepdown-cffi-and-maturin.patch
 
 ExclusiveArch:  %{rust_arches}
 
@@ -33,10 +33,10 @@ BuildRequires:  rust-packaging
 BuildRequires:  rust-toolset
 %endif
 
-BuildRequires:  python%{python3_pkgversion}-cffi >= 1.12
+BuildRequires:  python%{python3_pkgversion}-cffi >= 1.16
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-setuptools
-BuildRequires:  python%{python3_pkgversion}-setuptools-rust >= 0.11.4
+BuildRequires:  python%{python3_pkgversion}-maturin >= 1.4
 
 %if %{with tests}
 %if 0%{?fedora}
@@ -115,6 +115,8 @@ find . -name .keep -print -delete
 %if 0%{?rhel}
 # skip benchmark, hypothesis, and pytz tests on RHEL
 rm -rf tests/bench tests/hypothesis tests/x509
+# test_pkcs7.py imports from tests.x509 which we removed above
+rm -f tests/hazmat/primitives/test_pkcs7.py
 # append skipper to skip iso8601 and pretend tests
 cat < %{SOURCE2} >> tests/conftest.py
 %endif

sources

@@ -1,2 +1,2 @@
-SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7
+SHA512 (cryptography-48.0.0.tar.gz) = b38d0ae952bd33149c5358bb1fe9c875b55cc438f62ab0c0ab4d30d651e9d44f2895b39194906e7e9503294ca95a19eba6d97b32d319ed36bb38fa05faf89c6b
-SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924
+SHA512 (cryptography-48.0.0-vendor.tar.bz2) = fddc63507ce64f6e4a6174b043ed789d8b6f5aea7f6110d95a460eb2327ca39a3bef9a87d1e17732d7782a929358ac821c2b84f39682419cfbb101dbdaa94363

stepdown-cffi-and-maturin.patch

@@ -0,0 +1,44 @@
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -30,7 +30,8 @@ foreign-types-shared = "0.1"
+ openssl = "0.10.79"
+ openssl-sys = "0.9.115"
+ pem = { version = "3", default-features = false }
+-pyo3 = { version = "0.28", features = ["abi3"] }
++# Disable abi3 for maturin 1.4.0 compatibility - build for specific Python version
++pyo3 = { version = "0.28" }
+ pyo3-build-config = { version = "0.28" }
+ self_cell = "1"
+
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -2,10 +2,10 @@
+ # These requirements must be kept sync with the requirements in
+ # ./.github/requirements/build-requirements.{in,txt}
+ requires = [
+-    "maturin>=1.9.4,<2,!=1.12.0",
++    "maturin>=1.4.0,<2,!=1.12.0",
+
+     # Must be kept in sync with `project.dependencies`
+-    "cffi>=2.0.0; platform_python_implementation != 'PyPy'",
++    "cffi>=1.16; platform_python_implementation != 'PyPy'",
+     # Used by cffi (which import distutils, and in Python 3.12, distutils has
+     # been removed from the stdlib, but installing setuptools puts it back) as
+     # well as our build.rs for the rust/cffi bridge.
+@@ -22,7 +22,6 @@ authors = [
+ description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
+ readme = "README.rst"
+ license = "Apache-2.0 OR BSD-3-Clause"
+-license-files = [ "LICENSE", "LICENSE.APACHE", "LICENSE.BSD" ]
+ classifiers = [
+     "Development Status :: 5 - Production/Stable",
+     "Intended Audience :: Developers",
+@@ -49,7 +48,7 @@ classifiers = [
+ requires-python = ">=3.9,!=3.9.0,!=3.9.1"
+ dependencies = [
+     # Must be kept in sync with `build-system.requires`
+-    "cffi>=2.0.0; platform_python_implementation != 'PyPy'",
++    "cffi>=1.16; platform_python_implementation != 'PyPy'",
+     # Must be kept in sync with ./.github/requirements/build-requirements.{in,txt}
+     "typing-extensions>=4.13.2; python_version < '3.11'",
+ ]

tests/tests.yml

@@ -59,7 +59,7 @@
         dir: "source"
         run: >-
             pytest-3
-            tests/hazmat/primitives/test_arc4.py
+            tests/hazmat/primitives/decrepit/test_arc4.py
             tests/hazmat/primitives/test_asym_utils.py
             tests/hazmat/primitives/test_[b-e]*.py
     - unittests-primitives-f-z: