Sync from SUSE:ALP:Source:Standard:1.0 python-cryptography revision 8d8e3e25d91408e1046f56c99c1064e0

2024-03-01 16:58:13 +01:00 · 2024-03-01 16:58:13 +01:00 · ddd42f7c3a
commit ddd42f7c3a
parent f5298f8005
9 changed files with 203 additions and 79 deletions
--- a/4
+++ b/4
@ -1,9 +1,7 @@
 <services>
  <service name="download_files" mode="manual"/>
  <service name="cargo_vendor" mode="manual">
-    <param name="srcdir">cryptography-41.0.7/src/rust</param>
+    <param name="srcdir">cryptography-42.0.2/src/rust</param>
    <param name="compression">zst</param>
  </service>
-  <service name="cargo_audit" mode="manual">
-  </service>
 </services>
--- a/5
+++ b/5
@ -1,5 +0,0 @@
-[source.crates-io]
-replace-with = "vendored-sources"
-
-[source.vendored-sources]
-directory = "vendor"
--- a/cryptography-41.0.7.tar.gz
+++ b/cryptography-41.0.7.tar.gz
--- a/cryptography-42.0.4.tar.gz
+++ b/cryptography-42.0.4.tar.gz
--- a/no-pytest_benchmark.patch
+++ b/no-pytest_benchmark.patch
@ -8,9 +8,11 @@
 tests/bench/test_x509.py               |   16 ++++++-------
 7 files changed, 37 insertions(+), 68 deletions(-)

--- a/pyproject.toml
-+++ b/pyproject.toml
-@@ -69,8 +69,6 @@ ssh = ["bcrypt >=3.1.5"]
+Index: cryptography-42.0.1/pyproject.toml
+===================================================================
+--- cryptography-42.0.1.orig/pyproject.toml
+++ cryptography-42.0.1/pyproject.toml
+@@ -71,8 +71,6 @@ ssh = ["bcrypt >=3.1.5"]
 nox = ["nox"]
 test = [
     "pytest >=6.2.0",
@ -18,9 +20,9 @@
 -    "pytest-cov",
     "pytest-xdist",
     "pretend",
- ]
-@@ -85,7 +83,7 @@ line-length = 79
- target-version = ["py37"]
+     "certifi",
+@@ -92,7 +90,7 @@ rust-version = ">=1.63.0"
+ 
 
 [tool.pytest.ini_options]
 -addopts = "-r s --capture=no --strict-markers --benchmark-disable"
@ -28,7 +30,7 @@
 console_output_style = "progress-even-when-capture-no"
 markers = [
     "skip_fips: this test is not executed in FIPS mode",
-@@ -107,33 +105,6 @@ module = [
+@@ -114,33 +112,6 @@ module = [
 ]
 ignore_missing_imports = true
 
@ -60,11 +62,13 @@
 -]
 -
 [tool.ruff]
- # UP006: Minimum Python 3.9
- # UP007, UP038: Minimum Python 3.10
--- a/src/cryptography.egg-info/requires.txt
-+++ b/src/cryptography.egg-info/requires.txt
-@@ -26,8 +26,6 @@ bcrypt>=3.1.5
+ ignore = ['N818']
+ select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF']
+Index: cryptography-42.0.1/src/cryptography.egg-info/requires.txt
+===================================================================
+--- cryptography-42.0.1.orig/src/cryptography.egg-info/requires.txt
+++ cryptography-42.0.1/src/cryptography.egg-info/requires.txt
+@@ -28,8 +28,6 @@ bcrypt>=3.1.5
 
 [test]
 pytest>=6.2.0
@ -72,10 +76,12 @@
 -pytest-cov
 pytest-xdist
 pretend
- 
--- a/tests/bench/test_aead.py
-+++ b/tests/bench/test_aead.py
-@@ -19,84 +19,84 @@ from ..hazmat.primitives.test_aead impor
+ certifi
+Index: cryptography-42.0.1/tests/bench/test_aead.py
+===================================================================
+--- cryptography-42.0.1.orig/tests/bench/test_aead.py
+++ cryptography-42.0.1/tests/bench/test_aead.py
+@@ -26,84 +26,84 @@ def _aead_supported(cls):
     not _aead_supported(ChaCha20Poly1305),
     reason="Requires OpenSSL with ChaCha20Poly1305 support",
 )
@ -180,8 +186,10 @@
     ct = aes.encrypt(b"\x00" * 12, b"hello world plaintext", None)
 -    benchmark(aes.decrypt, b"\x00" * 12, ct, None)
 +    aes.decrypt(b"\x00" * 12, ct, None)
--- a/tests/bench/test_ec_load.py
-+++ b/tests/bench/test_ec_load.py
+Index: cryptography-42.0.1/tests/bench/test_ec_load.py
+===================================================================
+--- cryptography-42.0.1.orig/tests/bench/test_ec_load.py
+++ cryptography-42.0.1/tests/bench/test_ec_load.py
@@ -5,9 +5,9 @@
 from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
 
@ -196,8 +204,10 @@
 -    benchmark(EC_KEY_SECP256R1.private_key)
 +def test_load_ec_private_numbers():
 +    EC_KEY_SECP256R1.private_key()
--- a/tests/bench/test_hashes.py
-+++ b/tests/bench/test_hashes.py
+Index: cryptography-42.0.1/tests/bench/test_hashes.py
+===================================================================
+--- cryptography-42.0.1.orig/tests/bench/test_hashes.py
+++ cryptography-42.0.1/tests/bench/test_hashes.py
@@ -5,10 +5,10 @@
 from cryptography.hazmat.primitives import hashes
 
@ -211,8 +221,10 @@
 
 -    benchmark(bench)
 +    bench()
--- a/tests/bench/test_hmac.py
-+++ b/tests/bench/test_hmac.py
+Index: cryptography-42.0.1/tests/bench/test_hmac.py
+===================================================================
+--- cryptography-42.0.1.orig/tests/bench/test_hmac.py
+++ cryptography-42.0.1/tests/bench/test_hmac.py
@@ -5,10 +5,10 @@
 from cryptography.hazmat.primitives import hashes, hmac
 
@ -226,16 +238,18 @@
 
 -    benchmark(bench)
 +    bench()
--- a/tests/bench/test_x509.py
-+++ b/tests/bench/test_x509.py
-@@ -9,34 +9,34 @@ from cryptography import x509
+Index: cryptography-42.0.1/tests/bench/test_x509.py
+===================================================================
+--- cryptography-42.0.1.orig/tests/bench/test_x509.py
+++ cryptography-42.0.1/tests/bench/test_x509.py
+@@ -13,40 +13,40 @@ from cryptography import x509
 from ..utils import load_vectors_from_file
 
 
-def test_object_identier_constructor(benchmark):
+-def test_object_identifier_constructor(benchmark):
 -    benchmark(x509.ObjectIdentifier, "1.3.6.1.4.1.11129.2.4.5")
-+def test_object_identier_constructor():
-+    x509.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.5")
+def test_object_identifier_constructor():
+    x509.ObjectIdentifier, "1.3.6.1.4.1.11129.2.4.5"
 
 
 -def test_aki_public_bytes(benchmark):
@ -246,7 +260,7 @@
         authority_cert_serial_number=None,
     )
 -    benchmark(aki.public_bytes)
-+    aki.public_bytes()
+    aki.public_bytes
 
 
 -def test_load_der_certificate(benchmark):
@ -258,7 +272,7 @@
     )
 
 -    benchmark(x509.load_der_x509_certificate, cert_bytes)
-+    x509.load_der_x509_certificate(cert_bytes)
+    x509.load_der_x509_certificate, cert_bytes
 
 
 -def test_load_pem_certificate(benchmark):
@ -270,4 +284,17 @@
     )
 
 -    benchmark(x509.load_pem_x509_certificate, cert_bytes)
-+    x509.load_pem_x509_certificate(cert_bytes)
+    x509.load_pem_x509_certificate, cert_bytes
+ 
+ 
+-def test_verify_docs_python_org(benchmark, pytestconfig):
+def test_verify_docs_python_org(pytestconfig):
+     limbo_root = pytestconfig.getoption("--x509-limbo-root", skip=True)
+     with open(os.path.join(limbo_root, "limbo.json"), "rb") as f:
+         [testcase] = [
+@@ -78,4 +78,4 @@ def test_verify_docs_python_org(benchmar
+         )
+         verifier.verify(leaf, intermediates)
+ 
+-    benchmark(bench)
+    bench
--- a/python-cryptography.changes
+++ b/python-cryptography.changes
@ -1,3 +1,124 @@
+-------------------------------------------------------------------
+Thu Feb 22 17:10:39 UTC 2024 - Daniel Garcia <daniel.garcia@suse.com>
+
+- update to 42.0.4 (bsc#1220210, CVE-2024-26130):
+  * Fixed a null-pointer-dereference and segfault that could occur
+    when creating a PKCS#12 bundle. Credit to Alexander-Programming
+    for reporting the issue. CVE-2024-26130
+  * Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields
+    SMIMECapabilities and SignatureAlgorithmIdentifier should now be
+    correctly encoded according to the definitions in :rfc:2633
+    :rfc:3370.
+- update to 42.0.3:
+  * Fixed an initialization issue that caused key loading failures for some
+    users.
+- Drop patch skip_openssl_memleak_test.patch not needed anymore.
+
+-------------------------------------------------------------------
+Wed Jan 31 17:24:29 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 42.0.2:
+  * Updated Windows, macOS, and Linux wheels to be compiled with
+    OpenSSL 3.2.1.
+  * Fixed an issue that prevented the use of Python buffer
+    protocol objects in sign and verify methods on asymmetric
+    keys.
+  * Fixed an issue with incorrect keyword-argument naming with
+    EllipticCurvePrivateKey :meth:`~cryptography.hazmat.primitive
+    s.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
+    X25519PrivateKey :meth:`~cryptography.hazmat.primitives.asymm
+    etric.x25519.X25519PrivateKey.exchange`, X448PrivateKey :meth
+    :`~cryptography.hazmat.primitives.asymmetric.x448.X448Private
+    Key.exchange`, and DHPrivateKey :meth:`~cryptography.hazmat.p
+    rimitives.asymmetric.dh.DHPrivateKey.exchange`.
+
+-------------------------------------------------------------------
+Mon Jan 29 14:01:49 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 42.0.1:
+  * Fixed an issue with incorrect keyword-argument naming with
+    EllipticCurvePrivateKey :meth:`~cryptography.hazmat.primitive
+    s.asymmetric.ec.EllipticCurvePrivateKey.sign`.
+  * Resolved compatibility issue with loading certain RSA public
+    keys in :func:`~cryptography.hazmat.primitives.serialization.
+    load_pem_public_key`.
+  * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.7.
+  * BACKWARDS INCOMPATIBLE: Loading a PKCS7 with no content field
+    using :func:`~cryptography.hazmat.primitives.serialization.pk
+    cs7.load_pem_pkcs7_certificates` or :func:`~cryptography.hazm
+    at.primitives.serialization.pkcs7.load_der_pkcs7_certificates
+    ` will now raise a ValueError rather than return an empty
+    list.
+  * Parsing SSH certificates no longer permits malformed critical
+    options with values, as documented in the 41.0.2 release
+    notes.
+  * Updated Windows, macOS, and Linux wheels to be compiled with
+    OpenSSL 3.2.0.
+  * Updated the minimum supported Rust version (MSRV) to 1.63.0,
+    from 1.56.0.
+  * We now publish both py37 and py39 abi3 wheels. This should
+    resolve some errors relating to initializing a module
+    multiple times per process.
+  * Support :class:`~cryptography.hazmat.primitives.asymmetric.pa
+    dding.PSS` for X.509 certificate signing requests and
+    certificate revocation lists with the keyword-only argument
+    rsa_padding on the sign methods for
+    :class:`~cryptography.x509.CertificateSigningRequestBuilder`
+    and
+    :class:`~cryptography.x509.CertificateRevocationListBuilder`.
+  * Added support for obtaining X.509 certificate signing request
+    signature algorithm parameters (including PSS) via :meth:`~cr
+    yptography.x509.CertificateSigningRequest.signature_algorithm
+    _parameters`.
+  * Added support for obtaining X.509 certificate revocation list
+    signature algorithm parameters (including PSS) via :meth:`~cr
+    yptography.x509.CertificateRevocationList.signature_algorithm
+    _parameters`.
+  * Added mgf property to :class:`~cryptography.hazmat.primitives
+    .asymmetric.padding.PSS`.
+  * Added algorithm and mgf properties to :class:`~cryptography.h
+    azmat.primitives.asymmetric.padding.OAEP`.
+  * Added the following properties that return timezone-aware
+    datetime objects:
+    :meth:`~cryptography.x509.Certificate.not_valid_before_utc`,
+    :meth:`~cryptography.x509.Certificate.not_valid_after_utc`, :
+    meth:`~cryptography.x509.RevokedCertificate.revocation_date_u
+    tc`, :meth:`~cryptography.x509.CertificateRevocationList.next
+    _update_utc`, :meth:`~cryptography.x509.CertificateRevocation
+    List.last_update_utc`. These are timezone-aware variants of
+    existing properties that return naïve datetime objects.
+  * Deprecated the following properties that return naïve
+    datetime objects:
+    :meth:`~cryptography.x509.Certificate.not_valid_before`,
+    :meth:`~cryptography.x509.Certificate.not_valid_after`, :meth
+    :`~cryptography.x509.RevokedCertificate.revocation_date`, :me
+    th:`~cryptography.x509.CertificateRevocationList.next_update`
+    , :meth:`~cryptography.x509.CertificateRevocationList.last_up
+    date` in favor of the new timezone-aware variants mentioned
+    above.
+  * Added support for :class:`~cryptography.hazmat.primitives.cip
+    hers.algorithms.ChaCha20` on LibreSSL.
+  * Added support for RSA PSS signatures in PKCS7 with :meth:`~cr
+    yptography.hazmat.primitives.serialization.pkcs7.PKCS7Signatu
+    reBuilder.add_signer`.
+  * In the next release (43.0.0) of cryptography, loading an
+    X.509 certificate with a negative serial number will raise an
+    exception. This has been deprecated since 36.0.0.
+  * Added support for :class:`~cryptography.hazmat.primitives.cip
+    hers.aead.AESGCMSIV` when using OpenSSL 3.2.0+.
+  * Added the :mod:`X.509 path validation
+    <cryptography.x509.verification>` APIs for
+    :class:`~cryptography.x509.Certificate` chains. These APIs
+    should be considered unstable and not subject to our
+    stability guarantees until documented as such in a future
+    release.
+  * Added support for :class:`~cryptography.hazmat.primitives.cip
+    hers.algorithms.SM4`
+    :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM`
+    when using OpenSSL 3.0 or greater.
+- use PEP517 build
+- switch to new cargo-vendor
+
 -------------------------------------------------------------------
 Tue Nov 28 09:27:57 UTC 2023 - Dirk Müller <dmueller@suse.com>

--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@ -1,7 +1,7 @@
 #
-# spec file
+# spec file for package python-cryptography
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -27,27 +27,26 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-cryptography%{psuffix}
-Version:        41.0.7
+Version:        42.0.4
 Release:        0
 Summary:        Python library which exposes cryptographic recipes and primitives
 License:        Apache-2.0 OR BSD-3-Clause
 Group:          Development/Languages/Python
 URL:            https://cryptography.io/en/latest/
 Source0:        https://files.pythonhosted.org/packages/source/c/cryptography/cryptography-%{version}.tar.gz
-# use `osc service disabledrun` to regenerate
+# use `osc service manualrun` to regenerate
 Source2:        vendor.tar.zst
-# use `osc service disabledrun` to regenerate
-Source3:        cargo_config
 Source4:        python-cryptography.keyring
-Patch2:         skip_openssl_memleak_test.patch
 # PATCH-FEATURE-OPENSUSE no-pytest_benchmark.patch mcepl@suse.com
 # We don't need no benchmarking and coverage measurement
 Patch4:         no-pytest_benchmark.patch
 BuildRequires:  %{python_module cffi >= 1.12}
 BuildRequires:  %{python_module devel}
 BuildRequires:  %{python_module exceptiongroup}
-BuildRequires:  %{python_module setuptools-rust}
+BuildRequires:  %{python_module pip}
+BuildRequires:  %{python_module setuptools-rust >= 1.7.0}
 BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module wheel}
 BuildRequires:  cargo >= 1.56.0
 BuildRequires:  fdupes
 BuildRequires:  libopenssl-devel
@ -60,6 +59,7 @@ BuildRequires:  pkgconfig(libffi)
 Requires:       python
 %requires_eq    python-cffi
 %if %{with test}
+BuildRequires:  %{python_module certifi}
 BuildRequires:  %{python_module cryptography >= %{version}}
 BuildRequires:  %{python_module cryptography-vectors = %{version}}
 BuildRequires:  %{python_module hypothesis >= 1.11.4}
@ -85,7 +85,6 @@ functions.

 %prep
 %autosetup -a2 -p1 -n cryptography-%{version}
-cp %{SOURCE3} .cargo/config
 rm -v src/rust/Cargo.lock

 %build
@ -93,7 +92,7 @@ rm -v src/rust/Cargo.lock
 %global _lto_cflags %{nil}
 export RUSTFLAGS=%{rustflags}
 export CFLAGS="%{optflags} -fno-strict-aliasing"
-%python_build
+%pyproject_wheel

 %install
 %if !%{with test}
@ -102,13 +101,20 @@ export RUSTFLAGS=%{rustflags}
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete

-%python_install
+%pyproject_install
 %python_expand %fdupes %{buildroot}%{$python_sitearch}
 %endif

 %if %{with test}
 %check
 # won't work for cryptography
+# fails with OverflowError on 32bit platform
+%ifarch %ix86 %arm ppc
+rm -v tests/hazmat/primitives/test_aead.py
+# imports test_aead so we need to remove also these
+rm -v tests/wycheproof/test_aes.py
+rm -v tests/wycheproof/test_chacha20poly1305.py
+%endif
 %pytest_arch -n auto --ignore-glob=vendor/*
 %endif

@ -117,7 +123,7 @@ find . -name .keep -print -delete
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %doc CONTRIBUTING.rst CHANGELOG.rst README.rst
 %{python_sitearch}/cryptography
-%{python_sitearch}/cryptography-%{version}*-info
+%{python_sitearch}/cryptography-%{version}.dist-info
 %endif

 %changelog
--- a/skip_openssl_memleak_test.patch
+++ b/skip_openssl_memleak_test.patch
@ -1,23 +0,0 @@
---
- tests/hazmat/backends/test_openssl_memleak.py |   10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
--- a/tests/hazmat/backends/test_openssl_memleak.py
-+++ b/tests/hazmat/backends/test_openssl_memleak.py
-@@ -203,12 +203,10 @@ def assert_no_memory_leaks(s, argv=[]):
- 
- 
- def skip_if_memtesting_not_supported():
-    return pytest.mark.skipif(
-        not Binding().lib.Cryptography_HAS_MEM_FUNCTIONS
-        or platform.python_implementation() == "PyPy",
-        reason="Requires OpenSSL memory functions (>=1.1.0) and not PyPy",
-    )
-
-+    return pytest.mark.skip(
-+        reason="Our FIPS openssl startup code invokes CRYPTO_malloc() which prevents later debugging via CRYPTO_set_mem_functions()"
-+     )
-+
- 
- @pytest.mark.skip_fips(reason="FIPS self-test sets allow_customize = 0")
- @skip_if_memtesting_not_supported()
--- a/vendor.tar.zst
+++ b/vendor.tar.zst