rpms
/
python-cryptography
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c8-stream-3.9
rpms:c9
rpms:c8-beta-stream-3.9
rpms:stream-python39-3.9-rhel-8.10.0
rpms:c8-beta
rpms:c9-beta
rpms:stream-python38-3.8-rhel-8.10.0
rpms:stream-python39-3.9-rhel-8.9.0
rpms:stream-python38-3.8-rhel-8.9.0
rpms:stream-python39-3.9-bootstrap-rhel-8.9.0
rpms:stream-python38-3.8-bootstrap-rhel-8.9.0
rpms:c9s
rpms:c8-beta-stream-3.8
rpms:c8s-stream-3.9
rpms:c8s-stream-3.8
rpms:c8s
rpms:c8-stream-3.8
rpms:imports/c8-stream-3.9/python-cryptography-3.3.1-3.module_el8.10.0+3765+2f9a457d
rpms:imports/c9/python-cryptography-36.0.1-4.el9
rpms:imports/c8/python-cryptography-3.2.1-7.el8_9
rpms:imports/c8-beta/python-cryptography-3.2.1-6.el8
rpms:imports/c9-beta/python-cryptography-36.0.1-4.el9
rpms:imports/c9/python-cryptography-36.0.1-2.el9
rpms:imports/c9-beta/python-cryptography-36.0.1-2.el9
rpms:imports/c9/python-cryptography-36.0.1-1.el9_0
rpms:imports/c9-beta/python-cryptography-36.0.1-1.el9_0
rpms:imports/c9-beta/python-cryptography-3.4.7-8.el9
rpms:imports/c9-beta/python-cryptography-3.4.7-5.el9
rpms:imports/c8/python-cryptography-3.2.1-5.el8
rpms:imports/c8-beta-stream-3.9/python-cryptography-3.3.1-2.module+el8.4.0+9822+20bf1249
rpms:imports/c8-beta-stream-3.8/python-cryptography-2.8-3.module+el8.4.0+8888+89bc7e79
rpms:imports/c8-beta-stream-3.8/python-cryptography-2.8-3.module+el8.2.0+5234+f98739b6
rpms:imports/c8-beta/python-cryptography-3.2.1-5.el8
rpms:imports/c8-beta/python-cryptography-3.2.1-3.el8
rpms:imports/c8-beta/python-cryptography-2.3-3.el8
rpms:imports/c8-beta/python-cryptography-2.3-2.el8
rpms:imports/c8s-stream-3.9/python-cryptography-3.3.1-2.module+el8.4.0+9540+56f9cecb
rpms:imports/c8s-stream-3.8/python-cryptography-2.8-3.module+el8.4.0+8888+89bc7e79
rpms:imports/c8s/python-cryptography-3.2.1-5.el8
rpms:imports/c8s/python-cryptography-3.2.1-4.el8
rpms:imports/c8s/python-cryptography-3.2.1-3.el8
rpms:imports/c8s/python-cryptography-3.2.1-1.el8
rpms:imports/c8s/python-cryptography-2.3-3.el8
rpms:imports/c8-stream-3.9/python-cryptography-3.3.1-2.module+el8.4.0+9822+20bf1249
rpms:imports/c8-stream-3.8/python-cryptography-2.8-3.module+el8.4.0+8888+89bc7e79
rpms:imports/c8-stream-3.8/python-cryptography-2.8-3.module+el8.2.0+5234+f98739b6
rpms:imports/c8/python-cryptography-3.2.1-4.el8
rpms:imports/c8/python-cryptography-2.3-3.el8
rpms:imports/c8/python-cryptography-2.3-2.el8
...
pull from: rpms:c9s
Branches Tags
rpms:c8-stream-3.9
rpms:c9
rpms:c8-beta-stream-3.9
rpms:c8
rpms:stream-python39-3.9-rhel-8.10.0
rpms:c8-beta
rpms:c9-beta
rpms:stream-python38-3.8-rhel-8.10.0
rpms:stream-python39-3.9-rhel-8.9.0
rpms:stream-python38-3.8-rhel-8.9.0
rpms:stream-python39-3.9-bootstrap-rhel-8.9.0
rpms:stream-python38-3.8-bootstrap-rhel-8.9.0
rpms:c9s
rpms:c8-beta-stream-3.8
rpms:c8s-stream-3.9
rpms:c8s-stream-3.8
rpms:c8s
rpms:c8-stream-3.8
rpms:imports/c8-stream-3.9/python-cryptography-3.3.1-3.module_el8.10.0+3765+2f9a457d
rpms:imports/c9/python-cryptography-36.0.1-4.el9
rpms:imports/c8/python-cryptography-3.2.1-7.el8_9
rpms:imports/c8-beta/python-cryptography-3.2.1-6.el8
rpms:imports/c9-beta/python-cryptography-36.0.1-4.el9
rpms:imports/c9/python-cryptography-36.0.1-2.el9
rpms:imports/c9-beta/python-cryptography-36.0.1-2.el9
rpms:imports/c9/python-cryptography-36.0.1-1.el9_0
rpms:imports/c9-beta/python-cryptography-36.0.1-1.el9_0
rpms:imports/c9-beta/python-cryptography-3.4.7-8.el9
rpms:imports/c9-beta/python-cryptography-3.4.7-5.el9
rpms:imports/c8/python-cryptography-3.2.1-5.el8
rpms:imports/c8-beta-stream-3.9/python-cryptography-3.3.1-2.module+el8.4.0+9822+20bf1249
rpms:imports/c8-beta-stream-3.8/python-cryptography-2.8-3.module+el8.4.0+8888+89bc7e79
rpms:imports/c8-beta-stream-3.8/python-cryptography-2.8-3.module+el8.2.0+5234+f98739b6
rpms:imports/c8-beta/python-cryptography-3.2.1-5.el8
rpms:imports/c8-beta/python-cryptography-3.2.1-3.el8
rpms:imports/c8-beta/python-cryptography-2.3-3.el8
rpms:imports/c8-beta/python-cryptography-2.3-2.el8
rpms:imports/c8s-stream-3.9/python-cryptography-3.3.1-2.module+el8.4.0+9540+56f9cecb
rpms:imports/c8s-stream-3.8/python-cryptography-2.8-3.module+el8.4.0+8888+89bc7e79
rpms:imports/c8s/python-cryptography-3.2.1-5.el8
rpms:imports/c8s/python-cryptography-3.2.1-4.el8
rpms:imports/c8s/python-cryptography-3.2.1-3.el8
rpms:imports/c8s/python-cryptography-3.2.1-1.el8
rpms:imports/c8s/python-cryptography-2.3-3.el8
rpms:imports/c8-stream-3.9/python-cryptography-3.3.1-2.module+el8.4.0+9822+20bf1249
rpms:imports/c8-stream-3.8/python-cryptography-2.8-3.module+el8.4.0+8888+89bc7e79
rpms:imports/c8-stream-3.8/python-cryptography-2.8-3.module+el8.2.0+5234+f98739b6
rpms:imports/c8/python-cryptography-3.2.1-4.el8
rpms:imports/c8/python-cryptography-2.3-3.el8
rpms:imports/c8/python-cryptography-2.3-2.el8

No commits in common. "c8" and "c9s" have entirely different histories.
c8 ... c9s

22 changed files with 1226 additions and 785 deletions
Show Stats Expand all files Collapse all files

49
.gitignore vendored
View File

@ -1 +1,48 @@
SOURCES/cryptography-3.2.1.tar.gz
/cryptography-1.3.1.tar.gz
/cryptography-1.5.3.tar.gz
/cryptography-1.7.1.tar.gz
/cryptography-1.7.2.tar.gz
/cryptography-1.9.tar.gz
/cryptography-2.0.2.tar.gz
/cryptography-2.1.tar.gz
/cryptography-2.1.3.tar.gz
/cryptography-2.1.4.tar.gz
/cryptography-2.2.1.tar.gz
/cryptography-2.3.tar.gz
/cryptography-2.5.tar.gz
/cryptography-2.6.1.tar.gz
/cryptography-2.7.tar.gz
/cryptography-2.8.tar.gz
/cryptography-2.9.tar.gz
/cryptography-2.9.tar.gz.asc
/cryptography-3.0.tar.gz
/cryptography-3.0.tar.gz.asc
/cryptography-3.1.tar.gz
/cryptography-3.1.tar.gz.asc
/cryptography-3.2.tar.gz
/cryptography-3.2.tar.gz.asc
/cryptography-3.2.1.tar.gz
/cryptography-3.2.1.tar.gz.asc
/cryptography-3.3.1.tar.gz
/cryptography-3.3.1.tar.gz.asc
/cryptography-3.4.tar.gz
/cryptography-3.4.tar.gz.asc
/cryptography-3.4.1.tar.gz
/cryptography-3.4.1.tar.gz.asc
/cryptography-3.4.2.tar.gz
/cryptography-3.4.2.tar.gz.asc
/cryptography-3.4.4.tar.gz
/cryptography-3.4.4.tar.gz.asc
/cryptography-3.4.5.tar.gz
/cryptography-3.4.5.tar.gz.asc
/cryptography-3.4.6.tar.gz
/cryptography-3.4.6.tar.gz.asc
/cryptography-3.4.6-vendor.tar.bz2
/cryptography-3.4.7.tar.gz
/cryptography-3.4.7-vendor.tar.bz2
/cryptography-36.0.0.tar.gz
/cryptography-36.0.0-vendor.tar.bz2
/cryptography-36.0.1.tar.gz
/cryptography-36.0.1-vendor.tar.bz2
/artifacts
/tests/artifacts

1
.python-cryptography.metadata
View File

@ -1 +0,0 @@
20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz

71
0001-Block-TripleDES-in-FIPS-mode-6879.patch Normal file
View File

@ -0,0 +1,71 @@
From d250d169e87168903a543248d0bfd6c37f2f6841 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Tue, 22 Feb 2022 00:37:32 +0200
Subject: [PATCH 1/5] Block TripleDES in FIPS mode (#6879)
* Block TripleDES in FIPS mode
NIST SP-800-131A rev 2 lists TripleDES Encryption as disallowed in FIPS 140-3
decryption as legacy use. Three-key TDEA is listed as deprecated
throughout 2023 and disallowed after 2023.
For simplicity we block all use of TripleDES in FIPS mode.
Fixes: #6875
Signed-off-by: Christian Heimes <christian@python.org>
* Fix flake
---
src/cryptography/hazmat/backends/openssl/backend.py | 13 ++++++-------
tests/hazmat/primitives/utils.py | 4 ++++
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 736452392..f38269e26 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -134,7 +134,9 @@ class Backend(BackendInterface):
b"aes-192-gcm",
b"aes-256-gcm",
}
- _fips_ciphers = (AES, TripleDES)
+ # TripleDES encryption is disallowed/deprecated throughout 2023 in
+ # FIPS 140-3. To keep it simple we denylist any use of TripleDES (TDEA).
+ _fips_ciphers = (AES,)
# Sometimes SHA1 is still permissible. That logic is contained
# within the various *_supported methods.
_fips_hashes = (
@@ -323,12 +325,9 @@ class Backend(BackendInterface):
def cipher_supported(self, cipher, mode):
if self._fips_enabled:
- # FIPS mode requires AES or TripleDES, but only CBC/ECB allowed
- # in TripleDES mode.
- if not isinstance(cipher, self._fips_ciphers) or (
- isinstance(cipher, TripleDES)
- and not isinstance(mode, (CBC, ECB))
- ):
+ # FIPS mode requires AES. TripleDES is disallowed/deprecated in
+ # FIPS 140-3.
+ if not isinstance(cipher, self._fips_ciphers):
return False
try:
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
index 93f117828..a367343ca 100644
--- a/tests/hazmat/primitives/utils.py
+++ b/tests/hazmat/primitives/utils.py
@@ -469,6 +469,10 @@ def _kbkdf_cmac_counter_mode_test(backend, prf, ctr_loc, params):
algorithm = supported_cipher_algorithms.get(prf)
assert algorithm is not None
+ # TripleDES is disallowed in FIPS mode.
+ if backend._fips_enabled and algorithm is algorithms.TripleDES:
+ pytest.skip("TripleDES is not supported in FIPS mode.")
+
ctrkdf = KBKDFCMAC(
algorithm,
Mode.CounterMode,
--
2.35.1

319
0002-Disable-DSA-tests-in-FIPS-mode-6916.patch Normal file
View File

@ -0,0 +1,319 @@
From ff80e3a27408657fef599f44ae1a9a875e005685 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Wed, 2 Mar 2022 21:47:04 +0200
Subject: [PATCH 2/5] Disable DSA tests in FIPS mode (#6916)
* Disable DSA tests in FIPS mode
See: #6880
* ignore coverage for nested FIPS check
* Remove if branch
* Remove skip modulus branch
* Keep tests that don't use the backend
---
.../hazmat/backends/openssl/backend.py | 7 ++-
tests/hazmat/primitives/test_dsa.py | 46 +++++++++++--------
tests/hazmat/primitives/test_serialization.py | 24 ++++++++++
tests/x509/test_x509.py | 43 ++++++++++++++---
tests/x509/test_x509_ext.py | 4 ++
5 files changed, 98 insertions(+), 26 deletions(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index f38269e26..a6d0e8872 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -804,7 +804,12 @@ class Backend(BackendInterface):
self.openssl_assert(res == 1)
return evp_pkey
- def dsa_hash_supported(self, algorithm):
+ def dsa_supported(self) -> bool:
+ return not self._fips_enabled
+
+ def dsa_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+ if not self.dsa_supported():
+ return False
return self.hash_supported(algorithm)
def dsa_parameters_supported(self, p, q, g):
diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py
index 6028b600d..60681683d 100644
--- a/tests/hazmat/primitives/test_dsa.py
+++ b/tests/hazmat/primitives/test_dsa.py
@@ -59,7 +59,12 @@ def test_skip_if_dsa_not_supported(backend):
_skip_if_dsa_not_supported(backend, DummyHashAlgorithm(), 1, 1, 1)
-class TestDSA(object):
+
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSA:
def test_generate_dsa_parameters(self, backend):
parameters = dsa.generate_parameters(2048, backend)
assert isinstance(parameters, dsa.DSAParameters)
@@ -76,11 +81,6 @@ class TestDSA(object):
),
)
def test_generate_dsa_keys(self, vector, backend):
- if (
- backend._fips_enabled
- and vector["p"] < backend._fips_dsa_min_modulus
- ):
- pytest.skip("Small modulus blocked in FIPS mode")
parameters = dsa.DSAParameterNumbers(
p=vector["p"], q=vector["q"], g=vector["g"]
).parameters(backend)
@@ -389,7 +389,12 @@ class TestDSA(object):
).private_key(backend)
-class TestDSAVerification(object):
+
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSAVerification:
def test_dsa_verification(self, backend, subtests):
vectors = load_vectors_from_file(
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigVer.rsp"),
@@ -481,17 +486,12 @@ class TestDSAVerification(object):
Prehashed(hashes.SHA1()) # type: ignore[arg-type]
)
- def test_prehashed_unsupported_in_verifier_ctx(self, backend):
- public_key = DSA_KEY_1024.private_key(backend).public_key()
- with pytest.raises(TypeError), pytest.warns(
- CryptographyDeprecationWarning
- ):
- public_key.verifier(
- b"0" * 64, Prehashed(hashes.SHA1()) # type: ignore[arg-type]
- )
-
-class TestDSASignature(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSASignature:
def test_dsa_signing(self, backend, subtests):
vectors = load_vectors_from_file(
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigGen.txt"),
@@ -695,7 +695,11 @@ class TestDSANumberEquality(object):
assert priv != object()
-class TestDSASerialization(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSASerialization:
@pytest.mark.parametrize(
("fmt", "password"),
itertools.product(
@@ -916,7 +920,11 @@ class TestDSASerialization(object):
)
-class TestDSAPEMPublicKeySerialization(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSAPEMPublicKeySerialization:
@pytest.mark.parametrize(
("key_path", "loader_func", "encoding"),
[
diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py
index fb6b753de..5a2b9fba5 100644
--- a/tests/hazmat/primitives/test_serialization.py
+++ b/tests/hazmat/primitives/test_serialization.py
@@ -141,6 +141,10 @@ class TestDERSerialization(object):
assert isinstance(key, rsa.RSAPrivateKey)
_check_rsa_private_numbers(key.private_numbers())
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_path", "password"),
[
@@ -341,6 +345,10 @@ class TestDERSerialization(object):
with pytest.raises(ValueError):
load_der_public_key(b"invalid data", backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
"key_file",
[
@@ -422,6 +430,10 @@ class TestPEMSerialization(object):
assert isinstance(key, rsa.RSAPrivateKey)
_check_rsa_private_numbers(key.private_numbers())
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_path", "password"),
[
@@ -490,6 +502,10 @@ class TestPEMSerialization(object):
numbers = key.public_numbers()
assert numbers.e == 65537
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_file"),
[
@@ -894,6 +910,10 @@ class TestPEMSerialization(object):
16,
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_load_pem_dsa_private_key(self, backend):
key = load_vectors_from_file(
os.path.join("asymmetric", "PKCS8", "unenc-dsa-pkcs8.pem"),
@@ -2313,6 +2333,10 @@ class TestOpenSSHSerialization(object):
DummyKeySerializationEncryption(),
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_path", "supported"),
[
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 23e97a768..7a7a52977 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -2561,7 +2561,21 @@ class TestCertificateBuilder(object):
only_if=lambda backend: backend.hash_supported(hashes.MD5()),
skip_message="Requires OpenSSL with MD5 support",
)
- def test_sign_dsa_with_md5(self, backend):
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
+ @pytest.mark.parametrize(
+ "hash_algorithm",
+ [
+ hashes.MD5(),
+ hashes.SHA3_224(),
+ hashes.SHA3_256(),
+ hashes.SHA3_384(),
+ hashes.SHA3_512(),
+ ],
+ )
+ def test_sign_dsa_with_unsupported_hash(self, hash_algorithm, backend):
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
builder = (
@@ -2602,6 +2616,10 @@ class TestCertificateBuilder(object):
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("hashalg", "hashalg_oid"),
[
@@ -2615,9 +2633,6 @@ class TestCertificateBuilder(object):
def test_build_cert_with_dsa_private_key(
self, hashalg, hashalg_oid, backend
):
- if backend._fips_enabled and hashalg is hashes.SHA1:
- pytest.skip("SHA1 not supported in FIPS mode")
-
issuer_private_key = DSA_KEY_2048.private_key(backend)
subject_private_key = DSA_KEY_2048.private_key(backend)
@@ -3646,6 +3661,10 @@ class TestCertificateSigningRequestBuilder(object):
only_if=lambda backend: backend.hash_supported(hashes.MD5()),
skip_message="Requires OpenSSL with MD5 support",
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_sign_dsa_with_md5(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder().subject_name(
@@ -3969,6 +3988,10 @@ class TestCertificateSigningRequestBuilder(object):
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_build_ca_request_with_dsa(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
@@ -4319,7 +4342,11 @@ class TestCertificateSigningRequestBuilder(object):
builder.sign(private_key, hashes.SHA512(), backend)
-class TestDSACertificate(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSACertificate:
def test_load_dsa_cert(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
@@ -4444,7 +4471,11 @@ class TestDSACertificate(object):
)
-class TestDSACertificateRequest(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSACertificateRequest:
@pytest.mark.parametrize(
("path", "loader_func"),
[
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 4173dece6..66ac43d95 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -1712,6 +1712,10 @@ class TestSubjectKeyIdentifierExtension(object):
ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
assert ext.value == ski
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_from_dsa_public_key(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
--
2.35.1

26
0003-fixes-6927-handle-negative-return-values-from-openss.patch Normal file
View File

@ -0,0 +1,26 @@
From 20bafea414bcc08bfcb5b669ecbf9a3438ff7b78 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Thu, 3 Mar 2022 15:44:02 -0500
Subject: [PATCH 3/5] fixes #6927 -- handle negative return values from openssl
(#6928)
---
src/cryptography/hazmat/backends/openssl/rsa.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 9bef49d24..dd5d4990b 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -208,7 +208,7 @@ def _rsa_sig_setup(backend, padding, algorithm, key, init_func):
if algorithm is not None:
evp_md = backend._evp_md_non_null_from_algorithm(algorithm)
res = backend._lib.EVP_PKEY_CTX_set_signature_md(pkey_ctx, evp_md)
- if res == 0:
+ if res <= 0:
backend._consume_errors()
raise UnsupportedAlgorithm(
"{} is not supported by this backend for RSA signing.".format(
--
2.35.1

24
0004-Disable-test_openssl_assert_error_on_stack-in-FIPS-m.patch Normal file
View File

@ -0,0 +1,24 @@
From 820d9527070ad2c7724dcecf1a35dbac7d68621d Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Tue, 1 Mar 2022 16:22:51 +0100
Subject: [PATCH 4/5] Disable test_openssl_assert_error_on_stack in FIPS mode
---
tests/hazmat/bindings/test_openssl.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 129928ac0..9839aec4d 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -84,6 +84,7 @@ class TestOpenSSL(object):
with pytest.raises(AttributeError):
b.lib.TLS_ST_OK
+ @pytest.mark.skip_fips(reason="FIPS maps to different error codes")
def test_openssl_assert_error_on_stack(self):
b = Binding()
b.lib.ERR_put_error(
--
2.35.1

67
0005-Fixed-serialization-of-keyusage-ext-with-no-bits-693.patch Normal file
View File

@ -0,0 +1,67 @@
From 89af85f9d4fc2ef3e89ad1b2a58c751f00f54a4f Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Thu, 3 Mar 2022 16:24:21 -0500
Subject: [PATCH 5/5] Fixed serialization of keyusage ext with no bits (#6930)
fixes #6926
---
src/rust/src/x509/extensions.rs | 17 +++++++++++------
tests/x509/test_x509_ext.py | 14 ++++++++++++++
2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
index 606566dd9..68b9839a0 100644
--- a/src/rust/src/x509/extensions.rs
+++ b/src/rust/src/x509/extensions.rs
@@ -135,12 +135,17 @@ pub(crate) fn encode_extension(
certificate::set_bit(&mut bs, 7, ext.getattr("encipher_only")?.is_true()?);
certificate::set_bit(&mut bs, 8, ext.getattr("decipher_only")?.is_true()?);
}
- let bits = if bs[1] == 0 { &bs[..1] } else { &bs[..] };
- let unused_bits = bits.last().unwrap().trailing_zeros() as u8;
- Ok(Some(asn1::write_single(&asn1::BitString::new(
- bits,
- unused_bits,
- ))))
+ let (bits, unused_bits) = if bs[1] == 0 {
+ if bs[0] == 0 {
+ (&[][..], 0)
+ } else {
+ (&bs[..1], bs[0].trailing_zeros() as u8)
+ }
+ } else {
+ (&bs[..], bs[1].trailing_zeros() as u8)
+ };
+ let v = asn1::BitString::new(bits, unused_bits).unwrap();
+ Ok(Some(asn1::write_single(&v)))
} else if oid == &*oid::AUTHORITY_INFORMATION_ACCESS_OID
|| oid == &*oid::SUBJECT_INFORMATION_ACCESS_OID
{
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 66ac43d95..2bbba8ec6 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -1137,6 +1137,20 @@ class TestKeyUsage(object):
),
b"\x03\x02\x02\x94",
),
+ (
+ x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=False,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=False,
+ ),
+ b"\x03\x01\x00",
+ ),
],
)
def test_public_bytes(self, ext, serialized):
--
2.35.1

0
SOURCES/0006-CVE-2023-23931.patch → 0006-CVE-2023-23931.patch
View File

83
0007-Adapt-for-OpenSSL-RSA-bleichenbacher-mitigation-7895.patch Normal file
View File

@ -0,0 +1,83 @@
From ca92d13436944090faa79ffc25378c45ec564a4d Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Wed, 14 Dec 2022 01:50:06 -0500
Subject: [PATCH] Adapt for OpenSSL RSA bleichenbacher mitigation (#7895)
Attempt to work-around wycheproof tests
---
src/_cffi_src/openssl/rsa.py | 8 ++++++++
tests/hazmat/primitives/test_rsa.py | 5 +++--
tests/wycheproof/test_rsa.py | 20 +++++++++++++++-----
3 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py
index 5d1e163b1..2682ea1e4 100644
--- a/src/_cffi_src/openssl/rsa.py
+++ b/src/_cffi_src/openssl/rsa.py
@@ -18,6 +18,8 @@ static const int RSA_F4;
static const int Cryptography_HAS_RSA_OAEP_MD;
static const int Cryptography_HAS_RSA_OAEP_LABEL;
+
+static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION;
"""
FUNCTIONS = """
@@ -57,4 +59,10 @@ int (*EVP_PKEY_CTX_set_rsa_oaep_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL;
int (*EVP_PKEY_CTX_set0_rsa_oaep_label)(EVP_PKEY_CTX *, unsigned char *,
int) = NULL;
#endif
+
+#if defined(EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION)
+static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION = 1;
+#else
+static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION = 0;
+#endif
"""
diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
index 4fb205db4..0315489dc 100644
--- a/tests/hazmat/primitives/test_rsa.py
+++ b/tests/hazmat/primitives/test_rsa.py
@@ -1551,8 +1551,9 @@ class TestRSADecryption(object):
private_key.decrypt(b"0" * 256, DummyAsymmetricPadding())
@pytest.mark.supported(
- only_if=lambda backend: backend.rsa_padding_supported(
- padding.PKCS1v15()
+ only_if=lambda backend: (
+ backend.rsa_padding_supported(padding.PKCS1v15())
+ and not backend._lib.Cryptography_HAS_IMPLICIT_RSA_REJECTION
),
skip_message="Does not support PKCS1v1.5.",
)
diff --git a/tests/wycheproof/test_rsa.py b/tests/wycheproof/test_rsa.py
index 79fd682b7..e6bd8af8a 100644
--- a/tests/wycheproof/test_rsa.py
+++ b/tests/wycheproof/test_rsa.py
@@ -245,8 +245,18 @@ def test_rsa_pkcs1_encryption(backend, wycheproof):
)
assert pt == binascii.unhexlify(wycheproof.testcase["msg"])
else:
- with pytest.raises(ValueError):
- key.decrypt(
- binascii.unhexlify(wycheproof.testcase["ct"]),
- padding.PKCS1v15(),
- )
+ if backend._lib.Cryptography_HAS_IMPLICIT_RSA_REJECTION:
+ try:
+ assert key.decrypt(
+ binascii.unhexlify(wycheproof.testcase["ct"]),
+ padding.PKCS1v15(),
+ ) != binascii.unhexlify(wycheproof.testcase["ct"])
+ except ValueError:
+ # Some raise ValueError due to length mismatch.
+ pass
+ else:
+ with pytest.raises(ValueError):
+ key.decrypt(
+ binascii.unhexlify(wycheproof.testcase["ct"]),
+ padding.PKCS1v15(),
+ )
--
2.40.1

59
README.md Normal file
View File

@ -0,0 +1,59 @@
# PyCA cryptography
https://cryptography.io/en/latest/
## Packaging python-cryptography
The example assumes
* Fedora Rawhide (f34)
* PyCA cryptography release ``3.4``
* Update Bugzilla issue is ``RHBZ#00000001``
### Build new python-cryptography
Switch and update branch
```shell
fedpkg switch-branch rawhide
fedpkg pull
```
Bump version and get sources
```shell
rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography.spec
spectool -gf python-cryptography.spec
```
Upload new source
```shell
fedpkg new-sources cryptography-3.4.tar.gz
```
Commit changes
```shell
fedpkg commit --clog
fedpkg push
```
Build
```shell
fedpkg build
```
## RHEL/CentOS builds
RHEL and CentOS use a different approach for Rust crates packaging than
Fedora. On Fedora Rust dependencies are packaged as RPMs, e.g.
``rust-pyo3+default-devel`` RPM. These packages don't exist on RHEL and
CentOS. Instead python-cryptography uses a tar ball with vendored crates.
The tar ball is created by a script:
```shell
./vendor_rust.py
rhpkg upload cryptography-3.4-vendor.tar.bz2
```

254
SOURCES/0001-Re-add-deprecated-and-removed-features.patch
View File

@ -1,254 +0,0 @@
From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 27 Oct 2020 16:42:15 +0100
Subject: [PATCH 1] Re-add deprecated and removed features
* encode_rfc6979_signature()
* decode_rfc6979_signature()
* Certificate.serial property
* MACContext
* osrandom engine is disabled
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
.../hazmat/backends/openssl/cmac.py | 3 +-
.../hazmat/backends/openssl/hmac.py | 3 +-
.../hazmat/backends/openssl/x509.py | 4 ++
.../hazmat/primitives/asymmetric/utils.py | 8 ++++
src/cryptography/hazmat/primitives/cmac.py | 3 +-
src/cryptography/hazmat/primitives/hmac.py | 3 +-
src/cryptography/hazmat/primitives/mac.py | 37 +++++++++++++++++++
src/cryptography/x509/extensions.py | 6 ++-
tests/hazmat/backends/test_openssl.py | 3 ++
tests/hazmat/primitives/test_asym_utils.py | 9 +++++
tests/x509/test_x509.py | 1 +
tests/x509/test_x509_ext.py | 5 +++
12 files changed, 80 insertions(+), 5 deletions(-)
create mode 100644 src/cryptography/hazmat/primitives/mac.py
diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
index 195fc230f..5281f634d 100644
--- a/src/cryptography/hazmat/backends/openssl/cmac.py
+++ b/src/cryptography/hazmat/backends/openssl/cmac.py
@@ -11,10 +11,11 @@ from cryptography.exceptions import (
UnsupportedAlgorithm,
_Reasons,
)
-from cryptography.hazmat.primitives import constant_time
+from cryptography.hazmat.primitives import constant_time, mac
from cryptography.hazmat.primitives.ciphers.modes import CBC
+@utils.register_interface(mac.MACContext)
class _CMACContext(object):
def __init__(self, backend, algorithm, ctx=None):
if not backend.cmac_algorithm_supported(algorithm):
diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
index 5024223b2..11c850e10 100644
--- a/src/cryptography/hazmat/backends/openssl/hmac.py
+++ b/src/cryptography/hazmat/backends/openssl/hmac.py
@@ -11,9 +11,10 @@ from cryptography.exceptions import (
UnsupportedAlgorithm,
_Reasons,
)
-from cryptography.hazmat.primitives import constant_time, hashes
+from cryptography.hazmat.primitives import constant_time, hashes, mac
+@utils.register_interface(mac.MACContext)
@utils.register_interface(hashes.HashContext)
class _HMACContext(object):
def __init__(self, backend, key, algorithm, ctx=None):
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 4d0dac764..c9074f59e 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -73,6 +73,10 @@ class _Certificate(object):
self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
return _asn1_integer_to_int(self._backend, asn1_int)
+ @property
+ def serial(self):
+ return self.serial_number
+
def public_key(self):
pkey = self._backend._lib.X509_get_pubkey(self._x509)
if pkey == self._backend._ffi.NULL:
diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
index 5f9b67786..886d7565b 100644
--- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
@@ -39,3 +39,11 @@ class Prehashed(object):
self._digest_size = algorithm.digest_size
digest_size = utils.read_only_property("_digest_size")
+
+
+def decode_rfc6979_signature(signature):
+ return decode_dss_signature(signature)
+
+
+def encode_rfc6979_signature(r, s):
+ return encode_dss_signature(r, s)
diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py
index bf962c906..7f37f13cc 100644
--- a/src/cryptography/hazmat/primitives/cmac.py
+++ b/src/cryptography/hazmat/primitives/cmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
)
from cryptography.hazmat.backends import _get_backend
from cryptography.hazmat.backends.interfaces import CMACBackend
-from cryptography.hazmat.primitives import ciphers
+from cryptography.hazmat.primitives import ciphers, mac
+@utils.register_interface(mac.MACContext)
class CMAC(object):
def __init__(self, algorithm, backend=None, ctx=None):
backend = _get_backend(backend)
diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py
index 8c421dc68..6f03a1071 100644
--- a/src/cryptography/hazmat/primitives/hmac.py
+++ b/src/cryptography/hazmat/primitives/hmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
)
from cryptography.hazmat.backends import _get_backend
from cryptography.hazmat.backends.interfaces import HMACBackend
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, mac
+@utils.register_interface(mac.MACContext)
@utils.register_interface(hashes.HashContext)
class HMAC(object):
def __init__(self, key, algorithm, backend=None, ctx=None):
diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py
new file mode 100644
index 000000000..4c95190ba
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/mac.py
@@ -0,0 +1,37 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+
+@six.add_metaclass(abc.ABCMeta)
+class MACContext(object):
+ @abc.abstractmethod
+ def update(self, data):
+ """
+ Processes the provided bytes.
+ """
+
+ @abc.abstractmethod
+ def finalize(self):
+ """
+ Returns the message authentication code as bytes.
+ """
+
+ @abc.abstractmethod
+ def copy(self):
+ """
+ Return a MACContext that is a copy of the current context.
+ """
+
+ @abc.abstractmethod
+ def verify(self, signature):
+ """
+ Checks if the generated message authentication code matches the
+ signature.
+ """
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index 130ba69b8..ddbccdf3b 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object):
@classmethod
def from_issuer_subject_key_identifier(cls, ski):
+ if isinstance(ski, SubjectKeyIdentifier):
+ digest = ski.digest
+ else:
+ digest = ski.value.digest
return cls(
- key_identifier=ski.digest,
+ key_identifier=digest,
authority_cert_issuer=None,
authority_cert_serial_number=None,
)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 2f7e7bebf..73c17d84f 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object):
res = backend._lib.ENGINE_free(e)
assert res == 1
+ def test_rhel8_no_osrandom(self):
+ pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667")
+
@pytest.mark.skipif(
backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE,
diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
index 70bff012f..334b459b5 100644
--- a/tests/hazmat/primitives/test_asym_utils.py
+++ b/tests/hazmat/primitives/test_asym_utils.py
@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
Prehashed,
decode_dss_signature,
encode_dss_signature,
+ encode_rfc6979_signature,
+ decode_rfc6979_signature
)
@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1():
def test_pass_invalid_prehashed_arg():
with pytest.raises(TypeError):
Prehashed(object())
+
+
+def test_deprecated_rfc6979_signature():
+ sig = encode_rfc6979_signature(1, 1)
+ assert sig == b"0\x06\x02\x01\x01\x02\x01\x01"
+ decoded = decode_rfc6979_signature(sig)
+ assert decoded == (1, 1)
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 11c80816c..e5bdf17d4 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -685,6 +685,7 @@ class TestRSACertificate(object):
)
assert isinstance(cert, x509.Certificate)
assert cert.serial_number == 11559813051657483483
+ assert cert.serial == cert.serial_number
fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 2cd216fb6..ac2b2c03d 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object):
)
assert ext.value == aki
+ aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
+ ski_ext
+ )
+ assert ext.value == aki
+
class TestNameConstraints(object):
def test_ipaddress_wrong_type(self):
--
2.26.2

86
SOURCES/0002-Support-pytest-3.4.2.patch
View File

@ -1,86 +0,0 @@
From c1c1b14d359b1360e7d14a7c0687bef9ed6fc17c Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Wed, 28 Oct 2020 14:27:55 +0100
Subject: [PATCH 2] Support pytest 3.4.2
---
setup.py | 3 ++-
tests/conftest.py | 4 ++--
tests/test_utils.py | 4 ++--
tests/utils.py | 2 +-
4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/setup.py b/setup.py
index 82800a96e..5678db004 100644
--- a/setup.py
+++ b/setup.py
@@ -93,7 +93,8 @@ setup(
extras_require={
":python_version < '3'": ["enum34", "ipaddress"],
"test": [
- "pytest>=3.6.0,!=3.9.0,!=3.9.1,!=3.9.2",
+ "pytest>=3.4.2,<3.6",
+ "attrs>=17.4.0,<18.0",
"pretend",
"iso8601",
"pytz",
diff --git a/tests/conftest.py b/tests/conftest.py
index 4e3124fa7..53c194830 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -42,7 +42,7 @@ def pytest_generate_tests(metafunc):
def pytest_runtest_setup(item):
if openssl_backend._fips_enabled:
- for marker in item.iter_markers(name="skip_fips"):
+ for marker in item.get_marker(name="skip_fips") or []:
pytest.skip(marker.kwargs["reason"])
@@ -50,7 +50,7 @@ def pytest_runtest_setup(item):
def backend(request):
required_interfaces = [
mark.kwargs["interface"]
- for mark in request.node.iter_markers("requires_backend_interface")
+ for mark in request.node.get_marker("requires_backend_interface") or []
]
if not all(
isinstance(openssl_backend, iface) for iface in required_interfaces
diff --git a/tests/test_utils.py b/tests/test_utils.py
index d6afa3b34..e0a1be4f5 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -43,7 +43,7 @@ def test_check_backend_support_skip():
supported = pretend.stub(
kwargs={"only_if": lambda backend: False, "skip_message": "Nope"}
)
- node = pretend.stub(iter_markers=lambda x: [supported])
+ node = pretend.stub(get_marker=lambda x: [supported])
item = pretend.stub(node=node)
with pytest.raises(pytest.skip.Exception) as exc_info:
check_backend_support(True, item)
@@ -54,7 +54,7 @@ def test_check_backend_support_no_skip():
supported = pretend.stub(
kwargs={"only_if": lambda backend: True, "skip_message": "Nope"}
)
- node = pretend.stub(iter_markers=lambda x: [supported])
+ node = pretend.stub(get_marker=lambda x: [supported])
item = pretend.stub(node=node)
assert check_backend_support(None, item) is None
diff --git a/tests/utils.py b/tests/utils.py
index 5d98af00e..a08f79c34 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -27,7 +27,7 @@ KeyedHashVector = collections.namedtuple(
def check_backend_support(backend, item):
- for mark in item.node.iter_markers("supported"):
+ for mark in item.node.get_marker("supported") or []:
if not mark.kwargs["only_if"](backend):
pytest.skip("{} ({})".format(mark.kwargs["skip_message"], backend))
--
2.26.2

73
SOURCES/0003-Skip-iso8601-test-cases.patch
View File

@ -1,73 +0,0 @@
From bea141d25bd2bc4eea7527e2d6ec1d85b2b3806d Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 29 Oct 2020 09:21:06 +0100
Subject: [PATCH 3] Skip iso8601 test cases
---
tests/test_fernet.py | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/tests/test_fernet.py b/tests/test_fernet.py
index 38409b03e..343f3e4ec 100644
--- a/tests/test_fernet.py
+++ b/tests/test_fernet.py
@@ -10,7 +10,10 @@ import json
import os
import time
-import iso8601
+try:
+ import iso8601
+except ImportError:
+ iso8601 = None
import pytest
@@ -24,6 +27,12 @@ from cryptography.hazmat.primitives.ciphers import algorithms, modes
import cryptography_vectors
+skip_iso8601 = pytest.mark.skipif(
+ iso8601 is None,
+ reason="is8601 is not available"
+)
+
+
def json_parametrize(keys, filename):
vector_file = cryptography_vectors.open_vector_file(
os.path.join("fernet", filename), "r"
@@ -49,6 +58,7 @@ def test_default_backend():
skip_message="Does not support AES CBC",
)
class TestFernet(object):
+ @skip_iso8601
@json_parametrize(
("secret", "now", "iv", "src", "token"),
"generate.json",
@@ -62,6 +72,7 @@ class TestFernet(object):
)
assert actual_token == token.encode("ascii")
+ @skip_iso8601
@json_parametrize(
("secret", "now", "src", "ttl_sec", "token"),
"verify.json",
@@ -81,6 +92,7 @@ class TestFernet(object):
payload = f.decrypt(token.encode("ascii"), ttl=ttl_sec)
assert payload == src.encode("ascii")
+ @skip_iso8601
@json_parametrize(("secret", "token", "now", "ttl_sec"), "invalid.json")
def test_invalid(self, secret, token, now, ttl_sec, backend, monkeypatch):
f = Fernet(secret.encode("ascii"), backend=backend)
@@ -117,6 +129,7 @@ class TestFernet(object):
with pytest.raises(TypeError):
f.decrypt(u"")
+ @skip_iso8601
def test_timestamp_ignored_no_ttl(self, monkeypatch, backend):
f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
pt = b"encrypt me"
--
2.26.2

75
SOURCES/0004-Revert-remove-NPN-bindings.patch
View File

@ -1,75 +0,0 @@
From e8ed37e0d24a1cc7482ab816ed5f25243395b2ef Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 14 Dec 2020 14:13:53 +0100
Subject: [PATCH] Revert "remove NPN bindings -- you should be using ALPN!
(#4765)"
This reverts commit 99bf4e4605cbe54bad597da1ebe4cc323909083c.
---
src/_cffi_src/openssl/ssl.py | 20 +++++++++++++++++++-
tests/hazmat/bindings/test_openssl.py | 4 ++++
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index c38e309a1..fa854f5dd 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -138,6 +138,8 @@ static const long SSL3_RANDOM_SIZE;
static const long TLS_ST_BEFORE;
static const long TLS_ST_OK;
+static const long OPENSSL_NPN_NEGOTIATED;
+
typedef ... SSL_METHOD;
typedef ... SSL_CTX;
@@ -401,9 +403,25 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *);
long SSL_session_reused(SSL *);
+void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *,
+ int (*)(SSL *,
+ const unsigned char **,
+ unsigned int *,
+ void *),
+ void *);
+void SSL_CTX_set_next_proto_select_cb(SSL_CTX *,
+ int (*)(SSL *,
+ unsigned char **,
+ unsigned char *,
+ const unsigned char *,
+ unsigned int,
+ void *),
+ void *);
int SSL_select_next_proto(unsigned char **, unsigned char *,
const unsigned char *, unsigned int,
const unsigned char *, unsigned int);
+void SSL_get0_next_proto_negotiated(const SSL *,
+ const unsigned char **, unsigned *);
int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
@@ -601,7 +619,7 @@ static const long Cryptography_HAS_TLSv1_2 = 1;
static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
-static const long Cryptography_HAS_NEXTPROTONEG = 0;
+static const long Cryptography_HAS_NEXTPROTONEG = 1;
static const long Cryptography_HAS_ALPN = 1;
#if CRYPTOGRAPHY_IS_LIBRESSL
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index ecee34091..aeb12a0dc 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -137,3 +137,7 @@ class TestOpenSSL(object):
)
with pytest.raises(RuntimeError):
_verify_openssl_version(lib)
+
+ def test_npn_binding(self):
+ b = Binding()
+ assert b.lib.Cryptography_HAS_NEXTPROTONEG
--
2.29.2

18
SOURCES/0005-CVE-2020-36242.patch
View File

@ -1,18 +0,0 @@
From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 7 Feb 2021 11:04:43 -0600
Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index 2b10681b31..0f96795fdc 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -16,7 +16,7 @@
class _CipherContext(object):
_ENCRYPT = 1
_DECRYPT = 0
- _MAX_CHUNK_SIZE = 2 ** 31 - 1
+ _MAX_CHUNK_SIZE = 2 ** 30 - 1
def __init__(self, backend, cipher, mode, operation):
self._backend = backend

277
SPECS/python-cryptography.spec
View File

@ -1,277 +0,0 @@
%{!?python3_pkgversion:%global python3_pkgversion 3}
%global srcname cryptography
# rhbz#2172416: from_buffer(..., require_writable=True)
%global cffi_version 1.11.5-6
Name: python-%{srcname}
Version: 3.2.1
Release: 7%{?dist}
Summary: PyCA's cryptography library
Group: Development/Libraries
License: ASL 2.0 or BSD
URL: https://cryptography.io/en/latest/
Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
Patch0001: 0001-Re-add-deprecated-and-removed-features.patch
Patch0002: 0002-Support-pytest-3.4.2.patch
Patch0003: 0003-Skip-iso8601-test-cases.patch
Patch0004: 0004-Revert-remove-NPN-bindings.patch
Patch0005: 0005-CVE-2020-36242.patch
# https://github.com/pyca/cryptography/pull/8230
Patch0006: 0006-CVE-2023-23931.patch
BuildRequires: openssl-devel
BuildRequires: gcc
BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-pytest >= 3.4.2
BuildRequires: python%{python3_pkgversion}-setuptools
BuildRequires: python%{python3_pkgversion}-pretend
# BuildRequires: python{python3_pkgversion}-iso8601
BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version}
BuildRequires: python%{python3_pkgversion}-pytz
BuildRequires: python%{python3_pkgversion}-six >= 1.4.1
BuildRequires: python%{python3_pkgversion}-cffi >= %{cffi_version}
%description
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%package -n python%{python3_pkgversion}-%{srcname}
Group: Development/Libraries
Summary: PyCA's cryptography library
%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
Requires: openssl-libs
Requires: python%{python3_pkgversion}-six >= 1.4.1
Requires: python%{python3_pkgversion}-cffi >= %{cffi_version}
Conflicts: python%{python3_pkgversion}-cryptography-vectors < %{version}
Conflicts: python%{python3_pkgversion}-cryptography-vectors > %{version}
%description -n python%{python3_pkgversion}-%{srcname}
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%prep
%autosetup -p1 -n %{srcname}-%{version}
%build
%py3_build
%install
# Actually other *.c and *.h are appropriate
# see https://github.com/pyca/cryptography/issues/1463
find . -name .keep -print -delete
%py3_install
%check
# workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644
rm -f tests/hazmat/primitives/test_padding.py
# don't run hypothesis tests
rm -rf tests/hypothesis
PYTHONPATH=%{buildroot}%{python3_sitearch} \
%{__python3} -m pytest \
-k "not test_decrypt_invalid_decrypt"
%files -n python%{python3_pkgversion}-%{srcname}
%doc README.rst docs
%license LICENSE LICENSE.APACHE LICENSE.BSD
%{python3_sitearch}/%{srcname}
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
%changelog
* Fri Dec 01 2023 Christian Heimes <cheimes@redhat.com> - 3.2.1-7
- Fix FTBFS caused by rsa_pkcs1_implicit_rejection OpenSSL feature, resolves: RHEL-17873
* Wed Feb 22 2023 Christian Heimes <cheimes@redhat.com> - 3.2.1-6
- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2172404
* Tue Jun 08 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-5
- Rebuild for RHEL 8.5
- Resolves: rhbz#1933071
* Tue Feb 09 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-4
- CVE-2020-36242: Fixed a bug where certain sequences of update() calls
when symmetrically encrypting very large payloads (>2GB) could result
in an integer overflow, leading to buffer overflows.
- Resolves: rhbz#1926528
* Mon Dec 14 17:24:01 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-3
- Conflict with non-matching vector package
* Mon Dec 14 14:19:42 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-2
- Re-add remove NPN bindings, required for pyOpenSSL
- Resolves: rhbz#1907429
* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
- Rebase to upstream release 3.2.1
- Resolves: rhbz#1873581
- Resolves: rhbz#1778939
- Removed dependencies on python-asn1crypto, python-idna
* Tue Nov 12 2019 Christian Heimes <cheimes@redhat.com> - 2.3-3
- Don't activate custom osrandom engine for FIPS compliance
- Resolves: rhbz#1762667
* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
- Use TLSv1.2 in test as workaround for RHBZ#1615099
- Resolves: RHBZ#1611738
* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
- New upstream release 2.3
- Fix AEAD tag truncation bug, CVE-2018-10903, RHBZ#1602755, RHBZ#1602932
* Tue Jun 19 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-2
- Drop Python 2 subpackages from RHEL 8, fixes RHBZ#1589754
- Remove unnecessary copy and shebang mangling
* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
- New upstream release 2.2.1
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
- New upstream release 2.1.4
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
- Build requires gcc
* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Nov 23 2017 Haïkel Guémar <hguemar@fedoraproject.org> - 2.1.3-1
- Upstream 2.1.3
* Tue Oct 24 2017 Christian Heimes <cheimes@redhat.com> - 2.1-2
- Change Requires to openssl-libs
* Thu Oct 12 2017 Christian Heimes <cheimes@redhat.com> - 2.1-1
- New upstream release 2.1
* Wed Sep 27 2017 Troy Dawson <tdawson@redhat.com> - 2.0.2-3
- Cleanup spec file conditionals
* Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-2
- Add workaround for pytest bug
* Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-1
- New upstream release 2.0.2
- Modernize spec
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Jun 27 2017 Christian Heimes <cheimes@redhat.com> - 1.9-1
- Upstream release 1.9
* Wed Feb 15 2017 Christian Heimes <cheimes@redhat.com> - 1.7.2-1
- Update to latest upstream
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Jan 05 2017 Matěj Cepl <mcepl@redhat.com> - 1.7.1-1
- Update to the latest upstream.
- Add a patch from https://github.com/pyca/cryptography/pull/3328
* Tue Dec 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-5
- Enable tests
* Mon Dec 12 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-4
- Rebuild for Python 3.6
- Disable python3 tests for now
* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-3
- Revert previous change
* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-2
- Disable tests on releases earlier than 24
* Mon Nov 07 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-1
- Update to v1.5.3
- Update source URL
- Add BR for pytz
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-4
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
* Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-3
- Remove versioned setuptools dependency
* Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-2
- Make it easier to build on EL7
* Tue May 03 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-1
- Update to v1.3.1
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Jan 11 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-2
- Move python-cryptograph => python2-cryptography
* Sat Jan 09 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-1
- Update to v1.2.1
* Wed Nov 11 2015 Robert Kuska <rkuska@redhat.com> - 1.1-1
- Update to v1.1
* Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 1.0.2-2
- Rebuilt for Python3.5 rebuild
* Wed Sep 30 2015 Matěj Cepl <mcepl@redhat.com> - 1.0.2-1
- New upstream release (fix #1267548)
* Wed Aug 12 2015 Nathaniel McCallum <npmccallum@redhat.com> - 1.0-1
- New upstream release
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Thu May 14 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.9-1
- New upstream release
- Run tests on RHEL
- New deps: python-idna, python-ipaddress
* Fri Apr 17 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8.2-1
- New upstream release
- Add python3-pyasn1 Requires (#1211073)
* Tue Apr 14 2015 Matej Cepl <mcepl@redhat.com> - 0.8-2
- Add python-pyasn1 Requires (#1211073)
* Fri Mar 13 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8-1
- New upstream release
- Remove upstreamed patch
* Wed Mar 04 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-2
- Add python3-cryptography-vectors build requires
- Add python-enum34 requires
* Tue Feb 03 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-1
- New upstream release. BSD is now an optional license.
- Fix test running on python3
- Add upstream patch to fix test paths
* Fri Nov 07 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-2
- Fix requires, for reasons why other development files were not
eliminated see https://github.com/pyca/cryptography/issues/1463.
* Wed Nov 05 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-1
- New upstream release.
* Sun Jun 29 2014 Terry Chia <terrycwk1994@gmail.com> 0.4-1
- initial version

22
conftest-skipper.py Normal file
View File

@ -0,0 +1,22 @@
class Skipper:
"""Skip iso8601 and pretend tests
RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
all tests that use the excluded modules.
"""
def parse_date(self, datestring):
pytest.skip(f"iso8601 module is not available.")
def stub(self, **kwargs):
pytest.skip(f"pretend module is not available.")
def raiser(self, exc):
pytest.skip(f"pretend module is not available.")
import sys
sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()

7
gating.yaml Normal file
View File

@ -0,0 +1,7 @@
# recipients: abokovoy, frenaud, kaleem, ftrivino, cheimes
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

318
python-cryptography.spec Normal file
View File

@ -0,0 +1,318 @@
%bcond_without tests
%{!?python3_pkgversion:%global python3_pkgversion 3}
%global srcname cryptography
%global pyo3_version 0.13.1
Name: python-%{srcname}
Version: 36.0.1
Release: 4%{?dist}
Summary: PyCA's cryptography library
License: ASL 2.0 or BSD
URL: https://cryptography.io/en/latest/
Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
# created by ./vendor_rust.py helper script
Source1: cryptography-%{version}-vendor.tar.bz2
Source2: conftest-skipper.py
Patch1: 0001-Block-TripleDES-in-FIPS-mode-6879.patch
Patch2: 0002-Disable-DSA-tests-in-FIPS-mode-6916.patch
Patch3: 0003-fixes-6927-handle-negative-return-values-from-openss.patch
Patch4: 0004-Disable-test_openssl_assert_error_on_stack-in-FIPS-m.patch
Patch5: 0005-Fixed-serialization-of-keyusage-ext-with-no-bits-693.patch
# https://github.com/pyca/cryptography/pull/8230
Patch6: 0006-CVE-2023-23931.patch
Patch7: 0007-Adapt-for-OpenSSL-RSA-bleichenbacher-mitigation-7895.patch
ExclusiveArch: %{rust_arches}
BuildRequires: openssl-devel
BuildRequires: gcc
BuildRequires: gnupg2
%if 0%{?fedora}
BuildRequires: rust-packaging
%else
BuildRequires: rust-toolset
%endif
BuildRequires: python%{python3_pkgversion}-cffi >= 1.7
BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-setuptools
BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3
BuildRequires: python%{python3_pkgversion}-six >= 1.4.1
%if %{with tests}
%if 0%{?fedora}
BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4
BuildRequires: python%{python3_pkgversion}-iso8601
BuildRequires: python%{python3_pkgversion}-pretend
BuildRequires: python%{python3_pkgversion}-pytest-xdist
%endif
BuildRequires: python%{python3_pkgversion}-pytest >= 6.0
BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2
BuildRequires: python%{python3_pkgversion}-pytz
%endif
%description
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%package -n python%{python3_pkgversion}-%{srcname}
Summary: PyCA's cryptography library
%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
Requires: openssl-libs
Requires: python%{python3_pkgversion}-six >= 1.4.1
Requires: python%{python3_pkgversion}-cffi >= 1.7
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
# Can be safely removed in Fedora 37
Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7
%endif
%description -n python%{python3_pkgversion}-%{srcname}
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%prep
%autosetup -p1 -n %{srcname}-%{version}
%generate_buildrequires
%if 0%{?fedora}
# Fedora: use cargo macros to make use of RPMified crates
%cargo_prep
cd src/rust
rm -f Cargo.lock
%cargo_generate_buildrequires
cd ../..
%else
# RHEL: use vendored Rust crates
%cargo_prep -V 1
%endif
%build
%py3_build
%install
# Actually other *.c and *.h are appropriate
# see https://github.com/pyca/cryptography/issues/1463
find . -name .keep -print -delete
%py3_install
%check
%if %{with tests}
%if 0%{?rhel}
# skip hypothesis tests on RHEL
rm -rf tests/hypothesis
# append skipper to skip iso8601 and pretend tests
cat < %{SOURCE2} >> tests/conftest.py
%endif
# enable SHA-1 signatures for RSA tests
# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
export OPENSSL_ENABLE_SHA1_SIGNATURES=yes
# see rhbz#2042413 for memleak. It's unstable with openssl 3.0.1 and makes
# not much sense for downstream testing.
# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure
PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
%{__python3} -m pytest \
-k "not (test_openssl_memleak or test_load_ecdsa_no_named_curve)"
%endif
%files -n python%{python3_pkgversion}-%{srcname}
%doc README.rst docs
%license LICENSE LICENSE.APACHE LICENSE.BSD
%{python3_sitearch}/%{srcname}
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
%changelog
* Mon May 15 2023 Christian Heimes <cheimes@redhat.com> - 36.0.1-4
- Fix FTBFS caused by rsa_pkcs1_implicit_rejection OpenSSL feature, resolves rhbz#2203840
* Wed Feb 22 2023 Christian Heimes <cheimes@redhat.com> - 36.0.1-3
- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2172399
- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt
* Tue Apr 19 2022 Christian Heimes <cheimes@redhat.com> - 36.0.1-2
- Rebuild for gating, related: rhbz#2060787
* Fri Mar 04 2022 Christian Heimes <cheimes@redhat.com> - 36.0.1-6
- Rebase to 36.0.1, related: rhbz#2059630, rhbz#2060787
- OpenSSL 3.0 FIPS mode is now detected correctly, related: rhbz#2054785
- Fix error check from EVP_PKEY_CTX_set_signature_md, related: rhbz#2060343
- Block 3DES in FIPS mode, related: rhbz#2055209
- Disable DSA tests in FIPS mode
- Enable SHA1 signatures in test suite
- Fix serialization of keyusage ext with no bits
- Re-enable tests that are passing again
* Tue Feb 08 2022 Tomas Orsava <torsava@redhat.com> - 3.4.7-8
- Skip unstable memleak tests, backported from Fedora (BZ#2042413)
- Related: rhbz#1990421
* Tue Feb 08 2022 Tomas Orsava <torsava@redhat.com> - 3.4.7-7
- Add automatically generated Obsoletes tag with the python39- prefix
for smoother upgrade from RHEL8
- Related: rhbz#1990421
* Tue Jan 18 2022 Christian Heimes <cheimes@redhat.com> - 3.4.7-6
- Fix gating issues, resolves: rhbz#2039768
- Fix poly1305 test, resolves: rhbz#2043582
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.4.7-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Sun Aug 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-4
- Remove bindings to ERR_GET_FUNC, which has been removed in 3.0.0-beta2
- Resolves: rhbz#1953446
* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.4.7-3
- Rebuilt for RHEL 9 BETA for openssl 3.0
- Related: rhbz#1971065
* Mon Apr 26 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-2
- Add backports of OpenSSL 3.0.0 fixes (upstream PR #6000)
- Resolves: rhbz#1953446
* Wed Apr 21 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-1
- Update to 3.4.7
- Remove dependency on python-cryptography-vectors package and use vectors
directly from Github source tar ball. Related: rhbz#1952343
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.4.6-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Mar 03 2021 Christian Heimes <cheimes@redhat.com> - 3.4.6-1
- Update to 3.4.6 (#1927044)
* Mon Feb 15 2021 Christian Heimes <cheimes@redhat.com> - 3.4.5-1
- Update to 3.4.5 (#1927044)
* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-3
- Skip iso8601 and pretend tests on RHEL
* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-2
- Provide RHEL build infrastructure
* Wed Feb 10 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-1
- Update to 3.4.4 (#1927044)
* Mon Feb 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.2-1
- Update to 3.4.2 (#1926339)
- Package no longer depends on Rust (#1926181)
* Mon Feb 08 2021 Fabio Valentini <decathorpe@gmail.com> - 3.4.1-2
- Use dynamically generated BuildRequires for PyO3 Rust module.
- Drop unnecessary CARGO_NET_OFFLINE environment variable.
* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4.1-1
- Update to 3.4.1 (#1925953)
* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-2
- Add missing abi3 and pytest dependencies
* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-1
- Update to 3.4 (#1925953)
- Remove Python 2 support
- Remove unused python-idna dependency
- Add Rust support
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Dec 10 2020 Christian Heimes <cheimes@redhat.com> - 3.3.1-1
- Update to 3.3.1 (#1905756)
* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
- Update to 3.2.1 (#1892153)
* Mon Oct 26 2020 Christian Heimes <cheimes@redhat.com> - 3.2-1
- Update to 3.2 (#1891378)
* Mon Sep 07 2020 Christian Heimes <cheimes@redhat.com> - 3.1-1
- Update to 3.1 (#1872978)
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 21 2020 Christian Heimes <cheimes@redhat.com> - 3.0-1
- Update to 3.0 (#185897)
* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9-3
- Rebuilt for Python 3.9
* Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2
- add source file verification
* Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1
- Update to 2.9 (#1820348)
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Jan 13 2020 Christian Heimes <cheimes@redhat.com> - 2.8-2
- cryptography 2.8+ no longer depends on python-asn1crypto
* Thu Oct 17 2019 Christian Heimes <cheimes@redhat.com> - 2.8-1
- Update to 2.8
- Resolves: rhbz#1762779
* Sun Oct 13 2019 Christian Heimes <cheimes@redhat.com> - 2.7-3
- Skip unit tests that fail with OpenSSL 1.1.1.d
- Resolves: rhbz#1761194
- Fix and simplify Python 3 packaging
* Sat Oct 12 2019 Christian Heimes <cheimes@redhat.com> - 2.7-2
- Drop Python 2 package
- Resolves: rhbz#1761081
* Tue Sep 03 2019 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.7-1
- Update to 2.7 (#1715680).
* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.1-3
- Rebuilt for Python 3.8
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Feb 28 2019 Christian Heimes <cheimes@redhat.com> - 2.6.1-1
- New upstream release 2.6.1, resolves RHBZ#1683691
* Wed Feb 13 2019 Alfredo Moralejo <amoralej@redhat.com> - 2.5-1
- Updated to 2.5.
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
- Use TLSv1.2 in test as workaround for RHBZ#1615143
* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
- New upstream release 2.3
- Fix AEAD tag truncation bug, RHBZ#1602752
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.1-2
- Rebuilt for Python 3.7
* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
- New upstream release 2.2.1
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
- New upstream release 2.1.4
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
- Build requires gcc
* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (cryptography-36.0.1.tar.gz) = ea37b0f3941a02a8a2b0203174e2aba061800ece6803814e2360444490aa2d4007f7215b4f014a99912ae54230141d90c1b8eed61ba1826433c5a2d6f4106a21
SHA512 (cryptography-36.0.1-vendor.tar.bz2) = b381c850f6ab346cdf6c0764e88ee3fc3cae132f83742059993574de540e40322892f28ae3c813b34cb5648995e9f4fa0eeb7991aa84ced155fe3e1a1d236cd0

68
tests/tests.yml Normal file
View File

@ -0,0 +1,68 @@
---
#
# 1minutetip --buildroot rhel9
#
- hosts: localhost
tags:
- classic
roles:
- role: standard-test-source
- role: standard-test-basic
required_packages:
- python3-cryptography
- python3-pytest
- python3-pytest-subtests
environment:
PYTHONPATH: "{{ srcdir }}/vectors"
OPENSSL_ENABLE_SHA1_SIGNATURES: "yes"
tests:
- remove_hypothesis:
# remove tests that depend on python3-hypothesis package
dir: "source"
run: rm -rf tests/hypothesis/
- remove_iso8601:
# remove tests that depend on python3-iso8601 package
dir: "source"
run: rm -rf tests/test_fernet.py
- remove_scrypt:
# scrypt tests require more memory than available
dir: "source"
run: rm -f tests/hazmat/primitives/test_scrypt.py
- patch_conftest:
dir: "source"
run: "cat ../conftest-skipper.py >> tests/conftest.py"
# tests take some time, split up to avoid CI timeouts.
- unittests-basic:
dir: "source"
run: pytest-3 tests/test_*.py
- unittests-x509:
dir: "source"
run: pytest-3 tests/x509/
- unittests-hazmat:
dir: "source"
run: pytest-3 -k 'not test_openssl_memleak' tests/hazmat/backends/ tests/hazmat/bindings/
- unittests-primitives-aead:
dir: "source"
run: pytest-3 tests/hazmat/primitives/test_aead.py
- unittests-primitives-aes:
dir: "source"
run: >-
pytest-3
tests/hazmat/primitives/test_aes.py::TestAESModeCBC
tests/hazmat/primitives/test_aes.py::TestAESModeCTR
tests/hazmat/primitives/test_aes_gcm.py::TestAESModeGCM
- unittests-primitives-a-e:
dir: "source"
run: >-
pytest-3
tests/hazmat/primitives/test_arc4.py
tests/hazmat/primitives/test_asym_utils.py
tests/hazmat/primitives/test_[b-e]*.py
- unittests-primitives-f-z:
dir: "source"
run: >-
pytest-3
tests/hazmat/primitives/test_[f-z]*.py
tests/hazmat/primitives/twofactor

112
vendor_rust.py Executable file
View File

@ -0,0 +1,112 @@
#!/usr/bin/python3
"""Vendor PyCA cryptography's Rust crates
"""
import argparse
import os
import re
import tarfile
import tempfile
import shutil
import subprocess
import sys
VENDOR_DIR = "vendor"
CARGO_TOML = "src/rust/Cargo.toml"
RE_VERSION = re.compile("Version:\s*(.*)")
parser = argparse.ArgumentParser(description="Vendor Rust packages")
parser.add_argument(
"--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
)
def cargo(cmd, manifest):
args = ["cargo", cmd, f"--manifest-path={manifest}"]
return subprocess.check_call(
args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
)
def tar_reset(tarinfo):
"""Reset user, group, mtime, and mode to create reproducible tar"""
tarinfo.uid = 0
tarinfo.gid = 0
tarinfo.uname = "root"
tarinfo.gname = "root"
tarinfo.mtime = 0
if tarinfo.type == tarfile.DIRTYPE:
tarinfo.mode = 0o755
else:
tarinfo.mode = 0o644
if tarinfo.pax_headers:
raise ValueError(tarinfo.name, tarinfo.pax_headers)
return tarinfo
def tar_reproducible(tar, basedir):
"""Create reproducible tar file"""
content = [basedir]
for root, dirs, files in os.walk(basedir):
for directory in dirs:
content.append(os.path.join(root, directory))
for filename in files:
content.append(os.path.join(root, filename))
content.sort()
for fn in content:
tar.add(fn, filter=tar_reset, recursive=False, arcname=fn)
def main():
args = parser.parse_args()
spec = args.spec
# change cwd to work in bundle directory
here = os.path.dirname(os.path.abspath(spec))
os.chdir(here)
# extract version number from bundle name
with open(spec) as f:
for line in f:
mo = RE_VERSION.search(line)
if mo is not None:
version = mo.group(1)
break
else:
raise ValueError(f"Cannot find version in {spec}")
bundle_file = f"cryptography-{version}.tar.gz"
vendor_file = f"cryptography-{version}-vendor.tar.bz2"
# remove existing vendor directory and file
if os.path.isdir(VENDOR_DIR):
shutil.rmtree(VENDOR_DIR)
try:
os.unlink(vendor_file)
except FileNotFoundError:
pass
print(f"Getting crates for {bundle_file}", file=sys.stderr)
# extract tar file in tempdir
# fetch and vendor Rust crates
with tempfile.TemporaryDirectory(dir=here) as tmp:
with tarfile.open(bundle_file) as tar:
tar.extractall(path=tmp)
manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
cargo("fetch", manifest)
cargo("vendor", manifest)
print("\nCreating tar ball...", file=sys.stderr)
with tarfile.open(vendor_file, "x:bz2") as tar:
tar_reproducible(tar, VENDOR_DIR)
# remove vendor dir
shutil.rmtree(VENDOR_DIR)
parser.exit(0, f"Created {vendor_file}\n")
if __name__ == "__main__":
main()