Compare commits
No commits in common. "c8-beta" and "0d9288650012fd4fbcc79f74803b46fc1be92944" have entirely different histories.
c8-beta
...
0d92886500
|
@ -0,0 +1 @@
|
|||
1
|
|
@ -1,2 +1,2 @@
|
|||
SOURCES/cryptography-37.0.2-vendor.tar.bz2
|
||||
SOURCES/cryptography-37.0.2.tar.gz
|
||||
/cryptography-37.0.2-vendor.tar.bz2
|
||||
/cryptography-37.0.2.tar.gz
|
||||
|
|
|
@ -1,2 +0,0 @@
|
|||
eca566e4bf80dca2c2619c08ff1ae41d2c326e40 SOURCES/cryptography-37.0.2-vendor.tar.bz2
|
||||
b0a31457545b06b8baa32162a45399f79aabe58d SOURCES/cryptography-37.0.2.tar.gz
|
|
@ -0,0 +1,59 @@
|
|||
# PyCA cryptography
|
||||
|
||||
https://cryptography.io/en/latest/
|
||||
|
||||
## Packaging python-cryptography
|
||||
|
||||
The example assumes
|
||||
|
||||
* Fedora Rawhide (f34)
|
||||
* PyCA cryptography release ``3.4``
|
||||
* Update Bugzilla issue is ``RHBZ#00000001``
|
||||
|
||||
### Build new python-cryptography
|
||||
|
||||
Switch and update branch
|
||||
|
||||
```shell
|
||||
fedpkg switch-branch rawhide
|
||||
fedpkg pull
|
||||
```
|
||||
|
||||
Bump version and get sources
|
||||
|
||||
```shell
|
||||
rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography.spec
|
||||
spectool -gf python-cryptography.spec
|
||||
```
|
||||
|
||||
Upload new source
|
||||
|
||||
```shell
|
||||
fedpkg new-sources cryptography-3.4.tar.gz
|
||||
```
|
||||
|
||||
Commit changes
|
||||
|
||||
```shell
|
||||
fedpkg commit --clog
|
||||
fedpkg push
|
||||
```
|
||||
|
||||
Build
|
||||
|
||||
```shell
|
||||
fedpkg build
|
||||
```
|
||||
|
||||
## RHEL/CentOS builds
|
||||
|
||||
RHEL and CentOS use a different approach for Rust crates packaging than
|
||||
Fedora. On Fedora Rust dependencies are packaged as RPMs, e.g.
|
||||
``rust-pyo3+default-devel`` RPM. These packages don't exist on RHEL and
|
||||
CentOS. Instead python-cryptography uses a tar ball with vendored crates.
|
||||
The tar ball is created by a script:
|
||||
|
||||
```shell
|
||||
./vendor_rust.py
|
||||
rhpkg upload cryptography-3.4-vendor.tar.bz2
|
||||
```
|
|
@ -1,116 +0,0 @@
|
|||
From f7aeb6d308004e078c11f6aaa1d5c6d1a0259146 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Gaynor <alex.gaynor@gmail.com>
|
||||
Date: Mon, 27 Nov 2023 13:08:17 -0500
|
||||
Subject: [PATCH 1/2] Fixed crash when loading a PKCS#7 bundle with no
|
||||
certificates (#9926)
|
||||
|
||||
---
|
||||
src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
|
||||
tests/hazmat/primitives/test_pkcs7.py | 6 ++++++
|
||||
2 files changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
index bf34946..c7e95e5 100644
|
||||
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
@@ -2356,9 +2356,12 @@ class Backend:
|
||||
_Reasons.UNSUPPORTED_SERIALIZATION,
|
||||
)
|
||||
|
||||
+ certs: list[x509.Certificate] = []
|
||||
+ if p7.d.sign == self._ffi.NULL:
|
||||
+ return certs
|
||||
+
|
||||
sk_x509 = p7.d.sign.cert
|
||||
num = self._lib.sk_X509_num(sk_x509)
|
||||
- certs = []
|
||||
for i in range(num):
|
||||
x509 = self._lib.sk_X509_value(sk_x509, i)
|
||||
self.openssl_assert(x509 != self._ffi.NULL)
|
||||
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
|
||||
index 138bc0f..b2d9757 100644
|
||||
--- a/tests/hazmat/primitives/test_pkcs7.py
|
||||
+++ b/tests/hazmat/primitives/test_pkcs7.py
|
||||
@@ -89,6 +89,12 @@ class TestPKCS7Loading:
|
||||
mode="rb",
|
||||
)
|
||||
|
||||
+ def test_load_pkcs7_empty_certificates(self):
|
||||
+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
|
||||
+
|
||||
+ certificates = pkcs7.load_der_pkcs7_certificates(der)
|
||||
+ assert certificates == []
|
||||
+
|
||||
|
||||
# We have no public verification API and won't be adding one until we get
|
||||
# some requirements from users so this function exists to give us basic
|
||||
--
|
||||
2.43.0
|
||||
|
||||
|
||||
From d1f3d2caa8001aa8762117dd1df710514a633c39 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Kehrer <paul.l.kehrer@gmail.com>
|
||||
Date: Fri, 1 Dec 2023 13:26:38 -0600
|
||||
Subject: [PATCH 2/2] raise an exception instead of returning an empty list for
|
||||
pkcs7 cert loading (#9947)
|
||||
|
||||
* raise an exception instead of returning an empty list
|
||||
|
||||
as davidben points out in #9926 we are calling a specific load
|
||||
certificates function and an empty value doesn't necessarily mean empty
|
||||
because PKCS7 contains multitudes. erroring is more correct.
|
||||
|
||||
* changelog
|
||||
|
||||
* Update CHANGELOG.rst
|
||||
|
||||
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
||||
|
||||
---------
|
||||
|
||||
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
||||
---
|
||||
src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
|
||||
tests/hazmat/primitives/test_pkcs7.py | 4 ++--
|
||||
2 files changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
index c7e95e5..f8a2f5a 100644
|
||||
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
@@ -2356,12 +2356,15 @@ class Backend:
|
||||
_Reasons.UNSUPPORTED_SERIALIZATION,
|
||||
)
|
||||
|
||||
- certs: list[x509.Certificate] = []
|
||||
if p7.d.sign == self._ffi.NULL:
|
||||
- return certs
|
||||
+ raise ValueError(
|
||||
+ "The provided PKCS7 has no certificate data, but a cert "
|
||||
+ "loading method was called."
|
||||
+ )
|
||||
|
||||
sk_x509 = p7.d.sign.cert
|
||||
num = self._lib.sk_X509_num(sk_x509)
|
||||
+ certs: list[x509.Certificate] = []
|
||||
for i in range(num):
|
||||
x509 = self._lib.sk_X509_value(sk_x509, i)
|
||||
self.openssl_assert(x509 != self._ffi.NULL)
|
||||
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
|
||||
index b2d9757..7b092b7 100644
|
||||
--- a/tests/hazmat/primitives/test_pkcs7.py
|
||||
+++ b/tests/hazmat/primitives/test_pkcs7.py
|
||||
@@ -92,8 +92,8 @@ class TestPKCS7Loading:
|
||||
def test_load_pkcs7_empty_certificates(self):
|
||||
der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
|
||||
|
||||
- certificates = pkcs7.load_der_pkcs7_certificates(der)
|
||||
- assert certificates == []
|
||||
+ with pytest.raises(ValueError):
|
||||
+ pkcs7.load_der_pkcs7_certificates(der)
|
||||
|
||||
|
||||
# We have no public verification API and won't be adding one until we get
|
||||
--
|
||||
2.43.0
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
--- !Policy
|
||||
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
|
@ -0,0 +1,51 @@
|
|||
execute:
|
||||
how: tmt
|
||||
discover:
|
||||
how: shell
|
||||
dist-git-source: true
|
||||
tests:
|
||||
- name: bundled tests - Prepare part
|
||||
require:
|
||||
- python3.11-pytest
|
||||
- python3.11-cryptography
|
||||
- python3.11-pip
|
||||
test: |
|
||||
cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
|
||||
rm -rf tests/hypothesis/ tests/test_fernet.py \
|
||||
tests/hazmat/primitives/test_scrypt.py &&
|
||||
cat $TMT_TREE/conftest-skipper.py >> tests/conftest.py &&
|
||||
sed -i -e 's/ --benchmark-disable//' pyproject.toml &&
|
||||
pip3.11 install pytz==2022.7.1 pytest-subtests==0.9.0
|
||||
- name: unittests-basic
|
||||
test: |
|
||||
cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
|
||||
PYTHONPATH=./vectors pytest-3.11 tests/test_*.py
|
||||
- name: unittests-x509
|
||||
test: |
|
||||
cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
|
||||
PYTHONPATH=./vectors OPENSSL_ENABLE_SHA1_SIGNATURES=yes pytest-3.11 tests/x509/
|
||||
- name: unittests-hazmat
|
||||
test: |
|
||||
cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
|
||||
PYTHONPATH=./vectors pytest-3.11 -k 'not test_openssl_memleak' tests/hazmat/backends/ tests/hazmat/bindings/
|
||||
- name: unittests-primitives-aead
|
||||
test: |
|
||||
cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
|
||||
PYTHONPATH=./vectors pytest-3.11 tests/hazmat/primitives/test_aead.py
|
||||
- name: unittests-primitives-aes
|
||||
test: |
|
||||
cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
|
||||
PYTHONPATH=./vectors pytest-3.11 tests/hazmat/primitives/test_aes.py::TestAESModeCBC \
|
||||
tests/hazmat/primitives/test_aes.py::TestAESModeCTR \
|
||||
tests/hazmat/primitives/test_aes_gcm.py::TestAESModeGCM
|
||||
- name: unittests-primitives-a-e
|
||||
test: |
|
||||
cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
|
||||
PYTHONPATH=./vectors pytest-3.11 tests/hazmat/primitives/test_arc4.py \
|
||||
tests/hazmat/primitives/test_asym_utils.py \
|
||||
tests/hazmat/primitives/test_[b-e]*.py
|
||||
- name: unittests-primitives-f-z
|
||||
test: |
|
||||
cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
|
||||
PYTHONPATH=./vectors OPENSSL_ENABLE_SHA1_SIGNATURES=yes pytest-3.11 tests/hazmat/primitives/test_[f-z]*.py \
|
||||
tests/hazmat/primitives/twofactor
|
|
@ -8,7 +8,7 @@
|
|||
|
||||
Name: python%{python3_pkgversion}-%{srcname}
|
||||
Version: 37.0.2
|
||||
Release: 6%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Summary: PyCA's cryptography library
|
||||
|
||||
# We bundle various crates with cryptography which is dual licensed
|
||||
|
@ -68,13 +68,6 @@ Source2: conftest-skipper.py
|
|||
# Resolved upstream: https://github.com/pyca/cryptography/commit/94a50a9731f35405f0357fa5f3b177d46a726ab3
|
||||
Patch0: CVE-2023-23931.patch
|
||||
|
||||
# Security fix for CVE-2023-49083: NULL-dereference when loading PKCS7 certificates
|
||||
# Bugzilla tracker: https://bugzilla.redhat.com/show_bug.cgi?id=2255331
|
||||
# Resolved upstream:
|
||||
# https://github.com/pyca/cryptography/commit/1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff
|
||||
# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
|
||||
Patch1: CVE-2023-49083.patch
|
||||
|
||||
ExclusiveArch: %{rust_arches}
|
||||
|
||||
BuildRequires: openssl-devel
|
||||
|
@ -177,7 +170,7 @@ cd ../..
|
|||
%endif
|
||||
|
||||
%build
|
||||
export RUSTFLAGS="%build_rustflags"
|
||||
export RUSTFLAGS="%__global_rustflags"
|
||||
%py3_build
|
||||
|
||||
%install
|
||||
|
@ -217,10 +210,6 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
|
|||
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
|
||||
|
||||
%changelog
|
||||
* Fri Jan 26 2024 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-6
|
||||
- Security fix for CVE-2023-49083
|
||||
- Resolves: RHEL-19831
|
||||
|
||||
* Thu Feb 23 2023 Charalampos Stratakis <cstratak@redhat.com> - 37.0.2-5
|
||||
- Bump release for rebuild
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
SHA512 (cryptography-37.0.2-vendor.tar.bz2) = d100fff9406063c7eb1d0caf7f389c15e49715928ae6c9ec7fd60e97f363ea3590d145e8e7f74958ce4857f60e9e4cd28ac69ef44f9e0dc0730e5d08b073bd9b
|
||||
SHA512 (cryptography-37.0.2.tar.gz) = ca6b1e983e79a130b47b1f7cdabeb6041a6102f57483f0820f7bcc6a67e0112b7691f09caa7f391de5aed0a2fee26f394688823da2cd4c8beab553732ac6a305
|
|
@ -0,0 +1,112 @@
|
|||
#!/usr/bin/python3
|
||||
"""Vendor PyCA cryptography's Rust crates
|
||||
"""
|
||||
import argparse
|
||||
import os
|
||||
import re
|
||||
import tarfile
|
||||
import tempfile
|
||||
import shutil
|
||||
import subprocess
|
||||
import sys
|
||||
|
||||
VENDOR_DIR = "vendor"
|
||||
CARGO_TOML = "src/rust/Cargo.toml"
|
||||
RE_VERSION = re.compile("Version:\s*(.*)")
|
||||
|
||||
parser = argparse.ArgumentParser(description="Vendor Rust packages")
|
||||
parser.add_argument(
|
||||
"--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
|
||||
)
|
||||
|
||||
|
||||
def cargo(cmd, manifest):
|
||||
args = ["cargo", cmd, f"--manifest-path={manifest}"]
|
||||
return subprocess.check_call(
|
||||
args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
|
||||
)
|
||||
|
||||
|
||||
def tar_reset(tarinfo):
|
||||
"""Reset user, group, mtime, and mode to create reproducible tar"""
|
||||
tarinfo.uid = 0
|
||||
tarinfo.gid = 0
|
||||
tarinfo.uname = "root"
|
||||
tarinfo.gname = "root"
|
||||
tarinfo.mtime = 0
|
||||
if tarinfo.type == tarfile.DIRTYPE:
|
||||
tarinfo.mode = 0o755
|
||||
else:
|
||||
tarinfo.mode = 0o644
|
||||
if tarinfo.pax_headers:
|
||||
raise ValueError(tarinfo.name, tarinfo.pax_headers)
|
||||
return tarinfo
|
||||
|
||||
|
||||
def tar_reproducible(tar, basedir):
|
||||
"""Create reproducible tar file"""
|
||||
|
||||
content = [basedir]
|
||||
for root, dirs, files in os.walk(basedir):
|
||||
for directory in dirs:
|
||||
content.append(os.path.join(root, directory))
|
||||
for filename in files:
|
||||
content.append(os.path.join(root, filename))
|
||||
content.sort()
|
||||
|
||||
for fn in content:
|
||||
tar.add(fn, filter=tar_reset, recursive=False, arcname=fn)
|
||||
|
||||
|
||||
def main():
|
||||
args = parser.parse_args()
|
||||
spec = args.spec
|
||||
|
||||
# change cwd to work in bundle directory
|
||||
here = os.path.dirname(os.path.abspath(spec))
|
||||
os.chdir(here)
|
||||
|
||||
# extract version number from bundle name
|
||||
with open(spec) as f:
|
||||
for line in f:
|
||||
mo = RE_VERSION.search(line)
|
||||
if mo is not None:
|
||||
version = mo.group(1)
|
||||
break
|
||||
else:
|
||||
raise ValueError(f"Cannot find version in {spec}")
|
||||
|
||||
bundle_file = f"cryptography-{version}.tar.gz"
|
||||
vendor_file = f"cryptography-{version}-vendor.tar.bz2"
|
||||
|
||||
# remove existing vendor directory and file
|
||||
if os.path.isdir(VENDOR_DIR):
|
||||
shutil.rmtree(VENDOR_DIR)
|
||||
try:
|
||||
os.unlink(vendor_file)
|
||||
except FileNotFoundError:
|
||||
pass
|
||||
|
||||
print(f"Getting crates for {bundle_file}", file=sys.stderr)
|
||||
|
||||
# extract tar file in tempdir
|
||||
# fetch and vendor Rust crates
|
||||
with tempfile.TemporaryDirectory(dir=here) as tmp:
|
||||
with tarfile.open(bundle_file) as tar:
|
||||
tar.extractall(path=tmp)
|
||||
manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
|
||||
cargo("fetch", manifest)
|
||||
cargo("vendor", manifest)
|
||||
|
||||
print("\nCreating tar ball...", file=sys.stderr)
|
||||
with tarfile.open(vendor_file, "x:bz2") as tar:
|
||||
tar_reproducible(tar, VENDOR_DIR)
|
||||
|
||||
# remove vendor dir
|
||||
shutil.rmtree(VENDOR_DIR)
|
||||
|
||||
parser.exit(0, f"Created {vendor_file}\n")
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
Loading…
Reference in New Issue