Rebase to 1.5.8
Resolves: RHEL-168727 Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This commit is contained in:
parent
4c6c2f53c0
commit
0feb2bcd2a
1
.gitignore
vendored
1
.gitignore
vendored
@ -13,3 +13,4 @@
|
|||||||
/jwcrypto-1.4.1.tar.gz
|
/jwcrypto-1.4.1.tar.gz
|
||||||
/jwcrypto-1.4.2.tar.gz
|
/jwcrypto-1.4.2.tar.gz
|
||||||
/jwcrypto-1.5.6.tar.gz
|
/jwcrypto-1.5.6.tar.gz
|
||||||
|
/jwcrypto-1.5.8.tar.gz
|
||||||
|
|||||||
@ -1,129 +0,0 @@
|
|||||||
--- a/jwcrypto/jwe.py 2024-03-06 16:44:22.000000000 -0300
|
|
||||||
+++ b/jwcrypto/jwe.py 2026-04-15 23:39:19.769727604 -0300
|
|
||||||
@@ -12,7 +12,8 @@
|
|
||||||
|
|
||||||
# Limit the amount of data we are willing to decompress by default.
|
|
||||||
default_max_compressed_size = 256 * 1024
|
|
||||||
-
|
|
||||||
+# Limit the maximum plaintext size to 100MB by default.
|
|
||||||
+default_max_plaintext_size = 100 * 1024 * 1024
|
|
||||||
|
|
||||||
# RFC 7516 - 4.1
|
|
||||||
# name: (description, supported?)
|
|
||||||
@@ -371,7 +372,7 @@
|
|
||||||
return data
|
|
||||||
|
|
||||||
# FIXME: allow to specify which algorithms to accept as valid
|
|
||||||
- def _decrypt(self, key, ppe):
|
|
||||||
+ def _decrypt(self, key, ppe, max_plaintext=default_max_plaintext_size):
|
|
||||||
|
|
||||||
jh = self._get_jose_header(ppe.get('header', None))
|
|
||||||
|
|
||||||
@@ -429,19 +430,29 @@
|
|
||||||
raise InvalidJWEData(
|
|
||||||
'Compressed data exceeds maximum allowed'
|
|
||||||
'size' + f' ({default_max_compressed_size})')
|
|
||||||
- self.plaintext = zlib.decompress(data, -zlib.MAX_WBITS)
|
|
||||||
+ do = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
|
|
||||||
+ self.plaintext = do.decompress(data, max_plaintext)
|
|
||||||
+ if do.unconsumed_tail or not do.eof:
|
|
||||||
+ self.plaintext = None
|
|
||||||
+ raise InvalidJWEData(
|
|
||||||
+ 'Compressed data exceeds maximum allowed'
|
|
||||||
+ 'output size' + f' ({max_plaintext})')
|
|
||||||
elif compress is None:
|
|
||||||
self.plaintext = data
|
|
||||||
else:
|
|
||||||
raise ValueError('Unknown compression')
|
|
||||||
|
|
||||||
- def decrypt(self, key):
|
|
||||||
+ def decrypt(self, key, max_plaintext=0):
|
|
||||||
"""Decrypt a JWE token.
|
|
||||||
|
|
||||||
:param key: The (:class:`jwcrypto.jwk.JWK`) decryption key.
|
|
||||||
:param key: A (:class:`jwcrypto.jwk.JWK`) decryption key,
|
|
||||||
or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed
|
|
||||||
by the 'kid' header or (deprecated) a string containing a password.
|
|
||||||
+ :param max_plaintext: Maximum plaintext size allowed, 0 means
|
|
||||||
+ the library default applies. Application writers are recommended
|
|
||||||
+ to set a limit here if they know what is the max plaintext size
|
|
||||||
+ for their application.
|
|
||||||
|
|
||||||
:raises InvalidJWEOperation: if the key is not a JWK object.
|
|
||||||
:raises InvalidJWEData: if the ciphertext can't be decrypted or
|
|
||||||
@@ -449,6 +460,10 @@
|
|
||||||
:raises JWKeyNotFound: if key is a JWKSet and the key is not found.
|
|
||||||
"""
|
|
||||||
|
|
||||||
+ self.plaintext = None
|
|
||||||
+ if max_plaintext == 0:
|
|
||||||
+ max_plaintext = default_max_plaintext_size
|
|
||||||
+
|
|
||||||
if 'ciphertext' not in self.objects:
|
|
||||||
raise InvalidJWEOperation("No available ciphertext")
|
|
||||||
self.decryptlog = []
|
|
||||||
@@ -457,14 +472,14 @@
|
|
||||||
if 'recipients' in self.objects:
|
|
||||||
for rec in self.objects['recipients']:
|
|
||||||
try:
|
|
||||||
- self._decrypt(key, rec)
|
|
||||||
+ self._decrypt(key, rec, max_plaintext=max_plaintext)
|
|
||||||
except Exception as e: # pylint: disable=broad-except
|
|
||||||
if isinstance(e, JWKeyNotFound):
|
|
||||||
missingkey = True
|
|
||||||
self.decryptlog.append('Failed: [%s]' % repr(e))
|
|
||||||
else:
|
|
||||||
try:
|
|
||||||
- self._decrypt(key, self.objects)
|
|
||||||
+ self._decrypt(key, self.objects, max_plaintext=max_plaintext)
|
|
||||||
except Exception as e: # pylint: disable=broad-except
|
|
||||||
if isinstance(e, JWKeyNotFound):
|
|
||||||
missingkey = True
|
|
||||||
|
|
||||||
--- a/jwcrypto/tests.py 2024-03-06 16:44:22.000000000 -0300
|
|
||||||
+++ b/jwcrypto/tests.py 2026-04-15 23:39:19.770346328 -0300
|
|
||||||
@@ -2124,18 +2124,36 @@
|
|
||||||
enc = jwe.JWE(payload.encode('utf-8'),
|
|
||||||
recipient=key,
|
|
||||||
protected=protected_header).serialize(compact=True)
|
|
||||||
+ check = jwe.JWE()
|
|
||||||
+ check.deserialize(enc)
|
|
||||||
with self.assertRaises(jwe.InvalidJWEData):
|
|
||||||
- check = jwe.JWE()
|
|
||||||
- check.deserialize(enc)
|
|
||||||
check.decrypt(key)
|
|
||||||
|
|
||||||
- defmax = jwe.default_max_compressed_size
|
|
||||||
- jwe.default_max_compressed_size = 1000000000
|
|
||||||
- # ensure we can eraise the limit and decrypt
|
|
||||||
- check = jwe.JWE()
|
|
||||||
- check.deserialize(enc)
|
|
||||||
+ # raise the limit on compressed token size so we can decrypt
|
|
||||||
+ defcmax = jwe.default_max_compressed_size
|
|
||||||
+ jwe.default_max_compressed_size = 10 * 1024 * 1024
|
|
||||||
+
|
|
||||||
+ # this passes if we explicitly allow larger plaintext via API
|
|
||||||
+ check.decrypt(key, max_plaintext=1000000000)
|
|
||||||
+
|
|
||||||
+ # this will still fail because the max plaintext length clamps this
|
|
||||||
+ with self.assertRaises(jwe.InvalidJWEData):
|
|
||||||
+ check.decrypt(key)
|
|
||||||
+
|
|
||||||
+ # ensure that now this can work with changed defaults
|
|
||||||
+ defpmax = jwe.default_max_plaintext_size
|
|
||||||
+ jwe.default_max_plaintext_size = 1000000000
|
|
||||||
check.decrypt(key)
|
|
||||||
- jwe.default_max_compressed_size = defmax
|
|
||||||
+
|
|
||||||
+ # restore limits
|
|
||||||
+ jwe.default_max_compressed_size = defcmax
|
|
||||||
+
|
|
||||||
+ # check that this fails the max compressed header limits
|
|
||||||
+ with self.assertRaises(jwe.InvalidJWEData):
|
|
||||||
+ check.decrypt(key)
|
|
||||||
+
|
|
||||||
+ # restore plaintext limits
|
|
||||||
+ jwe.default_max_plaintext_size = defpmax
|
|
||||||
|
|
||||||
|
|
||||||
class JWATests(unittest.TestCase):
|
|
||||||
@ -1,24 +1,22 @@
|
|||||||
%global srcname jwcrypto
|
%global srcname jwcrypto
|
||||||
|
|
||||||
Name: python-%{srcname}
|
Name: python-%{srcname}
|
||||||
Version: 1.5.6
|
Version: 1.5.8
|
||||||
Release: %autorelease
|
Release: %autorelease
|
||||||
Summary: Implements JWK, JWS, JWE specifications using python-cryptography
|
Summary: Implements JWK, JWS, JWE specifications using python-cryptography
|
||||||
|
|
||||||
License: LGPL-3.0-or-later
|
License: LGPL-3.0-or-later
|
||||||
URL: https://github.com/latchset/%{srcname}
|
URL: https://github.com/latchset/%{srcname}
|
||||||
Source0: https://github.com/latchset/%{srcname}/releases/download/v%{version}/%{srcname}-%{version}.tar.gz
|
Source0: https://github.com/latchset/%{srcname}/releases/download/v%{version}/%{srcname}-%{version}.tar.gz
|
||||||
Patch0: 0001-Limit-max-plaintext-size-for-JWE-decompression.patch
|
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
BuildRequires: python%{python3_pkgversion}-devel
|
BuildRequires: python%{python3_pkgversion}-devel
|
||||||
BuildRequires: python%{python3_pkgversion}-setuptools
|
BuildRequires: pyproject-rpm-macros
|
||||||
BuildRequires: python%{python3_pkgversion}-cryptography >= 2.3
|
BuildRequires: python%{python3_pkgversion}-pip
|
||||||
|
BuildRequires: python%{python3_pkgversion}-hatchling
|
||||||
|
BuildRequires: python%{python3_pkgversion}-cryptography >= 39.0.0
|
||||||
BuildRequires: python%{python3_pkgversion}-pytest
|
BuildRequires: python%{python3_pkgversion}-pytest
|
||||||
BuildRequires: python%{python3_pkgversion}-typing-extensions
|
BuildRequires: python%{python3_pkgversion}-typing-extensions
|
||||||
%if %{undefined rhel}
|
|
||||||
BuildRequires: python%{python3_pkgversion}-deprecated
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Implements JWK, JWS, JWE specifications using python-cryptography
|
Implements JWK, JWS, JWE specifications using python-cryptography
|
||||||
@ -26,10 +24,7 @@ Implements JWK, JWS, JWE specifications using python-cryptography
|
|||||||
|
|
||||||
%package -n python%{python3_pkgversion}-%{srcname}
|
%package -n python%{python3_pkgversion}-%{srcname}
|
||||||
Summary: Implements JWK, JWS, JWE specifications using python-cryptography
|
Summary: Implements JWK, JWS, JWE specifications using python-cryptography
|
||||||
Requires: python%{python3_pkgversion}-cryptography >= 2.3
|
Requires: python%{python3_pkgversion}-cryptography >= 39.0.0
|
||||||
%if %{undefined rhel}
|
|
||||||
Requires: python%{python3_pkgversion}-deprecated
|
|
||||||
%endif
|
|
||||||
%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
|
%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
|
||||||
|
|
||||||
%description -n python%{python3_pkgversion}-%{srcname}
|
%description -n python%{python3_pkgversion}-%{srcname}
|
||||||
@ -38,16 +33,10 @@ Implements JWK, JWS, JWE specifications using python-cryptography
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n %{srcname}-%{version}
|
%setup -q -n %{srcname}-%{version}
|
||||||
%patch -P 0 -p1
|
|
||||||
%if %{defined rhel}
|
|
||||||
# avoid python-deprecated dependency
|
|
||||||
sed -i -e '/deprecated/d' setup.py %{srcname}.egg-info/requires.txt
|
|
||||||
sed -i -e '/^from deprecated/d' -e '/@deprecated/d' %{srcname}/*.py
|
|
||||||
%endif
|
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%py3_build
|
%pyproject_wheel
|
||||||
|
|
||||||
|
|
||||||
%check
|
%check
|
||||||
@ -55,7 +44,7 @@ sed -i -e '/^from deprecated/d' -e '/@deprecated/d' %{srcname}/*.py
|
|||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%py3_install
|
%pyproject_install
|
||||||
|
|
||||||
rm -rf %{buildroot}%{_docdir}/%{srcname}
|
rm -rf %{buildroot}%{_docdir}/%{srcname}
|
||||||
rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/tests{,-cookbook}.py*
|
rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/tests{,-cookbook}.py*
|
||||||
@ -66,7 +55,7 @@ rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tests{,-cookbook}.*
|
|||||||
%doc README.md
|
%doc README.md
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%{python3_sitelib}/%{srcname}
|
%{python3_sitelib}/%{srcname}
|
||||||
%{python3_sitelib}/%{srcname}-%{version}-py%{python3_version}.egg-info
|
%{python3_sitelib}/%{srcname}-%{version}.dist-info
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
|||||||
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (jwcrypto-1.5.6.tar.gz) = 1db62cf247bc006f1737c4603b80e5ca87e1a3db3b3dc37183a9725a8b3cae4baba706b2ec596119877130ab4d56525a01fb9d7efca07e59811d78021aa7ebf5
|
SHA512 (jwcrypto-1.5.8.tar.gz) = 34d1eaef37aa4c21fb645ad9a1be590b9586293dd74f82efdff420487b8a6ab1b24d410d14dc7fe032c07b15d838e4d4a64ad335f0e4650612d39df759fe4a68
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user