8 changed files with 29 additions and 345 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,15 +1 @@
-/jwcrypto-0.2.0.tar.gz
+SOURCES/jwcrypto-0.5.0.tar.gz
 /jwcrypto-0.2.1.tar.gz
 /jwcrypto-0.3.0.tar.gz
 /jwcrypto-0.3.1.tar.gz
 /jwcrypto-0.3.2.tar.gz
 /jwcrypto-0.4.1.tar.gz
 /jwcrypto-0.4.2.tar.gz
 /jwcrypto-0.5.0.tar.gz
 /jwcrypto-0.6.0.tar.gz
 /jwcrypto-0.8.tar.gz
 /jwcrypto-0.9.1.tar.gz
 /jwcrypto-1.4.tar.gz
 /jwcrypto-1.4.1.tar.gz
 /jwcrypto-1.4.2.tar.gz
 /jwcrypto-1.5.6.tar.gz
--- a/.python-jwcrypto.metadata
+++ b/.python-jwcrypto.metadata
@ -0,0 +1 @@
 8eccc6fbeeee2fedc602998a7c7a97b8bd550e59 SOURCES/jwcrypto-0.5.0.tar.gz
--- a/0001-ignore-deprecated-annotation.patch
+++ b/0001-ignore-deprecated-annotation.patch
@ -1,40 +0,0 @@
 diff -Naur jwcrypto-1.5.6/jwcrypto/jwk.py jwcrypto-1.5.6-new/jwcrypto/jwk.py
 --- jwcrypto-1.5.6/jwcrypto/jwk.py	2024-02-07 13:52:39.000000000 -0300
 +++ jwcrypto-1.5.6-new/jwcrypto/jwk.py	2024-06-12 13:06:28.553972422 -0300
@@ -11,7 +11,15 @@
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.asymmetric import rsa
 -from typing_extensions import deprecated
 +try:
 +    from typing_extensions import deprecated
 +except ImportError:
 +    def deprecated(_fn, *args):
 +        def inner(func):
 +            return func
 +
 +        return inner
 +
 from jwcrypto.common import JWException
 from jwcrypto.common import base64url_decode, base64url_encode
 diff -Naur jwcrypto-1.5.6/jwcrypto/jwt.py jwcrypto-1.5.6-new/jwcrypto/jwt.py
 --- jwcrypto-1.5.6/jwcrypto/jwt.py	2024-02-07 13:52:39.000000000 -0300
 +++ jwcrypto-1.5.6-new/jwcrypto/jwt.py	2024-06-12 13:26:48.534696766 -0300
@@ -4,7 +4,15 @@
 import time
 import uuid
 -from typing_extensions import deprecated
 +try:
 +    from typing_extensions import deprecated
 +except ImportError:
 +    def deprecated(*args):
 +        def inner(func):
 +            return func
 +
 +        return inner
 +
 from jwcrypto.common import JWException, JWKeyNotFound
 from jwcrypto.common import json_decode, json_encode
--- a/0002-Limit-max-plaintext-size-for-JWE-decompression.patch
+++ b/0002-Limit-max-plaintext-size-for-JWE-decompression.patch
@ -1,153 +0,0 @@
 From 25db861d8b29434838669a94a843af03d29ea6ed Mon Sep 17 00:00:00 2001
 From: Simo Sorce <simo@redhat.com>
 Date: Mon, 6 Apr 2026 10:37:20 -0400
 Subject: [PATCH] Limit max plaintext size for JWE decompression
 This change introduces a maximum plaintext size limit (defaulting to 100MB)
 during JWE decryption and updates the decompression logic to enforce it safely
 using zlib.decompressobj. The decrypt method now accepts a max_plaintext
 parameter to allow overriding the default limit.
 This mitigates memory exhaustion and decompression bomb attacks when
 processing highly compressed malicious JWE payloads.
 Fixes CVE-2026-39373
 Signed-off-by: Simo Sorce <simo@redhat.com>
 ---
 jwcrypto/jwe.py   | 27 +++++++++++++++++++++------
 jwcrypto/tests.py | 34 ++++++++++++++++++++++++++--------
 2 files changed, 47 insertions(+), 14 deletions(-)
 diff --git a/jwcrypto/jwe.py b/jwcrypto/jwe.py
 index e01aa1d..7895928 100644
 --- a/jwcrypto/jwe.py
 +++ b/jwcrypto/jwe.py
@@ -12,7 +12,8 @@
 # Limit the amount of data we are willing to decompress by default.
 default_max_compressed_size = 256 * 1024
 -
 +# Limit the maximum plaintext size to 100MB by default.
 +default_max_plaintext_size = 100 * 1024 * 1024
 # RFC 7516 - 4.1
 # name: (description, supported?)
@@ -376,7 +377,7 @@ def _unwrap_decrypt(self, alg, enc, key, enckey, header,
         return data
     # FIXME: allow to specify which algorithms to accept as valid
 -    def _decrypt(self, key, ppe):
 +    def _decrypt(self, key, ppe, max_plaintext=default_max_plaintext_size):
         jh = self._get_jose_header(ppe.get('header', None))
@@ -434,19 +435,29 @@ def _decrypt(self, key, ppe):
                 raise InvalidJWEData(
                     'Compressed data exceeds maximum allowed'
                     'size' + f' ({default_max_compressed_size})')
 -            self.plaintext = zlib.decompress(data, -zlib.MAX_WBITS)
 +            do = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
 +            self.plaintext = do.decompress(data, max_plaintext)
 +            if do.unconsumed_tail or not do.eof:
 +                self.plaintext = None
 +                raise InvalidJWEData(
 +                    'Compressed data exceeds maximum allowed'
 +                    'output size' + f' ({max_plaintext})')
         elif compress is None:
             self.plaintext = data
         else:
             raise ValueError('Unknown compression')
 -    def decrypt(self, key):
 +    def decrypt(self, key, max_plaintext=0):
         """Decrypt a JWE token.
         :param key: The (:class:`jwcrypto.jwk.JWK`) decryption key.
         :param key: A (:class:`jwcrypto.jwk.JWK`) decryption key,
          or a (:class:`jwcrypto.jwk.JWKSet`) that contains a key indexed
          by the 'kid' header or (deprecated) a string containing a password.
 +        :param max_plaintext: Maximum plaintext size allowed, 0 means
 +         the library default applies. Application writers are recommended
 +         to set a limit here if they know what is the max plaintext size
 +         for their application.
         :raises InvalidJWEOperation: if the key is not a JWK object.
         :raises InvalidJWEData: if the ciphertext can't be decrypted or
@@ -454,6 +465,10 @@ def decrypt(self, key):
         :raises JWKeyNotFound: if key is a JWKSet and the key is not found.
         """
 +        self.plaintext = None
 +        if max_plaintext == 0:
 +            max_plaintext = default_max_plaintext_size
 +
         if 'ciphertext' not in self.objects:
             raise InvalidJWEOperation("No available ciphertext")
         self.decryptlog = []
@@ -462,14 +477,14 @@ def decrypt(self, key):
         if 'recipients' in self.objects:
             for rec in self.objects['recipients']:
                 try:
 -                    self._decrypt(key, rec)
 +                    self._decrypt(key, rec, max_plaintext=max_plaintext)
                 except Exception as e:  # pylint: disable=broad-except
                     if isinstance(e, JWKeyNotFound):
                         missingkey = True
                     self.decryptlog.append('Failed: [%s]' % repr(e))
         else:
             try:
 -                self._decrypt(key, self.objects)
 +                self._decrypt(key, self.objects, max_plaintext=max_plaintext)
             except Exception as e:  # pylint: disable=broad-except
                 if isinstance(e, JWKeyNotFound):
                     missingkey = True
 diff --git a/jwcrypto/tests.py b/jwcrypto/tests.py
 index cc612eb..3fc4b16 100644
 --- a/jwcrypto/tests.py
 +++ b/jwcrypto/tests.py
@@ -2124,18 +2124,36 @@ def test_jwe_decompression_max(self):
         enc = jwe.JWE(payload.encode('utf-8'),
                       recipient=key,
                       protected=protected_header).serialize(compact=True)
 +        check = jwe.JWE()
 +        check.deserialize(enc)
         with self.assertRaises(jwe.InvalidJWEData):
 -            check = jwe.JWE()
 -            check.deserialize(enc)
             check.decrypt(key)
 -        defmax = jwe.default_max_compressed_size
 -        jwe.default_max_compressed_size = 1000000000
 -        # ensure we can eraise the limit and decrypt
 -        check = jwe.JWE()
 -        check.deserialize(enc)
 +        # raise the limit on compressed token size so we can decrypt
 +        defcmax = jwe.default_max_compressed_size
 +        jwe.default_max_compressed_size = 10 * 1024 * 1024
 +
 +        # this passes if we explicitly allow larger plaintext via API
 +        check.decrypt(key, max_plaintext=1000000000)
 +
 +        # this will still fail because the max plaintext length clamps this
 +        with self.assertRaises(jwe.InvalidJWEData):
 +            check.decrypt(key)
 +
 +        # ensure that now this can work with changed defaults
 +        defpmax = jwe.default_max_plaintext_size
 +        jwe.default_max_plaintext_size = 1000000000
         check.decrypt(key)
 -        jwe.default_max_compressed_size = defmax
 +
 +        # restore limits
 +        jwe.default_max_compressed_size = defcmax
 +
 +        # check that this fails the max compressed header limits
 +        with self.assertRaises(jwe.InvalidJWEData):
 +            check.decrypt(key)
 +
 +        # restore plaintext limits
 +        jwe.default_max_plaintext_size = defpmax
 class JWATests(unittest.TestCase):
--- a/SPECS/python-jwcrypto.spec
+++ b/SPECS/python-jwcrypto.spec
@ -5,51 +5,42 @@
 %bcond_with python3
 %endif
-%if 0%{?fedora} > 31 || 0%{?rhel} > 7
+%if 0%{?rhel} > 7
 # Disable python2 build by default
 %bcond_with python2
 %else
 %bcond_without python2
 %endif
 # Disable auto-generation of python dependencies.
 %{?python_disable_dependency_generator}
 %global srcname jwcrypto
 Name:           python-%{srcname}
-Version:        1.5.6
+Version:        0.5.0
-Release:        3%{?dist}
+Release:        1.1%{?dist}
 Summary:        Implements JWK, JWS, JWE specifications using python-cryptography
 License:        LGPLv3+
 URL:            https://github.com/latchset/%{srcname}
 Source0:        https://github.com/latchset/%{srcname}/releases/download/v%{version}/%{srcname}-%{version}.tar.gz
 Patch1:         0001-ignore-deprecated-annotation.patch
 # Security fix for CVE-2026-39373
 Patch2:         0002-Limit-max-plaintext-size-for-JWE-decompression.patch
 BuildArch:      noarch
-%if 0%{?with_python2}
+%if %{with python2}
 BuildRequires:  python2-devel
 BuildRequires:  python2-setuptools
 BuildRequires:  python2-cryptography >= 1.5
 BuildRequires:  python2-pytest
 %endif
-
+%if %{with python3}
 %if 0%{?with_python3}
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-setuptools
-BuildRequires:  python%{python3_pkgversion}-cryptography >= 2.3
+BuildRequires:  python%{python3_pkgversion}-cryptography >= 1.5
 BuildRequires:  python%{python3_pkgversion}-pytest
 %endif
 %description
 Implements JWK, JWS, JWE specifications using python-cryptography
-
+%if %{with python2}
 %if 0%{?with_python2}
 %package -n python2-%{srcname}
 Summary:        Implements JWK,JWS,JWE specifications using python-cryptography
 Requires:       python2-cryptography >= 1.5
@ -59,11 +50,10 @@ Requires:       python2-cryptography >= 1.5
 Implements JWK, JWS, JWE specifications using python-cryptography
 %endif
-
+%if %{with python3}
 %if 0%{?with_python3}
 %package -n python%{python3_pkgversion}-%{srcname}
 Summary:        Implements JWK, JWS, JWE specifications using python-cryptography
-Requires:       python%{python3_pkgversion}-cryptography >= 2.3
+Requires:       python%{python3_pkgversion}-cryptography >= 1.5
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 %description -n python%{python3_pkgversion}-%{srcname}
@ -73,47 +63,40 @@ Implements JWK, JWS, JWE specifications using python-cryptography
 %prep
 %setup -q -n %{srcname}-%{version}
 %patch -P 1 -p 1
 %patch -P 2 -p 1
 %build
-%if 0%{?with_python2}
+%if %{with python2}
 %py2_build
 %endif
-%if 0%{?with_python3}
+%if %{with python3}
 %py3_build
 %endif
 %check
-%if 0%{?with_python2}
+%if %{with python2}
 %{__python2} -bb -m pytest %{srcname}/test*.py
 %endif
-%if 0%{?with_python3}
+%if %{with python3}
 %{__python3} -bb -m pytest %{srcname}/test*.py
 %endif
 %install
-%if 0%{?with_python2}
+%if %{with python2}
 %py2_install
 %endif
 %if 0%{?with_python3}
 %py3_install
 %endif
 rm -rf %{buildroot}%{_docdir}/%{srcname}
 %if 0%{?with_python2}
 rm -rf %{buildroot}%{python2_sitelib}/%{srcname}/tests{,-cookbook}.py*
 %endif
-%if 0%{?with_python3}
+%if %{with python3}
 %py3_install
 rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/tests{,-cookbook}.py*
 rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tests{,-cookbook}.*.py*
 %endif
 rm -rf %{buildroot}/usr/share/doc/jwcrypto
-
+%if %{with python2}
 %if 0%{?with_python2}
 %files -n python2-%{srcname}
 %doc README.md
 %license LICENSE
@ -121,7 +104,7 @@ rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tests{,-cookbook}.*
 %{python2_sitelib}/%{srcname}-%{version}-py%{python2_version}.egg-info
 %endif
-%if 0%{?with_python3}
+%if %{with python3}
 %files -n python%{python3_pkgversion}-%{srcname}
 %doc README.md
 %license LICENSE
@ -131,77 +114,18 @@ rm -rf %{buildroot}%{python3_sitelib}/%{srcname}/__pycache__/tests{,-cookbook}.*
 %changelog
-* Tue Apr 14 2026 Rafael Jeffman <rjeffman@redhat.com> - 1.5.6-3
+* Fri Jun 17 2022 Christian Heimes <cheimes@redhat.com> - 0.5.0-1.1
- Limit max plaintext size for JWE decompression
+- Bump dist to solve version sorting issue, fixes RHBZ#2097800
  Resolves: RHEL-166029
-* Fri Aug 09 2024 Rafael Jeffman <rjeffman@redhat.com> - 1.5.6-2
+* Thu Jun 28 2018 Christian Heimes <cheimes@redhat.com> - 0.5.0-1
 - Disable auto-generation of dependencies
  Related: RHEL-34809
 * Tue Jun 18 2024 Rafael Jeffman <rjeffman@redhat.com> - 1.5.6-1
 - Rebase to version 1.5.6
  Resolve: RHEL-34809
 * Thu Apr 04 2024 Rafael Jeffman <rjeffman@redhat.com> - 0.8-5
 - Address potential DoS with high compression ratio
  Resolves: RHEL-28698
 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.8-4
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.8-3
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Tue Dec 01 2020 Simo Sorce <simo@redhat.com> - 0.8-1
 - Sync with upstream release 0.8
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-9
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.6.0-8
 - Rebuilt for Python 3.9
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.6.0-6
 - Rebuilt for Python 3.8.0rc1 (#1748018)
 * Thu Aug 29 2019 Christian Heimes <cheimes@redhat.com> - 0.6.0-5
 - Remove Python 2 subpackages from F32+
 - Resolves: RHBZ #1746760
 * Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.6.0-4
 - Rebuilt for Python 3.8
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Mon Nov 05 2018 Christian Heimes <cheimes@redhat.com> - 0.6.0-1
 - New upstream release 0.6.0
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 0.5.0-2
 - Rebuilt for Python 3.7
 * Wed Jun 27 2018 Christian Heimes <cheimes@redhat.com> - 0.5.0-1
 - New upstream release 0.5.0
 - Fixes Coverity scan issue
-* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.4.2-5
+* Mon Apr 16 2018 Christian Heimes <cheimes@redhat.com> - 0.4.2-5
- Rebuilt for Python 3.7
+- Drop Python 2 subpackages from RHEL 8, fixes RHBZ#1567152
-* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.2-4
+* Thu Nov 23 2017 Christian Heimes <cheimes@redhat.com> - 0.4.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+- Build Python 3 package on RHEL > 7, fixes RHBZ#1516813
 * Wed Aug 02 2017 Christian Heimes <cheimes@redhat.com> - 0.4.2-3
 - Run tests with bytes warning
--- a/gating.yaml
+++ b/gating.yaml
@ -1,7 +0,0 @@
 # recipients: abokovoy, frenaud, kaleem, ftrivino, cheimes
 --- !Policy
 product_versions:
  - rhel-9
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/1
+++ b/1
@ -1 +0,0 @@
 SHA512 (jwcrypto-1.5.6.tar.gz) = 1db62cf247bc006f1737c4603b80e5ca87e1a3db3b3dc37183a9725a8b3cae4baba706b2ec596119877130ab4d56525a01fb9d7efca07e59811d78021aa7ebf5
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -1,26 +0,0 @@
 ---
 - hosts: localhost
  tags:
    - classic
  pre_tasks:
  - name: Enable CRB for python3-pytest on 1minutetip
    ini_file:
      path: /etc/yum.repos.d/rhel.repo
      section: rhel-CRB
      option: enabled
      value: "1"
      create: no
    ignore_errors: yes
  roles:
  - role: standard-test-source
  - role: standard-test-basic
    required_packages:
      - python3-jwcrypto
      - python3-pytest
    tests:
      - unittests:
          dir: "source"
          # remove jwcrypto Python files to run tests with packages code
          run: >-
            rm -rf jwcrypto/j*.py jwcrypto/__init__.py jwcrypto/__pycache__ &&
            python3 -m pytest jwcrypto/test*.py
		`@ -0,0 +1 @@`
							`8eccc6fbeeee2fedc602998a7c7a97b8bd550e59 SOURCES/jwcrypto-0.5.0.tar.gz`
		`@ -1 +0,0 @@`
			`SHA512 (jwcrypto-1.5.6.tar.gz) = 1db62cf247bc006f1737c4603b80e5ca87e1a3db3b3dc37183a9725a8b3cae4baba706b2ec596119877130ab4d56525a01fb9d7efca07e59811d78021aa7ebf5`