From 0feb2bcd2a5c3b0516bf4c3da02d2fa3083c7340 Mon Sep 17 00:00:00 2001 From: Rafael Guterres Jeffman Date: Thu, 25 Jun 2026 16:21:12 -0300 Subject: [PATCH] Rebase to 1.5.8 Resolves: RHEL-168727 Signed-off-by: Rafael Guterres Jeffman --- .gitignore | 1 + ...plaintext-size-for-JWE-decompression.patch | 129 ------------------ python-jwcrypto.spec | 29 ++-- sources | 2 +- 4 files changed, 11 insertions(+), 150 deletions(-) delete mode 100644 0001-Limit-max-plaintext-size-for-JWE-decompression.patch diff --git a/.gitignore b/.gitignore index 1d8df6e..ccb8d17 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ /jwcrypto-1.4.1.tar.gz /jwcrypto-1.4.2.tar.gz /jwcrypto-1.5.6.tar.gz +/jwcrypto-1.5.8.tar.gz diff --git a/0001-Limit-max-plaintext-size-for-JWE-decompression.patch b/0001-Limit-max-plaintext-size-for-JWE-decompression.patch deleted file mode 100644 index d722f7a..0000000 --- a/0001-Limit-max-plaintext-size-for-JWE-decompression.patch +++ /dev/null @@ -1,129 +0,0 @@ ---- a/jwcrypto/jwe.py 2024-03-06 16:44:22.000000000 -0300 -+++ b/jwcrypto/jwe.py 2026-04-15 23:39:19.769727604 -0300 -@@ -12,7 +12,8 @@ - - # Limit the amount of data we are willing to decompress by default. - default_max_compressed_size = 256 * 1024 -- -+# Limit the maximum plaintext size to 100MB by default. -+default_max_plaintext_size = 100 * 1024 * 1024 - - # RFC 7516 - 4.1 - # name: (description, supported?) -@@ -371,7 +372,7 @@ - return data - - # FIXME: allow to specify which algorithms to accept as valid -- def _decrypt(self, key, ppe): -+ def _decrypt(self, key, ppe, max_plaintext=default_max_plaintext_size): - - jh = self._get_jose_header(ppe.get('header', None)) - -@@ -429,19 +430,29 @@ - raise InvalidJWEData( - 'Compressed data exceeds maximum allowed' - 'size' + f' ({default_max_compressed_size})') -- self.plaintext = zlib.decompress(data, -zlib.MAX_WBITS) -+ do = zlib.decompressobj(wbits=-zlib.MAX_WBITS) -+ self.plaintext = do.decompress(data, max_plaintext) -+ if do.unconsumed_tail or not do.eof: -+ self.plaintext = None -+ raise InvalidJWEData( -+ 'Compressed data exceeds maximum allowed' -+ 'output size' + f' ({max_plaintext})') - elif compress is None: - self.plaintext = data - else: - raise ValueError('Unknown compression') - -- def decrypt(self, key): -+ def decrypt(self, key, max_plaintext=0): - """Decrypt a JWE token. - - :param key: The (:class:`jwcrypto.jwk.JWK`) decryption key. - :param key: A (:class:`jwcrypto.jwk.JWK`) decryption key, - or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed - by the 'kid' header or (deprecated) a string containing a password. -+ :param max_plaintext: Maximum plaintext size allowed, 0 means -+ the library default applies. Application writers are recommended -+ to set a limit here if they know what is the max plaintext size -+ for their application. - - :raises InvalidJWEOperation: if the key is not a JWK object. - :raises InvalidJWEData: if the ciphertext can't be decrypted or -@@ -449,6 +460,10 @@ - :raises JWKeyNotFound: if key is a JWKSet and the key is not found. - """ - -+ self.plaintext = None -+ if max_plaintext == 0: -+ max_plaintext = default_max_plaintext_size -+ - if 'ciphertext' not in self.objects: - raise InvalidJWEOperation("No available ciphertext") - self.decryptlog = [] -@@ -457,14 +472,14 @@ - if 'recipients' in self.objects: - for rec in self.objects['recipients']: - try: -- self._decrypt(key, rec) -+ self._decrypt(key, rec, max_plaintext=max_plaintext) - except Exception as e: # pylint: disable=broad-except - if isinstance(e, JWKeyNotFound): - missingkey = True - self.decryptlog.append('Failed: [%s]' % repr(e)) - else: - try: -- self._decrypt(key, self.objects) -+ self._decrypt(key, self.objects, max_plaintext=max_plaintext) - except Exception as e: # pylint: disable=broad-except - if isinstance(e, JWKeyNotFound): - missingkey = True - ---- a/jwcrypto/tests.py 2024-03-06 16:44:22.000000000 -0300 -+++ b/jwcrypto/tests.py 2026-04-15 23:39:19.770346328 -0300 -@@ -2124,18 +2124,36 @@ - enc = jwe.JWE(payload.encode('utf-8'), - recipient=key, - protected=protected_header).serialize(compact=True) -+ check = jwe.JWE() -+ check.deserialize(enc) - with self.assertRaises(jwe.InvalidJWEData): -- check = jwe.JWE() -- check.deserialize(enc) - check.decrypt(key) - -- defmax = jwe.default_max_compressed_size -- jwe.default_max_compressed_size = 1000000000 -- # ensure we can eraise the limit and decrypt -- check = jwe.JWE() -- check.deserialize(enc) -+ # raise the limit on compressed token size so we can decrypt -+ defcmax = jwe.default_max_compressed_size -+ jwe.default_max_compressed_size = 10 * 1024 * 1024 -+ -+ # this passes if we explicitly allow larger plaintext via API -+ check.decrypt(key, max_plaintext=1000000000) -+ -+ # this will still fail because the max plaintext length clamps this -+ with self.assertRaises(jwe.InvalidJWEData): -+ check.decrypt(key) -+ -+ # ensure that now this can work with changed defaults -+ defpmax = jwe.default_max_plaintext_size -+ jwe.default_max_plaintext_size = 1000000000 - check.decrypt(key) -- jwe.default_max_compressed_size = defmax -+ -+ # restore limits -+ jwe.default_max_compressed_size = defcmax -+ -+ # check that this fails the max compressed header limits -+ with self.assertRaises(jwe.InvalidJWEData): -+ check.decrypt(key) -+ -+ # restore plaintext limits -+ jwe.default_max_plaintext_size = defpmax - - - class JWATests(unittest.TestCase): diff --git a/python-jwcrypto.spec b/python-jwcrypto.spec index d6e8326..6eb6469 100644 --- a/python-jwcrypto.spec +++ b/python-jwcrypto.spec @@ -1,24 +1,22 @@ %global srcname jwcrypto Name: python-%{srcname} -Version: 1.5.6 +Version: 1.5.8 Release: %autorelease Summary: Implements JWK, JWS, JWE specifications using python-cryptography License: LGPL-3.0-or-later URL: https://github.com/latchset/%{srcname} Source0: https://github.com/latchset/%{srcname}/releases/download/v%{version}/%{srcname}-%{version}.tar.gz -Patch0: 0001-Limit-max-plaintext-size-for-JWE-decompression.patch BuildArch: noarch BuildRequires: python%{python3_pkgversion}-devel -BuildRequires: python%{python3_pkgversion}-setuptools -BuildRequires: python%{python3_pkgversion}-cryptography >= 2.3 +BuildRequires: pyproject-rpm-macros +BuildRequires: python%{python3_pkgversion}-pip +BuildRequires: python%{python3_pkgversion}-hatchling +BuildRequires: python%{python3_pkgversion}-cryptography >= 39.0.0 BuildRequires: python%{python3_pkgversion}-pytest BuildRequires: python%{python3_pkgversion}-typing-extensions -%if %{undefined rhel} -BuildRequires: python%{python3_pkgversion}-deprecated -%endif %description Implements JWK, JWS, JWE specifications using python-cryptography @@ -26,10 +24,7 @@ Implements JWK, JWS, JWE specifications using python-cryptography %package -n python%{python3_pkgversion}-%{srcname} Summary: Implements JWK, JWS, JWE specifications using python-cryptography -Requires: python%{python3_pkgversion}-cryptography >= 2.3 -%if %{undefined rhel} -Requires: python%{python3_pkgversion}-deprecated -%endif +Requires: python%{python3_pkgversion}-cryptography >= 39.0.0 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} %description -n python%{python3_pkgversion}-%{srcname} @@ -38,16 +33,10 @@ Implements JWK, JWS, JWE specifications using python-cryptography %prep %setup -q -n %{srcname}-%{version} -%patch -P 0 -p1 -%if %{defined rhel} -# avoid python-deprecated dependency -sed -i -e '/deprecated/d' setup.py %{srcname}.egg-info/requires.txt -sed -i -e '/^from deprecated/d' -e '/@deprecated/d' %{srcname}/*.py -%endif %build -%py3_build +%pyproject_wheel %check @@ -55,7 +44,7 @@ sed -i -e '/^from deprecated/d' -e '/@deprecated/d' %{srcname}/*.py %install -%py3_install +%pyproject_install rm -rf %{buildroot}%{_docdir}/%{srcname} rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/tests{,-cookbook}.py* @@ -66,7 +55,7 @@ rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tests{,-cookbook}.* %doc README.md %license LICENSE %{python3_sitelib}/%{srcname} -%{python3_sitelib}/%{srcname}-%{version}-py%{python3_version}.egg-info +%{python3_sitelib}/%{srcname}-%{version}.dist-info %changelog diff --git a/sources b/sources index 54b297b..9a796ae 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (jwcrypto-1.5.6.tar.gz) = 1db62cf247bc006f1737c4603b80e5ca87e1a3db3b3dc37183a9725a8b3cae4baba706b2ec596119877130ab4d56525a01fb9d7efca07e59811d78021aa7ebf5 +SHA512 (jwcrypto-1.5.8.tar.gz) = 34d1eaef37aa4c21fb645ad9a1be590b9586293dd74f82efdff420487b8a6ab1b24d410d14dc7fe032c07b15d838e4d4a64ad335f0e4650612d39df759fe4a68