19 changed files with 827 additions and 791 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,65 +1 @@
-/results_python-cryptography
+SOURCES/cryptography-3.2.1.tar.gz
 /*.src.rpm
 /cryptography-1.3.1.tar.gz
 /cryptography-1.5.3.tar.gz
 /cryptography-1.7.1.tar.gz
 /cryptography-1.7.2.tar.gz
 /cryptography-1.9.tar.gz
 /cryptography-2.0.2.tar.gz
 /cryptography-2.1.tar.gz
 /cryptography-2.1.3.tar.gz
 /cryptography-2.1.4.tar.gz
 /cryptography-2.2.1.tar.gz
 /cryptography-2.3.tar.gz
 /cryptography-2.5.tar.gz
 /cryptography-2.6.1.tar.gz
 /cryptography-2.7.tar.gz
 /cryptography-2.8.tar.gz
 /cryptography-2.9.tar.gz
 /cryptography-2.9.tar.gz.asc
 /cryptography-3.0.tar.gz
 /cryptography-3.0.tar.gz.asc
 /cryptography-3.1.tar.gz
 /cryptography-3.1.tar.gz.asc
 /cryptography-3.2.tar.gz
 /cryptography-3.2.tar.gz.asc
 /cryptography-3.2.1.tar.gz
 /cryptography-3.2.1.tar.gz.asc
 /cryptography-3.3.1.tar.gz
 /cryptography-3.3.1.tar.gz.asc
 /cryptography-3.4.tar.gz
 /cryptography-3.4.tar.gz.asc
 /cryptography-3.4.1.tar.gz
 /cryptography-3.4.1.tar.gz.asc
 /cryptography-3.4.2.tar.gz
 /cryptography-3.4.2.tar.gz.asc
 /cryptography-3.4.4.tar.gz
 /cryptography-3.4.4.tar.gz.asc
 /cryptography-3.4.5.tar.gz
 /cryptography-3.4.5.tar.gz.asc
 /cryptography-3.4.6.tar.gz
 /cryptography-3.4.6.tar.gz.asc
 /cryptography-3.4.7.tar.gz
 /cryptography-3.4.7-vendor.tar.bz2
 /cryptography-35.0.0.tar.gz
 /cryptography-35.0.0-vendor.tar.bz2
 /cryptography-36.0.0.tar.gz
 /cryptography-36.0.0-vendor.tar.bz2
 /cryptography-37.0.2.tar.gz
 /cryptography-37.0.2-vendor.tar.bz2
 /cryptography-39.0.2.tar.gz
 /cryptography-39.0.2-vendor.tar.bz2
 /cryptography-40.0.0.tar.gz
 /cryptography-40.0.0-vendor.tar.bz2
 /cryptography-40.0.1.tar.gz
 /cryptography-40.0.1-vendor.tar.bz2
 /cryptography-40.0.2.tar.gz
 /cryptography-40.0.2-vendor.tar.bz2
 /cryptography-41.0.3.tar.gz
 /cryptography-41.0.3-vendor.tar.bz2
 /cryptography-41.0.5-vendor.tar.bz2
 /cryptography-41.0.5.tar.gz
 /cryptography-41.0.7.tar.gz
 /cryptography-41.0.7-vendor.tar.bz2
 /cryptography-43.0.0.tar.gz
 /cryptography-43.0.0-vendor.tar.bz2
--- a/.python-cryptography.metadata
+++ b/.python-cryptography.metadata
@ -0,0 +1 @@
 20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz
--- a/11328.patch
+++ b/11328.patch
@ -1,36 +0,0 @@
 From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001
 From: Christian Heimes <christian@python.org>
 Date: Mon, 22 Jul 2024 09:09:05 +0200
 Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined
 Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE
 support. Downstream has moved `openssl/engine.h` into a separate RPM
 package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The
 compiler flag disables PyCA cryptography's ENGINE support successfully.
 We also like to build the downstream package without the `engine.h`
 header file present.
 This commit makes the include conditional. The `ENGINE` type is
 defined in `openssl/types.h`.
 See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide
 See: https://issues.redhat.com/browse/RHEL-33747
 Signed-off-by: Christian Heimes <christian@python.org>
 ---
 src/_cffi_src/openssl/engine.py | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py
 index 9629a2c8f929..f47e20327003 100644
 --- a/src/_cffi_src/openssl/engine.py
 +++ b/src/_cffi_src/openssl/engine.py
@@ -5,7 +5,9 @@
 from __future__ import annotations
 INCLUDES = """
 +#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL
 #include <openssl/engine.h>
 +#endif
 """
 TYPES = """
--- a/11536.patch
+++ b/11536.patch
@ -1,26 +0,0 @@
 From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001
 From: Alex Gaynor <alex.gaynor@gmail.com>
 Date: Tue, 3 Sep 2024 20:19:02 -0400
 Subject: [PATCH] allow sha1 in OAEP (#11536)
 fixes #11512
 ---
 src/rust/src/backend/rsa.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs
 index 3c01e7421..066b1412a 100644
 --- a/src/rust/src/backend/rsa.rs
 +++ b/src/rust/src/backend/rsa.rs
@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu
 }
 fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool {
 -    (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1())
 +    md == &openssl::hash::MessageDigest::sha1()
         || md == &openssl::hash::MessageDigest::sha224()
         || md == &openssl::hash::MessageDigest::sha256()
         || md == &openssl::hash::MessageDigest::sha384()
 -- 
 2.46.0
--- a/README.md
+++ b/README.md
@ -1,59 +0,0 @@
 # PyCA cryptography
 https://cryptography.io/en/latest/
 ## Packaging python-cryptography
 The example assumes
 * Fedora Rawhide (f34)
 * PyCA cryptography release ``3.4``
 * Update Bugzilla issue is ``RHBZ#00000001``
 ### Build new python-cryptography
 Switch and update branch
 ```shell
 fedpkg switch-branch rawhide
 fedpkg pull
 ```
 Bump version and get sources
 ```shell
 rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography.spec
 spectool -gf python-cryptography.spec
 ```
 Upload new source
 ```shell
 fedpkg new-sources cryptography-3.4.tar.gz
 ```
 Commit changes
 ```shell
 fedpkg commit --clog
 fedpkg push
 ```
 Build
 ```shell
 fedpkg build
 ```
 ## RHEL/CentOS builds
 RHEL and CentOS use a different approach for Rust crates packaging than
 Fedora. On Fedora Rust dependencies are packaged as RPMs, e.g.
 ``rust-pyo3+default-devel`` RPM. These packages don't exist on RHEL and
 CentOS. Instead python-cryptography uses a tar ball with vendored crates.
 The tar ball is created by a script:
 ```shell
 ./vendor_rust.py
 rhpkg upload cryptography-3.4-vendor.tar.bz2
 ```
--- a/SOURCES/0001-Re-add-deprecated-and-removed-features.patch
+++ b/SOURCES/0001-Re-add-deprecated-and-removed-features.patch
@ -0,0 +1,254 @@
 From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Tue, 27 Oct 2020 16:42:15 +0100
 Subject: [PATCH 1] Re-add deprecated and removed features
 * encode_rfc6979_signature()
 * decode_rfc6979_signature()
 * Certificate.serial property
 * MACContext
 * osrandom engine is disabled
 Signed-off-by: Christian Heimes <cheimes@redhat.com>
 ---
 .../hazmat/backends/openssl/cmac.py           |  3 +-
 .../hazmat/backends/openssl/hmac.py           |  3 +-
 .../hazmat/backends/openssl/x509.py           |  4 ++
 .../hazmat/primitives/asymmetric/utils.py     |  8 ++++
 src/cryptography/hazmat/primitives/cmac.py    |  3 +-
 src/cryptography/hazmat/primitives/hmac.py    |  3 +-
 src/cryptography/hazmat/primitives/mac.py     | 37 +++++++++++++++++++
 src/cryptography/x509/extensions.py           |  6 ++-
 tests/hazmat/backends/test_openssl.py         |  3 ++
 tests/hazmat/primitives/test_asym_utils.py    |  9 +++++
 tests/x509/test_x509.py                       |  1 +
 tests/x509/test_x509_ext.py                   |  5 +++
 12 files changed, 80 insertions(+), 5 deletions(-)
 create mode 100644 src/cryptography/hazmat/primitives/mac.py
 diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
 index 195fc230f..5281f634d 100644
 --- a/src/cryptography/hazmat/backends/openssl/cmac.py
 +++ b/src/cryptography/hazmat/backends/openssl/cmac.py
@@ -11,10 +11,11 @@ from cryptography.exceptions import (
     UnsupportedAlgorithm,
     _Reasons,
 )
 -from cryptography.hazmat.primitives import constant_time
 +from cryptography.hazmat.primitives import constant_time, mac
 from cryptography.hazmat.primitives.ciphers.modes import CBC
 +@utils.register_interface(mac.MACContext)
 class _CMACContext(object):
     def __init__(self, backend, algorithm, ctx=None):
         if not backend.cmac_algorithm_supported(algorithm):
 diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
 index 5024223b2..11c850e10 100644
 --- a/src/cryptography/hazmat/backends/openssl/hmac.py
 +++ b/src/cryptography/hazmat/backends/openssl/hmac.py
@@ -11,9 +11,10 @@ from cryptography.exceptions import (
     UnsupportedAlgorithm,
     _Reasons,
 )
 -from cryptography.hazmat.primitives import constant_time, hashes
 +from cryptography.hazmat.primitives import constant_time, hashes, mac
 +@utils.register_interface(mac.MACContext)
 @utils.register_interface(hashes.HashContext)
 class _HMACContext(object):
     def __init__(self, backend, key, algorithm, ctx=None):
 diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
 index 4d0dac764..c9074f59e 100644
 --- a/src/cryptography/hazmat/backends/openssl/x509.py
 +++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -73,6 +73,10 @@ class _Certificate(object):
         self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
         return _asn1_integer_to_int(self._backend, asn1_int)
 +    @property
 +    def serial(self):
 +        return self.serial_number
 +
     def public_key(self):
         pkey = self._backend._lib.X509_get_pubkey(self._x509)
         if pkey == self._backend._ffi.NULL:
 diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
 index 5f9b67786..886d7565b 100644
 --- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
 +++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
@@ -39,3 +39,11 @@ class Prehashed(object):
         self._digest_size = algorithm.digest_size
     digest_size = utils.read_only_property("_digest_size")
 +
 +
 +def decode_rfc6979_signature(signature):
 +    return decode_dss_signature(signature)
 +
 +
 +def encode_rfc6979_signature(r, s):
 +    return encode_dss_signature(r, s)
 diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py
 index bf962c906..7f37f13cc 100644
 --- a/src/cryptography/hazmat/primitives/cmac.py
 +++ b/src/cryptography/hazmat/primitives/cmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
 )
 from cryptography.hazmat.backends import _get_backend
 from cryptography.hazmat.backends.interfaces import CMACBackend
 -from cryptography.hazmat.primitives import ciphers
 +from cryptography.hazmat.primitives import ciphers, mac
 +@utils.register_interface(mac.MACContext)
 class CMAC(object):
     def __init__(self, algorithm, backend=None, ctx=None):
         backend = _get_backend(backend)
 diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py
 index 8c421dc68..6f03a1071 100644
 --- a/src/cryptography/hazmat/primitives/hmac.py
 +++ b/src/cryptography/hazmat/primitives/hmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
 )
 from cryptography.hazmat.backends import _get_backend
 from cryptography.hazmat.backends.interfaces import HMACBackend
 -from cryptography.hazmat.primitives import hashes
 +from cryptography.hazmat.primitives import hashes, mac
 +@utils.register_interface(mac.MACContext)
 @utils.register_interface(hashes.HashContext)
 class HMAC(object):
     def __init__(self, key, algorithm, backend=None, ctx=None):
 diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py
 new file mode 100644
 index 000000000..4c95190ba
 --- /dev/null
 +++ b/src/cryptography/hazmat/primitives/mac.py
@@ -0,0 +1,37 @@
 +# This file is dual licensed under the terms of the Apache License, Version
 +# 2.0, and the BSD License. See the LICENSE file in the root of this repository
 +# for complete details.
 +
 +from __future__ import absolute_import, division, print_function
 +
 +import abc
 +
 +import six
 +
 +
 +@six.add_metaclass(abc.ABCMeta)
 +class MACContext(object):
 +    @abc.abstractmethod
 +    def update(self, data):
 +        """
 +        Processes the provided bytes.
 +        """
 +
 +    @abc.abstractmethod
 +    def finalize(self):
 +        """
 +        Returns the message authentication code as bytes.
 +        """
 +
 +    @abc.abstractmethod
 +    def copy(self):
 +        """
 +        Return a MACContext that is a copy of the current context.
 +        """
 +
 +    @abc.abstractmethod
 +    def verify(self, signature):
 +        """
 +        Checks if the generated message authentication code matches the
 +        signature.
 +        """
 diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
 index 130ba69b8..ddbccdf3b 100644
 --- a/src/cryptography/x509/extensions.py
 +++ b/src/cryptography/x509/extensions.py
@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object):
     @classmethod
     def from_issuer_subject_key_identifier(cls, ski):
 +        if isinstance(ski, SubjectKeyIdentifier):
 +            digest = ski.digest
 +        else:
 +            digest = ski.value.digest
         return cls(
 -            key_identifier=ski.digest,
 +            key_identifier=digest,
             authority_cert_issuer=None,
             authority_cert_serial_number=None,
         )
 diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
 index 2f7e7bebf..73c17d84f 100644
 --- a/tests/hazmat/backends/test_openssl.py
 +++ b/tests/hazmat/backends/test_openssl.py
@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object):
         res = backend._lib.ENGINE_free(e)
         assert res == 1
 +    def test_rhel8_no_osrandom(self):
 +        pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667")
 +
 @pytest.mark.skipif(
     backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE,
 diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
 index 70bff012f..334b459b5 100644
 --- a/tests/hazmat/primitives/test_asym_utils.py
 +++ b/tests/hazmat/primitives/test_asym_utils.py
@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
     Prehashed,
     decode_dss_signature,
     encode_dss_signature,
 +    encode_rfc6979_signature,
 +    decode_rfc6979_signature
 )
@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1():
 def test_pass_invalid_prehashed_arg():
     with pytest.raises(TypeError):
         Prehashed(object())
 +
 +
 +def test_deprecated_rfc6979_signature():
 +    sig = encode_rfc6979_signature(1, 1)
 +    assert sig == b"0\x06\x02\x01\x01\x02\x01\x01"
 +    decoded = decode_rfc6979_signature(sig)
 +    assert decoded == (1, 1)
 diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
 index 11c80816c..e5bdf17d4 100644
 --- a/tests/x509/test_x509.py
 +++ b/tests/x509/test_x509.py
@@ -685,6 +685,7 @@ class TestRSACertificate(object):
         )
         assert isinstance(cert, x509.Certificate)
         assert cert.serial_number == 11559813051657483483
 +        assert cert.serial == cert.serial_number
         fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
         assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
         assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
 diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
 index 2cd216fb6..ac2b2c03d 100644
 --- a/tests/x509/test_x509_ext.py
 +++ b/tests/x509/test_x509_ext.py
@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object):
         )
         assert ext.value == aki
 +        aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
 +            ski_ext
 +        )
 +        assert ext.value == aki
 +
 class TestNameConstraints(object):
     def test_ipaddress_wrong_type(self):
 -- 
 2.26.2
--- a/SOURCES/0002-Support-pytest-3.4.2.patch
+++ b/SOURCES/0002-Support-pytest-3.4.2.patch
@ -0,0 +1,86 @@
 From c1c1b14d359b1360e7d14a7c0687bef9ed6fc17c Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Wed, 28 Oct 2020 14:27:55 +0100
 Subject: [PATCH 2] Support pytest 3.4.2
 ---
 setup.py            | 3 ++-
 tests/conftest.py   | 4 ++--
 tests/test_utils.py | 4 ++--
 tests/utils.py      | 2 +-
 4 files changed, 7 insertions(+), 6 deletions(-)
 diff --git a/setup.py b/setup.py
 index 82800a96e..5678db004 100644
 --- a/setup.py
 +++ b/setup.py
@@ -93,7 +93,8 @@ setup(
     extras_require={
         ":python_version < '3'": ["enum34", "ipaddress"],
         "test": [
 -            "pytest>=3.6.0,!=3.9.0,!=3.9.1,!=3.9.2",
 +            "pytest>=3.4.2,<3.6",
 +            "attrs>=17.4.0,<18.0",
             "pretend",
             "iso8601",
             "pytz",
 diff --git a/tests/conftest.py b/tests/conftest.py
 index 4e3124fa7..53c194830 100644
 --- a/tests/conftest.py
 +++ b/tests/conftest.py
@@ -42,7 +42,7 @@ def pytest_generate_tests(metafunc):
 def pytest_runtest_setup(item):
     if openssl_backend._fips_enabled:
 -        for marker in item.iter_markers(name="skip_fips"):
 +        for marker in item.get_marker(name="skip_fips") or []:
             pytest.skip(marker.kwargs["reason"])
@@ -50,7 +50,7 @@ def pytest_runtest_setup(item):
 def backend(request):
     required_interfaces = [
         mark.kwargs["interface"]
 -        for mark in request.node.iter_markers("requires_backend_interface")
 +        for mark in request.node.get_marker("requires_backend_interface") or []
     ]
     if not all(
         isinstance(openssl_backend, iface) for iface in required_interfaces
 diff --git a/tests/test_utils.py b/tests/test_utils.py
 index d6afa3b34..e0a1be4f5 100644
 --- a/tests/test_utils.py
 +++ b/tests/test_utils.py
@@ -43,7 +43,7 @@ def test_check_backend_support_skip():
     supported = pretend.stub(
         kwargs={"only_if": lambda backend: False, "skip_message": "Nope"}
     )
 -    node = pretend.stub(iter_markers=lambda x: [supported])
 +    node = pretend.stub(get_marker=lambda x: [supported])
     item = pretend.stub(node=node)
     with pytest.raises(pytest.skip.Exception) as exc_info:
         check_backend_support(True, item)
@@ -54,7 +54,7 @@ def test_check_backend_support_no_skip():
     supported = pretend.stub(
         kwargs={"only_if": lambda backend: True, "skip_message": "Nope"}
     )
 -    node = pretend.stub(iter_markers=lambda x: [supported])
 +    node = pretend.stub(get_marker=lambda x: [supported])
     item = pretend.stub(node=node)
     assert check_backend_support(None, item) is None
 diff --git a/tests/utils.py b/tests/utils.py
 index 5d98af00e..a08f79c34 100644
 --- a/tests/utils.py
 +++ b/tests/utils.py
@@ -27,7 +27,7 @@ KeyedHashVector = collections.namedtuple(
 def check_backend_support(backend, item):
 -    for mark in item.node.iter_markers("supported"):
 +    for mark in item.node.get_marker("supported") or []:
         if not mark.kwargs["only_if"](backend):
             pytest.skip("{} ({})".format(mark.kwargs["skip_message"], backend))
 -- 
 2.26.2
--- a/SOURCES/0003-Skip-iso8601-test-cases.patch
+++ b/SOURCES/0003-Skip-iso8601-test-cases.patch
@ -0,0 +1,73 @@
 From bea141d25bd2bc4eea7527e2d6ec1d85b2b3806d Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Thu, 29 Oct 2020 09:21:06 +0100
 Subject: [PATCH 3] Skip iso8601 test cases
 ---
 tests/test_fernet.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
 diff --git a/tests/test_fernet.py b/tests/test_fernet.py
 index 38409b03e..343f3e4ec 100644
 --- a/tests/test_fernet.py
 +++ b/tests/test_fernet.py
@@ -10,7 +10,10 @@ import json
 import os
 import time
 -import iso8601
 +try:
 +    import iso8601
 +except ImportError:
 +    iso8601 = None
 import pytest
@@ -24,6 +27,12 @@ from cryptography.hazmat.primitives.ciphers import algorithms, modes
 import cryptography_vectors
 +skip_iso8601 = pytest.mark.skipif(
 +    iso8601 is None,
 +    reason="is8601 is not available"
 +)
 +
 +
 def json_parametrize(keys, filename):
     vector_file = cryptography_vectors.open_vector_file(
         os.path.join("fernet", filename), "r"
@@ -49,6 +58,7 @@ def test_default_backend():
     skip_message="Does not support AES CBC",
 )
 class TestFernet(object):
 +    @skip_iso8601
     @json_parametrize(
         ("secret", "now", "iv", "src", "token"),
         "generate.json",
@@ -62,6 +72,7 @@ class TestFernet(object):
         )
         assert actual_token == token.encode("ascii")
 +    @skip_iso8601
     @json_parametrize(
         ("secret", "now", "src", "ttl_sec", "token"),
         "verify.json",
@@ -81,6 +92,7 @@ class TestFernet(object):
         payload = f.decrypt(token.encode("ascii"), ttl=ttl_sec)
         assert payload == src.encode("ascii")
 +    @skip_iso8601
     @json_parametrize(("secret", "token", "now", "ttl_sec"), "invalid.json")
     def test_invalid(self, secret, token, now, ttl_sec, backend, monkeypatch):
         f = Fernet(secret.encode("ascii"), backend=backend)
@@ -117,6 +129,7 @@ class TestFernet(object):
         with pytest.raises(TypeError):
             f.decrypt(u"")
 +    @skip_iso8601
     def test_timestamp_ignored_no_ttl(self, monkeypatch, backend):
         f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
         pt = b"encrypt me"
 -- 
 2.26.2
--- a/SOURCES/0004-Revert-remove-NPN-bindings.patch
+++ b/SOURCES/0004-Revert-remove-NPN-bindings.patch
@ -0,0 +1,75 @@
 From e8ed37e0d24a1cc7482ab816ed5f25243395b2ef Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Mon, 14 Dec 2020 14:13:53 +0100
 Subject: [PATCH] Revert "remove NPN bindings -- you should be using ALPN!
 (#4765)"
 This reverts commit 99bf4e4605cbe54bad597da1ebe4cc323909083c.
 ---
 src/_cffi_src/openssl/ssl.py          | 20 +++++++++++++++++++-
 tests/hazmat/bindings/test_openssl.py |  4 ++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
 index c38e309a1..fa854f5dd 100644
 --- a/src/_cffi_src/openssl/ssl.py
 +++ b/src/_cffi_src/openssl/ssl.py
@@ -138,6 +138,8 @@ static const long SSL3_RANDOM_SIZE;
 static const long TLS_ST_BEFORE;
 static const long TLS_ST_OK;
 +static const long OPENSSL_NPN_NEGOTIATED;
 +
 typedef ... SSL_METHOD;
 typedef ... SSL_CTX;
@@ -401,9 +403,25 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *);
 long SSL_session_reused(SSL *);
 +void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *,
 +                                           int (*)(SSL *,
 +                                                   const unsigned char **,
 +                                                   unsigned int *,
 +                                                   void *),
 +                                           void *);
 +void SSL_CTX_set_next_proto_select_cb(SSL_CTX *,
 +                                      int (*)(SSL *,
 +                                              unsigned char **,
 +                                              unsigned char *,
 +                                              const unsigned char *,
 +                                              unsigned int,
 +                                              void *),
 +                                      void *);
 int SSL_select_next_proto(unsigned char **, unsigned char *,
                           const unsigned char *, unsigned int,
                           const unsigned char *, unsigned int);
 +void SSL_get0_next_proto_negotiated(const SSL *,
 +                                    const unsigned char **, unsigned *);
 int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
 const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
@@ -601,7 +619,7 @@ static const long Cryptography_HAS_TLSv1_2 = 1;
 static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
 static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
 static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
 -static const long Cryptography_HAS_NEXTPROTONEG = 0;
 +static const long Cryptography_HAS_NEXTPROTONEG = 1;
 static const long Cryptography_HAS_ALPN = 1;
 #if CRYPTOGRAPHY_IS_LIBRESSL
 diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
 index ecee34091..aeb12a0dc 100644
 --- a/tests/hazmat/bindings/test_openssl.py
 +++ b/tests/hazmat/bindings/test_openssl.py
@@ -137,3 +137,7 @@ class TestOpenSSL(object):
         )
         with pytest.raises(RuntimeError):
             _verify_openssl_version(lib)
 +
 +    def test_npn_binding(self):
 +        b = Binding()
 +        assert b.lib.Cryptography_HAS_NEXTPROTONEG
 -- 
 2.29.2
--- a/SOURCES/0005-CVE-2020-36242.patch
+++ b/SOURCES/0005-CVE-2020-36242.patch
@ -0,0 +1,18 @@
 From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
 From: Paul Kehrer <paul.l.kehrer@gmail.com>
 Date: Sun, 7 Feb 2021 11:04:43 -0600
 Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
 diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
 index 2b10681b31..0f96795fdc 100644
 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py
 +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -16,7 +16,7 @@
 class _CipherContext(object):
     _ENCRYPT = 1
     _DECRYPT = 0
 -    _MAX_CHUNK_SIZE = 2 ** 31 - 1
 +    _MAX_CHUNK_SIZE = 2 ** 30 - 1
     def __init__(self, backend, cipher, mode, operation):
         self._backend = backend
--- a/SOURCES/0006-CVE-2023-23931.patch
+++ b/SOURCES/0006-CVE-2023-23931.patch
@ -0,0 +1,42 @@
 From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001
 From: Alex Gaynor <alex.gaynor@gmail.com>
 Date: Tue, 31 Jan 2023 08:33:54 -0500
 Subject: [PATCH] Don't allow update_into to mutate immutable objects
 ---
 src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
 tests/hazmat/primitives/test_ciphers.py             | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
 index 286583f9325..075d68fb905 100644
 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py
 +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int:
         data_processed = 0
         total_out = 0
         outlen = self._backend._ffi.new("int *")
 -        baseoutbuf = self._backend._ffi.from_buffer(buf)
 +        baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
         baseinbuf = self._backend._ffi.from_buffer(data)
         while data_processed != total_data_len:
 diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
 index 02127dd9cab..bf3b047dec2 100644
 --- a/tests/hazmat/primitives/test_ciphers.py
 +++ b/tests/hazmat/primitives/test_ciphers.py
@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend):
         with pytest.raises(ValueError):
             encryptor.update_into(b"testing", buf)
 +    def test_update_into_immutable(self, backend):
 +        key = b"\x00" * 16
 +        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
 +        encryptor = c.encryptor()
 +        buf = b"\x00" * 32
 +        with pytest.raises((TypeError, BufferError)):
 +            encryptor.update_into(b"testing", buf)
 +
     @pytest.mark.supported(
         only_if=lambda backend: backend.cipher_supported(
             AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
--- a/SPECS/python-cryptography.spec
+++ b/SPECS/python-cryptography.spec
@ -0,0 +1,277 @@
 %{!?python3_pkgversion:%global python3_pkgversion 3}
 %global srcname cryptography
 # rhbz#2172416: from_buffer(..., require_writable=True)
 %global cffi_version 1.11.5-6
 Name:           python-%{srcname}
 Version:        3.2.1
 Release:        7%{?dist}
 Summary:        PyCA's cryptography library
 Group:          Development/Libraries
 License:        ASL 2.0 or BSD
 URL:            https://cryptography.io/en/latest/
 Source0:        https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
 Patch0001:      0001-Re-add-deprecated-and-removed-features.patch
 Patch0002:      0002-Support-pytest-3.4.2.patch
 Patch0003:	0003-Skip-iso8601-test-cases.patch
 Patch0004:	0004-Revert-remove-NPN-bindings.patch
 Patch0005:	0005-CVE-2020-36242.patch
 # https://github.com/pyca/cryptography/pull/8230
 Patch0006:		0006-CVE-2023-23931.patch
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-pytest >= 3.4.2
 BuildRequires:  python%{python3_pkgversion}-setuptools
 BuildRequires:  python%{python3_pkgversion}-pretend
 # BuildRequires:  python{python3_pkgversion}-iso8601
 BuildRequires:  python%{python3_pkgversion}-cryptography-vectors = %{version}
 BuildRequires:  python%{python3_pkgversion}-pytz
 BuildRequires:  python%{python3_pkgversion}-six >= 1.4.1
 BuildRequires:  python%{python3_pkgversion}-cffi >= %{cffi_version}
 %description
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 %package -n  python%{python3_pkgversion}-%{srcname}
 Group:          Development/Libraries
 Summary:        PyCA's cryptography library
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 Requires:       openssl-libs
 Requires:       python%{python3_pkgversion}-six >= 1.4.1
 Requires:       python%{python3_pkgversion}-cffi >= %{cffi_version}
 Conflicts:      python%{python3_pkgversion}-cryptography-vectors < %{version}
 Conflicts:      python%{python3_pkgversion}-cryptography-vectors > %{version}
 %description -n python%{python3_pkgversion}-%{srcname}
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 %prep
 %autosetup -p1 -n %{srcname}-%{version}
 %build
 %py3_build
 %install
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
 %py3_install
 %check
 # workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644
 rm -f tests/hazmat/primitives/test_padding.py
 # don't run hypothesis tests
 rm -rf tests/hypothesis
 PYTHONPATH=%{buildroot}%{python3_sitearch} \
    %{__python3} -m pytest \
    -k "not test_decrypt_invalid_decrypt"
 %files -n python%{python3_pkgversion}-%{srcname}
 %doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %{python3_sitearch}/%{srcname}
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 %changelog
 * Fri Dec 01 2023 Christian Heimes <cheimes@redhat.com> - 3.2.1-7
 - Fix FTBFS caused by rsa_pkcs1_implicit_rejection OpenSSL feature, resolves: RHEL-17873
 * Wed Feb 22 2023 Christian Heimes <cheimes@redhat.com> - 3.2.1-6
 - Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2172404
 * Tue Jun 08 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-5
 - Rebuild for RHEL 8.5
 - Resolves: rhbz#1933071
 * Tue Feb 09 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-4
 - CVE-2020-36242: Fixed a bug where certain sequences of update() calls
  when symmetrically encrypting very large payloads (>2GB) could result
  in an integer overflow, leading to buffer overflows.
 - Resolves: rhbz#1926528
 * Mon Dec 14 17:24:01 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-3
 - Conflict with non-matching vector package
 * Mon Dec 14 14:19:42 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-2
 - Re-add remove NPN bindings, required for pyOpenSSL
 - Resolves: rhbz#1907429
 * Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
 - Rebase to upstream release 3.2.1
 - Resolves: rhbz#1873581
 - Resolves: rhbz#1778939
 - Removed dependencies on python-asn1crypto, python-idna
 * Tue Nov 12 2019 Christian Heimes <cheimes@redhat.com> - 2.3-3
 - Don't activate custom osrandom engine for FIPS compliance
 - Resolves: rhbz#1762667
 * Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
 - Use TLSv1.2 in test as workaround for RHBZ#1615099
 - Resolves: RHBZ#1611738
 * Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
 - New upstream release 2.3
 - Fix AEAD tag truncation bug, CVE-2018-10903, RHBZ#1602755, RHBZ#1602932
 * Tue Jun 19 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-2
 - Drop Python 2 subpackages from RHEL 8, fixes RHBZ#1589754
 - Remove unnecessary copy and shebang mangling
 * Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
 - New upstream release 2.2.1
 * Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
 - New upstream release 2.1.4
 * Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
 - Build requires gcc
 * Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
 - Update Python 2 dependency declarations to new packaging standards
  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 * Thu Nov 23 2017 Haïkel Guémar <hguemar@fedoraproject.org> - 2.1.3-1
 - Upstream 2.1.3
 * Tue Oct 24 2017 Christian Heimes <cheimes@redhat.com> - 2.1-2
 - Change Requires to openssl-libs
 * Thu Oct 12 2017 Christian Heimes <cheimes@redhat.com> - 2.1-1
 - New upstream release 2.1
 * Wed Sep 27 2017 Troy Dawson <tdawson@redhat.com> - 2.0.2-3
 - Cleanup spec file conditionals
 * Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-2
 - Add workaround for pytest bug
 * Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-1
 - New upstream release 2.0.2
 - Modernize spec
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 * Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 * Tue Jun 27 2017 Christian Heimes <cheimes@redhat.com> - 1.9-1
 - Upstream release 1.9
 * Wed Feb 15 2017 Christian Heimes <cheimes@redhat.com> - 1.7.2-1
 - Update to latest upstream
 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 * Thu Jan 05 2017 Matěj Cepl <mcepl@redhat.com> - 1.7.1-1
 - Update to the latest upstream.
 - Add a patch from https://github.com/pyca/cryptography/pull/3328
 * Tue Dec 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-5
 - Enable tests
 * Mon Dec 12 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-4
 - Rebuild for Python 3.6
 - Disable python3 tests for now
 * Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-3
 - Revert previous change
 * Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-2
 - Disable tests on releases earlier than 24
 * Mon Nov 07 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-1
 - Update to v1.5.3
 - Update source URL
 - Add BR for pytz
 * Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-4
 - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
 * Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-3
 - Remove versioned setuptools dependency
 * Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-2
 - Make it easier to build on EL7
 * Tue May 03 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-1
 - Update to v1.3.1
 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 * Mon Jan 11 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-2
 - Move python-cryptograph => python2-cryptography
 * Sat Jan 09 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-1
 - Update to v1.2.1
 * Wed Nov 11 2015 Robert Kuska <rkuska@redhat.com> - 1.1-1
 - Update to v1.1
 * Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 1.0.2-2
 - Rebuilt for Python3.5 rebuild
 * Wed Sep 30 2015 Matěj Cepl <mcepl@redhat.com> - 1.0.2-1
 - New upstream release (fix #1267548)
 * Wed Aug 12 2015 Nathaniel McCallum <npmccallum@redhat.com> - 1.0-1
 - New upstream release
 * Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 * Thu May 14 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.9-1
 - New upstream release
 - Run tests on RHEL
 - New deps: python-idna, python-ipaddress
 * Fri Apr 17 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8.2-1
 - New upstream release
 - Add python3-pyasn1 Requires (#1211073)
 * Tue Apr 14 2015 Matej Cepl <mcepl@redhat.com> - 0.8-2
 - Add python-pyasn1 Requires (#1211073)
 * Fri Mar 13 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8-1
 - New upstream release
 - Remove upstreamed patch
 * Wed Mar 04 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-2
 - Add python3-cryptography-vectors build requires
 - Add python-enum34 requires
 * Tue Feb 03 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-1
 - New upstream release. BSD is now an optional license.
 - Fix test running on python3
 - Add upstream patch to fix test paths
 * Fri Nov 07 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-2
 - Fix requires, for reasons why other development files were not
  eliminated see https://github.com/pyca/cryptography/issues/1463.
 * Wed Nov 05 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-1
 - New upstream release.
 * Sun Jun 29 2014 Terry Chia <terrycwk1994@gmail.com> 0.4-1
 - initial version
--- a/248
+++ b/248
@ -1,248 +0,0 @@
 * Tue Jul 02 2024 Jeremy Cline <jeremycline@linux.microsoft.com> - 42.0.8-1
 - Update to 42.0.8, fixes rhbz#2251816
 * Sat Jun 08 2024 Python Maint <python-maint@redhat.com> - 41.0.7-3
 - Rebuilt for Python 3.13
 * Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 41.0.7-2
 - Bootstrap for Python 3.13
 * Thu Feb 01 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 41.0.7-1
 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083
 * Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.0.5-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.0.5-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Fri Dec 01 2023 Fabio Valentini <decathorpe@gmail.com> - 41.0.5-2
 - Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072)
 * Thu Oct 26 2023 Christian Heimes <cheimes@redhat.com> - 41.0.5-1
 - Update to 41.0.5, resolves RHBZ#2239707
 * Mon Aug 14 2023 Christian Heimes <cheimes@redhat.com> - 41.0.3-2
 - Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042
 * Wed Aug 09 2023 Christian Heimes <cheimes@redhat.com> - 41.0.3-1
 - Update to 41.0.3, resolves rhbz#2211237
 - Use pyo3 0.19
 * Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 40.0.2-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 * Mon Jul 10 2023 Python Maint <python-maint@redhat.com> - 40.0.2-4
 - Rebuilt for Python 3.12
 * Wed Jun 14 2023 Python Maint <python-maint@redhat.com> - 40.0.2-3
 - Bootstrap for Python 3.12
 * Tue Jun 13 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 40.0.2-2
 - Use vendored rust-pem in RHEL builds
 * Tue Apr 18 2023 Christian Heimes <cheimes@redhat.com> - 40.0.2-1
 - Update to 40.0.2, resolves rhbz#2181430
 * Thu Mar 09 2023 Miro Hrončok <mhroncok@redhat.com> - 39.0.2-2
 - Don't run tests requiring pytz on RHEL
 - Don't try to run tests of vendored dependencies in %%check
 * Sat Mar 04 2023 Christian Heimes <cheimes@redhat.com> - 39.0.2-1
 - Update to 39.0.2, resolves rhbz#2124729
 * Tue Feb 28 2023 Fabio Valentini <decathorpe@gmail.com> - 37.0.2-9
 - Ensure correct compiler flags are used for Rust code.
 * Wed Feb 22 2023 Christian Heimes <cheimes@redhat.com> - 37.0.2-8
 - Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820
 - Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661
 * Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 37.0.2-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 * Fri Dec 09 2022 Christian Heimes <cheimes@redhat.com> - 37.0.2-6
 - Enable SHA1 signatures in test suite (ELN-only)
 * Wed Aug 17 2022 Miro Hrončok <mhroncok@redhat.com> - 37.0.2-5
 - Drop unused requirement of python3-six
 * Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.0.2-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 37.0.2-3
 - Rebuilt for Python 3.11
 * Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 37.0.2-2
 - Bootstrap for Python 3.11
 * Thu May 05 2022 Christian Heimes <cheimes@redhat.com> - 37.0.2-1
 - Update to 37.0.2, resolves rhbz#2078968
 * Thu Jan 27 2022 Christian Heimes <cheimes@redhat.com> - 36.0.0-3
 - Skip unstable memleak tests, resolves: RHBZ#2042413
 * Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 36.0.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Mon Nov 22 2021 Christian Heimes <cheimes@redhat.com> - 36.0.0-1
 - Update to 36.0.0, fixes RHBZ#2025347
 * Thu Sep 30 2021 Christian Heimes <cheimes@redhat.com> - 35.0.0-2
 - Require rust-asn1 >= 0.6.4
 * Thu Sep 30 2021 Christian Heimes <cheimes@redhat.com> - 35.0-1
 - Update to 35.0.0 (#2009117)
 * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.4.7-6
 - Rebuilt with OpenSSL 3.0.0
 * Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.7-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 * Thu Jun 10 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.4.7-4
 - Don't conditionalize Source: directives
 * Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 3.4.7-3
 - Rebuilt for Python 3.10
 * Tue May 11 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-2
 - Fix compatibility issue with Python 3.10. Enums now use same
  representation as on Python 3.9. (#1952522)
 - Backport OpenSSL 3.0.0 compatibility patches.
 * Wed Apr 21 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-1
 - Update to 3.4.7
 - Remove dependency on python-cryptography-vectors package and use vectors
  directly from Github source tar ball. (#1952024)
 * Wed Mar 03 2021 Christian Heimes <cheimes@redhat.com> - 3.4.6-1
 - Update to 3.4.6 (#1927044)
 * Mon Feb 15 2021 Christian Heimes <cheimes@redhat.com> - 3.4.5-1
 - Update to 3.4.5 (#1927044)
 * Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-3
 - Skip iso8601 and pretend tests on RHEL
 * Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-2
 - Provide RHEL build infrastructure
 * Wed Feb 10 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-1
 - Update to 3.4.4 (#1927044)
 * Mon Feb 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.2-1
 - Update to 3.4.2 (#1926339)
 - Package no longer depends on Rust (#1926181)
 * Mon Feb 08 2021 Fabio Valentini <decathorpe@gmail.com> - 3.4.1-2
 - Use dynamically generated BuildRequires for PyO3 Rust module.
 - Drop unnecessary CARGO_NET_OFFLINE environment variable.
 * Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4.1-1
 - Update to 3.4.1 (#1925953)
 * Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-2
 - Add missing abi3 and pytest dependencies
 * Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-1
 - Update to 3.4 (#1925953)
 - Remove Python 2 support
 - Remove unused python-idna dependency
 - Add Rust support
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Thu Dec 10 2020 Christian Heimes <cheimes@redhat.com> - 3.3.1-1
 - Update to 3.3.1 (#1905756)
 * Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
 - Update to 3.2.1 (#1892153)
 * Mon Oct 26 2020 Christian Heimes <cheimes@redhat.com> - 3.2-1
 - Update to 3.2 (#1891378)
 * Mon Sep 07 2020 Christian Heimes <cheimes@redhat.com> - 3.1-1
 - Update to 3.1 (#1872978)
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue Jul 21 2020 Christian Heimes <cheimes@redhat.com> - 3.0-1
 - Update to 3.0 (#185897)
 * Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9-3
 - Rebuilt for Python 3.9
 * Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2
 - add source file verification
 * Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1
 - Update to 2.9 (#1820348)
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Mon Jan 13 2020 Christian Heimes <cheimes@redhat.com> - 2.8-2
 - cryptography 2.8+ no longer depends on python-asn1crypto
 * Thu Oct 17 2019 Christian Heimes <cheimes@redhat.com> - 2.8-1
 - Update to 2.8
 - Resolves: rhbz#1762779
 * Sun Oct 13 2019 Christian Heimes <cheimes@redhat.com> - 2.7-3
 - Skip unit tests that fail with OpenSSL 1.1.1.d
 - Resolves: rhbz#1761194
 - Fix and simplify Python 3 packaging
 * Sat Oct 12 2019 Christian Heimes <cheimes@redhat.com> - 2.7-2
 - Drop Python 2 package
 - Resolves: rhbz#1761081
 * Tue Sep 03 2019 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.7-1
 - Update to 2.7 (#1715680).
 * Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.1-3
 - Rebuilt for Python 3.8
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Thu Feb 28 2019 Christian Heimes <cheimes@redhat.com> - 2.6.1-1
 - New upstream release 2.6.1, resolves RHBZ#1683691
 * Wed Feb 13 2019 Alfredo Moralejo <amoralej@redhat.com> - 2.5-1
 - Updated to 2.5.
 * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
 - Use TLSv1.2 in test as workaround for RHBZ#1615143
 * Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
 - New upstream release 2.3
 - Fix AEAD tag truncation bug, RHBZ#1602752
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.1-2
 - Rebuilt for Python 3.7
 * Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
 - New upstream release 2.2.1
 * Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
 - New upstream release 2.1.4
 * Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
 - Build requires gcc
 * Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
 - Update Python 2 dependency declarations to new packaging standards
  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
--- a/conftest-skipper.py
+++ b/conftest-skipper.py
@ -1,22 +0,0 @@
 class Skipper:
    """Skip iso8601 and pretend tests
    RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
    all tests that use the excluded modules.
    """
    def parse_date(self, datestring):
        pytest.skip(f"iso8601 module is not available.")
    def stub(self, **kwargs):
        pytest.skip(f"pretend module is not available.")
    def raiser(self, exc):
        pytest.skip(f"pretend module is not available.")
 import sys
 sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()
--- a/gating.yaml
+++ b/gating.yaml
@ -1,7 +0,0 @@
 # recipients: abokovoy, frenaud, kaleem, ftrivino, cheimes
 --- !Policy
 product_versions:
  - rhel-10
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@ -1,144 +0,0 @@
 %bcond_without tests
 %{!?python3_pkgversion:%global python3_pkgversion 3}
 %global srcname cryptography
 Name:           python-%{srcname}
 Version:        43.0.0
 Release:        %autorelease
 Summary:        PyCA's cryptography library
 # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause,
 # as well as the Python Software Foundation license for the OS random
 # engine derived by CPython.
 License:        (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0
 URL:            https://cryptography.io/en/latest/
 Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
                # created by ./vendor_rust.py helper script
 Source1:        cryptography-%{version}-vendor.tar.bz2
 Source2:        conftest-skipper.py
 Patch:          11328.patch
 Patch:          11536.patch
 ExclusiveArch:  %{rust_arches}
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
 BuildRequires:  gnupg2
 %if 0%{?fedora}
 BuildRequires:  rust-packaging
 %else
 BuildRequires:  rust-toolset
 %endif
 BuildRequires:  python%{python3_pkgversion}-cffi >= 1.12
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-setuptools
 BuildRequires:  python%{python3_pkgversion}-setuptools-rust >= 0.11.4
 %if %{with tests}
 %if 0%{?fedora}
 BuildRequires:  python%{python3_pkgversion}-certifi
 BuildRequires:  python%{python3_pkgversion}-hypothesis >= 1.11.4
 BuildRequires:  python%{python3_pkgversion}-iso8601
 BuildRequires:  python%{python3_pkgversion}-pretend
 BuildRequires:  python%{python3_pkgversion}-pytest-benchmark
 BuildRequires:  python%{python3_pkgversion}-pytest-xdist
 BuildRequires:  python%{python3_pkgversion}-pytz
 %endif
 BuildRequires:  python%{python3_pkgversion}-pytest >= 6.2.0
 %endif
 %description
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 %package -n  python%{python3_pkgversion}-%{srcname}
 Summary:        PyCA's cryptography library
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 Requires:       openssl-libs
 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
 # Can be safely removed in Fedora 37
 Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7
 %endif
 %description -n python%{python3_pkgversion}-%{srcname}
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 %prep
 %autosetup -p1 -n %{srcname}-%{version}
 %if 0%{?fedora}
 %cargo_prep
 sed -i 's/locked = true//g' pyproject.toml
 rm src/rust/Cargo.lock
 %else
 # RHEL: use vendored Rust crates
 %cargo_prep -V 1
 %endif
 %if ! 0%{?fedora}
 sed -i 's,--benchmark-disable,,' pyproject.toml
 %endif
 %generate_buildrequires
 %pyproject_buildrequires
 %if 0%{?fedora}
 # Fedora: use RPMified crates
 cd src/rust
 %cargo_generate_buildrequires
 cd ../..
 %endif
 %build
 export RUSTFLAGS="%build_rustflags"
 export OPENSSL_NO_VENDOR=1
 export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 "
 %pyproject_wheel
 %install
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
 %pyproject_install
 %pyproject_save_files %{srcname}
 %check
 %if %{with tests}
 %if 0%{?rhel}
 # skip benchmark, hypothesis, and pytz tests on RHEL
 rm -rf tests/bench tests/hypothesis tests/x509
 # append skipper to skip iso8601 and pretend tests
 cat < %{SOURCE2} >> tests/conftest.py
 %endif
 # enable SHA-1 signatures for RSA tests
 # also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
 export OPENSSL_ENABLE_SHA1_SIGNATURES=yes
 # see https://github.com/pyca/cryptography/issues/4885 and
 # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
 # see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes
 # not much sense for downstream testing.
 # see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure
 PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
    %{__python3} -m pytest \
    --ignore vendor \
    -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)"
 %endif
 %files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files}
 %doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %changelog
 %autochangelog
--- a/2
+++ b/2
@ -1,2 +0,0 @@
 SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7
 SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -1,70 +0,0 @@
 ---
 #
 # 1minutetip --buildroot rhel10
 #
 - hosts: localhost
  tags:
  - classic
  roles:
  - role: standard-test-source
    required_packages:
    - rust-toolset
  - role: standard-test-basic
    required_packages:
    - python3-cryptography
    - python3-pytest
    - python3-pytest-subtests
    environment:
      PYTHONPATH: "{{ srcdir }}/vectors"
      OPENSSL_ENABLE_SHA1_SIGNATURES: "yes"
    tests:
    - remove_hypothesis:
        # remove tests that depend on python3-hypothesis package
        dir: "source"
        run: rm -rf tests/hypothesis/
    - remove_iso8601:
        # remove tests that depend on python3-iso8601 package
        dir: "source"
        run: rm -rf tests/test_fernet.py
    - remove_scrypt:
        # scrypt tests require more memory than available
        dir: "source"
        run: rm -f tests/hazmat/primitives/test_scrypt.py
    - patch_conftest:
        dir: "source"
        run: "cat ../conftest-skipper.py  >> tests/conftest.py"
    # tests take some time, split up to avoid CI timeouts.
    - unittests-basic:
        dir: "source"
        run: pytest-3 tests/test_*.py
    - unittests-x509:
        dir: "source"
        run: pytest-3 tests/x509/
    - unittests-hazmat:
        dir: "source"
        run: pytest-3 -k 'not test_openssl_memleak' tests/hazmat/backends/ tests/hazmat/bindings/
    - unittests-primitives-aead:
        dir: "source"
        run: pytest-3 tests/hazmat/primitives/test_aead.py
    - unittests-primitives-aes:
        dir: "source"
        run: >-
            pytest-3
            tests/hazmat/primitives/test_aes.py::TestAESModeCBC
            tests/hazmat/primitives/test_aes.py::TestAESModeCTR
            tests/hazmat/primitives/test_aes_gcm.py::TestAESModeGCM
    - unittests-primitives-a-e:
        dir: "source"
        run: >-
            pytest-3
            tests/hazmat/primitives/test_arc4.py
            tests/hazmat/primitives/test_asym_utils.py
            tests/hazmat/primitives/test_[b-e]*.py
    - unittests-primitives-f-z:
        dir: "source"
        run: >-
            pytest-3
            tests/hazmat/primitives/test_[f-z]*.py
            tests/hazmat/primitives/twofactor
--- a/vendor_rust.py
+++ b/vendor_rust.py
@ -1,112 +0,0 @@
 #!/usr/bin/python3
 """Vendor PyCA cryptography's Rust crates
 """
 import argparse
 import os
 import re
 import tarfile
 import tempfile
 import shutil
 import subprocess
 import sys
 VENDOR_DIR = "vendor"
 CARGO_TOML = "src/rust/Cargo.toml"
 RE_VERSION = re.compile(r"Version:\s*(.*)")
 parser = argparse.ArgumentParser(description="Vendor Rust packages")
 parser.add_argument(
    "--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
 )
 def cargo(cmd, manifest):
    args = ["cargo", cmd, f"--manifest-path={manifest}"]
    return subprocess.check_call(
        args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
    )
 def tar_reset(tarinfo):
    """Reset user, group, mtime, and mode to create reproducible tar"""
    tarinfo.uid = 0
    tarinfo.gid = 0
    tarinfo.uname = "root"
    tarinfo.gname = "root"
    tarinfo.mtime = 0
    if tarinfo.type == tarfile.DIRTYPE:
        tarinfo.mode = 0o755
    else:
        tarinfo.mode = 0o644
    if tarinfo.pax_headers:
        raise ValueError(tarinfo.name, tarinfo.pax_headers)
    return tarinfo
 def tar_reproducible(tar, basedir):
    """Create reproducible tar file"""
    content = [basedir]
    for root, dirs, files in os.walk(basedir):
        for directory in dirs:
            content.append(os.path.join(root, directory))
        for filename in files:
            content.append(os.path.join(root, filename))
    content.sort()
    for fn in content:
        tar.add(fn, filter=tar_reset, recursive=False, arcname=fn)
 def main():
    args = parser.parse_args()
    spec = args.spec
    # change cwd to work in bundle directory
    here = os.path.dirname(os.path.abspath(spec))
    os.chdir(here)
    # extract version number from bundle name
    with open(spec) as f:
        for line in f:
            mo = RE_VERSION.search(line)
            if mo is not None:
                version = mo.group(1)
                break
        else:
            raise ValueError(f"Cannot find version in {spec}")
    bundle_file = f"cryptography-{version}.tar.gz"
    vendor_file = f"cryptography-{version}-vendor.tar.bz2"
    # remove existing vendor directory and file
    if os.path.isdir(VENDOR_DIR):
        shutil.rmtree(VENDOR_DIR)
    try:
        os.unlink(vendor_file)
    except FileNotFoundError:
        pass
    print(f"Getting crates for {bundle_file}", file=sys.stderr)
    # extract tar file in tempdir
    # fetch and vendor Rust crates
    with tempfile.TemporaryDirectory(dir=here) as tmp:
        with tarfile.open(bundle_file) as tar:
            tar.extractall(path=tmp)
        manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
        cargo("fetch", manifest)
        cargo("vendor", manifest)
    print("\nCreating tar ball...", file=sys.stderr)
    with tarfile.open(vendor_file, "x:bz2") as tar:
        tar_reproducible(tar, VENDOR_DIR)
    # remove vendor dir
    shutil.rmtree(VENDOR_DIR)
    parser.exit(0, f"Created {vendor_file}\n")
 if __name__ == "__main__":
    main()
		`@ -0,0 +1 @@`
							`20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz`
		`@ -1,2 +0,0 @@`
			`SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7`
			`SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924`