21 changed files with 877 additions and 994 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -1 +0,0 @@
 1
--- a/.gitignore
+++ b/.gitignore
@ -1,67 +1 @@
-/results_python-cryptography
+SOURCES/cryptography-3.2.1.tar.gz
 /*.src.rpm
 /cryptography-1.3.1.tar.gz
 /cryptography-1.5.3.tar.gz
 /cryptography-1.7.1.tar.gz
 /cryptography-1.7.2.tar.gz
 /cryptography-1.9.tar.gz
 /cryptography-2.0.2.tar.gz
 /cryptography-2.1.tar.gz
 /cryptography-2.1.3.tar.gz
 /cryptography-2.1.4.tar.gz
 /cryptography-2.2.1.tar.gz
 /cryptography-2.3.tar.gz
 /cryptography-2.5.tar.gz
 /cryptography-2.6.1.tar.gz
 /cryptography-2.7.tar.gz
 /cryptography-2.8.tar.gz
 /cryptography-2.9.tar.gz
 /cryptography-2.9.tar.gz.asc
 /cryptography-3.0.tar.gz
 /cryptography-3.0.tar.gz.asc
 /cryptography-3.1.tar.gz
 /cryptography-3.1.tar.gz.asc
 /cryptography-3.2.tar.gz
 /cryptography-3.2.tar.gz.asc
 /cryptography-3.2.1.tar.gz
 /cryptography-3.2.1.tar.gz.asc
 /cryptography-3.3.1.tar.gz
 /cryptography-3.3.1.tar.gz.asc
 /cryptography-3.4.tar.gz
 /cryptography-3.4.tar.gz.asc
 /cryptography-3.4.1.tar.gz
 /cryptography-3.4.1.tar.gz.asc
 /cryptography-3.4.2.tar.gz
 /cryptography-3.4.2.tar.gz.asc
 /cryptography-3.4.4.tar.gz
 /cryptography-3.4.4.tar.gz.asc
 /cryptography-3.4.5.tar.gz
 /cryptography-3.4.5.tar.gz.asc
 /cryptography-3.4.6.tar.gz
 /cryptography-3.4.6.tar.gz.asc
 /cryptography-3.4.7.tar.gz
 /cryptography-3.4.7-vendor.tar.bz2
 /cryptography-35.0.0.tar.gz
 /cryptography-35.0.0-vendor.tar.bz2
 /cryptography-36.0.0.tar.gz
 /cryptography-36.0.0-vendor.tar.bz2
 /cryptography-37.0.2.tar.gz
 /cryptography-37.0.2-vendor.tar.bz2
 /cryptography-39.0.2.tar.gz
 /cryptography-39.0.2-vendor.tar.bz2
 /cryptography-40.0.0.tar.gz
 /cryptography-40.0.0-vendor.tar.bz2
 /cryptography-40.0.1.tar.gz
 /cryptography-40.0.1-vendor.tar.bz2
 /cryptography-40.0.2.tar.gz
 /cryptography-40.0.2-vendor.tar.bz2
 /cryptography-41.0.3.tar.gz
 /cryptography-41.0.3-vendor.tar.bz2
 /cryptography-41.0.5-vendor.tar.bz2
 /cryptography-41.0.5.tar.gz
 /cryptography-41.0.7.tar.gz
 /cryptography-41.0.7-vendor.tar.bz2
 /cryptography-43.0.0.tar.gz
 /cryptography-43.0.0-vendor.tar.bz2
 /cryptography-48.0.0.tar.gz
 /cryptography-48.0.0-vendor.tar.bz2
--- a/.python-cryptography.metadata
+++ b/.python-cryptography.metadata
@ -0,0 +1 @@
 20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz
--- a/14819.patch
+++ b/14819.patch
@ -1,207 +0,0 @@
 From 744e9671dc8f2cc248b89a7b03bdbfa2b0299efe Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Sat, 9 May 2026 08:43:33 +0300
 Subject: [PATCH] fix: fall back to fresh context when EVP_CIPHER_CTX_copy
 fails
 EvpCipherAead pre-initialises a cipher context with the key and
 clones it per operation via EVP_CIPHER_CTX_copy.  When an older FIPS
 provider (e.g. OpenSSL 3.0.7 FIPS module) is loaded alongside a newer
 main library (>= 3.2), EVP_CIPHER_CTX_copy may fail because that
 provider version does not support copying a pre-keyed context.
 Add a copy_fallback field to EvpCipherAead that stores the cipher type
 and key.  If the per-operation copy() fails and a fallback is present,
 encrypt_into/decrypt_into re-initialise a fresh context from the stored
 parameters instead of propagating the error.
 AesGcm on OpenSSL >= 3.2 uses new_with_copy_fallback() to populate the
 field.  Other EvpCipherAead users (AESSIV, AESOCB3, AESGCMSIV,
 ChaCha20Poly1305) are unaffected: they are never used under FIPS so
 copy() never fails for them, and copy_fallback remains None.
 AES_GCM_TAG_LEN replaces the magic 16 literals throughout the AesGcm
 methods.
 Fixes: https://github.com/pyca/cryptography/issues/14795
 Assisted-by: Claude Code (Sonnet 4.6)
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 ---
 src/rust/src/backend/aead.rs | 122 ++++++++++++++++++++++++++++++++++-
 1 files changed, 119 insertions(+), 3 deletions(-)
 diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs
 index 842ef5fab2d9..79fdb7b9ab5a 100644
 --- a/src/rust/src/backend/aead.rs
 +++ b/src/rust/src/backend/aead.rs
@@ -31,9 +31,14 @@ pub(crate) struct EvpCipherAead {
     base_decryption_ctx: openssl::cipher_ctx::CipherCtx,
     tag_len: usize,
     tag_first: bool,
 +    // Cipher and key stored to reinitialise a fresh context when
 +    // EVP_CIPHER_CTX_copy fails (e.g. an older FIPS provider loaded alongside
 +    // a newer main library).  None for algorithms where copy always succeeds.
 +    copy_fallback: Option<(&'static openssl::cipher::CipherRef, Vec<u8>)>,
 }
 impl EvpCipherAead {
 +    #[cfg(not(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))]
     pub(crate) fn new(
         cipher: &openssl::cipher::CipherRef,
         key: &[u8],
@@ -50,6 +55,33 @@ impl EvpCipherAead {
             base_decryption_ctx,
             tag_len,
             tag_first,
 +            copy_fallback: None,
 +        })
 +    }
 +
 +    #[cfg(any(
 +        CRYPTOGRAPHY_OPENSSL_320_OR_GREATER,
 +        CRYPTOGRAPHY_IS_BORINGSSL,
 +        CRYPTOGRAPHY_IS_LIBRESSL,
 +        CRYPTOGRAPHY_IS_AWSLC
 +    ))]
 +    pub(crate) fn new_with_copy_fallback(
 +        cipher: &'static openssl::cipher::CipherRef,
 +        key: &[u8],
 +        tag_len: usize,
 +        tag_first: bool,
 +    ) -> CryptographyResult<EvpCipherAead> {
 +        let mut base_encryption_ctx = openssl::cipher_ctx::CipherCtx::new()?;
 +        base_encryption_ctx.encrypt_init(Some(cipher), Some(key), None)?;
 +        let mut base_decryption_ctx = openssl::cipher_ctx::CipherCtx::new()?;
 +        base_decryption_ctx.decrypt_init(Some(cipher), Some(key), None)?;
 +
 +        Ok(EvpCipherAead {
 +            base_encryption_ctx,
 +            base_decryption_ctx,
 +            tag_len,
 +            tag_first,
 +            copy_fallback: Some((cipher, key.to_vec())),
         })
     }
@@ -138,7 +170,13 @@ impl EvpCipherAead {
         buf: &mut [u8],
     ) -> CryptographyResult<()> {
         let mut ctx = openssl::cipher_ctx::CipherCtx::new()?;
 -        ctx.copy(&self.base_encryption_ctx)?;
 +        let copy_result = ctx.copy(&self.base_encryption_ctx);
 +        if copy_result.is_err() {
 +            match &self.copy_fallback {
 +                Some((cipher, key)) => ctx.encrypt_init(Some(*cipher), Some(key), None)?,
 +                None => copy_result?,
 +            }
 +        }
         Self::encrypt_with_context(
             ctx,
@@ -203,7 +241,13 @@ impl EvpCipherAead {
         buf: &mut [u8],
     ) -> CryptographyResult<()> {
         let mut ctx = openssl::cipher_ctx::CipherCtx::new()?;
 -        ctx.copy(&self.base_decryption_ctx)?;
 +        let copy_result = ctx.copy(&self.base_decryption_ctx);
 +        if copy_result.is_err() {
 +            match &self.copy_fallback {
 +                Some((cipher, key)) => ctx.decrypt_init(Some(*cipher), Some(key), None)?,
 +                None => copy_result?,
 +            }
 +        }
         Self::decrypt_with_context(
             ctx,
@@ -260,6 +304,73 @@ impl EvpCipherAead {
     }
 }
 +#[cfg(test)]
 +impl EvpCipherAead {
 +    // Build an instance whose base contexts are uninitialised so that
 +    // EVP_CIPHER_CTX_copy fails with EVP_R_INPUT_NOT_INITIALIZED, forcing
 +    // the encrypt_into / decrypt_into fallback branches (lines 175-177,
 +    // 246-248) to be exercised.
 +    fn with_copy_failure(
 +        copy_fallback: Option<(&'static openssl::cipher::CipherRef, Vec<u8>)>,
 +    ) -> CryptographyResult<Self> {
 +        Ok(EvpCipherAead {
 +            base_encryption_ctx: openssl::cipher_ctx::CipherCtx::new()?,
 +            base_decryption_ctx: openssl::cipher_ctx::CipherCtx::new()?,
 +            tag_len: 16,
 +            tag_first: false,
 +            copy_fallback,
 +        })
 +    }
 +}
 +
 +#[cfg(test)]
 +mod evp_cipher_aead_tests {
 +    use super::*;
 +
 +    // Exercise the Some branch of the copy-fallback match (lines 176, 247):
 +    // copy() fails → fallback reinitialises the context → round-trip succeeds.
 +    #[test]
 +    fn test_copy_fallback_some_roundtrip() {
 +        let key = vec![0u8; 16];
 +        let aead =
 +            EvpCipherAead::with_copy_failure(Some((openssl::cipher::Cipher::aes_128_gcm(), key)))
 +                .unwrap_or_else(|_| panic!("with_copy_failure"));
 +
 +        let nonce = [0u8; 12];
 +        let plaintext = b"hello fallback";
 +        // _py is unused inside encrypt_into / decrypt_into; the GIL token is
 +        // only there for API symmetry with LazyEvpCipherAead.
 +        let py = unsafe { pyo3::Python::assume_attached() };
 +
 +        let mut enc_buf = vec![0u8; plaintext.len() + 16];
 +        aead.encrypt_into(py, plaintext, None, Some(&nonce), &mut enc_buf)
 +            .unwrap_or_else(|_| panic!("encrypt_into"));
 +
 +        let mut dec_buf = vec![0u8; plaintext.len()];
 +        aead.decrypt_into(py, &enc_buf, None, Some(&nonce), &mut dec_buf)
 +            .unwrap_or_else(|_| panic!("decrypt_into"));
 +        assert_eq!(&dec_buf, plaintext);
 +    }
 +
 +    // Exercise the None branch of the copy-fallback match (lines 177, 248):
 +    // copy() fails and there is no fallback → the error must propagate.
 +    #[test]
 +    fn test_copy_fallback_none_propagates_error() {
 +        let aead =
 +            EvpCipherAead::with_copy_failure(None).unwrap_or_else(|_| panic!("with_copy_failure"));
 +        let nonce = [0u8; 12];
 +        let py = unsafe { pyo3::Python::assume_attached() };
 +
 +        let mut buf = vec![0u8; 20];
 +        assert!(aead
 +            .encrypt_into(py, b"data", None, Some(&nonce), &mut buf)
 +            .is_err());
 +        assert!(aead
 +            .decrypt_into(py, b"ciphertext+tag__", None, Some(&nonce), &mut buf)
 +            .is_err());
 +    }
 +}
 +
 struct LazyEvpCipherAead {
     cipher: &'static openssl::cipher::CipherRef,
     key: pyo3::Py<pyo3::PyAny>,
@@ -676,7 +787,12 @@ impl AesGcm {
                 CRYPTOGRAPHY_IS_AWSLC
             ))] {
                 Ok(AesGcm {
 -                    ctx: EvpCipherAead::new(cipher, key_buf.as_bytes(), 16, false)?,
 +                    ctx: EvpCipherAead::new_with_copy_fallback(
 +                        cipher,
 +                        key_buf.as_bytes(),
 +                        16,
 +                        false,
 +                    )?,
                 })
             } else {
                 Ok(AesGcm {
 --
 2.47.0
--- a/README.md
+++ b/README.md
@ -1,59 +0,0 @@
 # PyCA cryptography
 https://cryptography.io/en/latest/
 ## Packaging python-cryptography
 The example assumes
 * Fedora Rawhide (f34)
 * PyCA cryptography release ``3.4``
 * Update Bugzilla issue is ``RHBZ#00000001``
 ### Build new python-cryptography
 Switch and update branch
 ```shell
 fedpkg switch-branch rawhide
 fedpkg pull
 ```
 Bump version and get sources
 ```shell
 rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography.spec
 spectool -gf python-cryptography.spec
 ```
 Upload new source
 ```shell
 fedpkg new-sources cryptography-3.4.tar.gz
 ```
 Commit changes
 ```shell
 fedpkg commit --clog
 fedpkg push
 ```
 Build
 ```shell
 fedpkg build
 ```
 ## RHEL/CentOS builds
 RHEL and CentOS use a different approach for Rust crates packaging than
 Fedora. On Fedora Rust dependencies are packaged as RPMs, e.g.
 ``rust-pyo3+default-devel`` RPM. These packages don't exist on RHEL and
 CentOS. Instead python-cryptography uses a tar ball with vendored crates.
 The tar ball is created by a script:
 ```shell
 ./vendor_rust.py
 rhpkg upload cryptography-3.4-vendor.tar.bz2
 ```
--- a/SOURCES/0001-Re-add-deprecated-and-removed-features.patch
+++ b/SOURCES/0001-Re-add-deprecated-and-removed-features.patch
@ -0,0 +1,254 @@
 From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Tue, 27 Oct 2020 16:42:15 +0100
 Subject: [PATCH 1] Re-add deprecated and removed features
 * encode_rfc6979_signature()
 * decode_rfc6979_signature()
 * Certificate.serial property
 * MACContext
 * osrandom engine is disabled
 Signed-off-by: Christian Heimes <cheimes@redhat.com>
 ---
 .../hazmat/backends/openssl/cmac.py           |  3 +-
 .../hazmat/backends/openssl/hmac.py           |  3 +-
 .../hazmat/backends/openssl/x509.py           |  4 ++
 .../hazmat/primitives/asymmetric/utils.py     |  8 ++++
 src/cryptography/hazmat/primitives/cmac.py    |  3 +-
 src/cryptography/hazmat/primitives/hmac.py    |  3 +-
 src/cryptography/hazmat/primitives/mac.py     | 37 +++++++++++++++++++
 src/cryptography/x509/extensions.py           |  6 ++-
 tests/hazmat/backends/test_openssl.py         |  3 ++
 tests/hazmat/primitives/test_asym_utils.py    |  9 +++++
 tests/x509/test_x509.py                       |  1 +
 tests/x509/test_x509_ext.py                   |  5 +++
 12 files changed, 80 insertions(+), 5 deletions(-)
 create mode 100644 src/cryptography/hazmat/primitives/mac.py
 diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
 index 195fc230f..5281f634d 100644
 --- a/src/cryptography/hazmat/backends/openssl/cmac.py
 +++ b/src/cryptography/hazmat/backends/openssl/cmac.py
@@ -11,10 +11,11 @@ from cryptography.exceptions import (
     UnsupportedAlgorithm,
     _Reasons,
 )
 -from cryptography.hazmat.primitives import constant_time
 +from cryptography.hazmat.primitives import constant_time, mac
 from cryptography.hazmat.primitives.ciphers.modes import CBC
 +@utils.register_interface(mac.MACContext)
 class _CMACContext(object):
     def __init__(self, backend, algorithm, ctx=None):
         if not backend.cmac_algorithm_supported(algorithm):
 diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
 index 5024223b2..11c850e10 100644
 --- a/src/cryptography/hazmat/backends/openssl/hmac.py
 +++ b/src/cryptography/hazmat/backends/openssl/hmac.py
@@ -11,9 +11,10 @@ from cryptography.exceptions import (
     UnsupportedAlgorithm,
     _Reasons,
 )
 -from cryptography.hazmat.primitives import constant_time, hashes
 +from cryptography.hazmat.primitives import constant_time, hashes, mac
 +@utils.register_interface(mac.MACContext)
 @utils.register_interface(hashes.HashContext)
 class _HMACContext(object):
     def __init__(self, backend, key, algorithm, ctx=None):
 diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
 index 4d0dac764..c9074f59e 100644
 --- a/src/cryptography/hazmat/backends/openssl/x509.py
 +++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -73,6 +73,10 @@ class _Certificate(object):
         self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
         return _asn1_integer_to_int(self._backend, asn1_int)
 +    @property
 +    def serial(self):
 +        return self.serial_number
 +
     def public_key(self):
         pkey = self._backend._lib.X509_get_pubkey(self._x509)
         if pkey == self._backend._ffi.NULL:
 diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
 index 5f9b67786..886d7565b 100644
 --- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
 +++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
@@ -39,3 +39,11 @@ class Prehashed(object):
         self._digest_size = algorithm.digest_size
     digest_size = utils.read_only_property("_digest_size")
 +
 +
 +def decode_rfc6979_signature(signature):
 +    return decode_dss_signature(signature)
 +
 +
 +def encode_rfc6979_signature(r, s):
 +    return encode_dss_signature(r, s)
 diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py
 index bf962c906..7f37f13cc 100644
 --- a/src/cryptography/hazmat/primitives/cmac.py
 +++ b/src/cryptography/hazmat/primitives/cmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
 )
 from cryptography.hazmat.backends import _get_backend
 from cryptography.hazmat.backends.interfaces import CMACBackend
 -from cryptography.hazmat.primitives import ciphers
 +from cryptography.hazmat.primitives import ciphers, mac
 +@utils.register_interface(mac.MACContext)
 class CMAC(object):
     def __init__(self, algorithm, backend=None, ctx=None):
         backend = _get_backend(backend)
 diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py
 index 8c421dc68..6f03a1071 100644
 --- a/src/cryptography/hazmat/primitives/hmac.py
 +++ b/src/cryptography/hazmat/primitives/hmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
 )
 from cryptography.hazmat.backends import _get_backend
 from cryptography.hazmat.backends.interfaces import HMACBackend
 -from cryptography.hazmat.primitives import hashes
 +from cryptography.hazmat.primitives import hashes, mac
 +@utils.register_interface(mac.MACContext)
 @utils.register_interface(hashes.HashContext)
 class HMAC(object):
     def __init__(self, key, algorithm, backend=None, ctx=None):
 diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py
 new file mode 100644
 index 000000000..4c95190ba
 --- /dev/null
 +++ b/src/cryptography/hazmat/primitives/mac.py
@@ -0,0 +1,37 @@
 +# This file is dual licensed under the terms of the Apache License, Version
 +# 2.0, and the BSD License. See the LICENSE file in the root of this repository
 +# for complete details.
 +
 +from __future__ import absolute_import, division, print_function
 +
 +import abc
 +
 +import six
 +
 +
 +@six.add_metaclass(abc.ABCMeta)
 +class MACContext(object):
 +    @abc.abstractmethod
 +    def update(self, data):
 +        """
 +        Processes the provided bytes.
 +        """
 +
 +    @abc.abstractmethod
 +    def finalize(self):
 +        """
 +        Returns the message authentication code as bytes.
 +        """
 +
 +    @abc.abstractmethod
 +    def copy(self):
 +        """
 +        Return a MACContext that is a copy of the current context.
 +        """
 +
 +    @abc.abstractmethod
 +    def verify(self, signature):
 +        """
 +        Checks if the generated message authentication code matches the
 +        signature.
 +        """
 diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
 index 130ba69b8..ddbccdf3b 100644
 --- a/src/cryptography/x509/extensions.py
 +++ b/src/cryptography/x509/extensions.py
@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object):
     @classmethod
     def from_issuer_subject_key_identifier(cls, ski):
 +        if isinstance(ski, SubjectKeyIdentifier):
 +            digest = ski.digest
 +        else:
 +            digest = ski.value.digest
         return cls(
 -            key_identifier=ski.digest,
 +            key_identifier=digest,
             authority_cert_issuer=None,
             authority_cert_serial_number=None,
         )
 diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
 index 2f7e7bebf..73c17d84f 100644
 --- a/tests/hazmat/backends/test_openssl.py
 +++ b/tests/hazmat/backends/test_openssl.py
@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object):
         res = backend._lib.ENGINE_free(e)
         assert res == 1
 +    def test_rhel8_no_osrandom(self):
 +        pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667")
 +
 @pytest.mark.skipif(
     backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE,
 diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
 index 70bff012f..334b459b5 100644
 --- a/tests/hazmat/primitives/test_asym_utils.py
 +++ b/tests/hazmat/primitives/test_asym_utils.py
@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
     Prehashed,
     decode_dss_signature,
     encode_dss_signature,
 +    encode_rfc6979_signature,
 +    decode_rfc6979_signature
 )
@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1():
 def test_pass_invalid_prehashed_arg():
     with pytest.raises(TypeError):
         Prehashed(object())
 +
 +
 +def test_deprecated_rfc6979_signature():
 +    sig = encode_rfc6979_signature(1, 1)
 +    assert sig == b"0\x06\x02\x01\x01\x02\x01\x01"
 +    decoded = decode_rfc6979_signature(sig)
 +    assert decoded == (1, 1)
 diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
 index 11c80816c..e5bdf17d4 100644
 --- a/tests/x509/test_x509.py
 +++ b/tests/x509/test_x509.py
@@ -685,6 +685,7 @@ class TestRSACertificate(object):
         )
         assert isinstance(cert, x509.Certificate)
         assert cert.serial_number == 11559813051657483483
 +        assert cert.serial == cert.serial_number
         fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
         assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
         assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
 diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
 index 2cd216fb6..ac2b2c03d 100644
 --- a/tests/x509/test_x509_ext.py
 +++ b/tests/x509/test_x509_ext.py
@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object):
         )
         assert ext.value == aki
 +        aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
 +            ski_ext
 +        )
 +        assert ext.value == aki
 +
 class TestNameConstraints(object):
     def test_ipaddress_wrong_type(self):
 -- 
 2.26.2
--- a/SOURCES/0002-Support-pytest-3.4.2.patch
+++ b/SOURCES/0002-Support-pytest-3.4.2.patch
@ -0,0 +1,86 @@
 From c1c1b14d359b1360e7d14a7c0687bef9ed6fc17c Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Wed, 28 Oct 2020 14:27:55 +0100
 Subject: [PATCH 2] Support pytest 3.4.2
 ---
 setup.py            | 3 ++-
 tests/conftest.py   | 4 ++--
 tests/test_utils.py | 4 ++--
 tests/utils.py      | 2 +-
 4 files changed, 7 insertions(+), 6 deletions(-)
 diff --git a/setup.py b/setup.py
 index 82800a96e..5678db004 100644
 --- a/setup.py
 +++ b/setup.py
@@ -93,7 +93,8 @@ setup(
     extras_require={
         ":python_version < '3'": ["enum34", "ipaddress"],
         "test": [
 -            "pytest>=3.6.0,!=3.9.0,!=3.9.1,!=3.9.2",
 +            "pytest>=3.4.2,<3.6",
 +            "attrs>=17.4.0,<18.0",
             "pretend",
             "iso8601",
             "pytz",
 diff --git a/tests/conftest.py b/tests/conftest.py
 index 4e3124fa7..53c194830 100644
 --- a/tests/conftest.py
 +++ b/tests/conftest.py
@@ -42,7 +42,7 @@ def pytest_generate_tests(metafunc):
 def pytest_runtest_setup(item):
     if openssl_backend._fips_enabled:
 -        for marker in item.iter_markers(name="skip_fips"):
 +        for marker in item.get_marker(name="skip_fips") or []:
             pytest.skip(marker.kwargs["reason"])
@@ -50,7 +50,7 @@ def pytest_runtest_setup(item):
 def backend(request):
     required_interfaces = [
         mark.kwargs["interface"]
 -        for mark in request.node.iter_markers("requires_backend_interface")
 +        for mark in request.node.get_marker("requires_backend_interface") or []
     ]
     if not all(
         isinstance(openssl_backend, iface) for iface in required_interfaces
 diff --git a/tests/test_utils.py b/tests/test_utils.py
 index d6afa3b34..e0a1be4f5 100644
 --- a/tests/test_utils.py
 +++ b/tests/test_utils.py
@@ -43,7 +43,7 @@ def test_check_backend_support_skip():
     supported = pretend.stub(
         kwargs={"only_if": lambda backend: False, "skip_message": "Nope"}
     )
 -    node = pretend.stub(iter_markers=lambda x: [supported])
 +    node = pretend.stub(get_marker=lambda x: [supported])
     item = pretend.stub(node=node)
     with pytest.raises(pytest.skip.Exception) as exc_info:
         check_backend_support(True, item)
@@ -54,7 +54,7 @@ def test_check_backend_support_no_skip():
     supported = pretend.stub(
         kwargs={"only_if": lambda backend: True, "skip_message": "Nope"}
     )
 -    node = pretend.stub(iter_markers=lambda x: [supported])
 +    node = pretend.stub(get_marker=lambda x: [supported])
     item = pretend.stub(node=node)
     assert check_backend_support(None, item) is None
 diff --git a/tests/utils.py b/tests/utils.py
 index 5d98af00e..a08f79c34 100644
 --- a/tests/utils.py
 +++ b/tests/utils.py
@@ -27,7 +27,7 @@ KeyedHashVector = collections.namedtuple(
 def check_backend_support(backend, item):
 -    for mark in item.node.iter_markers("supported"):
 +    for mark in item.node.get_marker("supported") or []:
         if not mark.kwargs["only_if"](backend):
             pytest.skip("{} ({})".format(mark.kwargs["skip_message"], backend))
 -- 
 2.26.2
--- a/SOURCES/0003-Skip-iso8601-test-cases.patch
+++ b/SOURCES/0003-Skip-iso8601-test-cases.patch
@ -0,0 +1,73 @@
 From bea141d25bd2bc4eea7527e2d6ec1d85b2b3806d Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Thu, 29 Oct 2020 09:21:06 +0100
 Subject: [PATCH 3] Skip iso8601 test cases
 ---
 tests/test_fernet.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
 diff --git a/tests/test_fernet.py b/tests/test_fernet.py
 index 38409b03e..343f3e4ec 100644
 --- a/tests/test_fernet.py
 +++ b/tests/test_fernet.py
@@ -10,7 +10,10 @@ import json
 import os
 import time
 -import iso8601
 +try:
 +    import iso8601
 +except ImportError:
 +    iso8601 = None
 import pytest
@@ -24,6 +27,12 @@ from cryptography.hazmat.primitives.ciphers import algorithms, modes
 import cryptography_vectors
 +skip_iso8601 = pytest.mark.skipif(
 +    iso8601 is None,
 +    reason="is8601 is not available"
 +)
 +
 +
 def json_parametrize(keys, filename):
     vector_file = cryptography_vectors.open_vector_file(
         os.path.join("fernet", filename), "r"
@@ -49,6 +58,7 @@ def test_default_backend():
     skip_message="Does not support AES CBC",
 )
 class TestFernet(object):
 +    @skip_iso8601
     @json_parametrize(
         ("secret", "now", "iv", "src", "token"),
         "generate.json",
@@ -62,6 +72,7 @@ class TestFernet(object):
         )
         assert actual_token == token.encode("ascii")
 +    @skip_iso8601
     @json_parametrize(
         ("secret", "now", "src", "ttl_sec", "token"),
         "verify.json",
@@ -81,6 +92,7 @@ class TestFernet(object):
         payload = f.decrypt(token.encode("ascii"), ttl=ttl_sec)
         assert payload == src.encode("ascii")
 +    @skip_iso8601
     @json_parametrize(("secret", "token", "now", "ttl_sec"), "invalid.json")
     def test_invalid(self, secret, token, now, ttl_sec, backend, monkeypatch):
         f = Fernet(secret.encode("ascii"), backend=backend)
@@ -117,6 +129,7 @@ class TestFernet(object):
         with pytest.raises(TypeError):
             f.decrypt(u"")
 +    @skip_iso8601
     def test_timestamp_ignored_no_ttl(self, monkeypatch, backend):
         f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
         pt = b"encrypt me"
 -- 
 2.26.2
--- a/SOURCES/0004-Revert-remove-NPN-bindings.patch
+++ b/SOURCES/0004-Revert-remove-NPN-bindings.patch
@ -0,0 +1,75 @@
 From e8ed37e0d24a1cc7482ab816ed5f25243395b2ef Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Mon, 14 Dec 2020 14:13:53 +0100
 Subject: [PATCH] Revert "remove NPN bindings -- you should be using ALPN!
 (#4765)"
 This reverts commit 99bf4e4605cbe54bad597da1ebe4cc323909083c.
 ---
 src/_cffi_src/openssl/ssl.py          | 20 +++++++++++++++++++-
 tests/hazmat/bindings/test_openssl.py |  4 ++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
 index c38e309a1..fa854f5dd 100644
 --- a/src/_cffi_src/openssl/ssl.py
 +++ b/src/_cffi_src/openssl/ssl.py
@@ -138,6 +138,8 @@ static const long SSL3_RANDOM_SIZE;
 static const long TLS_ST_BEFORE;
 static const long TLS_ST_OK;
 +static const long OPENSSL_NPN_NEGOTIATED;
 +
 typedef ... SSL_METHOD;
 typedef ... SSL_CTX;
@@ -401,9 +403,25 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *);
 long SSL_session_reused(SSL *);
 +void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *,
 +                                           int (*)(SSL *,
 +                                                   const unsigned char **,
 +                                                   unsigned int *,
 +                                                   void *),
 +                                           void *);
 +void SSL_CTX_set_next_proto_select_cb(SSL_CTX *,
 +                                      int (*)(SSL *,
 +                                              unsigned char **,
 +                                              unsigned char *,
 +                                              const unsigned char *,
 +                                              unsigned int,
 +                                              void *),
 +                                      void *);
 int SSL_select_next_proto(unsigned char **, unsigned char *,
                           const unsigned char *, unsigned int,
                           const unsigned char *, unsigned int);
 +void SSL_get0_next_proto_negotiated(const SSL *,
 +                                    const unsigned char **, unsigned *);
 int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
 const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
@@ -601,7 +619,7 @@ static const long Cryptography_HAS_TLSv1_2 = 1;
 static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
 static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
 static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
 -static const long Cryptography_HAS_NEXTPROTONEG = 0;
 +static const long Cryptography_HAS_NEXTPROTONEG = 1;
 static const long Cryptography_HAS_ALPN = 1;
 #if CRYPTOGRAPHY_IS_LIBRESSL
 diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
 index ecee34091..aeb12a0dc 100644
 --- a/tests/hazmat/bindings/test_openssl.py
 +++ b/tests/hazmat/bindings/test_openssl.py
@@ -137,3 +137,7 @@ class TestOpenSSL(object):
         )
         with pytest.raises(RuntimeError):
             _verify_openssl_version(lib)
 +
 +    def test_npn_binding(self):
 +        b = Binding()
 +        assert b.lib.Cryptography_HAS_NEXTPROTONEG
 -- 
 2.29.2
--- a/SOURCES/0005-CVE-2020-36242.patch
+++ b/SOURCES/0005-CVE-2020-36242.patch
@ -0,0 +1,18 @@
 From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
 From: Paul Kehrer <paul.l.kehrer@gmail.com>
 Date: Sun, 7 Feb 2021 11:04:43 -0600
 Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
 diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
 index 2b10681b31..0f96795fdc 100644
 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py
 +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -16,7 +16,7 @@
 class _CipherContext(object):
     _ENCRYPT = 1
     _DECRYPT = 0
 -    _MAX_CHUNK_SIZE = 2 ** 31 - 1
 +    _MAX_CHUNK_SIZE = 2 ** 30 - 1
     def __init__(self, backend, cipher, mode, operation):
         self._backend = backend
--- a/SOURCES/0006-CVE-2023-23931.patch
+++ b/SOURCES/0006-CVE-2023-23931.patch
@ -0,0 +1,42 @@
 From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001
 From: Alex Gaynor <alex.gaynor@gmail.com>
 Date: Tue, 31 Jan 2023 08:33:54 -0500
 Subject: [PATCH] Don't allow update_into to mutate immutable objects
 ---
 src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
 tests/hazmat/primitives/test_ciphers.py             | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
 index 286583f9325..075d68fb905 100644
 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py
 +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int:
         data_processed = 0
         total_out = 0
         outlen = self._backend._ffi.new("int *")
 -        baseoutbuf = self._backend._ffi.from_buffer(buf)
 +        baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
         baseinbuf = self._backend._ffi.from_buffer(data)
         while data_processed != total_data_len:
 diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
 index 02127dd9cab..bf3b047dec2 100644
 --- a/tests/hazmat/primitives/test_ciphers.py
 +++ b/tests/hazmat/primitives/test_ciphers.py
@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend):
         with pytest.raises(ValueError):
             encryptor.update_into(b"testing", buf)
 +    def test_update_into_immutable(self, backend):
 +        key = b"\x00" * 16
 +        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
 +        encryptor = c.encryptor()
 +        buf = b"\x00" * 32
 +        with pytest.raises((TypeError, BufferError)):
 +            encryptor.update_into(b"testing", buf)
 +
     @pytest.mark.supported(
         only_if=lambda backend: backend.cipher_supported(
             AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
--- a/SOURCES/0008-CVE-2023-49083.patch
+++ b/SOURCES/0008-CVE-2023-49083.patch
@ -0,0 +1,45 @@
 From 66cb448876b1e95b637461d13560b970bae09e08 Mon Sep 17 00:00:00 2001
 From: Alex Gaynor <alex.gaynor@gmail.com>
 Date: Wed, 22 Nov 2023 16:49:56 -0500
 Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
 ---
 src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
 tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
 diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
 index 7c08862b307..adfd7aefe5f 100644
 --- a/src/cryptography/hazmat/backends/openssl/backend.py
 +++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1111,9 +1111,12 @@ def _load_pkcs7_certificates(self, p7) -> list[x509.Certificate]:
                 _Reasons.UNSUPPORTED_SERIALIZATION,
             )
 +        certs: list[x509.Certificate] = []
 +        if p7.d.sign == self._ffi.NULL:
 +            return certs
 +
         sk_x509 = p7.d.sign.cert
         num = self._lib.sk_X509_num(sk_x509)
 -        certs = []
         for i in range(num):
             x509 = self._lib.sk_X509_value(sk_x509, i)
             self.openssl_assert(x509 != self._ffi.NULL)
 diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
 index ceb84e5fb48..434a361057f 100644
 --- a/tests/hazmat/primitives/test_pkcs7.py
 +++ b/tests/hazmat/primitives/test_pkcs7.py
@@ -89,6 +89,12 @@ def test_load_pkcs7_unsupported_type(self, backend):
                 mode="rb",
             )
 +    def test_load_pkcs7_empty_certificates(self):
 +        der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
 +
 +        certificates = pkcs7.load_der_pkcs7_certificates(der)
 +        assert certificates == []
 +
 # We have no public verification API and won't be adding one until we get
 # some requirements from users so this function exists to give us basic
--- a/SPECS/python-cryptography.spec
+++ b/SPECS/python-cryptography.spec
@ -0,0 +1,282 @@
 %{!?python3_pkgversion:%global python3_pkgversion 3}
 %global srcname cryptography
 # rhbz#2172416: from_buffer(..., require_writable=True)
 %global cffi_version 1.11.5-6
 Name:           python-%{srcname}
 Version:        3.2.1
 Release:        8%{?dist}
 Summary:        PyCA's cryptography library
 Group:          Development/Libraries
 License:        ASL 2.0 or BSD
 URL:            https://cryptography.io/en/latest/
 Source0:        https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
 Patch0001:      0001-Re-add-deprecated-and-removed-features.patch
 Patch0002:      0002-Support-pytest-3.4.2.patch
 Patch0003:	0003-Skip-iso8601-test-cases.patch
 Patch0004:	0004-Revert-remove-NPN-bindings.patch
 Patch0005:	0005-CVE-2020-36242.patch
 # https://github.com/pyca/cryptography/pull/8230
 Patch0006:	0006-CVE-2023-23931.patch
 Patch0007:	0008-CVE-2023-49083.patch
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-pytest >= 3.4.2
 BuildRequires:  python%{python3_pkgversion}-setuptools
 BuildRequires:  python%{python3_pkgversion}-pretend
 # BuildRequires:  python{python3_pkgversion}-iso8601
 BuildRequires:  python%{python3_pkgversion}-cryptography-vectors = %{version}
 BuildRequires:  python%{python3_pkgversion}-pytz
 BuildRequires:  python%{python3_pkgversion}-six >= 1.4.1
 BuildRequires:  python%{python3_pkgversion}-cffi >= %{cffi_version}
 %description
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 %package -n  python%{python3_pkgversion}-%{srcname}
 Group:          Development/Libraries
 Summary:        PyCA's cryptography library
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 Requires:       openssl-libs
 Requires:       python%{python3_pkgversion}-six >= 1.4.1
 Requires:       python%{python3_pkgversion}-cffi >= %{cffi_version}
 Conflicts:      python%{python3_pkgversion}-cryptography-vectors < %{version}
 Conflicts:      python%{python3_pkgversion}-cryptography-vectors > %{version}
 %description -n python%{python3_pkgversion}-%{srcname}
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 %prep
 %autosetup -p1 -n %{srcname}-%{version}
 %build
 %py3_build
 %install
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
 %py3_install
 %check
 # workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644
 rm -f tests/hazmat/primitives/test_padding.py
 # don't run hypothesis tests
 rm -rf tests/hypothesis
 PYTHONPATH=%{buildroot}%{python3_sitearch} \
    %{__python3} -m pytest \
    -k "not test_decrypt_invalid_decrypt"
 %files -n python%{python3_pkgversion}-%{srcname}
 %doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %{python3_sitearch}/%{srcname}
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 %changelog
 * Wed Jul 02 2025 Francisco Triviño <ftrivino@redhat.com> - 3.2.1-8
 - Fix CVE-2023-49083: NULL-dereference when loading PKCS7 certificates,
  resolves RHEL-97452
 * Fri Dec 01 2023 Christian Heimes <cheimes@redhat.com> - 3.2.1-7
 - Fix FTBFS caused by rsa_pkcs1_implicit_rejection OpenSSL feature, resolves: RHEL-17873
 * Wed Feb 22 2023 Christian Heimes <cheimes@redhat.com> - 3.2.1-6
 - Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2172404
 * Tue Jun 08 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-5
 - Rebuild for RHEL 8.5
 - Resolves: rhbz#1933071
 * Tue Feb 09 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-4
 - CVE-2020-36242: Fixed a bug where certain sequences of update() calls
  when symmetrically encrypting very large payloads (>2GB) could result
  in an integer overflow, leading to buffer overflows.
 - Resolves: rhbz#1926528
 * Mon Dec 14 17:24:01 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-3
 - Conflict with non-matching vector package
 * Mon Dec 14 14:19:42 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-2
 - Re-add remove NPN bindings, required for pyOpenSSL
 - Resolves: rhbz#1907429
 * Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
 - Rebase to upstream release 3.2.1
 - Resolves: rhbz#1873581
 - Resolves: rhbz#1778939
 - Removed dependencies on python-asn1crypto, python-idna
 * Tue Nov 12 2019 Christian Heimes <cheimes@redhat.com> - 2.3-3
 - Don't activate custom osrandom engine for FIPS compliance
 - Resolves: rhbz#1762667
 * Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
 - Use TLSv1.2 in test as workaround for RHBZ#1615099
 - Resolves: RHBZ#1611738
 * Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
 - New upstream release 2.3
 - Fix AEAD tag truncation bug, CVE-2018-10903, RHBZ#1602755, RHBZ#1602932
 * Tue Jun 19 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-2
 - Drop Python 2 subpackages from RHEL 8, fixes RHBZ#1589754
 - Remove unnecessary copy and shebang mangling
 * Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
 - New upstream release 2.2.1
 * Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
 - New upstream release 2.1.4
 * Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
 - Build requires gcc
 * Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
 - Update Python 2 dependency declarations to new packaging standards
  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 * Thu Nov 23 2017 Haïkel Guémar <hguemar@fedoraproject.org> - 2.1.3-1
 - Upstream 2.1.3
 * Tue Oct 24 2017 Christian Heimes <cheimes@redhat.com> - 2.1-2
 - Change Requires to openssl-libs
 * Thu Oct 12 2017 Christian Heimes <cheimes@redhat.com> - 2.1-1
 - New upstream release 2.1
 * Wed Sep 27 2017 Troy Dawson <tdawson@redhat.com> - 2.0.2-3
 - Cleanup spec file conditionals
 * Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-2
 - Add workaround for pytest bug
 * Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-1
 - New upstream release 2.0.2
 - Modernize spec
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 * Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 * Tue Jun 27 2017 Christian Heimes <cheimes@redhat.com> - 1.9-1
 - Upstream release 1.9
 * Wed Feb 15 2017 Christian Heimes <cheimes@redhat.com> - 1.7.2-1
 - Update to latest upstream
 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 * Thu Jan 05 2017 Matěj Cepl <mcepl@redhat.com> - 1.7.1-1
 - Update to the latest upstream.
 - Add a patch from https://github.com/pyca/cryptography/pull/3328
 * Tue Dec 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-5
 - Enable tests
 * Mon Dec 12 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-4
 - Rebuild for Python 3.6
 - Disable python3 tests for now
 * Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-3
 - Revert previous change
 * Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-2
 - Disable tests on releases earlier than 24
 * Mon Nov 07 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-1
 - Update to v1.5.3
 - Update source URL
 - Add BR for pytz
 * Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-4
 - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
 * Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-3
 - Remove versioned setuptools dependency
 * Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-2
 - Make it easier to build on EL7
 * Tue May 03 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-1
 - Update to v1.3.1
 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 * Mon Jan 11 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-2
 - Move python-cryptograph => python2-cryptography
 * Sat Jan 09 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-1
 - Update to v1.2.1
 * Wed Nov 11 2015 Robert Kuska <rkuska@redhat.com> - 1.1-1
 - Update to v1.1
 * Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 1.0.2-2
 - Rebuilt for Python3.5 rebuild
 * Wed Sep 30 2015 Matěj Cepl <mcepl@redhat.com> - 1.0.2-1
 - New upstream release (fix #1267548)
 * Wed Aug 12 2015 Nathaniel McCallum <npmccallum@redhat.com> - 1.0-1
 - New upstream release
 * Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 * Thu May 14 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.9-1
 - New upstream release
 - Run tests on RHEL
 - New deps: python-idna, python-ipaddress
 * Fri Apr 17 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8.2-1
 - New upstream release
 - Add python3-pyasn1 Requires (#1211073)
 * Tue Apr 14 2015 Matej Cepl <mcepl@redhat.com> - 0.8-2
 - Add python-pyasn1 Requires (#1211073)
 * Fri Mar 13 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8-1
 - New upstream release
 - Remove upstreamed patch
 * Wed Mar 04 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-2
 - Add python3-cryptography-vectors build requires
 - Add python-enum34 requires
 * Tue Feb 03 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-1
 - New upstream release. BSD is now an optional license.
 - Fix test running on python3
 - Add upstream patch to fix test paths
 * Fri Nov 07 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-2
 - Fix requires, for reasons why other development files were not
  eliminated see https://github.com/pyca/cryptography/issues/1463.
 * Wed Nov 05 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-1
 - New upstream release.
 * Sun Jun 29 2014 Terry Chia <terrycwk1994@gmail.com> 0.4-1
 - initial version
--- a/252
+++ b/252
@ -1,252 +0,0 @@
 * Sat May 16 2026 Fraser Tweedale <ftweedal@redhat.com> - 48.0.0-1
 - Update to 48.0.0, resolves RHEL-172409
 - Fix AES-GCM with FIPS provider version mismatch, resolves RHEL-173746
 * Tue Jul 02 2024 Jeremy Cline <jeremycline@linux.microsoft.com> - 42.0.8-1
 - Update to 42.0.8, fixes rhbz#2251816
 * Sat Jun 08 2024 Python Maint <python-maint@redhat.com> - 41.0.7-3
 - Rebuilt for Python 3.13
 * Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 41.0.7-2
 - Bootstrap for Python 3.13
 * Thu Feb 01 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 41.0.7-1
 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083
 * Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.0.5-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.0.5-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Fri Dec 01 2023 Fabio Valentini <decathorpe@gmail.com> - 41.0.5-2
 - Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072)
 * Thu Oct 26 2023 Christian Heimes <cheimes@redhat.com> - 41.0.5-1
 - Update to 41.0.5, resolves RHBZ#2239707
 * Mon Aug 14 2023 Christian Heimes <cheimes@redhat.com> - 41.0.3-2
 - Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042
 * Wed Aug 09 2023 Christian Heimes <cheimes@redhat.com> - 41.0.3-1
 - Update to 41.0.3, resolves rhbz#2211237
 - Use pyo3 0.19
 * Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 40.0.2-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 * Mon Jul 10 2023 Python Maint <python-maint@redhat.com> - 40.0.2-4
 - Rebuilt for Python 3.12
 * Wed Jun 14 2023 Python Maint <python-maint@redhat.com> - 40.0.2-3
 - Bootstrap for Python 3.12
 * Tue Jun 13 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 40.0.2-2
 - Use vendored rust-pem in RHEL builds
 * Tue Apr 18 2023 Christian Heimes <cheimes@redhat.com> - 40.0.2-1
 - Update to 40.0.2, resolves rhbz#2181430
 * Thu Mar 09 2023 Miro Hrončok <mhroncok@redhat.com> - 39.0.2-2
 - Don't run tests requiring pytz on RHEL
 - Don't try to run tests of vendored dependencies in %%check
 * Sat Mar 04 2023 Christian Heimes <cheimes@redhat.com> - 39.0.2-1
 - Update to 39.0.2, resolves rhbz#2124729
 * Tue Feb 28 2023 Fabio Valentini <decathorpe@gmail.com> - 37.0.2-9
 - Ensure correct compiler flags are used for Rust code.
 * Wed Feb 22 2023 Christian Heimes <cheimes@redhat.com> - 37.0.2-8
 - Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820
 - Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661
 * Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 37.0.2-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 * Fri Dec 09 2022 Christian Heimes <cheimes@redhat.com> - 37.0.2-6
 - Enable SHA1 signatures in test suite (ELN-only)
 * Wed Aug 17 2022 Miro Hrončok <mhroncok@redhat.com> - 37.0.2-5
 - Drop unused requirement of python3-six
 * Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.0.2-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 37.0.2-3
 - Rebuilt for Python 3.11
 * Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 37.0.2-2
 - Bootstrap for Python 3.11
 * Thu May 05 2022 Christian Heimes <cheimes@redhat.com> - 37.0.2-1
 - Update to 37.0.2, resolves rhbz#2078968
 * Thu Jan 27 2022 Christian Heimes <cheimes@redhat.com> - 36.0.0-3
 - Skip unstable memleak tests, resolves: RHBZ#2042413
 * Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 36.0.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Mon Nov 22 2021 Christian Heimes <cheimes@redhat.com> - 36.0.0-1
 - Update to 36.0.0, fixes RHBZ#2025347
 * Thu Sep 30 2021 Christian Heimes <cheimes@redhat.com> - 35.0.0-2
 - Require rust-asn1 >= 0.6.4
 * Thu Sep 30 2021 Christian Heimes <cheimes@redhat.com> - 35.0-1
 - Update to 35.0.0 (#2009117)
 * Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.4.7-6
 - Rebuilt with OpenSSL 3.0.0
 * Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.7-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 * Thu Jun 10 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.4.7-4
 - Don't conditionalize Source: directives
 * Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 3.4.7-3
 - Rebuilt for Python 3.10
 * Tue May 11 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-2
 - Fix compatibility issue with Python 3.10. Enums now use same
  representation as on Python 3.9. (#1952522)
 - Backport OpenSSL 3.0.0 compatibility patches.
 * Wed Apr 21 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-1
 - Update to 3.4.7
 - Remove dependency on python-cryptography-vectors package and use vectors
  directly from Github source tar ball. (#1952024)
 * Wed Mar 03 2021 Christian Heimes <cheimes@redhat.com> - 3.4.6-1
 - Update to 3.4.6 (#1927044)
 * Mon Feb 15 2021 Christian Heimes <cheimes@redhat.com> - 3.4.5-1
 - Update to 3.4.5 (#1927044)
 * Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-3
 - Skip iso8601 and pretend tests on RHEL
 * Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-2
 - Provide RHEL build infrastructure
 * Wed Feb 10 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-1
 - Update to 3.4.4 (#1927044)
 * Mon Feb 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.2-1
 - Update to 3.4.2 (#1926339)
 - Package no longer depends on Rust (#1926181)
 * Mon Feb 08 2021 Fabio Valentini <decathorpe@gmail.com> - 3.4.1-2
 - Use dynamically generated BuildRequires for PyO3 Rust module.
 - Drop unnecessary CARGO_NET_OFFLINE environment variable.
 * Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4.1-1
 - Update to 3.4.1 (#1925953)
 * Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-2
 - Add missing abi3 and pytest dependencies
 * Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-1
 - Update to 3.4 (#1925953)
 - Remove Python 2 support
 - Remove unused python-idna dependency
 - Add Rust support
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Thu Dec 10 2020 Christian Heimes <cheimes@redhat.com> - 3.3.1-1
 - Update to 3.3.1 (#1905756)
 * Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
 - Update to 3.2.1 (#1892153)
 * Mon Oct 26 2020 Christian Heimes <cheimes@redhat.com> - 3.2-1
 - Update to 3.2 (#1891378)
 * Mon Sep 07 2020 Christian Heimes <cheimes@redhat.com> - 3.1-1
 - Update to 3.1 (#1872978)
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue Jul 21 2020 Christian Heimes <cheimes@redhat.com> - 3.0-1
 - Update to 3.0 (#185897)
 * Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9-3
 - Rebuilt for Python 3.9
 * Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2
 - add source file verification
 * Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1
 - Update to 2.9 (#1820348)
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Mon Jan 13 2020 Christian Heimes <cheimes@redhat.com> - 2.8-2
 - cryptography 2.8+ no longer depends on python-asn1crypto
 * Thu Oct 17 2019 Christian Heimes <cheimes@redhat.com> - 2.8-1
 - Update to 2.8
 - Resolves: rhbz#1762779
 * Sun Oct 13 2019 Christian Heimes <cheimes@redhat.com> - 2.7-3
 - Skip unit tests that fail with OpenSSL 1.1.1.d
 - Resolves: rhbz#1761194
 - Fix and simplify Python 3 packaging
 * Sat Oct 12 2019 Christian Heimes <cheimes@redhat.com> - 2.7-2
 - Drop Python 2 package
 - Resolves: rhbz#1761081
 * Tue Sep 03 2019 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.7-1
 - Update to 2.7 (#1715680).
 * Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.1-3
 - Rebuilt for Python 3.8
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Thu Feb 28 2019 Christian Heimes <cheimes@redhat.com> - 2.6.1-1
 - New upstream release 2.6.1, resolves RHBZ#1683691
 * Wed Feb 13 2019 Alfredo Moralejo <amoralej@redhat.com> - 2.5-1
 - Updated to 2.5.
 * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
 - Use TLSv1.2 in test as workaround for RHBZ#1615143
 * Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
 - New upstream release 2.3
 - Fix AEAD tag truncation bug, RHBZ#1602752
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.1-2
 - Rebuilt for Python 3.7
 * Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
 - New upstream release 2.2.1
 * Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
 - New upstream release 2.1.4
 * Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
 - Build requires gcc
 * Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
 - Update Python 2 dependency declarations to new packaging standards
  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
--- a/conftest-skipper.py
+++ b/conftest-skipper.py
@ -1,22 +0,0 @@
 class Skipper:
    """Skip iso8601 and pretend tests
    RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
    all tests that use the excluded modules.
    """
    def parse_date(self, datestring):
        pytest.skip(f"iso8601 module is not available.")
    def stub(self, **kwargs):
        pytest.skip(f"pretend module is not available.")
    def raiser(self, exc):
        pytest.skip(f"pretend module is not available.")
 import sys
 sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()
--- a/gating.yaml
+++ b/gating.yaml
@ -1,7 +0,0 @@
 # recipients: abokovoy, frenaud, kaleem, ftrivino, cheimes
 --- !Policy
 product_versions:
  - rhel-10
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/plans/tests.fmf
+++ b/plans/tests.fmf
@ -1,71 +0,0 @@
 summary: python-cryptography test suite
 provision:
    hardware:
        memory: ">= 8 GB"
 environment:
    OPENSSL_ENABLE_SHA1_SIGNATURES: "yes"
    CRYPTOGRAPHY_SRCDIR: /var/tmp/cryptography-source
 prepare:
  - how: install
    package:
      - python3-cryptography
      - python3-pytest
      - python3-pytest-subtests
  - how: shell
    script: |
      VERSION=$(rpm -q --qf '%{VERSION}' python3-cryptography)
      curl -sLo /var/tmp/cryptography-${VERSION}.tar.gz \
        "https://github.com/pyca/cryptography/archive/${VERSION}/cryptography-${VERSION}.tar.gz"
      tar xf /var/tmp/cryptography-${VERSION}.tar.gz -C /var/tmp/
      ln -sfn /var/tmp/cryptography-${VERSION} $CRYPTOGRAPHY_SRCDIR
      cd $CRYPTOGRAPHY_SRCDIR
      sed -i 's/--benchmark-disable//' pyproject.toml
      # remove tests that depend on python3-hypothesis package
      rm -rf tests/hypothesis/
      # remove tests that depend on python3-iso8601 package
      rm -f tests/test_fernet.py
      cat ${TMT_TREE}/conftest-skipper.py >> tests/conftest.py
 discover:
    how: shell
    tests:
    - name: unittests-basic
      test: cd $CRYPTOGRAPHY_SRCDIR && PYTHONPATH=vectors pytest-3 tests/test_*.py
      duration: 30m
    - name: unittests-x509
      test: cd $CRYPTOGRAPHY_SRCDIR && PYTHONPATH=vectors pytest-3 tests/x509/
      duration: 30m
    - name: unittests-hazmat
      test: cd $CRYPTOGRAPHY_SRCDIR && PYTHONPATH=vectors pytest-3 -k 'not test_openssl_memleak' tests/hazmat/backends/ tests/hazmat/bindings/
      duration: 30m
    - name: unittests-primitives-aead
      test: cd $CRYPTOGRAPHY_SRCDIR && PYTHONPATH=vectors pytest-3 tests/hazmat/primitives/test_aead.py
      duration: 30m
    - name: unittests-primitives-aes
      test: >-
        cd $CRYPTOGRAPHY_SRCDIR && PYTHONPATH=vectors pytest-3
        tests/hazmat/primitives/test_aes.py::TestAESModeCBC
        tests/hazmat/primitives/test_aes.py::TestAESModeCTR
        tests/hazmat/primitives/test_aes_gcm.py::TestAESModeGCM
      duration: 30m
    - name: unittests-primitives-a-e
      test: >-
        cd $CRYPTOGRAPHY_SRCDIR && PYTHONPATH=vectors pytest-3
        tests/hazmat/primitives/decrepit/test_arc4.py
        tests/hazmat/primitives/test_asym_utils.py
        tests/hazmat/primitives/test_[b-e]*.py
      duration: 30m
    - name: unittests-primitives-f-z
      test: >-
        cd $CRYPTOGRAPHY_SRCDIR && PYTHONPATH=vectors pytest-3
        tests/hazmat/primitives/test_[f-z]*.py
        tests/hazmat/primitives/twofactor
      duration: 30m
 execute:
    how: tmt
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@ -1,150 +0,0 @@
 %bcond_without tests
 %{!?python3_pkgversion:%global python3_pkgversion 3}
 %global srcname cryptography
 Name:           python-%{srcname}
 Version:        48.0.0
 Release:        %autorelease
 Summary:        PyCA's cryptography library
 # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause,
 # as well as the Python Software Foundation license for the OS random
 # engine derived by CPython.
 License:        (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0
 URL:            https://cryptography.io/en/latest/
 Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
                # created by ./vendor_rust.py helper script
 Source1:        cryptography-%{version}-vendor.tar.bz2
 Source2:        conftest-skipper.py
 # RHEL 10 only has python3-cffi 1.16 and maturin 1.4.0, step down requirements
 Patch:          stepdown-cffi-and-maturin.patch
 # Fix AES-GCM with FIPS provider version mismatch (RHEL-173746)
 # https://github.com/pyca/cryptography/pull/14819
 Patch:          14819.patch
 ExclusiveArch:  %{rust_arches}
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
 BuildRequires:  gnupg2
 %if 0%{?fedora}
 BuildRequires:  rust-packaging
 %else
 BuildRequires:  rust-toolset
 %endif
 BuildRequires:  python%{python3_pkgversion}-cffi >= 1.16
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-setuptools
 BuildRequires:  python%{python3_pkgversion}-maturin >= 1.4
 %if %{with tests}
 %if 0%{?fedora}
 BuildRequires:  python%{python3_pkgversion}-certifi
 BuildRequires:  python%{python3_pkgversion}-hypothesis >= 1.11.4
 BuildRequires:  python%{python3_pkgversion}-iso8601
 BuildRequires:  python%{python3_pkgversion}-pretend
 BuildRequires:  python%{python3_pkgversion}-pytest-benchmark
 BuildRequires:  python%{python3_pkgversion}-pytest-xdist
 BuildRequires:  python%{python3_pkgversion}-pytz
 %endif
 BuildRequires:  python%{python3_pkgversion}-pytest >= 6.2.0
 %endif
 %description
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 %package -n  python%{python3_pkgversion}-%{srcname}
 Summary:        PyCA's cryptography library
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 Requires:       openssl-libs
 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
 # Can be safely removed in Fedora 37
 Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7
 %endif
 %description -n python%{python3_pkgversion}-%{srcname}
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 %prep
 %autosetup -p1 -n %{srcname}-%{version}
 %if 0%{?fedora}
 %cargo_prep
 sed -i 's/locked = true//g' pyproject.toml
 rm src/rust/Cargo.lock
 %else
 # RHEL: use vendored Rust crates
 %cargo_prep -V 1
 %endif
 %if ! 0%{?fedora}
 sed -i 's,--benchmark-disable,,' pyproject.toml
 %endif
 %generate_buildrequires
 %pyproject_buildrequires
 %if 0%{?fedora}
 # Fedora: use RPMified crates
 cd src/rust
 %cargo_generate_buildrequires
 cd ../..
 %endif
 %build
 export RUSTFLAGS="%build_rustflags"
 export OPENSSL_NO_VENDOR=1
 export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 "
 %pyproject_wheel
 %install
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
 %pyproject_install
 %pyproject_save_files %{srcname}
 %check
 %if %{with tests}
 %if 0%{?rhel}
 # skip benchmark, hypothesis, and pytz tests on RHEL
 rm -rf tests/bench tests/hypothesis tests/x509
 # test_pkcs7.py imports from tests.x509 which we removed above
 rm -f tests/hazmat/primitives/test_pkcs7.py
 # append skipper to skip iso8601 and pretend tests
 cat < %{SOURCE2} >> tests/conftest.py
 %endif
 # enable SHA-1 signatures for RSA tests
 # also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
 export OPENSSL_ENABLE_SHA1_SIGNATURES=yes
 # see https://github.com/pyca/cryptography/issues/4885 and
 # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
 # see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes
 # not much sense for downstream testing.
 # see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure
 PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
    %{__python3} -m pytest \
    --ignore vendor \
    -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)"
 %endif
 %files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files}
 %doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %changelog
 %autochangelog
--- a/2
+++ b/2
@ -1,2 +0,0 @@
 SHA512 (cryptography-48.0.0.tar.gz) = b38d0ae952bd33149c5358bb1fe9c875b55cc438f62ab0c0ab4d30d651e9d44f2895b39194906e7e9503294ca95a19eba6d97b32d319ed36bb38fa05faf89c6b
 SHA512 (cryptography-48.0.0-vendor.tar.bz2) = fddc63507ce64f6e4a6174b043ed789d8b6f5aea7f6110d95a460eb2327ca39a3bef9a87d1e17732d7782a929358ac821c2b84f39682419cfbb101dbdaa94363
--- a/stepdown-cffi-and-maturin.patch
+++ b/stepdown-cffi-and-maturin.patch
@ -1,44 +0,0 @@
 --- a/Cargo.toml
 +++ b/Cargo.toml
@@ -30,7 +30,8 @@ foreign-types-shared = "0.1"
 openssl = "0.10.79"
 openssl-sys = "0.9.115"
 pem = { version = "3", default-features = false }
 -pyo3 = { version = "0.28", features = ["abi3"] }
 +# Disable abi3 for maturin 1.4.0 compatibility - build for specific Python version
 +pyo3 = { version = "0.28" }
 pyo3-build-config = { version = "0.28" }
 self_cell = "1"
 --- a/pyproject.toml
 +++ b/pyproject.toml
@@ -2,10 +2,10 @@
 # These requirements must be kept sync with the requirements in
 # ./.github/requirements/build-requirements.{in,txt}
 requires = [
 -    "maturin>=1.9.4,<2,!=1.12.0",
 +    "maturin>=1.4.0,<2,!=1.12.0",
     # Must be kept in sync with `project.dependencies`
 -    "cffi>=2.0.0; platform_python_implementation != 'PyPy'",
 +    "cffi>=1.16; platform_python_implementation != 'PyPy'",
     # Used by cffi (which import distutils, and in Python 3.12, distutils has
     # been removed from the stdlib, but installing setuptools puts it back) as
     # well as our build.rs for the rust/cffi bridge.
@@ -22,7 +22,6 @@ authors = [
 description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
 readme = "README.rst"
 license = "Apache-2.0 OR BSD-3-Clause"
 -license-files = [ "LICENSE", "LICENSE.APACHE", "LICENSE.BSD" ]
 classifiers = [
     "Development Status :: 5 - Production/Stable",
     "Intended Audience :: Developers",
@@ -49,7 +48,7 @@ classifiers = [
 requires-python = ">=3.9,!=3.9.0,!=3.9.1"
 dependencies = [
     # Must be kept in sync with `build-system.requires`
 -    "cffi>=2.0.0; platform_python_implementation != 'PyPy'",
 +    "cffi>=1.16; platform_python_implementation != 'PyPy'",
     # Must be kept in sync with ./.github/requirements/build-requirements.{in,txt}
     "typing-extensions>=4.13.2; python_version < '3.11'",
 ]
--- a/vendor_rust.py
+++ b/vendor_rust.py
@ -1,112 +0,0 @@
 #!/usr/bin/python3
 """Vendor PyCA cryptography's Rust crates
 """
 import argparse
 import os
 import re
 import tarfile
 import tempfile
 import shutil
 import subprocess
 import sys
 VENDOR_DIR = "vendor"
 CARGO_TOML = "src/rust/Cargo.toml"
 RE_VERSION = re.compile(r"Version:\s*(.*)")
 parser = argparse.ArgumentParser(description="Vendor Rust packages")
 parser.add_argument(
    "--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
 )
 def cargo(cmd, manifest):
    args = ["cargo", cmd, f"--manifest-path={manifest}"]
    return subprocess.check_call(
        args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
    )
 def tar_reset(tarinfo):
    """Reset user, group, mtime, and mode to create reproducible tar"""
    tarinfo.uid = 0
    tarinfo.gid = 0
    tarinfo.uname = "root"
    tarinfo.gname = "root"
    tarinfo.mtime = 0
    if tarinfo.type == tarfile.DIRTYPE:
        tarinfo.mode = 0o755
    else:
        tarinfo.mode = 0o644
    if tarinfo.pax_headers:
        raise ValueError(tarinfo.name, tarinfo.pax_headers)
    return tarinfo
 def tar_reproducible(tar, basedir):
    """Create reproducible tar file"""
    content = [basedir]
    for root, dirs, files in os.walk(basedir):
        for directory in dirs:
            content.append(os.path.join(root, directory))
        for filename in files:
            content.append(os.path.join(root, filename))
    content.sort()
    for fn in content:
        tar.add(fn, filter=tar_reset, recursive=False, arcname=fn)
 def main():
    args = parser.parse_args()
    spec = args.spec
    # change cwd to work in bundle directory
    here = os.path.dirname(os.path.abspath(spec))
    os.chdir(here)
    # extract version number from bundle name
    with open(spec) as f:
        for line in f:
            mo = RE_VERSION.search(line)
            if mo is not None:
                version = mo.group(1)
                break
        else:
            raise ValueError(f"Cannot find version in {spec}")
    bundle_file = f"cryptography-{version}.tar.gz"
    vendor_file = f"cryptography-{version}-vendor.tar.bz2"
    # remove existing vendor directory and file
    if os.path.isdir(VENDOR_DIR):
        shutil.rmtree(VENDOR_DIR)
    try:
        os.unlink(vendor_file)
    except FileNotFoundError:
        pass
    print(f"Getting crates for {bundle_file}", file=sys.stderr)
    # extract tar file in tempdir
    # fetch and vendor Rust crates
    with tempfile.TemporaryDirectory(dir=here) as tmp:
        with tarfile.open(bundle_file) as tar:
            tar.extractall(path=tmp)
        manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
        cargo("fetch", manifest)
        cargo("vendor", manifest)
    print("\nCreating tar ball...", file=sys.stderr)
    with tarfile.open(vendor_file, "x:bz2") as tar:
        tar_reproducible(tar, VENDOR_DIR)
    # remove vendor dir
    shutil.rmtree(VENDOR_DIR)
    parser.exit(0, f"Created {vendor_file}\n")
 if __name__ == "__main__":
    main()
		`@ -0,0 +1 @@`
							`20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz`
		`@ -1,2 +0,0 @@`
			`SHA512 (cryptography-48.0.0.tar.gz) = b38d0ae952bd33149c5358bb1fe9c875b55cc438f62ab0c0ab4d30d651e9d44f2895b39194906e7e9503294ca95a19eba6d97b32d319ed36bb38fa05faf89c6b`
			`SHA512 (cryptography-48.0.0-vendor.tar.bz2) = fddc63507ce64f6e4a6174b043ed789d8b6f5aea7f6110d95a460eb2327ca39a3bef9a87d1e17732d7782a929358ac821c2b84f39682419cfbb101dbdaa94363`