rpms
/
python-cryptography
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Replace whole repo with latest content from branch stream-2.8-rhel-8.8.0

This commit is contained in:
Honza Horak 2023-05-15 21:49:53 +02:00 committed by root
parent 6ba5c5c44b
commit 540bcbe3f7
12 changed files with 1 additions and 775 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/cryptography-2.8.tar.gz
/cryptography-2.8.tar.gz

1
.python-cryptography.metadata Normal file
View File

@ -0,0 +1 @@
94ef5dc1261a4388572ce3ad9af1515691276d2c cryptography-2.8.tar.gz

71
0001-Block-TripleDES-in-FIPS-mode-6879.patch
View File

@ -1,71 +0,0 @@
From d250d169e87168903a543248d0bfd6c37f2f6841 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Tue, 22 Feb 2022 00:37:32 +0200
Subject: [PATCH 1/5] Block TripleDES in FIPS mode (#6879)
* Block TripleDES in FIPS mode
NIST SP-800-131A rev 2 lists TripleDES Encryption as disallowed in FIPS 140-3
decryption as legacy use. Three-key TDEA is listed as deprecated
throughout 2023 and disallowed after 2023.
For simplicity we block all use of TripleDES in FIPS mode.
Fixes: #6875
Signed-off-by: Christian Heimes <christian@python.org>
* Fix flake
---
src/cryptography/hazmat/backends/openssl/backend.py | 13 ++++++-------
tests/hazmat/primitives/utils.py | 4 ++++
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 736452392..f38269e26 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -134,7 +134,9 @@ class Backend(BackendInterface):
b"aes-192-gcm",
b"aes-256-gcm",
}
- _fips_ciphers = (AES, TripleDES)
+ # TripleDES encryption is disallowed/deprecated throughout 2023 in
+ # FIPS 140-3. To keep it simple we denylist any use of TripleDES (TDEA).
+ _fips_ciphers = (AES,)
# Sometimes SHA1 is still permissible. That logic is contained
# within the various *_supported methods.
_fips_hashes = (
@@ -323,12 +325,9 @@ class Backend(BackendInterface):
def cipher_supported(self, cipher, mode):
if self._fips_enabled:
- # FIPS mode requires AES or TripleDES, but only CBC/ECB allowed
- # in TripleDES mode.
- if not isinstance(cipher, self._fips_ciphers) or (
- isinstance(cipher, TripleDES)
- and not isinstance(mode, (CBC, ECB))
- ):
+ # FIPS mode requires AES. TripleDES is disallowed/deprecated in
+ # FIPS 140-3.
+ if not isinstance(cipher, self._fips_ciphers):
return False
try:
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
index 93f117828..a367343ca 100644
--- a/tests/hazmat/primitives/utils.py
+++ b/tests/hazmat/primitives/utils.py
@@ -469,6 +469,10 @@ def _kbkdf_cmac_counter_mode_test(backend, prf, ctr_loc, params):
algorithm = supported_cipher_algorithms.get(prf)
assert algorithm is not None
+ # TripleDES is disallowed in FIPS mode.
+ if backend._fips_enabled and algorithm is algorithms.TripleDES:
+ pytest.skip("TripleDES is not supported in FIPS mode.")
+
ctrkdf = KBKDFCMAC(
algorithm,
Mode.CounterMode,
--
2.35.1

319
0002-Disable-DSA-tests-in-FIPS-mode-6916.patch
View File

@ -1,319 +0,0 @@
From ff80e3a27408657fef599f44ae1a9a875e005685 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Wed, 2 Mar 2022 21:47:04 +0200
Subject: [PATCH 2/5] Disable DSA tests in FIPS mode (#6916)
* Disable DSA tests in FIPS mode
See: #6880
* ignore coverage for nested FIPS check
* Remove if branch
* Remove skip modulus branch
* Keep tests that don't use the backend
---
.../hazmat/backends/openssl/backend.py | 7 ++-
tests/hazmat/primitives/test_dsa.py | 46 +++++++++++--------
tests/hazmat/primitives/test_serialization.py | 24 ++++++++++
tests/x509/test_x509.py | 43 ++++++++++++++---
tests/x509/test_x509_ext.py | 4 ++
5 files changed, 98 insertions(+), 26 deletions(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index f38269e26..a6d0e8872 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -804,7 +804,12 @@ class Backend(BackendInterface):
self.openssl_assert(res == 1)
return evp_pkey
- def dsa_hash_supported(self, algorithm):
+ def dsa_supported(self) -> bool:
+ return not self._fips_enabled
+
+ def dsa_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+ if not self.dsa_supported():
+ return False
return self.hash_supported(algorithm)
def dsa_parameters_supported(self, p, q, g):
diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py
index 6028b600d..60681683d 100644
--- a/tests/hazmat/primitives/test_dsa.py
+++ b/tests/hazmat/primitives/test_dsa.py
@@ -59,7 +59,12 @@ def test_skip_if_dsa_not_supported(backend):
_skip_if_dsa_not_supported(backend, DummyHashAlgorithm(), 1, 1, 1)
-class TestDSA(object):
+
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSA:
def test_generate_dsa_parameters(self, backend):
parameters = dsa.generate_parameters(2048, backend)
assert isinstance(parameters, dsa.DSAParameters)
@@ -76,11 +81,6 @@ class TestDSA(object):
),
)
def test_generate_dsa_keys(self, vector, backend):
- if (
- backend._fips_enabled
- and vector["p"] < backend._fips_dsa_min_modulus
- ):
- pytest.skip("Small modulus blocked in FIPS mode")
parameters = dsa.DSAParameterNumbers(
p=vector["p"], q=vector["q"], g=vector["g"]
).parameters(backend)
@@ -389,7 +389,12 @@ class TestDSA(object):
).private_key(backend)
-class TestDSAVerification(object):
+
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSAVerification:
def test_dsa_verification(self, backend, subtests):
vectors = load_vectors_from_file(
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigVer.rsp"),
@@ -481,17 +486,12 @@ class TestDSAVerification(object):
Prehashed(hashes.SHA1()) # type: ignore[arg-type]
)
- def test_prehashed_unsupported_in_verifier_ctx(self, backend):
- public_key = DSA_KEY_1024.private_key(backend).public_key()
- with pytest.raises(TypeError), pytest.warns(
- CryptographyDeprecationWarning
- ):
- public_key.verifier(
- b"0" * 64, Prehashed(hashes.SHA1()) # type: ignore[arg-type]
- )
-
-class TestDSASignature(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSASignature:
def test_dsa_signing(self, backend, subtests):
vectors = load_vectors_from_file(
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigGen.txt"),
@@ -695,7 +695,11 @@ class TestDSANumberEquality(object):
assert priv != object()
-class TestDSASerialization(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSASerialization:
@pytest.mark.parametrize(
("fmt", "password"),
itertools.product(
@@ -916,7 +920,11 @@ class TestDSASerialization(object):
)
-class TestDSAPEMPublicKeySerialization(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSAPEMPublicKeySerialization:
@pytest.mark.parametrize(
("key_path", "loader_func", "encoding"),
[
diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py
index fb6b753de..5a2b9fba5 100644
--- a/tests/hazmat/primitives/test_serialization.py
+++ b/tests/hazmat/primitives/test_serialization.py
@@ -141,6 +141,10 @@ class TestDERSerialization(object):
assert isinstance(key, rsa.RSAPrivateKey)
_check_rsa_private_numbers(key.private_numbers())
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_path", "password"),
[
@@ -341,6 +345,10 @@ class TestDERSerialization(object):
with pytest.raises(ValueError):
load_der_public_key(b"invalid data", backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
"key_file",
[
@@ -422,6 +430,10 @@ class TestPEMSerialization(object):
assert isinstance(key, rsa.RSAPrivateKey)
_check_rsa_private_numbers(key.private_numbers())
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_path", "password"),
[
@@ -490,6 +502,10 @@ class TestPEMSerialization(object):
numbers = key.public_numbers()
assert numbers.e == 65537
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_file"),
[
@@ -894,6 +910,10 @@ class TestPEMSerialization(object):
16,
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_load_pem_dsa_private_key(self, backend):
key = load_vectors_from_file(
os.path.join("asymmetric", "PKCS8", "unenc-dsa-pkcs8.pem"),
@@ -2313,6 +2333,10 @@ class TestOpenSSHSerialization(object):
DummyKeySerializationEncryption(),
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_path", "supported"),
[
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 23e97a768..7a7a52977 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -2561,7 +2561,21 @@ class TestCertificateBuilder(object):
only_if=lambda backend: backend.hash_supported(hashes.MD5()),
skip_message="Requires OpenSSL with MD5 support",
)
- def test_sign_dsa_with_md5(self, backend):
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
+ @pytest.mark.parametrize(
+ "hash_algorithm",
+ [
+ hashes.MD5(),
+ hashes.SHA3_224(),
+ hashes.SHA3_256(),
+ hashes.SHA3_384(),
+ hashes.SHA3_512(),
+ ],
+ )
+ def test_sign_dsa_with_unsupported_hash(self, hash_algorithm, backend):
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
builder = (
@@ -2602,6 +2616,10 @@ class TestCertificateBuilder(object):
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("hashalg", "hashalg_oid"),
[
@@ -2615,9 +2633,6 @@ class TestCertificateBuilder(object):
def test_build_cert_with_dsa_private_key(
self, hashalg, hashalg_oid, backend
):
- if backend._fips_enabled and hashalg is hashes.SHA1:
- pytest.skip("SHA1 not supported in FIPS mode")
-
issuer_private_key = DSA_KEY_2048.private_key(backend)
subject_private_key = DSA_KEY_2048.private_key(backend)
@@ -3646,6 +3661,10 @@ class TestCertificateSigningRequestBuilder(object):
only_if=lambda backend: backend.hash_supported(hashes.MD5()),
skip_message="Requires OpenSSL with MD5 support",
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_sign_dsa_with_md5(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder().subject_name(
@@ -3969,6 +3988,10 @@ class TestCertificateSigningRequestBuilder(object):
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_build_ca_request_with_dsa(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
@@ -4319,7 +4342,11 @@ class TestCertificateSigningRequestBuilder(object):
builder.sign(private_key, hashes.SHA512(), backend)
-class TestDSACertificate(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSACertificate:
def test_load_dsa_cert(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
@@ -4444,7 +4471,11 @@ class TestDSACertificate(object):
)
-class TestDSACertificateRequest(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSACertificateRequest:
@pytest.mark.parametrize(
("path", "loader_func"),
[
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 4173dece6..66ac43d95 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -1712,6 +1712,10 @@ class TestSubjectKeyIdentifierExtension(object):
ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
assert ext.value == ski
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_from_dsa_public_key(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
--
2.35.1

26
0003-fixes-6927-handle-negative-return-values-from-openss.patch
View File

@ -1,26 +0,0 @@
From 20bafea414bcc08bfcb5b669ecbf9a3438ff7b78 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Thu, 3 Mar 2022 15:44:02 -0500
Subject: [PATCH 3/5] fixes #6927 -- handle negative return values from openssl
(#6928)
---
src/cryptography/hazmat/backends/openssl/rsa.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 9bef49d24..dd5d4990b 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -208,7 +208,7 @@ def _rsa_sig_setup(backend, padding, algorithm, key, init_func):
if algorithm is not None:
evp_md = backend._evp_md_non_null_from_algorithm(algorithm)
res = backend._lib.EVP_PKEY_CTX_set_signature_md(pkey_ctx, evp_md)
- if res == 0:
+ if res <= 0:
backend._consume_errors()
raise UnsupportedAlgorithm(
"{} is not supported by this backend for RSA signing.".format(
--
2.35.1

24
0004-Disable-test_openssl_assert_error_on_stack-in-FIPS-m.patch
View File

@ -1,24 +0,0 @@
From 820d9527070ad2c7724dcecf1a35dbac7d68621d Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Tue, 1 Mar 2022 16:22:51 +0100
Subject: [PATCH 4/5] Disable test_openssl_assert_error_on_stack in FIPS mode
---
tests/hazmat/bindings/test_openssl.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 129928ac0..9839aec4d 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -84,6 +84,7 @@ class TestOpenSSL(object):
with pytest.raises(AttributeError):
b.lib.TLS_ST_OK
+ @pytest.mark.skip_fips(reason="FIPS maps to different error codes")
def test_openssl_assert_error_on_stack(self):
b = Binding()
b.lib.ERR_put_error(
--
2.35.1

67
0005-Fixed-serialization-of-keyusage-ext-with-no-bits-693.patch
View File

@ -1,67 +0,0 @@
From 89af85f9d4fc2ef3e89ad1b2a58c751f00f54a4f Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Thu, 3 Mar 2022 16:24:21 -0500
Subject: [PATCH 5/5] Fixed serialization of keyusage ext with no bits (#6930)
fixes #6926
---
src/rust/src/x509/extensions.rs | 17 +++++++++++------
tests/x509/test_x509_ext.py | 14 ++++++++++++++
2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
index 606566dd9..68b9839a0 100644
--- a/src/rust/src/x509/extensions.rs
+++ b/src/rust/src/x509/extensions.rs
@@ -135,12 +135,17 @@ pub(crate) fn encode_extension(
certificate::set_bit(&mut bs, 7, ext.getattr("encipher_only")?.is_true()?);
certificate::set_bit(&mut bs, 8, ext.getattr("decipher_only")?.is_true()?);
}
- let bits = if bs[1] == 0 { &bs[..1] } else { &bs[..] };
- let unused_bits = bits.last().unwrap().trailing_zeros() as u8;
- Ok(Some(asn1::write_single(&asn1::BitString::new(
- bits,
- unused_bits,
- ))))
+ let (bits, unused_bits) = if bs[1] == 0 {
+ if bs[0] == 0 {
+ (&[][..], 0)
+ } else {
+ (&bs[..1], bs[0].trailing_zeros() as u8)
+ }
+ } else {
+ (&bs[..], bs[1].trailing_zeros() as u8)
+ };
+ let v = asn1::BitString::new(bits, unused_bits).unwrap();
+ Ok(Some(asn1::write_single(&v)))
} else if oid == &*oid::AUTHORITY_INFORMATION_ACCESS_OID
|| oid == &*oid::SUBJECT_INFORMATION_ACCESS_OID
{
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 66ac43d95..2bbba8ec6 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -1137,6 +1137,20 @@ class TestKeyUsage(object):
),
b"\x03\x02\x02\x94",
),
+ (
+ x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=False,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=False,
+ ),
+ b"\x03\x01\x00",
+ ),
],
)
def test_public_bytes(self, ext, serialized):
--
2.35.1

59
README.md
View File

@ -1,59 +0,0 @@
# PyCA cryptography
https://cryptography.io/en/latest/
## Packaging python-cryptography
The example assumes
* Fedora Rawhide (f34)
* PyCA cryptography release ``3.4``
* Update Bugzilla issue is ``RHBZ#00000001``
### Build new python-cryptography
Switch and update branch
```shell
fedpkg switch-branch rawhide
fedpkg pull
```
Bump version and get sources
```shell
rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography.spec
spectool -gf python-cryptography.spec
```
Upload new source
```shell
fedpkg new-sources cryptography-3.4.tar.gz
```
Commit changes
```shell
fedpkg commit --clog
fedpkg push
```
Build
```shell
fedpkg build
```
## RHEL/CentOS builds
RHEL and CentOS use a different approach for Rust crates packaging than
Fedora. On Fedora Rust dependencies are packaged as RPMs, e.g.
``rust-pyo3+default-devel`` RPM. These packages don't exist on RHEL and
CentOS. Instead python-cryptography uses a tar ball with vendored crates.
The tar ball is created by a script:
```shell
./vendor_rust.py
rhpkg upload cryptography-3.4-vendor.tar.bz2
```

22
conftest-skipper.py
View File

@ -1,22 +0,0 @@
class Skipper:
"""Skip iso8601 and pretend tests
RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
all tests that use the excluded modules.
"""
def parse_date(self, datestring):
pytest.skip(f"iso8601 module is not available.")
def stub(self, **kwargs):
pytest.skip(f"pretend module is not available.")
def raiser(self, exc):
pytest.skip(f"pretend module is not available.")
import sys
sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()

7
gating.yaml
View File

@ -1,7 +0,0 @@
# recipients: abokovoy, frenaud, kaleem, ftrivino, cheimes
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

67
tests/tests.yml
View File

@ -1,67 +0,0 @@
---
#
# 1minutetip --buildroot rhel9
#
- hosts: localhost
tags:
- classic
roles:
- role: standard-test-source
- role: standard-test-basic
required_packages:
- python3-cryptography
- python3-pytest
- python3-pytest-subtests
environment:
PYTHONPATH: "{{ srcdir }}/vectors"
tests:
- remove_hypothesis:
# remove tests that depend on python3-hypothesis package
dir: "source"
run: rm -rf tests/hypothesis/
- remove_iso8601:
# remove tests that depend on python3-iso8601 package
dir: "source"
run: rm -rf tests/test_fernet.py
- remove_scrypt:
# scrypt tests require more memory than available
dir: "source"
run: rm -f tests/hazmat/primitives/test_scrypt.py
- patch_conftest:
dir: "source"
run: "cat ../conftest-skipper.py >> tests/conftest.py"
# tests take some time, split up to avoid CI timeouts.
- unittests-basic:
dir: "source"
run: pytest-3 tests/test_*.py
- unittests-x509:
dir: "source"
run: pytest-3 tests/x509/
- unittests-hazmat:
dir: "source"
run: pytest-3 -k 'not test_openssl_memleak' tests/hazmat/backends/ tests/hazmat/bindings/
- unittests-primitives-aead:
dir: "source"
run: pytest-3 tests/hazmat/primitives/test_aead.py
- unittests-primitives-aes:
dir: "source"
run: >-
pytest-3
tests/hazmat/primitives/test_aes.py::TestAESModeCBC
tests/hazmat/primitives/test_aes.py::TestAESModeCTR
tests/hazmat/primitives/test_aes_gcm.py::TestAESModeGCM
- unittests-primitives-a-e:
dir: "source"
run: >-
pytest-3
tests/hazmat/primitives/test_arc4.py
tests/hazmat/primitives/test_asym_utils.py
tests/hazmat/primitives/test_[b-e]*.py
- unittests-primitives-f-z:
dir: "source"
run: >-
pytest-3
tests/hazmat/primitives/test_[f-z]*.py
tests/hazmat/primitives/twofactor

112
vendor_rust.py
View File

@ -1,112 +0,0 @@
#!/usr/bin/python3
"""Vendor PyCA cryptography's Rust crates
"""
import argparse
import os
import re
import tarfile
import tempfile
import shutil
import subprocess
import sys
VENDOR_DIR = "vendor"
CARGO_TOML = "src/rust/Cargo.toml"
RE_VERSION = re.compile("Version:\s*(.*)")
parser = argparse.ArgumentParser(description="Vendor Rust packages")
parser.add_argument(
"--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
)
def cargo(cmd, manifest):
args = ["cargo", cmd, f"--manifest-path={manifest}"]
return subprocess.check_call(
args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
)
def tar_reset(tarinfo):
"""Reset user, group, mtime, and mode to create reproducible tar"""
tarinfo.uid = 0
tarinfo.gid = 0
tarinfo.uname = "root"
tarinfo.gname = "root"
tarinfo.mtime = 0
if tarinfo.type == tarfile.DIRTYPE:
tarinfo.mode = 0o755
else:
tarinfo.mode = 0o644
if tarinfo.pax_headers:
raise ValueError(tarinfo.name, tarinfo.pax_headers)
return tarinfo
def tar_reproducible(tar, basedir):
"""Create reproducible tar file"""
content = [basedir]
for root, dirs, files in os.walk(basedir):
for directory in dirs:
content.append(os.path.join(root, directory))
for filename in files:
content.append(os.path.join(root, filename))
content.sort()
for fn in content:
tar.add(fn, filter=tar_reset, recursive=False, arcname=fn)
def main():
args = parser.parse_args()
spec = args.spec
# change cwd to work in bundle directory
here = os.path.dirname(os.path.abspath(spec))
os.chdir(here)
# extract version number from bundle name
with open(spec) as f:
for line in f:
mo = RE_VERSION.search(line)
if mo is not None:
version = mo.group(1)
break
else:
raise ValueError(f"Cannot find version in {spec}")
bundle_file = f"cryptography-{version}.tar.gz"
vendor_file = f"cryptography-{version}-vendor.tar.bz2"
# remove existing vendor directory and file
if os.path.isdir(VENDOR_DIR):
shutil.rmtree(VENDOR_DIR)
try:
os.unlink(vendor_file)
except FileNotFoundError:
pass
print(f"Getting crates for {bundle_file}", file=sys.stderr)
# extract tar file in tempdir
# fetch and vendor Rust crates
with tempfile.TemporaryDirectory(dir=here) as tmp:
with tarfile.open(bundle_file) as tar:
tar.extractall(path=tmp)
manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
cargo("fetch", manifest)
cargo("vendor", manifest)
print("\nCreating tar ball...", file=sys.stderr)
with tarfile.open(vendor_file, "x:bz2") as tar:
tar_reproducible(tar, VENDOR_DIR)
# remove vendor dir
shutil.rmtree(VENDOR_DIR)
parser.exit(0, f"Created {vendor_file}\n")
if __name__ == "__main__":
main()