import CS python3.12-cryptography-41.0.7-1.el8
This commit is contained in:
commit
3460772472
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
SOURCES/cryptography-41.0.7-vendor.tar.bz2
|
||||
SOURCES/cryptography-41.0.7.tar.gz
|
2
.python3.12-cryptography.metadata
Normal file
2
.python3.12-cryptography.metadata
Normal file
@ -0,0 +1,2 @@
|
||||
94ad9fc97d92aae28d40392189655dbf932a1803 SOURCES/cryptography-41.0.7-vendor.tar.bz2
|
||||
fd245c3045ca9b3861f794d1a54cf97e629c19bf SOURCES/cryptography-41.0.7.tar.gz
|
22
SOURCES/conftest-skipper.py
Normal file
22
SOURCES/conftest-skipper.py
Normal file
@ -0,0 +1,22 @@
|
||||
|
||||
class Skipper:
|
||||
"""Skip iso8601 and pretend tests
|
||||
|
||||
RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
|
||||
all tests that use the excluded modules.
|
||||
"""
|
||||
|
||||
def parse_date(self, datestring):
|
||||
pytest.skip(f"iso8601 module is not available.")
|
||||
|
||||
def stub(self, **kwargs):
|
||||
pytest.skip(f"pretend module is not available.")
|
||||
|
||||
def raiser(self, exc):
|
||||
pytest.skip(f"pretend module is not available.")
|
||||
|
||||
|
||||
import sys
|
||||
|
||||
sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()
|
||||
|
66
SOURCES/raise-an-exception-for-CVE-2023-49083.patch
Normal file
66
SOURCES/raise-an-exception-for-CVE-2023-49083.patch
Normal file
@ -0,0 +1,66 @@
|
||||
From bb4172af124eda3e4804272dd452863684a00a00 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Kehrer <paul.l.kehrer@gmail.com>
|
||||
Date: Wed, 7 Feb 2024 14:48:09 +0100
|
||||
Subject: [PATCH] raise an exception instead of returning an empty list for
|
||||
pkcs7 cert loading (#9947)
|
||||
|
||||
* raise an exception instead of returning an empty list
|
||||
|
||||
as davidben points out in #9926 we are calling a specific load
|
||||
certificates function and an empty value doesn't necessarily mean empty
|
||||
because PKCS7 contains multitudes. erroring is more correct.
|
||||
|
||||
* changelog
|
||||
|
||||
* Update CHANGELOG.rst
|
||||
|
||||
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
||||
|
||||
---------
|
||||
|
||||
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
||||
---
|
||||
src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
|
||||
tests/hazmat/primitives/test_pkcs7.py | 4 ++--
|
||||
2 files changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
index f1c79008b..3e8b8aa6b 100644
|
||||
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
@@ -1890,12 +1890,15 @@ class Backend:
|
||||
_Reasons.UNSUPPORTED_SERIALIZATION,
|
||||
)
|
||||
|
||||
- certs: list[x509.Certificate] = []
|
||||
if p7.d.sign == self._ffi.NULL:
|
||||
- return certs
|
||||
+ raise ValueError(
|
||||
+ "The provided PKCS7 has no certificate data, but a cert "
|
||||
+ "loading method was called."
|
||||
+ )
|
||||
|
||||
sk_x509 = p7.d.sign.cert
|
||||
num = self._lib.sk_X509_num(sk_x509)
|
||||
+ certs: list[x509.Certificate] = []
|
||||
for i in range(num):
|
||||
x509 = self._lib.sk_X509_value(sk_x509, i)
|
||||
self.openssl_assert(x509 != self._ffi.NULL)
|
||||
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
|
||||
index f6ad64151..bc006dae3 100644
|
||||
--- a/tests/hazmat/primitives/test_pkcs7.py
|
||||
+++ b/tests/hazmat/primitives/test_pkcs7.py
|
||||
@@ -92,8 +92,8 @@ class TestPKCS7Loading:
|
||||
def test_load_pkcs7_empty_certificates(self, backend):
|
||||
der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
|
||||
|
||||
- certificates = pkcs7.load_der_pkcs7_certificates(der)
|
||||
- assert certificates == []
|
||||
+ with pytest.raises(ValueError):
|
||||
+ pkcs7.load_der_pkcs7_certificates(der)
|
||||
|
||||
|
||||
# We have no public verification API and won't be adding one until we get
|
||||
--
|
||||
2.43.0
|
||||
|
270
SPECS/python3.12-cryptography.spec
Normal file
270
SPECS/python3.12-cryptography.spec
Normal file
@ -0,0 +1,270 @@
|
||||
%global __python3 /usr/bin/python3.12
|
||||
%global python3_pkgversion 3.12
|
||||
|
||||
# RHEL: Tests disabled due to missing deps
|
||||
%bcond_with tests
|
||||
|
||||
%global srcname cryptography
|
||||
|
||||
Name: python%{python3_pkgversion}-%{srcname}
|
||||
Version: 41.0.7
|
||||
Release: 1%{?dist}
|
||||
Summary: PyCA's cryptography library
|
||||
|
||||
# We bundle various crates with cryptography which is dual licensed
|
||||
# under the ASL 2.0 or BSD, as well as the Python license
|
||||
# for the OS random engine derived by CPython.
|
||||
|
||||
# in the vendor dir from SOURCE1:
|
||||
# import pathlib, tomllib
|
||||
# bundled = {}
|
||||
# for d in pathlib.Path('.').iterdir():
|
||||
# cargo_toml = d / 'Cargo.toml'
|
||||
# cargo = tomllib.loads(cargo_toml.read_text())
|
||||
# bundled[cargo['package']['name']] = cargo['package']
|
||||
# for pkg in sorted(bundled):
|
||||
# print(f"# {pkg}: {bundled[pkg]['license']}")
|
||||
# the output was then manually de-SPDX'ed
|
||||
# windows-only crates manually removed from this list
|
||||
|
||||
# Inflector: BSD
|
||||
# aliasable: MIT
|
||||
# asn1: BSD
|
||||
# asn1_derive: BSD
|
||||
# autocfg: MIT or ASL 2.0
|
||||
# base64: MIT or ASL 2.0
|
||||
# bitflags: MIT or ASL 2.0
|
||||
# cc: MIT or ASL 2.0
|
||||
# cfg-if: MIT or ASL 2.0
|
||||
# foreign-types: MIT or ASL 2.0
|
||||
# foreign-types-shared: MIT or ASL 2.0
|
||||
# indoc: MIT or ASL 2.0
|
||||
# libc: MIT or ASL 2.0
|
||||
# lock_api: MIT or ASL 2.0
|
||||
# memoffset: MIT
|
||||
# once_cell: MIT or ASL 2.0
|
||||
# openssl: ASL 2.0
|
||||
# openssl-macros: MIT or ASL 2.0
|
||||
# openssl-sys: MIT
|
||||
# ouroboros: MIT or ASL 2.0
|
||||
# ouroboros_macro: MIT or ASL 2.0
|
||||
# parking_lot: MIT or ASL 2.0
|
||||
# parking_lot_core: MIT or ASL 2.0
|
||||
# pem: MIT
|
||||
# pkg-config: MIT or ASL 2.0
|
||||
# proc-macro-error: MIT or ASL 2.0
|
||||
# proc-macro-error-attr: MIT or ASL 2.0
|
||||
# proc-macro2: MIT or ASL 2.0
|
||||
# pyo3: ASL 2.0
|
||||
# pyo3-build-config: ASL 2.0
|
||||
# pyo3-ffi: ASL 2.0
|
||||
# pyo3-macros: ASL 2.0
|
||||
# pyo3-macros-backend: ASL 2.0
|
||||
# quote: MIT or ASL 2.0
|
||||
# redox_syscall: MIT
|
||||
# scopeguard: MIT or ASL 2.0
|
||||
# smallvec: MIT or ASL 2.0
|
||||
# syn: MIT or ASL 2.0
|
||||
# target-lexicon: ASL 2.0 (with LLVM-exception)
|
||||
# unicode-ident: (MIT or ASL 2.0) and Unicode
|
||||
# unindent: MIT or ASL 2.0
|
||||
# vcpkg: MIT or ASL 2.0
|
||||
# version_check: MIT or ASL 2.0
|
||||
License: (ASL 2.0 or BSD) and Python and BSD and MIT and ASL 2.0 and (MIT or ASL 2.0) and Unicode
|
||||
|
||||
URL: https://cryptography.io/en/latest/
|
||||
Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
|
||||
# created by ./vendor_rust.py helper script
|
||||
Source1: cryptography-%{version}-vendor.tar.bz2
|
||||
Source2: conftest-skipper.py
|
||||
|
||||
# Improvement for the fix for CVE-2023-49083
|
||||
# Backported from upstream:
|
||||
# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
|
||||
Patch1: raise-an-exception-for-CVE-2023-49083.patch
|
||||
|
||||
ExclusiveArch: %{rust_arches}
|
||||
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gnupg2
|
||||
%if 0%{?fedora}
|
||||
BuildRequires: rust-packaging
|
||||
# test_load_with_other_sections in 40.0 fails with pem 1.1.0
|
||||
BuildRequires: rust-pem-devel >= 1.1.1
|
||||
%else
|
||||
BuildRequires: rust-toolset
|
||||
%endif
|
||||
|
||||
BuildRequires: python%{python3_pkgversion}-cffi >= 1.12
|
||||
BuildRequires: python%{python3_pkgversion}-devel
|
||||
BuildRequires: python%{python3_pkgversion}-rpm-macros
|
||||
BuildRequires: python%{python3_pkgversion}-setuptools
|
||||
BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4
|
||||
|
||||
%if %{with tests}
|
||||
%if 0%{?fedora}
|
||||
BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4
|
||||
BuildRequires: python%{python3_pkgversion}-iso8601
|
||||
BuildRequires: python%{python3_pkgversion}-pretend
|
||||
BuildRequires: python%{python3_pkgversion}-pytest-xdist
|
||||
BuildRequires: python%{python3_pkgversion}-pytz
|
||||
%endif
|
||||
BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0
|
||||
BuildRequires: python%{python3_pkgversion}-pytest-benchmark
|
||||
BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0
|
||||
%endif
|
||||
|
||||
Requires: openssl-libs
|
||||
Requires: python%{python3_pkgversion}-cffi >= 1.12
|
||||
|
||||
# Provides for the bundled crates
|
||||
# (continuation of the snippet above the License tag)
|
||||
# for pkg in sorted(bundled):
|
||||
# print(f"Provides: bundled(crate({pkg})) = {bundled[pkg]['version']}")
|
||||
Provides: bundled(crate(Inflector)) = 0.11.4
|
||||
Provides: bundled(crate(aliasable)) = 0.1.3
|
||||
Provides: bundled(crate(asn1)) = 0.15.2
|
||||
Provides: bundled(crate(asn1_derive)) = 0.15.2
|
||||
Provides: bundled(crate(autocfg)) = 1.1.0
|
||||
Provides: bundled(crate(base64)) = 0.13.1
|
||||
Provides: bundled(crate(bitflags)) = 1.3.2
|
||||
Provides: bundled(crate(cc)) = 1.0.79
|
||||
Provides: bundled(crate(cfg-if)) = 1.0.0
|
||||
Provides: bundled(crate(foreign-types)) = 0.3.2
|
||||
Provides: bundled(crate(foreign-types-shared)) = 0.1.1
|
||||
Provides: bundled(crate(indoc)) = 1.0.9
|
||||
Provides: bundled(crate(libc)) = 0.2.144
|
||||
Provides: bundled(crate(lock_api)) = 0.4.9
|
||||
Provides: bundled(crate(memoffset)) = 0.8.0
|
||||
Provides: bundled(crate(once_cell)) = 1.17.2
|
||||
Provides: bundled(crate(openssl)) = 0.10.60
|
||||
Provides: bundled(crate(openssl-macros)) = 0.1.1
|
||||
Provides: bundled(crate(openssl-sys)) = 0.9.96
|
||||
Provides: bundled(crate(ouroboros)) = 0.15.6
|
||||
Provides: bundled(crate(ouroboros_macro)) = 0.15.6
|
||||
Provides: bundled(crate(parking_lot)) = 0.12.1
|
||||
Provides: bundled(crate(parking_lot_core)) = 0.9.7
|
||||
Provides: bundled(crate(pem)) = 1.1.1
|
||||
Provides: bundled(crate(pkg-config)) = 0.3.27
|
||||
Provides: bundled(crate(proc-macro-error)) = 1.0.4
|
||||
Provides: bundled(crate(proc-macro-error-attr)) = 1.0.4
|
||||
Provides: bundled(crate(proc-macro2)) = 1.0.64
|
||||
Provides: bundled(crate(pyo3)) = 0.18.3
|
||||
Provides: bundled(crate(pyo3-build-config)) = 0.18.3
|
||||
Provides: bundled(crate(pyo3-ffi)) = 0.18.3
|
||||
Provides: bundled(crate(pyo3-macros)) = 0.18.3
|
||||
Provides: bundled(crate(pyo3-macros-backend)) = 0.18.3
|
||||
Provides: bundled(crate(quote)) = 1.0.28
|
||||
Provides: bundled(crate(redox_syscall)) = 0.2.16
|
||||
Provides: bundled(crate(scopeguard)) = 1.1.0
|
||||
Provides: bundled(crate(smallvec)) = 1.10.0
|
||||
Provides: bundled(crate(syn)) = 1.0.109
|
||||
Provides: bundled(crate(target-lexicon)) = 0.12.7
|
||||
Provides: bundled(crate(unicode-ident)) = 1.0.9
|
||||
Provides: bundled(crate(unindent)) = 0.1.11
|
||||
Provides: bundled(crate(vcpkg)) = 0.2.15
|
||||
Provides: bundled(crate(version_check)) = 0.9.4
|
||||
|
||||
# Cryptography crates
|
||||
Provides: bundled(crate(cryptography-cffi)) = 0.1.0
|
||||
Provides: bundled(crate(cryptography-openssl)) = 0.1.0
|
||||
Provides: bundled(crate(cryptography-rust)) = 0.1.0
|
||||
Provides: bundled(crate(cryptography-x509)) = 0.1.0
|
||||
|
||||
%description
|
||||
cryptography is a package designed to expose cryptographic primitives and
|
||||
recipes to Python developers.
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n %{srcname}-%{version}
|
||||
%if 0%{?fedora}
|
||||
%cargo_prep
|
||||
rm src/rust/Cargo.lock
|
||||
%else
|
||||
# RHEL: use vendored Rust crates
|
||||
%cargo_prep -V 1
|
||||
%endif
|
||||
|
||||
%if 0%{?fedora}
|
||||
%generate_buildrequires
|
||||
# Fedora: use RPMified crates
|
||||
cd src/rust
|
||||
%cargo_generate_buildrequires
|
||||
cd ../..
|
||||
%endif
|
||||
|
||||
# Remove cosmetical pytest-subtests 0.10.0 option
|
||||
sed -i 's,--no-subtests-shortletter,,' pyproject.toml
|
||||
|
||||
%build
|
||||
export OPENSSL_NO_VENDOR=1
|
||||
%py3_build
|
||||
|
||||
%install
|
||||
# Actually other *.c and *.h are appropriate
|
||||
# see https://github.com/pyca/cryptography/issues/1463
|
||||
find . -name .keep -print -delete
|
||||
%py3_install
|
||||
|
||||
%check
|
||||
%if %{with tests}
|
||||
%if 0%{?rhel}
|
||||
# skip hypothesis and pytz tests on RHEL
|
||||
rm -rf tests/hypothesis tests/x509
|
||||
# append skipper to skip iso8601 and pretend tests
|
||||
cat < %{SOURCE2} >> tests/conftest.py
|
||||
%endif
|
||||
|
||||
# enable SHA-1 signatures for RSA tests
|
||||
# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
|
||||
export OPENSSL_ENABLE_SHA1_SIGNATURES=yes
|
||||
|
||||
# see https://github.com/pyca/cryptography/issues/4885 and
|
||||
# see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
|
||||
# see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes
|
||||
# not much sense for downstream testing.
|
||||
# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure
|
||||
PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
|
||||
%{__python3} -m pytest \
|
||||
--ignore vendor \
|
||||
-k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)"
|
||||
%endif
|
||||
|
||||
%files -n python%{python3_pkgversion}-%{srcname}
|
||||
%doc README.rst docs
|
||||
%license LICENSE LICENSE.APACHE LICENSE.BSD
|
||||
%{python3_sitearch}/%{srcname}
|
||||
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
|
||||
|
||||
%changelog
|
||||
* Tue Feb 06 2024 Miro Hrončok <mhroncok@redhat.com> - 41.0.7-1
|
||||
- Update to 41.0.7, fixes CVE-2023-49083
|
||||
|
||||
* Tue Jan 23 2024 Miro Hrončok <mhroncok@redhat.com> - 41.0.5-2
|
||||
- Rebuilt for timestamp .pyc invalidation mode
|
||||
|
||||
* Wed Nov 08 2023 Charalampos Stratakis <cstratak@redhat.com> - 41.0.5-1
|
||||
- Initial package
|
||||
- Fedora contributions by:
|
||||
Alfredo Moralejo <amoralej@redhat.com>
|
||||
Benjamin A. Beasley <code@musicinmybrain.net>
|
||||
Charalampos Stratakis <cstratak@redhat.com>
|
||||
Christian Heimes <christian@python.org>
|
||||
Colin Walters <walters@verbum.org>
|
||||
Dennis Gilmore <dennis@ausil.us>
|
||||
Fabio Valentini <decathorpe@gmail.com>
|
||||
Felix Schwarz <felix.schwarz@oss.schwarz.eu>
|
||||
Haikel Guemar <hguemar@fedoraproject.org>
|
||||
Igor Gnatenko <ignatenkobrain@fedoraproject.org>
|
||||
Iryna Shcherbina <shcherbina.iryna@gmail.com>
|
||||
Lumir Balhar <lbalhar@redhat.com>
|
||||
Matěj Cepl <mcepl@cepl.eu>
|
||||
Miro Hrončok <miro@hroncok.cz>
|
||||
Nathaniel McCallum <npmccallum@redhat.com>
|
||||
Randy Barlow <randy@electronsweatshop.com>
|
||||
Robert Kuska <rkuska@redhat.com>
|
||||
Sahana Prasad <sahana@redhat.com>
|
||||
Stephen Gallagher <sgallagh@redhat.com>
|
||||
Troy Dawson <tdawson@redhat.com>
|
||||
Yaakov Selkowitz <yselkowi@redhat.com>
|
Loading…
Reference in New Issue
Block a user