From 1b46516713d0eb0d83125895c02c75db9ba71109a600b74c181754c0c7ababcb Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Wed, 31 Jul 2024 21:48:34 +0000
Subject: [PATCH] - Update building of Rust modules to use modern cargo_vendor service - Remove unneeded use-offline-build.patch
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=223
---
 .gitattributes | 23 +
 .gitignore | 1 +
 _multibuild | 3 +
 _service | 8 +
 cryptography-42.0.8.tar.gz | 3 +
 cryptography-43.0.0.tar.gz | 3 +
 no-pytest_benchmark.patch | 286 ++++++
 python-cryptography.changes | 1721 +++++++++++++++++++++++++++++++++++
 python-cryptography.keyring | 34 +
 python-cryptography.spec | 138 +++
 use-offline-build.patch | 14 +
 vendor.tar.zst | 3 +
 12 files changed, 2237 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 _multibuild
 create mode 100644 _service
 create mode 100644 cryptography-42.0.8.tar.gz
 create mode 100644 cryptography-43.0.0.tar.gz
 create mode 100644 no-pytest_benchmark.patch
 create mode 100644 python-cryptography.changes
 create mode 100644 python-cryptography.keyring
 create mode 100644 python-cryptography.spec
 create mode 100644 use-offline-build.patch
 create mode 100644 vendor.tar.zst
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_multibuild b/_multibuild
new file mode 100644
index 0000000..fcc7b97
--- /dev/null
+++ b/_multibuild
@@ -0,0 +1,3 @@
+
+ test
+
diff --git a/_service b/_service
new file mode 100644
index 0000000..0544aa1
--- /dev/null
+++ b/_service
@@ -0,0 +1,8 @@
+
+
+
+ cryptography-*
+ src/rust/Cargo.toml
+ zst
+
+
diff --git a/cryptography-42.0.8.tar.gz b/cryptography-42.0.8.tar.gz
new file mode 100644
index 0000000..a50ef52
--- /dev/null
+++ b/cryptography-42.0.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8d09d05439ce7baa8e9e95b07ec5b6c886f548deb7e0f69ef25f64b3bce842f2
+size 671250
diff --git a/cryptography-43.0.0.tar.gz b/cryptography-43.0.0.tar.gz
new file mode 100644
index 0000000..57e7661
--- /dev/null
+++ b/cryptography-43.0.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b88075ada2d51aa9f18283532c9f60e72170041bba88d7f37e49cbb10275299e
+size 686873
diff --git a/no-pytest_benchmark.patch b/no-pytest_benchmark.patch
new file mode 100644
index 0000000..b183ae2
--- /dev/null
+++ b/no-pytest_benchmark.patch
@@ -0,0 +1,286 @@
+---
+ pyproject.toml | 31 -------------------------
+ tests/bench/test_aead.py | 40 ++++++++++++++++-----------------
+ tests/bench/test_ec_load.py | 8 +++---
+ tests/bench/test_hashes.py | 4 +--
+ tests/bench/test_hmac.py | 4 +--
+ tests/bench/test_x509.py | 16 ++++++-------
+ 7 files changed, 37 insertions(+), 68 deletions(-)
+
+Index: cryptography-43.0.0/pyproject.toml
+===================================================================
+--- cryptography-43.0.0.orig/pyproject.toml
++++ cryptography-43.0.0/pyproject.toml
+@@ -66,8 +66,6 @@ nox = ["nox"]
+ test = [
+ "cryptography_vectors==43.0.0",
+ "pytest >=6.2.0",
+- "pytest-benchmark",
+- "pytest-cov",
+ "pytest-xdist",
+ "pretend",
+ "certifi",
+@@ -117,7 +115,7 @@ exclude = [
+ ]
+
+ [tool.pytest.ini_options]
+-addopts = "-r s --capture=no --strict-markers --benchmark-disable"
++addopts = "-r s --capture=no --strict-markers"
+ console_output_style = "progress-even-when-capture-no"
+ markers = [
+ "skip_fips: this test is not executed in FIPS mode",
+@@ -139,33 +137,6 @@ module = [
+ ]
+ ignore_missing_imports = true
+
+-[tool.coverage.run]
+-branch = true
+-relative_files = true
+-source = [
+- "cryptography",
+- "tests/",
+-]
+-
+-[tool.coverage.paths]
+-source = [
+- "src/cryptography",
+- "*.nox/*/lib*/python*/site-packages/cryptography",
+- "*.nox\\*\\Lib\\site-packages\\cryptography",
+- "*.nox/pypy/site-packages/cryptography",
+-]
+-tests =[
+- "tests/",
+- "*tests\\",
+-]
+-
+-[tool.coverage.report]
+-exclude_lines = [
+- "@abc.abstractmethod",
+- "@typing.overload",
+- "if typing.TYPE_CHECKING",
+-]
+-
+ [tool.ruff]
+ line-length = 79
+
+Index: cryptography-43.0.0/tests/bench/test_aead.py
+===================================================================
+--- cryptography-43.0.0.orig/tests/bench/test_aead.py
++++ cryptography-43.0.0/tests/bench/test_aead.py
+@@ -26,84 +26,84 @@ def _aead_supported(cls):
+ not _aead_supported(ChaCha20Poly1305),
+ reason="Requires OpenSSL with ChaCha20Poly1305 support",
+ )
+-def test_chacha20poly1305_encrypt(benchmark):
++def test_chacha20poly1305_encrypt():
+ chacha = ChaCha20Poly1305(b"\x00" * 32)
+- benchmark(chacha.encrypt, b"\x00" * 12, b"hello world plaintext", b"")
++ chacha.encrypt(b"\x00" * 12, b"hello world plaintext", b"")
+
+
+ @pytest.mark.skipif(
+ not _aead_supported(ChaCha20Poly1305),
+ reason="Requires OpenSSL with ChaCha20Poly1305 support",
+ )
+-def test_chacha20poly1305_decrypt(benchmark):
++def test_chacha20poly1305_decrypt():
+ chacha = ChaCha20Poly1305(b"\x00" * 32)
+ ct = chacha.encrypt(b"\x00" * 12, b"hello world plaintext", b"")
+- benchmark(chacha.decrypt, b"\x00" * 12, ct, b"")
++ chacha.decrypt(b"\x00" * 12, ct, b"")
+
+
+-def test_aesgcm_encrypt(benchmark):
++def test_aesgcm_encrypt():
+ aes = AESGCM(b"\x00" * 32)
+- benchmark(aes.encrypt, b"\x00" * 12, b"hello world plaintext", None)
++ aes.encrypt(b"\x00" * 12, b"hello world plaintext", None)
+
+
+-def test_aesgcm_decrypt(benchmark):
++def test_aesgcm_decrypt():
+ aes = AESGCM(b"\x00" * 32)
+ ct = aes.encrypt(b"\x00" * 12, b"hello world plaintext", None)
+- benchmark(aes.decrypt, b"\x00" * 12, ct, None)
++ aes.decrypt(b"\x00" * 12, ct, None)
+
+
+ @pytest.mark.skipif(
+ not _aead_supported(AESSIV),
+ reason="Requires OpenSSL with AES-SIV support",
+ )
+-def test_aessiv_encrypt(benchmark):
++def test_aessiv_encrypt():
+ aes = AESSIV(b"\x00" * 32)
+- benchmark(aes.encrypt, b"hello world plaintext", None)
++ aes.encrypt(b"hello world plaintext", None)
+
+
+ @pytest.mark.skipif(
+ not _aead_supported(AESSIV),
+ reason="Requires OpenSSL with AES-SIV support",
+ )
+-def test_aessiv_decrypt(benchmark):
++def test_aessiv_decrypt():
+ aes = AESSIV(b"\x00" * 32)
+ ct = aes.encrypt(b"hello world plaintext", None)
+- benchmark(aes.decrypt, ct, None)
++ aes.decrypt(ct, None)
+
+
+ @pytest.mark.skipif(
+ not _aead_supported(AESOCB3),
+ reason="Requires OpenSSL with AES-OCB3 support",
+ )
+-def test_aesocb3_encrypt(benchmark):
++def test_aesocb3_encrypt():
+ aes = AESOCB3(b"\x00" * 32)
+- benchmark(aes.encrypt, b"\x00" * 12, b"hello world plaintext", None)
++ aes.encrypt(b"\x00" * 12, b"hello world plaintext", None)
+
+
+ @pytest.mark.skipif(
+ not _aead_supported(AESOCB3),
+ reason="Requires OpenSSL with AES-OCB3 support",
+ )
+-def test_aesocb3_decrypt(benchmark):
++def test_aesocb3_decrypt():
+ aes = AESOCB3(b"\x00" * 32)
+ ct = aes.encrypt(b"\x00" * 12, b"hello world plaintext", None)
+- benchmark(aes.decrypt, b"\x00" * 12, ct, None)
++ aes.decrypt(b"\x00" * 12, ct, None)
+
+
+ @pytest.mark.skipif(
+ not _aead_supported(AESCCM),
+ reason="Requires OpenSSL with AES-CCM support",
+ )
+-def test_aesccm_encrypt(benchmark):
++def test_aesccm_encrypt():
+ aes = AESCCM(b"\x00" * 32)
+- benchmark(aes.encrypt, b"\x00" * 12, b"hello world plaintext", None)
++ aes.encrypt(b"\x00" * 12, b"hello world plaintext", None)
+
+
+ @pytest.mark.skipif(
+ not _aead_supported(AESCCM),
+ reason="Requires OpenSSL with AES-CCM support",
+ )
+-def test_aesccm_decrypt(benchmark):
++def test_aesccm_decrypt():
+ aes = AESCCM(b"\x00" * 32)
+ ct = aes.encrypt(b"\x00" * 12, b"hello world plaintext", None)
+- benchmark(aes.decrypt, b"\x00" * 12, ct, None)
++ aes.decrypt(b"\x00" * 12, ct, None)
+Index: cryptography-43.0.0/tests/bench/test_ec_load.py
+===================================================================
+--- cryptography-43.0.0.orig/tests/bench/test_ec_load.py
++++ cryptography-43.0.0/tests/bench/test_ec_load.py
+@@ -5,9 +5,9 @@
+ from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
+
+
+-def test_load_ec_public_numbers(benchmark):
+- benchmark(EC_KEY_SECP256R1.public_numbers.public_key)
++def test_load_ec_public_numbers():
++ EC_KEY_SECP256R1.public_numbers.public_key()
+
+
+-def test_load_ec_private_numbers(benchmark):
+- benchmark(EC_KEY_SECP256R1.private_key)
++def test_load_ec_private_numbers():
++ EC_KEY_SECP256R1.private_key()
+Index: cryptography-43.0.0/tests/bench/test_hashes.py
+===================================================================
+--- cryptography-43.0.0.orig/tests/bench/test_hashes.py
++++ cryptography-43.0.0/tests/bench/test_hashes.py
+@@ -5,10 +5,10 @@
+ from cryptography.hazmat.primitives import hashes
+
+
+-def test_sha256(benchmark):
++def test_sha256():
+ def bench():
+ h = hashes.Hash(hashes.SHA256())
+ h.update(b"I love hashing. So much. The best.")
+ return h.finalize()
+
+- benchmark(bench)
++ bench()
+Index: cryptography-43.0.0/tests/bench/test_hmac.py
+===================================================================
+--- cryptography-43.0.0.orig/tests/bench/test_hmac.py
++++ cryptography-43.0.0/tests/bench/test_hmac.py
+@@ -5,10 +5,10 @@
+ from cryptography.hazmat.primitives import hashes, hmac
+
+
+-def test_hmac_sha256(benchmark):
++def test_hmac_sha256():
+ def bench():
+ h = hmac.HMAC(b"my extremely secure key", hashes.SHA256())
+ h.update(b"I love hashing. So much. The best.")
+ return h.finalize()
+
+- benchmark(bench)
++ bench()
+Index: cryptography-43.0.0/tests/bench/test_x509.py
+===================================================================
+--- cryptography-43.0.0.orig/tests/bench/test_x509.py
++++ cryptography-43.0.0/tests/bench/test_x509.py
+@@ -13,40 +13,40 @@ from cryptography import x509
+ from ..utils import load_vectors_from_file
+
+
+-def test_object_identifier_constructor(benchmark):
+- benchmark(x509.ObjectIdentifier, "1.3.6.1.4.1.11129.2.4.5")
++def test_object_identifier_constructor():
++ x509.ObjectIdentifier, "1.3.6.1.4.1.11129.2.4.5"
+
+
+-def test_aki_public_bytes(benchmark):
++def test_aki_public_bytes():
+ aki = x509.AuthorityKeyIdentifier(
+ key_identifier=b"\x00" * 16,
+ authority_cert_issuer=None,
+ authority_cert_serial_number=None,
+ )
+- benchmark(aki.public_bytes)
++ aki.public_bytes
+
+
+-def test_load_der_certificate(benchmark):
++def test_load_der_certificate():
+ cert_bytes = load_vectors_from_file(
+ os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+ loader=lambda pemfile: pemfile.read(),
+ mode="rb",
+ )
+
+- benchmark(x509.load_der_x509_certificate, cert_bytes)
++ x509.load_der_x509_certificate, cert_bytes
+
+
+-def test_load_pem_certificate(benchmark):
++def test_load_pem_certificate():
+ cert_bytes = load_vectors_from_file(
+ os.path.join("x509", "cryptography.io.pem"),
+ loader=lambda pemfile: pemfile.read(),
+ mode="rb",
+ )
+
+- benchmark(x509.load_pem_x509_certificate, cert_bytes)
++ x509.load_pem_x509_certificate, cert_bytes
+
+
+-def test_verify_docs_python_org(benchmark, pytestconfig):
++def test_verify_docs_python_org(pytestconfig):
+ limbo_root = pytestconfig.getoption("--x509-limbo-root", skip=True)
+ with open(os.path.join(limbo_root, "limbo.json"), "rb") as f:
+ [testcase] = [
+@@ -78,4 +78,4 @@ def test_verify_docs_python_org(benchmar
+ )
+ verifier.verify(leaf, intermediates)
+
+- benchmark(bench)
++ bench
diff --git a/python-cryptography.changes b/python-cryptography.changes
new file mode 100644
index 0000000..cc42851
--- /dev/null
+++ b/python-cryptography.changes
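Review bot: In the tests/bench/test_x509.py hunks of no-pytest_benchmark.patch the `benchmark(...)` wrappers were replaced by bare expressions rather than calls, so five tests no longer execute the code they are named after: `x509.ObjectIdentifier, "1.3.6.1.4.1.11129.2.4.5"` and the two `x509.load_*_x509_certificate, cert_bytes` lines only build a tuple, while `aki.public_bytes` and `bench` are plain references. These tests now pass without parsing a certificate or reaching `verifier.verify(leaf, intermediates)`, which weakens the build-time check of the X.509 code; the other bench files in the same patch were converted to real calls (`bench()`, `aes.encrypt(...)`). Each target should be called as shown below. The `bench` helper in `test_verify_docs_python_org` is defined outside the visible hunk, so calling it without arguments is inferred from the removed `benchmark(bench)` line.

```python
def test_object_identifier_constructor():
    x509.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.5")

def test_aki_public_bytes():
    # … unchanged: aki = x509.AuthorityKeyIdentifier(...) …
    aki.public_bytes()

def test_load_der_certificate():
    # … unchanged: cert_bytes loaded from GoodCACert.crt …
    x509.load_der_x509_certificate(cert_bytes)

def test_load_pem_certificate():
    # … unchanged: cert_bytes loaded from cryptography.io.pem …
    x509.load_pem_x509_certificate(cert_bytes)

def test_verify_docs_python_org(pytestconfig):
    # … unchanged: limbo test-case loading and the inner bench() definition …
    bench()
```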
@@ -0,0 +1,1721 @@ +------------------------------------------------------------------- +Wed Jul 31 21:45:43 UTC 2024 - Matej Cepl + +- Update building of Rust modules to use modern cargo_vendor + service +- Remove unneeded use-offline-build.patch + +------------------------------------------------------------------- +Fri Jul 26 10:33:45 UTC 2024 - Dirk Müller + +- update to 43.0.0: + * BACKWARDS INCOMPATIBLE: Support for OpenSSL less than 1.1.1e + has been removed. Users on older version of OpenSSL will + need to upgrade. + * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.8. + * Updated Windows, macOS, and Linux wheels to be compiled with + OpenSSL 3.3.1. + * Updated the minimum supported Rust version (MSRV) to 1.65.0, + from 1.63.0. + * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generat + e_private_key` now enforces a minimum RSA key size of + 1024-bit. Note that 1024-bit is still considered insecure, + users should generally use a key size of 2048-bits. + * :func:`~cryptography.hazmat.primitives.serialization.pkcs7.se + rialize_certificates` now emits ASN.1 that more closely + follows the recommendations in RFC 2315. + * Added new :doc:`/hazmat/decrepit/index` module which contains + outdated and insecure cryptographic primitives. :class:`~cryp + tography.hazmat.primitives.ciphers.algorithms.CAST5`, :class: + `~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :c + lass:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA + `, and :class:`~cryptography.hazmat.primitives.ciphers.algori + thms.Blowfish`, which were deprecated in 37.0.0, have been + added to this module. They will be removed from the cipher + module in 45.0.0. + * Moved :class:`~cryptography.hazmat.primitives.ciphers.algorit + hms.TripleDES` and :class:`~cryptography.hazmat.primitives.ci + phers.algorithms.ARC4` into :doc:`/hazmat/decrepit/index` and + deprecated them in the cipher module. They will be removed + from the cipher module in 48.0.0. 
+ * Added support for deterministic + :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDSA` + (RFC 6979) + * Added support for client certificate verification to the + :mod:`X.509 path validation ` + APIs in the form of + :class:`~cryptography.x509.verification.ClientVerifier`, + :class:`~cryptography.x509.verification.VerifiedClient`, and + PolicyBuilder :meth:`~cryptography.x509.verification.PolicyBu + ilder.build_client_verifier`. + * Added Certificate :attr:`~cryptography.x509.Certificate.publi + c_key_algorithm_oid` and Certificate Signing Request :attr:`~ + cryptography.x509.CertificateSigningRequest.public_key_algori + thm_oid` to determine the + :class:`~cryptography.hazmat._oid.PublicKeyAlgorithmOID` + Object Identifier of the public key found inside the + certificate. + * Added :attr:`~cryptography.x509.InvalidityDate.invalidity_dat + e_utc`, a timezone-aware alternative to the naïve datetime + attribute + :attr:`~cryptography.x509.InvalidityDate.invalidity_date`. + * Added support for parsing empty DN string in + :meth:`~cryptography.x509.Name.from_rfc4514_string`. + * Added the following properties that return timezone-aware + datetime objects: + :meth:`~cryptography.x509.ocsp.OCSPResponse.produced_at_utc`, + :meth:`~cryptography.x509.ocsp.OCSPResponse.revocation_time_u + tc`, + :meth:`~cryptography.x509.ocsp.OCSPResponse.this_update_utc`, + :meth:`~cryptography.x509.ocsp.OCSPResponse.next_update_utc`, + :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.revocation_ + time_utc`, :meth:`~cryptography.x509.ocsp.OCSPSingleResponse. + this_update_utc`, :meth:`~cryptography.x509.ocsp.OCSPSingleRe + sponse.next_update_utc`, These are timezone-aware variants of + existing properties that return naïve datetime objects. 
+ * Added :func:`~cryptography.hazmat.primitives.asymmetric.rsa.r + sa_recover_private_exponent` + * Added :meth:`~cryptography.hazmat.primitives.ciphers.CipherCo + ntext.reset_nonce` for altering the nonce of a cipher context + without initializing a new instance. See the docs for + additional restrictions. + * :class:`~cryptography.x509.NameAttribute` now raises an + exception when attempting to create a common name whose + length is shorter or longer than RFC 5280 permits. + * Added basic support for PKCS7 encryption (including SMIME) + via :class:`~cryptography.hazmat.primitives.serialization.pkc + s7.PKCS7EnvelopeBuilder`. +- add use-offline-build.patch + +------------------------------------------------------------------- +Sat Jun 8 12:04:15 UTC 2024 - Dirk Müller + +- update to 42.0.8: + * Updated Windows, macOS, and Linux wheels to be compiled with + OpenSSL 3.2.2. + +------------------------------------------------------------------- +Tue May 7 16:14:05 UTC 2024 - Dirk Müller + +- update to 42.0.7: + * Restored Windows 7 compatibility for our pre-built wheels. + Note that we do not test on Windows 7 and wheels for our next + release will not support it. Microsoft no longer provides + support for Windows 7 and users are encouraged to upgrade. + +------------------------------------------------------------------- +Tue May 7 07:34:43 UTC 2024 - Dirk Müller + +- update to 42.0.6: + * Fixed compilation when using LibreSSL 3.9.1. + +------------------------------------------------------------------- +Tue Apr 2 13:19:19 UTC 2024 - Dirk Müller + +- update to 42.0.5: + * Limit the number of name constraint checks that will be + performed in :mod:`X.509 path validation + ` to protect against denial + of service attacks. + * Upgrade pyo3 version, which fixes building on PowerPC. 
+ +------------------------------------------------------------------- +Thu Feb 22 17:10:39 UTC 2024 - Daniel Garcia + +- update to 42.0.4 (bsc#1220210, CVE-2024-26130): + * Fixed a null-pointer-dereference and segfault that could occur + when creating a PKCS#12 bundle. Credit to Alexander-Programming + for reporting the issue. CVE-2024-26130 + * Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields + SMIMECapabilities and SignatureAlgorithmIdentifier should now be + correctly encoded according to the definitions in :rfc:2633 + :rfc:3370. +- update to 42.0.3: + * Fixed an initialization issue that caused key loading failures for some + users. +- Drop patch skip_openssl_memleak_test.patch not needed anymore. + +------------------------------------------------------------------- +Wed Jan 31 17:24:29 UTC 2024 - Dirk Müller + +- update to 42.0.2: + * Updated Windows, macOS, and Linux wheels to be compiled with + OpenSSL 3.2.1. + * Fixed an issue that prevented the use of Python buffer + protocol objects in sign and verify methods on asymmetric + keys. + * Fixed an issue with incorrect keyword-argument naming with + EllipticCurvePrivateKey :meth:`~cryptography.hazmat.primitive + s.asymmetric.ec.EllipticCurvePrivateKey.exchange`, + X25519PrivateKey :meth:`~cryptography.hazmat.primitives.asymm + etric.x25519.X25519PrivateKey.exchange`, X448PrivateKey :meth + :`~cryptography.hazmat.primitives.asymmetric.x448.X448Private + Key.exchange`, and DHPrivateKey :meth:`~cryptography.hazmat.p + rimitives.asymmetric.dh.DHPrivateKey.exchange`. + +------------------------------------------------------------------- +Mon Jan 29 14:01:49 UTC 2024 - Dirk Müller + +- update to 42.0.1: + * Fixed an issue with incorrect keyword-argument naming with + EllipticCurvePrivateKey :meth:`~cryptography.hazmat.primitive + s.asymmetric.ec.EllipticCurvePrivateKey.sign`. 
+ * Resolved compatibility issue with loading certain RSA public + keys in :func:`~cryptography.hazmat.primitives.serialization. + load_pem_public_key`. + * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.7. + * BACKWARDS INCOMPATIBLE: Loading a PKCS7 with no content field + using :func:`~cryptography.hazmat.primitives.serialization.pk + cs7.load_pem_pkcs7_certificates` or :func:`~cryptography.hazm + at.primitives.serialization.pkcs7.load_der_pkcs7_certificates + ` will now raise a ValueError rather than return an empty + list. + * Parsing SSH certificates no longer permits malformed critical + options with values, as documented in the 41.0.2 release + notes. + * Updated Windows, macOS, and Linux wheels to be compiled with + OpenSSL 3.2.0. + * Updated the minimum supported Rust version (MSRV) to 1.63.0, + from 1.56.0. + * We now publish both py37 and py39 abi3 wheels. This should + resolve some errors relating to initializing a module + multiple times per process. + * Support :class:`~cryptography.hazmat.primitives.asymmetric.pa + dding.PSS` for X.509 certificate signing requests and + certificate revocation lists with the keyword-only argument + rsa_padding on the sign methods for + :class:`~cryptography.x509.CertificateSigningRequestBuilder` + and + :class:`~cryptography.x509.CertificateRevocationListBuilder`. + * Added support for obtaining X.509 certificate signing request + signature algorithm parameters (including PSS) via :meth:`~cr + yptography.x509.CertificateSigningRequest.signature_algorithm + _parameters`. + * Added support for obtaining X.509 certificate revocation list + signature algorithm parameters (including PSS) via :meth:`~cr + yptography.x509.CertificateRevocationList.signature_algorithm + _parameters`. + * Added mgf property to :class:`~cryptography.hazmat.primitives + .asymmetric.padding.PSS`. + * Added algorithm and mgf properties to :class:`~cryptography.h + azmat.primitives.asymmetric.padding.OAEP`. 
+ * Added the following properties that return timezone-aware + datetime objects: + :meth:`~cryptography.x509.Certificate.not_valid_before_utc`, + :meth:`~cryptography.x509.Certificate.not_valid_after_utc`, : + meth:`~cryptography.x509.RevokedCertificate.revocation_date_u + tc`, :meth:`~cryptography.x509.CertificateRevocationList.next + _update_utc`, :meth:`~cryptography.x509.CertificateRevocation + List.last_update_utc`. These are timezone-aware variants of + existing properties that return naïve datetime objects. + * Deprecated the following properties that return naïve + datetime objects: + :meth:`~cryptography.x509.Certificate.not_valid_before`, + :meth:`~cryptography.x509.Certificate.not_valid_after`, :meth + :`~cryptography.x509.RevokedCertificate.revocation_date`, :me + th:`~cryptography.x509.CertificateRevocationList.next_update` + , :meth:`~cryptography.x509.CertificateRevocationList.last_up + date` in favor of the new timezone-aware variants mentioned + above. + * Added support for :class:`~cryptography.hazmat.primitives.cip + hers.algorithms.ChaCha20` on LibreSSL. + * Added support for RSA PSS signatures in PKCS7 with :meth:`~cr + yptography.hazmat.primitives.serialization.pkcs7.PKCS7Signatu + reBuilder.add_signer`. + * In the next release (43.0.0) of cryptography, loading an + X.509 certificate with a negative serial number will raise an + exception. This has been deprecated since 36.0.0. + * Added support for :class:`~cryptography.hazmat.primitives.cip + hers.aead.AESGCMSIV` when using OpenSSL 3.2.0+. + * Added the :mod:`X.509 path validation + ` APIs for + :class:`~cryptography.x509.Certificate` chains. These APIs + should be considered unstable and not subject to our + stability guarantees until documented as such in a future + release. + * Added support for :class:`~cryptography.hazmat.primitives.cip + hers.algorithms.SM4` + :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` + when using OpenSSL 3.0 or greater. 
+- use PEP517 build +- switch to new cargo-vendor + +------------------------------------------------------------------- +Tue Nov 28 09:27:57 UTC 2023 - Dirk Müller + +- update to 41.0.7 (CVE-2023-49083, bsc#1217592): + * Fixed compilation when using LibreSSL 3.8.2. + * Fixed a null-pointer-dereference and segfault that could + occur when loading certificates from a PKCS#7 bundle. + Credit to **pkuzco** for reporting the issue. **CVE-2023-49083** + +------------------------------------------------------------------- +Fri Nov 10 13:28:56 UTC 2023 - Dirk Müller + +- update to 41.0.5: + * Updated Windows, macOS, and Linux wheels to be compiled with + OpenSSL 3.1.4. + * Added a function to support an upcoming ``pyOpenSSL`` + release. + +------------------------------------------------------------------- +Thu Oct 5 09:30:35 UTC 2023 - Dirk Müller + +- update to 41.0.4: + * Updated Windows, macOS, and Linux wheels to be compiled with + OpenSSL 3.1.3. + +------------------------------------------------------------------- +Tue Aug 8 10:57:22 UTC 2023 - Dirk Müller + +- update to 41.0.3: + * Fixed performance regression loading DH public keys. + * Fixed a memory leak when using + * :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20 + Poly1305`. + +------------------------------------------------------------------- +Tue Jul 11 13:44:14 UTC 2023 - Dirk Müller + +- update to 41.0.2 (bsc#1213378, CVE-2023-38325): + * Fixed bugs in creating and parsing SSH certificates where + critical options with values were handled incorrectly. + Certificates are now created correctly and parsing accepts + correct values as well as the previously generated + invalid forms with a warning. In the next release, support + for parsing these invalid forms will be removed. 
+ +------------------------------------------------------------------- +Tue Jul 11 11:44:23 UTC 2023 - Johannes Kastl + +- remove patch remove_python_3_6_deprecation_warning.patch as the + warning was already removed upstream + +------------------------------------------------------------------- +Mon Jul 10 22:52:18 UTC 2023 - Matej Cepl + +- Add no-pytest_benchmark.patch, which remove dependency on + pytest-benchmark and coveralls (We don't need no benchmarking + and coverage measurement; bsc#1213005). + +------------------------------------------------------------------- +Mon Jun 19 20:41:45 UTC 2023 - Dirk Müller + +- update to 41.0.1 (bsc#1212568): + * Temporarily allow invalid ECDSA signature algorithm + parameters in X.509 certificates, which are + generated by older versions of Java. + * Allow null bytes in pass phrases when serializing private + keys. + * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than + 1.1.1d has been removed. Users on older version of + OpenSSL will need to upgrade. + * **BACKWARDS INCOMPATIBLE:** Support for Python 3.6 has been + removed. + * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < + 3.6. + * Updated the minimum supported Rust version (MSRV) to 1.56.0, + from 1.48.0. + * Added support for the + :class:`~cryptography.x509.OCSPAcceptableResponses` + OCSP extension. + * Added support for the + :class:`~cryptography.x509.MSCertificateTemplate` + proprietary Microsoft certificate extension. + * Implemented support for equality checks on all asymmetric + public key types. + * Added support for ``aes256-gcm@openssh.com`` encrypted keys + in :func:`~cryptography.hazmat.primitives.serialization.load_ssh + _private_key`. 
+ * Added support for obtaining X.509 certificate signature + algorithm parameters (including PSS) + +------------------------------------------------------------------- +Fri Apr 21 12:23:51 UTC 2023 - Dirk Müller + +- add sle15_python_module_pythons (jsc#PED-68) + +------------------------------------------------------------------- +Sat Apr 15 10:26:40 UTC 2023 - Dirk Müller + +- update to 40.0.2: + * Fixed compilation when using LibreSSL 3.7.2. + +------------------------------------------------------------------- +Thu Apr 13 22:40:44 UTC 2023 - Matej Cepl + +- Make calling of %{sle15modernpython} optional. + +------------------------------------------------------------------- +Mon Mar 27 06:38:01 UTC 2023 - Johannes Kastl + +- rebase patch remove_python_3_6_deprecation_warning.patch + +------------------------------------------------------------------- +Sun Mar 26 19:56:32 UTC 2023 - Dirk Müller + +- update to 40.0.1: + * Support for Python 3.6 is deprecated and will be removed in + the next release. + * Deprecated the current minimum supported Rust version (MSRV) + of 1.48.0. In the next release we will raise MSRV to 1.56.0. + Users with the latest ``pip`` will typically get a wheel + and not need Rust installed + * Deprecated support for OpenSSL less than 1.1.1d. The next + release of ``cryptography`` will drop support for older versions. + * Deprecated support for DSA keys in + :func:`~cryptography.hazmat.primitives.serialization.load_s + sh_public_key` + and + :func:`~cryptography.hazmat.primitives.serialization.load_s + sh_private_key`. + * Deprecated support for OpenSSH serialization in + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAP + ublicKey` + and + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAP + rivateKey`. + * Added support for parsing SSH certificates in addition to + public keys with + :func:`~cryptography.hazmat.primitives.serialization.load_s + sh_public_identity`. 
+ :func:`~cryptography.hazmat.primitives.serialization.load_s + sh_public_key` continues to support only public keys. + * Added support for generating SSH certificates with + :class:`~cryptography.hazmat.primitives.serialization.SSHCe + rtificateBuilder`. + * Added :meth:`~cryptography.x509.Certificate.verify_directly_i + ssued_by` to + :class:`~cryptography.x509.Certificate`. + * Added a check to :class:`~cryptography.x509.NameConstraints` + to ensure that :class:`~cryptography.x509.DNSName` constraints + do not contain any ``*`` wildcards. + * Removed many unused CFFI OpenSSL bindings. This will not + impact you unless you are using ``cryptography`` to directly + invoke OpenSSL's C API. Note that + these have never been considered a stable, supported, + public API by ``cryptography``, this note is included as a courtesy. + * The X.509 builder classes now raise ``UnsupportedAlgorithm`` + instead of ``ValueError`` if an unsupported hash algorithm is passed. + * Added public union type aliases for type hinting + +------------------------------------------------------------------- +Tue Mar 7 07:34:20 UTC 2023 - Dirk Müller + +- update to 39.0.2: + * Fixed a bug where the content type header was not properly + encoded for PKCS7 signatures when using the ``Text`` option and + ``SMIME`` encoding. + +------------------------------------------------------------------- +Thu Feb 9 09:53:49 UTC 2023 - Matej Cepl + +- Update to 39.0.1 (bsc#1208036, CVE-2023-23931): + * SECURITY ISSUE - Fixed a bug where Cipher.update_into + accepted Python buffer protocol objects, but allowed + immutable buffers. CVE-2023-23931 + * drops CVE-2023-23931-dont-allow-update-into.patch in older dists + * Updated Windows, macOS, and Linux wheels to be compiled with + OpenSSL 3.0.8. 
+ +------------------------------------------------------------------- +Thu Jan 12 10:14:50 UTC 2023 - Johannes Kastl + +- adjust patch remove_python_3_6_deprecation_warning.patch to version + 39.0.0 + +------------------------------------------------------------------- +Mon Jan 2 19:38:58 UTC 2023 - Dirk Müller + +- update to 39.0.0: + * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.0 has been removed. + Users on older version of OpenSSL will need to upgrade. + * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.5. The new + minimum LibreSSL version is 3.5.0. Going forward our policy is to support + versions of LibreSSL that are available in versions of OpenBSD that are + still receiving security support. + * **BACKWARDS INCOMPATIBLE:** Removed the ``encode_point`` and + ``from_encoded_point`` methods on + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`, + which had been deprecated for several years. + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes` + and + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point` + should be used instead. + * **BACKWARDS INCOMPATIBLE:** Support for using MD5 or SHA1 in + :class:`~cryptography.x509.CertificateBuilder`, other X.509 builders, and + PKCS7 has been removed. + * **ANNOUNCEMENT:** The next version of ``cryptography`` (40.0) will + change + the way we link OpenSSL. This will only impact users who build + ``cryptography`` from source (i.e., not from a ``wheel``), and specify their + own version of OpenSSL. For those users, the ``CFLAGS``, ``LDFLAGS``, + ``INCLUDE``, ``LIB``, and ``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS`` environment + variables will no longer be respected. Instead, users will need to + configure their builds `as documented here`_. 
+ * Added support for disabling the legacy provider in OpenSSL 3.0.x
+ * Added support for disabling RSA key validation checks when loading RSA
+ keys via
+ ~cryptography.hazmat.primitives.serialization.load_pem_private_key
+ ~cryptography.hazmat.primitives.serialization.load_der_private_key
+ ~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers.private_key
+ * Added support for creating OCSP requests with precomputed hashes using
+ :meth:`~cryptography.x509.ocsp.OCSPRequestBuilder.add_certificate_by_hash`.
+ * Added support for loading multiple PEM-encoded X.509 certificates from
+ a single input via :func:`~cryptography.x509.load_pem_x509_certificates`.
+
+-------------------------------------------------------------------
+Wed Dec 7 16:43:26 UTC 2022 - Yogalakshmi Arunachalam
+
+- Update to version 38.0.4
+ * Fixed compilation when using LibreSSL 3.6.0.
+ * Fixed error when using py2app to build an application with a cryptography dependency.
+
+-------------------------------------------------------------------
+Thu Nov 3 19:17:35 UTC 2022 - Matej Cepl
+
+- update to 38.0.3:
+ - Updated Windows, macOS, and Linux wheels to be compiled
+ with OpenSSL 3.0.7, which resolves CVE-2022-3602 and
+ CVE-2022-3786.
+
+-------------------------------------------------------------------
+Thu Sep 29 19:42:06 UTC 2022 - Dirk Müller
+
+- update to 38.0.1:
+ * Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
+ seen in large CRLs).
+ * Final deprecation of OpenSSL 1.1.0. The next release of ``cryptography``
+ will drop support.
+ * We no longer ship ``manylinux2010`` wheels. Users should upgrade to the
+ latest ``pip`` to ensure this doesn't cause issues downloading wheels on
+ their platform. We now ship ``manylinux_2_28`` wheels for users on new
+ enough platforms.
+ * Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0.
+ Users with the latest ``pip`` will typically get a wheel and not need Rust
+ installed, but check :doc:`/installation` for documentation on installing a
+ newer ``rustc`` if required.
+ * :meth:`~cryptography.fernet.Fernet.decrypt` and related methods now accept
+ both ``str`` and ``bytes`` tokens.
+ * Parsing ``CertificateSigningRequest`` restores the behavior of enforcing
+ that the ``Extension`` ``critical`` field must be correctly encoded DER. See
+ `the issue `_ for complete
+ details.
+ * Added two new OpenSSL functions to the bindings to support an upcoming
+ ``pyOpenSSL`` release.
+ * When parsing :class:`~cryptography.x509.CertificateRevocationList` and
+ :class:`~cryptography.x509.CertificateSigningRequest` values, it is now
+ enforced that the ``version`` value in the input must be valid according to
+ the rules of :rfc:`2986` and :rfc:`5280`.
+ * Using MD5 or SHA1 in :class:`~cryptography.x509.CertificateBuilder` and
+ other X.509 builders is deprecated and support will be removed in the next
+ version.
+ * Added additional APIs to
+ :class:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp`, including
+ :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_hash_algorithm`,
+ :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature_algorithm`,
+ :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.signature`, and
+ :attr:`~cryptography.x509.certificate_transparency.SignedCertificateTimestamp.extension_bytes`.
+ * Added :attr:`~cryptography.x509.Certificate.tbs_precertificate_bytes`, allowing
+ users to access the to-be-signed pre-certificate data needed for signed
+ certificate timestamp verification.
+ * :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFHMAC` and
+ :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC` now support
+ :attr:`~cryptography.hazmat.primitives.kdf.kbkdf.CounterLocation.MiddleFixed`
+ counter location.
+ * Fixed :rfc:`4514` name parsing to reverse the order of the RDNs according
+ to the section 2.1 of the RFC, affecting method
+ :meth:`~cryptography.x509.Name.from_rfc4514_string`.
+ * It is now possible to customize some aspects of encryption when serializing
+ private keys, using
+ :meth:`~cryptography.hazmat.primitives.serialization.PrivateFormat.encryption_builder`.
+ * Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL
+ versions older than 22.0 will need to upgrade.
+ * Added
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES128` and
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES256` classes.
+ These classes do not replace
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` (which
+ allows all AES key lengths), but are intended for applications where
+ developers want to be explicit about key length.
+
+-------------------------------------------------------------------
+Tue Jul 19 12:07:03 UTC 2022 - Dirk Müller
+
+- update to 37.0.4:
+ * updated wheels to b ecompiled against openssl 3.0.5
+
+-------------------------------------------------------------------
+Thu Jun 9 16:08:17 UTC 2022 - Andreas Schneider
+
+- Remove Python 3.6 deprecation warning on openSUSE Leap.
+ * Added remove_python_3_6_deprecation_warning.patch
+
+-------------------------------------------------------------------
+Tue May 24 06:57:55 UTC 2022 - Dirk Müller
+
+- update to 37.0.2:
+ * Fixed an issue where parsing an encrypted private key with the public
+ loader functions would hang waiting for console input on OpenSSL 3.0.x rather
+ than raising an error.
+ * Restored some legacy symbols for older ``pyOpenSSL`` users. These will be
+ removed again in the future, so ``pyOpenSSL`` users should still upgrade
+ to the latest version of that package when they upgrade ``cryptography``.
+ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
+ * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.9.x and 3.0.x.
+ The new minimum LibreSSL version is 3.1+.
+ * **BACKWARDS INCOMPATIBLE:** Removed ``signer`` and ``verifier`` methods
+ from the public key and private key classes. These methods were originally
+ deprecated in version 2.0, but had an extended deprecation timeline due
+ to usage. Any remaining users should transition to ``sign`` and ``verify``.
+ * Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by
+ the OpenSSL project. The next release of ``cryptography`` will be the last
+ to support compiling with OpenSSL 1.1.0.
+ * Deprecated Python 3.6 support. Python 3.6 is no longer supported by the
+ Python core team. Support for Python 3.6 will be removed in a future
+ ``cryptography`` release.
+ * Deprecated the current minimum supported Rust version (MSRV) of 1.41.0.
+ In the next release we will raise MSRV to 1.48.0. Users with the latest
+ ``pip`` will typically get a wheel and not need Rust installed, but check
+ :doc:`/installation` for documentation on installing a newer ``rustc`` if
+ required.
+ * Deprecated
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5`,
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`,
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA`, and
+ :class:`~cryptography.hazmat.primitives.ciphers.algorithms.Blowfish` because
+ they are legacy algorithms with extremely low usage. These will be removed
+ in a future version of ``cryptography``.
+ * Added limited support for distinguished names containing a bit string.
+ * We now ship ``universal2`` wheels on macOS, which contain both ``arm64``
+ and ``x86_64`` architectures. Users on macOS should upgrade to the latest
+ ``pip`` to ensure they can use this wheel, although we will continue to
+ ship ``x86_64`` specific wheels for now to ease the transition.
+ * This will be the final release for which we ship ``manylinux2010`` wheels.
+ Going forward the minimum supported ``manylinux`` ABI for our wheels will
+ be ``manylinux2014``. The vast majority of users will continue to receive
+ ``manylinux`` wheels provided they have an up to date ``pip``. For PyPy
+ wheels this release already requires ``manylinux2014`` for compatibility
+ with binaries distributed by upstream.
+ * Added support for multiple
+ :class:`~cryptography.x509.ocsp.OCSPSingleResponse` in a
+ :class:`~cryptography.x509.ocsp.OCSPResponse`.
+ * Restored support for signing certificates and other structures in
+ :doc:`/x509/index` with SHA3 hash algorithms.
+ * :class:`~cryptography.hazmat.primitives.ciphers.algorithms.TripleDES` is
+ disabled in FIPS mode.
+ * Added support for serialization of PKCS#12 CA friendly names/aliases in
+ :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_key_and_certificates`
+ * Added support for 12-15 byte (96 to 120 bit) nonces to
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.AESOCB3`. This class
+ previously supported only 12 byte (96 bit).
+ * Added support for
+ :class:`~cryptography.hazmat.primitives.ciphers.aead.AESSIV` when using
+ OpenSSL 3.0.0+.
+ * Added support for serializing PKCS7 structures from a list of
+ certificates with
+ :class:`~cryptography.hazmat.primitives.serialization.pkcs7.serialize_certificates`.
+ * Added support for parsing :rfc:`4514` strings with
+ :meth:`~cryptography.x509.Name.from_rfc4514_string`.
+ * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.AUTO` to
+ :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This can
+ be used to verify a signature where the salt length is not already known.
+ * Added :attr:`~cryptography.hazmat.primitives.asymmetric.padding.PSS.DIGEST_LENGTH`
+ to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. This
+ constant will set the salt length to the same length as the ``PSS`` hash
+ algorithm.
+ * Added support for loading RSA-PSS key types with
+ :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
+ and
+ :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`.
+ This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a
+ normal RSA private key, discarding the PSS constraint information.
+
+-------------------------------------------------------------------
+Sat Mar 26 20:10:08 UTC 2022 - Dirk Müller
+
+- update to 36.0.2:
+ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.
+
+-------------------------------------------------------------------
+Wed Feb 16 19:00:16 UTC 2022 - Dirk Müller
+
+- split tests in a multibuild variant to optimize rebuild time a bit
+
+-------------------------------------------------------------------
+Mon Dec 20 22:52:53 UTC 2021 - Dirk Müller
+
+- update to 36.0.1:
+ * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.
+
+-------------------------------------------------------------------
+Sat Nov 27 15:56:28 UTC 2021 - Dirk Müller
+
+- update to 36.0.0:
+ * FINAL DEPRECATION Support for verifier and signer on our asymmetric key
+ classes was deprecated in version 2.1. These functions had an extended
+ deprecation due to usage, however the next version of cryptography will
+ drop support. Users should migrate to sign and verify.
+ * The entire X.509 layer is now written in Rust. This allows alternate
+ asymmetric key implementations that can support cloud key management
+ services or hardware security modules provided they implement the necessary
+ interface (for example: EllipticCurvePrivateKey).
+ * Deprecated the backend argument for all functions.
+ * Added support for AESOCB3.
+ * Added support for iterating over arbitrary request attributes.
+ * Deprecated the get_attribute_for_oid method on CertificateSigningRequest in
+ favor of get_attribute_for_oid() on the new Attributes object.
+ * Fixed handling of PEM files to allow loading when certificate and key are
+ in the same file.
+ * Fixed parsing of CertificatePolicies extensions containing legacy BMPString values in their explicitText.
+ * Allow parsing of negative serial numbers in certificates. Negative serial
+ numbers are prohibited by RFC 5280 so a deprecation warning will be raised
+ whenever they are encountered. A future version of cryptography will drop
+ support for parsing them.
+ * Added support for parsing PKCS12 files with friendly names for all
+ certificates with load_pkcs12(), which will return an object of type
+ PKCS12KeyAndCertificates.
+ * rfc4514_string() and related methods now have an optional
+ attr_name_overrides parameter to supply custom OID to name mappings, which
+ can be used to match vendor-specific extensions.
+ * BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email
+ address fields as E in rfc4514_string() methods from version 35.0.
+ * The previous behavior can be restored with:
+ name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})
+ * Allow X25519PublicKey and X448PublicKey to be used as public keys when
+ parsing certificates or creating them with CertificateBuilder. These key
+ types must be signed with a different signing algorithm as X25519 and X448
+ do not support signing.
+ * Extension values can now be serialized to a DER byte string by calling public_bytes().
+ * Added experimental support for compiling against BoringSSL. As BoringSSL
+ does not commit to a stable API, cryptography tests against the latest
+ commit only. Please note that several features are not available when
+ building against BoringSSL.
+ * Parsing CertificateSigningRequest from DER and PEM now, for a limited time
+ period, allows the Extension critical field to be incorrectly encoded. See
+ the issue for complete details. This will be reverted in a future
+ cryptography release.
+ * When OCSPNonce are parsed and generated their value is now correctly
+ wrapped in an ASN.1 OCTET STRING. This conforms to RFC 6960 but conflicts
+ with the original behavior specified in RFC 2560. For a temporary period
+ for backwards compatibility, we will also parse values that are encoded as
+ specified in RFC 2560 but this behavior will be removed in a future
+ release.
+ * Changed the version scheme. This will result in us incrementing the major
+ version more frequently, but does not change our existing backwards
+ compatibility policy.
+ * BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM
+ string passed have PEM delimiters of the correct type. For example, parsing
+ a private key PEM concatenated with a certificate PEM will no longer be
+ accepted by the PEM certificate parser.
+ * BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows
+ negative serial numbers. RFC 5280 has always prohibited these.
+ * BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during
+ X.509 parsing will raise an error on initial parse rather than when the
+ malformed field is accessed.
+ * Rust is now required for building cryptography, the
+ CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.
+ * Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust.
+ This should be backwards compatible (modulo the items listed above) and
+ improve both security and performance.
+ * Added support for OpenSSL 3.0.0 as a compilation target.
+ * Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms
+ are provided for compatibility in regions where they may be required, and
+ are not generally recommended.
+ * We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our
+ manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine
+ Linux should ensure they upgrade to the latest pip to correctly receive
+ wheels.
+ * Added rfc4514_attribute_name attribute to x509.NameAttribute.
+- drop disable-uneven-sizes-tests.patch (upstream)
+- drop disable-RustExtension.patch: building rust extension now
+
+-------------------------------------------------------------------
+Tue Oct 12 18:54:25 UTC 2021 - Ben Greiner
+
+- Add disable-RustExtension.patch in order to avoid a build
+ requirement setuptools_rust
+- Next version (35.0) needs a full Rust toolchain.
+- Clean runtime, build and test requirements
+- Disable python2 build: Not supported anymore
+
+-------------------------------------------------------------------
+Mon Oct 4 07:00:30 UTC 2021 - Adrian Schröter
+
+- update to 3.4.8
+- keep new rust support disabled for now to avoid new dependencies
+
+-------------------------------------------------------------------
+Mon Apr 26 10:07:08 UTC 2021 - Matej Cepl
+
+- Remove unnecessary %ifpython3 construct
+
+-------------------------------------------------------------------
+Sun Feb 7 20:11:11 UTC 2021 - Michael Ströder
+
+- update to 3.3.2 (bsc#1182066, CVE-2020-36242, bsc#1198331):
+ * SECURITY ISSUE: Fixed a bug where certain sequences of update()
+ calls when symmetrically encrypting very large payloads (>2GB) could
+ result in an integer overflow, leading to buffer overflows.
+ CVE-2020-36242
+ - drops CVE-2020-36242-buffer-overflow.patch on older dists
+
+-------------------------------------------------------------------
+Sun Dec 20 09:31:33 UTC 2020 - Dirk Müller
+
+- update to 3.3.1:
+ * Re-added a legacy symbol causing problems for older ``pyOpenSSL`` use
+
+-------------------------------------------------------------------
+Wed Dec 9 11:56:30 UTC 2020 - Marcus Rueckert
+
+- update to 3.3.0
+ - BACKWARDS INCOMPATIBLE: Support for Python 3.5 has been removed
+ due to low usage and maintenance burden.
+ - BACKWARDS INCOMPATIBLE: The GCM and AESGCM now require 64-bit
+ to 1024-bit (8 byte to 128 byte) initialization vectors. This
+ change is to conform with an upcoming OpenSSL release that will
+ no longer support sizes outside this window.
+ - BACKWARDS INCOMPATIBLE: When deserializing asymmetric keys we
+ now raise ValueError rather than UnsupportedAlgorithm when an
+ unsupported cipher is used. This change is to conform with an
+ upcoming OpenSSL release that will no longer distinguish
+ between error types.
+ - BACKWARDS INCOMPATIBLE: We no longer allow loading of finite
+ field Diffie-Hellman parameters of less than 512 bits in
+ length. This change is to conform with an upcoming OpenSSL
+ release that no longer supports smaller sizes. These keys were
+ already wildly insecure and should not have been used in any
+ application outside of testing.
+ - Updated Windows, macOS, and manylinux wheels to be compiled
+ with OpenSSL 1.1.1i.
+ - Python 2 support is deprecated in cryptography. This is the
+ last release that will support Python 2.
+ - Added the recover_data_from_signature() function to
+ RSAPublicKey for recovering the signed data from an RSA
+ signature.
+
+-------------------------------------------------------------------
+Sun Dec 6 20:37:33 UTC 2020 - Matej Cepl
+
+- Remove unnecessary dependency virtualenv.
+
+-------------------------------------------------------------------
+Wed Oct 28 14:29:05 UTC 2020 - Michael Ströder
+
+- update to 3.2.1:
+ Disable blinding on RSA public keys to address an error with
+ some versions of OpenSSL.
+
+-------------------------------------------------------------------
+Mon Oct 26 11:39:02 UTC 2020 - Michael Ströder
+
+- update to 3.2 (bsc#1178168, CVE-2020-25659):
+ * CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time,
+ to protect against Bleichenbacher vulnerabilities. Due to limitations imposed
+ by our API, we cannot completely mitigate this vulnerability.
+ * Support for OpenSSL 1.0.2 has been removed.
+ * Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.
+- drops 5507-mitigate-Bleichenbacher-attacks.patch on older dists
+
+-------------------------------------------------------------------
+Mon Sep 28 10:49:56 UTC 2020 - Dirk Mueller
+
+- update to 3.1.1:
+ * wheels compiled with OpenSSL 1.1.1h.
+
+-------------------------------------------------------------------
+Fri Sep 18 11:15:53 UTC 2020 - Dirk Mueller
+
+- update to 3.1:
+ * **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based
+ :term:`U-label` parsing in various X.509 classes. This support was originally
+ deprecated in version 2.1 and moved to an extra in 2.5.
+ * Deprecated OpenSSL 1.0.2 support. OpenSSL 1.0.2 is no longer supported by
+ the OpenSSL project. The next version of ``cryptography`` will drop support
+ for it.
+ * Deprecated support for Python 3.5. This version sees very little use and will
+ be removed in the next release.
+ * ``backend`` arguments to functions are no longer required and the
+ default backend will automatically be selected if no ``backend`` is provided.
+ * Added initial support for parsing certificates from PKCS7 files with
+ :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
+ and
+ :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
+ .
+ * Calling ``update`` or ``update_into`` on
+ :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data``
+ longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This
+ also resolves the same issue in :doc:`/fernet`.
+
+-------------------------------------------------------------------
+Tue Jul 28 17:16:47 UTC 2020 - Ondřej Súkup
+
+- update to 3.0
+- refreshed disable-uneven-sizes-tests.patch and skip_openssl_memleak_test.patch
+ * Removed support for passing an Extension instance
+ to from_issuer_subject_key_identifier(), as per our deprecation policy.
+ * Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has been removed
+ * Dropped support for macOS 10.9, macOS users must upgrade to 10.10 or newer.
+ * RSA generate_private_key() no longer accepts public_exponent values except
+ 65537 and 3 (the latter for legacy purposes).
+ * X.509 certificate parsing now enforces that the version field contains
+ a valid value, rather than deferring this check until version is accessed.
+ * Deprecated support for Python 2
+ * Added support for OpenSSH serialization format for ec, ed25519, rsa and dsa
+ private keys: load_ssh_private_key() for loading and OpenSSH for writing.
+ * Added support for OpenSSH certificates to load_ssh_public_key().
+ * Added encrypt_at_time() and decrypt_at_time() to Fernet.
+ * Added support for the SubjectInformationAccess X.509 extension.
+ * Added support for parsing SignedCertificateTimestamps in OCSP responses.
+ * Added support for parsing attributes in certificate signing requests via get_attribute_for_oid().
+ * Added support for encoding attributes in certificate signing requests via add_attribute().
+ * On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL’s built-in CSPRNG
+ instead of its own OS random engine because these versions of OpenSSL properly reseed on fork.
+ * Added initial support for creating PKCS12 files with serialize_key_and_certificates().
+
+-------------------------------------------------------------------
+Fri May 15 08:44:10 UTC 2020 - Michael Ströder
+
+- update to 2.9.2
+ * 2.9.2 - 2020-04-22
+ - Updated the macOS wheel to fix an issue where it would not run on macOS versions older than 10.15.
+ * 2.9.1 - 2020-04-21
+ - Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1g.
+ * 2.9 - 2020-04-02
+ - BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to
+ low usage and maintenance burden.
+ - BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed.
+ Users on older version of OpenSSL will need to upgrade.
+ - BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed.
+ - Removed support for calling public_bytes() with no arguments, as per
+ our deprecation policy. You must now pass encoding and format.
+ - BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string()
+ returns the RDNs as required by RFC 4514.
+ - Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1f.
+ - Added support for parsing single_extensions in an OCSP response.
+ - NameAttribute values can now be empty strings.
+
+-------------------------------------------------------------------
+Thu Oct 17 14:53:32 UTC 2019 - Michael Ströder
+
+- update to 2.8
+ * Added support for Python 3.8.
+ * Added class methods Poly1305.generate_tag and Poly1305.verify_tag for Poly1305 sign and verify operations.
+ * Deprecated support for OpenSSL 1.0.1. Support will be removed in cryptography 2.9.
+ * We now ship manylinux2010 wheels in addition to our manylinux1 wheels.
+ * Added support for ed25519 and ed448 keys in the CertificateBuilder, CertificateSigningRequestBuilder, CertificateRevocationListBuilder and OCSPResponseBuilder.
+ * cryptography no longer depends on asn1crypto.
+ * FreshestCRL is now allowed as a CertificateRevocationList extension.
+
+-------------------------------------------------------------------
+Mon Jun 3 13:45:56 UTC 2019 - Ondřej Súkup
+
+- update to 2.7
+ * BACKWARDS INCOMPATIBLE: Removed the cryptography.hazmat.primitives.mac.MACContext interface.
+ The CMAC and HMAC APIs have not changed, but they are no longer registered
+ as MACContext instances.
+ * Removed support for running our tests with setup.py test.
+ * Add support for :class:`~cryptography.hazmat.primitives.poly1305.Poly1305`
+ when using OpenSSL 1.1.1 or newer.
+ * Support serialization with Encoding.OpenSSH and PublicFormat.OpenSSH
+ in :meth:`Ed25519PublicKey.public_bytes ` .
+ * Correctly allow passing a SubjectKeyIdentifier to :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`
+ and deprecate passing an Extension object.
+
+-------------------------------------------------------------------
+Wed May 29 14:41:39 UTC 2019 - Tomáš Chvátal
+
+- Simplify the test execution to be more understandable
+
+-------------------------------------------------------------------
+Thu Feb 28 19:50:33 UTC 2019 - Michael Ströder
+
+- update to 2.6.1:
+ * BACKWARDS INCOMPATIBLE:
+ Removedcryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature
+ andcryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature,
+ which had been deprecated for nearly 4 years. Use encode_dss_signature()
+ and decode_dss_signature()instead.
+ * BACKWARDS INCOMPATIBLE: Removed cryptography.x509.Certificate.serial, which
+ had been deprecated for nearly 3 years. Use serial_number instead.
+ * Updated Windows, macOS, and manylinux1 wheels to be compiled with
+ OpenSSL 1.1.1b.
+ * Added support for Ed448 signing when using OpenSSL 1.1.1b or newer.
+ * Added support for Ed25519 signing when using OpenSSL 1.1.1b or newer.
+ * load_ssh_public_key() can now load ed25519 public keys.
+ * Add support for easily mapping an object identifier to its elliptic curve
+ class viaget_curve_for_oid().
+ * Add support for OpenSSL when compiled with the no-engine
+ (OPENSSL_NO_ENGINE) flag.
+
+-------------------------------------------------------------------
+Fri Jan 25 08:25:35 UTC 2019 - Michael Ströder
+
+- Dependency on python-idna changed to "Recommends" aligned with
+ change in upstream source (see below)
+- update to 2.5:
+ * BACKWARDS INCOMPATIBLE: U-label strings were deprecated in version 2.1,
+ but this version removes the default idna dependency as well. If you still
+ need this deprecated path please install cryptography with the idna extra:
+ pip install cryptography[idna].
+ * BACKWARDS INCOMPATIBLE: The minimum supported PyPy version is now 5.4.
+ * Numerous classes and functions have been updated to allow bytes-like
+ types for keying material and passwords, including symmetric algorithms,
+ AEAD ciphers, KDFs, loading asymmetric keys, and one time password classes.
+ * Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.1a.
+ * Added support for SHA512_224 and SHA512_256 when using OpenSSL 1.1.1.
+ * Added support for SHA3_224, SHA3_256, SHA3_384, and SHA3_512 when using OpenSSL 1.1.1.
+ * Added support for X448 key exchange when using OpenSSL 1.1.1.
+ * Added support for SHAKE128 and SHAKE256 when using OpenSSL 1.1.1.
+ * Added initial support for parsing PKCS12 files with load_key_and_certificates().
+ * Added support for IssuingDistributionPoint.
+ * Added rfc4514_string() method to x509.Name,
+ x509.RelativeDistinguishedName, and x509.NameAttribute to format the name
+ or component an RFC 4514 Distinguished Name string.
+ * Added from_encoded_point(), which immediately checks if the point is on
+ the curve and supports compressed points. Deprecated the previous method
+ from_encoded_point().
+ * Added signature_hash_algorithm to OCSPResponse.
+ * Updated X25519 key exchange support to allow additional serialization
+ methods. Calling public_bytes() with no arguments has been deprecated.
+ * Added support for encoding compressed and uncompressed points via
+ public_bytes(). Deprecated the previous method encode_point().
+
+-------------------------------------------------------------------
+Thu Jan 3 11:40:58 UTC 2019 - Martin Pluskal
+
+- Update to version 2.4.2:
+ * Updated Windows, macOS, and manylinux1 wheels to be compiled
+ with OpenSSL 1.1.0j.
+
+-------------------------------------------------------------------
+Thu Dec 6 13:13:21 CET 2018 - mcepl@suse.com
+
+- Update to 2.4.1:
+ * Dropped support for LibreSSL 2.4.x.
+ * Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no
+ longer supported by the OpenSSL project. At this time there
+ is no time table for dropping support, however we strongly
+ encourage all users to upgrade or install cryptography from
+ a wheel.
+ * Added initial :doc:`OCSP ` support.
+ * Added support for cryptography.x509.PrecertPoison.
+
+-------------------------------------------------------------------
+Thu Dec 6 11:48:31 UTC 2018 - Tomáš Chvátal
+
+- Fix fdupes call
+
+-------------------------------------------------------------------
+Tue Aug 21 07:43:31 UTC 2018 - tchvatal@suse.com
+
+- Update to 2.3.1:
+ * updated tests for upstream wycheproof changes
+ * many other tiny test tweaks
+
+-------------------------------------------------------------------
+Wed Jul 18 13:20:58 UTC 2018 - michael@stroeder.com
+
+- update to 2.3:
+ * SECURITY ISSUE: finalize_with_tag() allowed tag truncation by default
+ which can allow tag forgery in some cases. The method now enforces the
+ min_tag_length provided to the GCM constructor.
+ * Added support for Python 3.7.
+ * Added extract_timestamp() to get the authenticated timestamp of a Fernet token.
+ * Support for Python 2.7.x without hmac.compare_digest has been deprecated.
+ We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next
+ cryptography release.
+ * Fixed multiple issues preventing cryptography from compiling
+ against LibreSSL 2.7.x.
+ * Added get_revoked_certificate_by_serial_number for quick
+ serial number searches in CRLs.
+ * The RelativeDistinguishedName class now preserves the order of attributes.
+ Duplicate attributes now raise an error instead of silently discarding duplicates.
+ * aes_key_unwrap() and aes_key_unwrap_with_padding() now raise InvalidUnwrap
+ if the wrapped key is an invalid length, instead of ValueError.
+
+-------------------------------------------------------------------
+Tue Jun 12 07:24:12 UTC 2018 - mimi.vx@gmail.com
+
+- update to 2.2.2
+ * fix build on some systems with openssl 1.1.0h
+
+-------------------------------------------------------------------
+Mon Mar 26 07:44:53 UTC 2018 - tchvatal@suse.com
+
+- Cleanup with spec-cleaner
+- Use %setup to unpack all archives do not rely on tar calls
+
+-------------------------------------------------------------------
+Sun Mar 25 20:39:43 UTC 2018 - michael@stroeder.com
+
+- Update to upstream release 2.2.1:
+ * Reverted a change to GeneralNames which prohibited having zero elements,
+ due to breakages.
+ * Fixed a bug in
+ :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding`
+ that caused it to raise InvalidUnwrap when key length modulo 8 was zero.
+ * BACKWARDS INCOMPATIBLE: Support for Python 2.6 has been dropped.
+ * Resolved a bug in HKDF that incorrectly constrained output size.
+ * Added
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP256R1`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP384R1`, and
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.BrainpoolP512R1` to
+ support inter-operating with systems like German smart meters.
+ * Added token rotation support to :doc:`Fernet ` with
+ :meth:`~cryptography.fernet.MultiFernet.rotate`.
+ * Fixed a memory leak in
+ :func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`.
+ * Added support for AES key wrapping with padding via
+ :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap_with_padding` and
+ :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap_with_padding` .
+* Allow loading DSA keys with 224 bit q.
+ +------------------------------------------------------------------- +Fri Mar 2 16:44:33 UTC 2018 - chris@computersalat.de + +- fix deps for hypothesis, pytest + +------------------------------------------------------------------- +Thu Feb 8 10:54:03 UTC 2018 - tbechtold@suse.com + +- Fix previous change and explicitly require python2 instead of + python because python itself is also provided by python3. + This fixes: + ImportError: No module named _ssl + when using python-cryptography in a python2 build environment + +------------------------------------------------------------------- +Sat Feb 3 13:02:06 UTC 2018 - tchvatal@suse.com + +- Fix the previous change to not pull in py2 on py3 enviroment + +------------------------------------------------------------------- +Sat Jan 27 11:25:02 UTC 2018 - dmueller@suse.com + +- fix requires on python ssl once more after the last change + +------------------------------------------------------------------- +Thu Jan 18 13:30:12 UTC 2018 - tchvatal@suse.com + +- Add proper conditional for the python2, the ifpython works only + for the requires/etc + +------------------------------------------------------------------- +Tue Jan 16 10:14:37 UTC 2018 - dmueller@suse.com + +- add missing dependency on python ssl + +------------------------------------------------------------------- +Fri Dec 8 18:04:13 UTC 2017 - arun@gmx.de + +- update to version 2.1.4: + * Added X509_up_ref for an upcoming pyOpenSSL release. + +------------------------------------------------------------------- +Thu Nov 9 06:06:39 UTC 2017 - arun@gmx.de + +- update to version 2.1.3: + * Updated Windows, macOS, and manylinux1 wheels to be compiled with + OpenSSL 1.1.0g. + +------------------------------------------------------------------- +Fri Nov 3 15:47:03 UTC 2017 - arun@gmx.de + +- update to version 2.1.2: + * Corrected a bug with the manylinux1 wheels where OpenSSL’s stack + was marked executable. 
+ +------------------------------------------------------------------- +Thu Nov 2 08:41:18 UTC 2017 - mimi.vx@gmail.com + +- fix BuildRequires conditions for python3 + +------------------------------------------------------------------- +Thu Oct 12 07:41:48 UTC 2017 - michael@stroeder.com + +- update to 2.1.1 + +------------------------------------------------------------------- +Thu Sep 28 14:50:51 UTC 2017 - sean.marlow@suse.com + +- Fix cffi version requirement. + +------------------------------------------------------------------- +Thu Sep 7 11:18:35 UTC 2017 - vcizek@suse.com + +- Disable memleak tests to fix build with OpenSSL 1.1 (bsc#1055478) + * add skip_openssl_memleak_test.patch + +------------------------------------------------------------------- +Thu Aug 3 23:14:49 UTC 2017 - michael@stroeder.com + +- update to 2.0.3 + +------------------------------------------------------------------- +Thu Jul 27 10:49:07 UTC 2017 - michael@stroeder.com + +- update to 2.0.2 + +------------------------------------------------------------------- +Mon Jul 17 17:08:59 UTC 2017 - michael@stroeder.com + +- update to 2.0 + +------------------------------------------------------------------- +Wed May 31 11:36:35 UTC 2017 - michael@stroeder.com + +- update to 1.9 + +------------------------------------------------------------------- +Tue May 2 12:58:37 UTC 2017 - jmatejek@suse.com + +- add python-packaging to requirements explicitly instead of relying + on setuptools to pull it in + +------------------------------------------------------------------- +Mon Mar 20 20:34:03 UTC 2017 - tbechtold@suse.com + +- Switch to singlespec approach + +------------------------------------------------------------------- +Thu Mar 16 14:13:56 UTC 2017 - tbechtold@suse.com + +- update to 1.8.1 +- Adust Requires and BuildRequires + +------------------------------------------------------------------- +Sun Jan 29 14:57:28 UTC 2017 - michael@stroeder.com + +- update to 1.7.2 + 
+------------------------------------------------------------------- +Wed Dec 14 20:31:53 UTC 2016 - michael@stroeder.com + +- update to 1.7.1 which contains regression fix for 1.7 + +------------------------------------------------------------------- +Tue Dec 13 12:21:24 UTC 2016 - mimi.vx@gmail.com + +- update to 1.7 +* support for OpenSSL 1.0.0 has been removed. +* Added support for Diffie-Hellman key exchange +* The OS random engine for OpenSSL has been rewritten + +------------------------------------------------------------------- +Wed Nov 23 09:40:23 UTC 2016 - michael@stroeder.com + +- update to 1.6 + +------------------------------------------------------------------- +Fri Nov 11 19:13:36 UTC 2016 - michael@stroeder.com + +- update to 1.5.3 +- python-cryptography-enable-gost.patch is obsolete + +------------------------------------------------------------------- +Mon Sep 26 06:26:21 UTC 2016 - meissner@suse.com + +- python-cryptography-enable-gost.patch: temporary patch + to run tests against 1.0.2i, GOST cert extraction now works. + +------------------------------------------------------------------- +Sun Jul 17 15:07:04 UTC 2016 - matwey.kornilov@gmail.com + +- Introduce requirement setuptools >= 11.3 + to follow egg-info/requires.txt content + +------------------------------------------------------------------- +Mon Jun 6 13:03:35 UTC 2016 - dmueller@suse.com + +- fix download urls + +------------------------------------------------------------------- +Fri Jun 3 19:37:40 UTC 2016 - michael@stroeder.com + +- update to upstream release 1.3.4 + * Added new OpenSSL functions to the bindings to support an upcoming + ``pyOpenSSL`` release. 
+ +------------------------------------------------------------------- +Fri May 6 07:43:10 UTC 2016 - dmueller@suse.com + +- correct source urls + +------------------------------------------------------------------- +Thu May 5 17:08:06 UTC 2016 - michael@stroeder.com + +- update to upstream release 1.3.2 + * Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2h. + * Fixed an issue preventing ``cryptography`` from compiling against + LibreSSL 2.3.x. + +------------------------------------------------------------------- +Fri Mar 18 14:39:05 UTC 2016 - michael@stroeder.com + +- removed obsolete cryptography-new-bio-new-type.patch +- update to upstream release 1.3.1 + * Fixed a bug that caused an AttributeError when using mock to patch + some cryptography modules. + * Added support for padding ANSI X.923 with ANSIX923. + * Deprecated support for OpenSSL 0.9.8. Support will be removed in + cryptography 1.4. + * Added support for the PolicyConstraints X.509 extension including both + parsing and generation using CertificateBuilder and + CertificateSigningRequestBuilder. + * Added is_signature_valid to CertificateSigningRequest. + * Fixed an intermittent AssertionError when performing an RSA decryption + on an invalid ciphertext, ValueError is now correctly raised in all + cases. + * Added from_issuer_subject_key_identifier(). + +------------------------------------------------------------------- +Sun Mar 13 21:20:00 UTC 2016 - dmueller@suse.com + +- fix license + +------------------------------------------------------------------- +Wed Mar 2 21:47:58 UTC 2016 - dimstar@opensuse.org + +- Add pkg-config BuildRequires: in order for the last introduced + condition to apply the patch to work, pkg-config has to be + present. + +------------------------------------------------------------------- +Wed Mar 2 14:19:46 UTC 2016 - meissner@suse.com + +- cryptography-new-bio-new-type.patch: openssl 1.0.2g changed + the type of BIO_new_mem_buf() (added a const). 
+ +------------------------------------------------------------------- +Sat Jan 9 16:58:46 UTC 2016 - michael@stroeder.com + +- update to upstream release 1.2.1 + + 1.2.1 - 2016-01-08 + * Reverts a change to an OpenSSL EVP_PKEY object that caused + errors with pyOpenSSL. + 1.2 - 2016-01-08 + * BACKWARDS INCOMPATIBLE: RevokedCertificate extensions now + uses extension classes rather than returning raw values + inside the Extension value. The new classes are: + o CertificateIssuer + o CRLReason + o InvalidityDate + * Deprecated support for OpenSSL 0.9.8 and 1.0.0. At this time + there is no time table for actually dropping support, + however we strongly encourage all users to upgrade, as those + versions no longer receive support from the OpenSSL project. + * The Certificate class now has signature and + tbs_certificate_bytes attributes. + * The CertificateSigningRequest class now has signature and + tbs_certrequest_bytes attributes. + * The CertificateRevocationList class now has signature and + tbs_certlist_bytes attributes. + * NameConstraints are now supported in the CertificateBuilder + and CertificateSigningRequestBuilder. + * Support serialization of certificate revocation lists using + the public_bytes() method of CertificateRevocationList. + * Add support for parsing CertificateRevocationList extensions + () in the OpenSSL backend. The following extensions are + currently supported: + o AuthorityInformationAccess + o AuthorityKeyIdentifier + o CRLNumber + o IssuerAlternativeName + * Added CertificateRevocationListBuilder and + RevokedCertificateBuilder to allow creation of CRLs. + * Unrecognized non-critical X.509 extensions are now parsed + into an UnrecognizedExtension object. + +------------------------------------------------------------------- +Wed Dec 30 12:41:26 UTC 2015 - michael@stroeder.com + +- update to 1.1.2: + * Fixed a SIGBUS crash with the OS X wheels caused by redefinition of a + method. 
+ * Fixed a runtime error ``undefined symbol EC_GFp_nistp224_method`` that + occurred with some OpenSSL installations. + * Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2e. + +------------------------------------------------------------------- +Wed Dec 9 10:35:20 UTC 2015 - dmueller@suse.com + +- update to 1.1.1: + * Fixed several small bugs related to compiling the OpenSSL bindings with + unusual OpenSSL configurations. + * Resolved an issue where, depending on the method of installation and + which Python interpreter they were using, users on El Capitan (OS X 10.11) + may have seen an ``InternalError`` on import. + +------------------------------------------------------------------- +Wed Dec 9 10:19:45 UTC 2015 - dmueller@suse.com + +- fix build for sle11 (disable testsuite as it depends on python-hypothesis + which is not available for sle11 anymore) + +------------------------------------------------------------------- +Tue Nov 10 04:16:13 UTC 2015 - tbechtold@suse.com + +- update to 1.1: + * Added support for Elliptic Curve Diffie-Hellman with + :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDH`. + * Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`. + * Added support for parsing certificate revocation lists (CRLs) using + :func:`~cryptography.x509.load_pem_x509_crl` and + :func:`~cryptography.x509.load_der_x509_crl`. + * Add support for AES key wrapping with + :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap` and + :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap`. + * Added a ``__hash__`` method to :class:`~cryptography.x509.Name`. + * Add support for encoding and decoding elliptic curve points to a byte string + form using + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point` + and + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`. 
+ * Added :meth:`~cryptography.x509.Extensions.get_extension_for_class`. + * :class:`~cryptography.x509.CertificatePolicies` are now supported in the + :class:`~cryptography.x509.CertificateBuilder`. + * ``countryName`` is now encoded as a ``PrintableString`` when creating subject + and issuer distinguished names with the Certificate and CSR builder classes. + * **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use + of assertions to check response codes where our tests could not trigger a + failure. However, when Python is run with ``-O`` these asserts are optimized + away. If a user ran Python with this flag and got an invalid response code + this could result in undefined behavior or worse. Accordingly, all response + checks from the OpenSSL backend have been converted from ``assert`` + to a true function call. Credit **Emilia Käsper (Google Security Team)** + for the report. + * We now ship OS X wheels that statically link OpenSSL by default. When + installing a wheel on OS X 10.10+ (and using a Python compiled against the + 10.10 SDK) users will no longer need to compile. See :doc:`/installation` for + alternate installation methods if required. + * Set the default string mask to UTF-8 in the OpenSSL backend to resolve + character encoding issues with older versions of OpenSSL. + * Several new OpenSSL bindings have been added to support a future pyOpenSSL + release. + * Raise an error during install on PyPy < 2.6. 1.0+ requires PyPy 2.6+. +- Remove 2293.patch . Applied in a different way upstream. 
+- Add BuildRequires for python-hypothesis and python-pyasn1-modules for running + unittests + +------------------------------------------------------------------- +Wed Sep 30 12:01:27 UTC 2015 - dmueller@suse.com + +- require the cffi version it was built against to avoid (bsc#948198) + +------------------------------------------------------------------- +Tue Sep 29 13:54:24 UTC 2015 - tbechtold@suse.com + +- Add 2293.patch for "osrandom engine already registered" (bnc#947679) + +------------------------------------------------------------------- +Thu Sep 17 13:11:06 UTC 2015 - tbechtold@suse.com + +- Add disable-uneven-sizes-tests.patch (bnc#944204) + openssl in SLE12SP1 doesn't allow uneven bit sizes for rsa keys + +------------------------------------------------------------------- +Sat Aug 22 10:30:08 UTC 2015 - tbechtold@suse.com + +- update to 1.0 (fate#318838): + * Switched to the new `cffi`_ ``set_source`` out-of-line API mode for + compilation. This results in significantly faster imports and lowered + memory consumption. Due to this change we no longer support PyPy releases + older than 2.6 nor do we support any released version of PyPy3 (until a + version supporting cffi 1.0 comes out). + * Fix parsing of OpenSSH public keys that have spaces in comments. + * Support serialization of certificate signing requests using the + ``public_bytes`` method of + :class:`~cryptography.x509.CertificateSigningRequest`. + * Support serialization of certificates using the ``public_bytes`` method of + :class:`~cryptography.x509.Certificate`. + * Add ``get_provisioning_uri`` method to + :class:`~cryptography.hazmat.primitives.twofactor.hotp.HOTP` and + :class:`~cryptography.hazmat.primitives.twofactor.totp.TOTP` for generating + provisioning URIs. + * Add :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHash` + and :class:`~cryptography.hazmat.primitives.kdf.concatkdf.ConcatKDFHMAC`. 
+ * Raise a ``TypeError`` when passing objects that are not text as the value to + :class:`~cryptography.x509.NameAttribute`. + * Add support for :class:`~cryptography.x509.OtherName` as a general name + type. + * Added new X.509 extension support in :class:`~cryptography.x509.Certificate` + The following new extensions are now supported: + + * :class:`~cryptography.x509.OCSPNoCheck` + * :class:`~cryptography.x509.InhibitAnyPolicy` + * :class:`~cryptography.x509.IssuerAlternativeName` + * :class:`~cryptography.x509.NameConstraints` + + * Extension support was added to + :class:`~cryptography.x509.CertificateSigningRequest`. + * Add support for creating signed certificates with + :class:`~cryptography.x509.CertificateBuilder`. This includes support for + the following extensions: + + * :class:`~cryptography.x509.BasicConstraints` + * :class:`~cryptography.x509.SubjectAlternativeName` + * :class:`~cryptography.x509.KeyUsage` + * :class:`~cryptography.x509.ExtendedKeyUsage` + * :class:`~cryptography.x509.SubjectKeyIdentifier` + * :class:`~cryptography.x509.AuthorityKeyIdentifier` + * :class:`~cryptography.x509.AuthorityInformationAccess` + * :class:`~cryptography.x509.CRLDistributionPoints` + * :class:`~cryptography.x509.InhibitAnyPolicy` + * :class:`~cryptography.x509.IssuerAlternativeName` + * :class:`~cryptography.x509.OCSPNoCheck` + + * Add support for creating certificate signing requests with + :class:`~cryptography.x509.CertificateSigningRequestBuilder`. This includes + support for the same extensions supported in the ``CertificateBuilder``. + * Deprecate ``encode_rfc6979_signature`` and ``decode_rfc6979_signature`` in + favor of + :func:`~cryptography.hazmat.primitives.asymmetric.utils.encode_dss_signature` + and + :func:`~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature`. 
+- Adjust Requires according to requires.txt + +------------------------------------------------------------------- +Wed Jul 29 18:05:55 UTC 2015 - tbechtold@suse.com + +- update to 0.9.3: + * Updated Windows wheels to be compiled against OpenSSL 1.0.2d. + * Updated Windows wheels to be compiled against OpenSSL 1.0.2c. + * **SECURITY ISSUE**: Fixed a double free in the OpenSSL backend when using DSA + to verify signatures. Note that this only affects PyPy 2.6.0 and (presently + unreleased) CFFI versions greater than 1.1.0. + * Removed support for Python 3.2. This version of Python is rarely used + and caused support headaches. Users affected by this should upgrade to 3.3+. + * Deprecated support for Python 2.6. At the time there is no time table for + actually dropping support, however we strongly encourage all users to upgrade + their Python, as Python 2.6 no longer receives support from the Python core + team. + * Add support for the + :class:`~cryptography.hazmat.primitives.asymmetric.ec.SECP256K1` elliptic + curve. + * Fixed compilation when using an OpenSSL which was compiled with the + ``no-comp`` (``OPENSSL_NO_COMP``) option. + * Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER` + serialization of public keys using the ``public_bytes`` method of + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKeyWithSerialization`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKeyWithSerialization`, + and + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKeyWithSerialization`. 
+ * Support :attr:`~cryptography.hazmat.primitives.serialization.Encoding.DER` + serialization of private keys using the ``private_bytes`` method of + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithSerialization`, + and + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization`. + * Add support for parsing X.509 certificate signing requests (CSRs) with + :func:`~cryptography.x509.load_pem_x509_csr` and + :func:`~cryptography.x509.load_der_x509_csr`. + * Moved ``cryptography.exceptions.InvalidToken`` to + :class:`cryptography.hazmat.primitives.twofactor.InvalidToken` and deprecated + the old location. This was moved to minimize confusion between this exception + and :class:`cryptography.fernet.InvalidToken`. + * Added support for X.509 extensions in :class:`~cryptography.x509.Certificate` + objects. The following extensions are supported as of this release: + + * :class:`~cryptography.x509.BasicConstraints` + * :class:`~cryptography.x509.AuthorityKeyIdentifier` + * :class:`~cryptography.x509.SubjectKeyIdentifier` + * :class:`~cryptography.x509.KeyUsage` + * :class:`~cryptography.x509.SubjectAlternativeName` + * :class:`~cryptography.x509.ExtendedKeyUsage` + * :class:`~cryptography.x509.CRLDistributionPoints` + * :class:`~cryptography.x509.AuthorityInformationAccess` + * :class:`~cryptography.x509.CertificatePolicies` + + Note that unsupported extensions with the critical flag raise + :class:`~cryptography.x509.UnsupportedExtension` while unsupported extensions + set to non-critical are silently ignored. Read the + :doc:`X.509 documentation` for more information. 
+- add python-pyasn1, python-ipaddress and python-idna as Requires/BuildRequires + +------------------------------------------------------------------- +Thu Apr 23 06:38:42 UTC 2015 - mcihar@suse.cz + +- Update to 0.8.2: + * Fixed a race condition when initializing the OpenSSL or CommonCrypto backends + in a multi-threaded scenario. + +------------------------------------------------------------------- +Tue Apr 7 10:00:28 UTC 2015 - tbechtold@suse.com + +- update to 0.8.1: + * Updated Windows wheels to be compiled against OpenSSL 1.0.2a. + * func:`~cryptography.hazmat.primitives.serialization.load_ssh_public_key` can + now load elliptic curve public keys. + * Added + :attr:`~cryptography.x509.Certificate.signature_hash_algorithm` support to + :class:`~cryptography.x509.Certificate`. + * Added + :func:`~cryptography.hazmat.primitives.asymmetric.rsa.rsa_recover_prime_factor s` + * :class:`~cryptography.hazmat.primitives.kdf.KeyDerivationFunction` was moved + from :mod:`~cryptography.hazmat.primitives.interfaces` to + :mod:`~cryptography.hazmat.primitives.kdf`. + * Added support for parsing X.509 names. See the + :doc:`X.509 documentation` for more information. + * Added + :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key` to + support loading of DER encoded private keys and + :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key` to + support loading DER encoded public keys. + * Fixed building against LibreSSL, a compile-time substitute for OpenSSL. + * FreeBSD 9.2 was removed from the continuous integration system. + * Updated Windows wheels to be compiled against OpenSSL 1.0.2. + * :func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key` + and :func:`~cryptography.hazmat.primitives.serialization.load_der_public_key` + now support PKCS1 RSA public keys (in addition to the previous support for + SubjectPublicKeyInfo format for RSA, EC, and DSA). 
+ * Added + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization` + and deprecated + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithNumbers`. + * Added + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization.private_bytes` + to + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithSerialization`. + * Added + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization` + and deprecated + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithNumbers`. + * Added + :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization.private_bytes` + to + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithSerialization`. + * Added + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithSerialization` + and deprecated + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithNumbers`. + * Added + :meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithSerialization.private_bytes` + to + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithSerialization`. + * Added + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKeyWithSerialization` + and deprecated + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKeyWithNumbers`. + * Added + :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKeyWithSerialization.public_bytes` + to + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKeyWithSerialization`. + * Added + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKeyWithSerialization` + and deprecated + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKeyWithNumbers`. 
+ * Added + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKeyWithSerialization.public_bytes` + to + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKeyWithSerialization`. + * Added + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKeyWithSerialization` + and deprecated + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKeyWithNumbers`. + * Added + :meth:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKeyWithSerialization.public_bytes` + to + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKeyWithSerialization`. + * :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` and + :class:`~cryptography.hazmat.primitives.hashes.HashContext` were moved from + :mod:`~cryptography.hazmat.primitives.interfaces` to + :mod:`~cryptography.hazmat.primitives.hashes`. + * :class:`~cryptography.hazmat.primitives.ciphers.CipherContext`, + :class:`~cryptography.hazmat.primitives.ciphers.AEADCipherContext`, + :class:`~cryptography.hazmat.primitives.ciphers.AEADEncryptionContext`, + :class:`~cryptography.hazmat.primitives.ciphers.CipherAlgorithm`, and + :class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm` + were moved from :mod:`~cryptography.hazmat.primitives.interfaces` to + :mod:`~cryptography.hazmat.primitives.ciphers`. + * :class:`~cryptography.hazmat.primitives.ciphers.modes.Mode`, + :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithInitializationVector`, + :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithNonce`, and + :class:`~cryptography.hazmat.primitives.ciphers.modes.ModeWithAuthenticationTag` + were moved from :mod:`~cryptography.hazmat.primitives.interfaces` to + :mod:`~cryptography.hazmat.primitives.ciphers.modes`. + * :class:`~cryptography.hazmat.primitives.padding.PaddingContext` was moved + from :mod:`~cryptography.hazmat.primitives.interfaces` to + :mod:`~cryptography.hazmat.primitives.padding`. 
+ * + :class:`~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding` + was moved from :mod:`~cryptography.hazmat.primitives.interfaces` to + :mod:`~cryptography.hazmat.primitives.asymmetric.padding`. + * + :class:`~cryptography.hazmat.primitives.asymmetric.AsymmetricSignatureContext` + and + :class:`~cryptography.hazmat.primitives.asymmetric.AsymmetricVerificationContext` + were moved from :mod:`~cryptography.hazmat.primitives.interfaces` to + :mod:`~cryptography.hazmat.primitives.asymmetric`. + * :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParameters`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAParametersWithNumbers`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKeyWithNumbers`, + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey` and + :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKeyWithNumbers` + were moved from :mod:`~cryptography.hazmat.primitives.interfaces` to + :mod:`~cryptography.hazmat.primitives.asymmetric.dsa` + * :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`, + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurveSignatureAlgorithm`, + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKeyWithNumbers`, + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`, + and + :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKeyWithNumbers` + were moved from :mod:`~cryptography.hazmat.primitives.interfaces` to + :mod:`~cryptography.hazmat.primitives.asymmetric.ec`. 
+ * :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`, + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKeyWithNumbers`, + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` and + :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKeyWithNumbers` + were moved from :mod:`~cryptography.hazmat.primitives.interfaces` to + :mod:`~cryptography.hazmat.primitives.asymmetric.rsa`. + * Updated Windows wheels to be compiled against OpenSSL 1.0.1l. + * ``enum34`` is no longer installed on Python 3.4, where it is included in + the standard library. + * Added a new function to the OpenSSL bindings to support additional + functionality in pyOpenSSL. + +------------------------------------------------------------------- +Mon Dec 29 18:08:34 UTC 2014 - jmatejek@suse.com + +- update to 0.7.1 + * backwards-incompatible change: GCM module doesn't truncate tags + by default anymore + * removed deprecated arguments to MFG1 constructor + * ECC support + * added PEM and openssh key loading convenience methods + * support for many new ciphers and new features of existing ones + see CHANGELOG.rst for details +- spec cleanup +- reworked %check section +- added changelog to docs + +------------------------------------------------------------------- +Mon May 19 16:14:52 UTC 2014 - jmatejek@suse.com + +- update to 0.4 + * added IDEA algorithm + * added HOTP, TOTP and CMAC primitives + * improved support for RSA and DSA public key cryptography +- include cryptography_vectors as a source, in order to run the full + test suite (cryptography_vectors seems only useful for testing + this module, so it's probably not worth making a separate installable + package for it) +- drop upstreamed cryptography-custom-install-cmd.patch + +------------------------------------------------------------------- +Mon Mar 31 16:03:46 UTC 2014 - speilicke@suse.com + +- Add cryptography-custom-install-cmd.patch: Fix installation to plat_lib +- Properly 
invoke testsuite, therefore add dependencies on iso8601 and pretend
+- Only use pkg-config for libffi on newer distros, stay with old-style
+ devel package requires to fix SLE build
+
+-------------------------------------------------------------------
+Mon Feb 24 12:43:32 UTC 2014 - mvyskocil@suse.com
+
+- Initial packaging of python-cryptography for openSUSE
+
diff --git a/python-cryptography.keyring b/python-cryptography.keyring
new file mode 100644
index 0000000..ffc9177
--- /dev/null
+++ b/python-cryptography.keyring
@@ -0,0 +1,34 @@
+pub 2048R/29F9ED98 2013-09-01
+uid Paul Kehrer
+sub 2048R/9714E575 2013-09-01
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+mQENBFIirTsBCADAeRXlWJkJ9SaKmR6+ox2aXOF3TCyfgtoJpf6WvBxbtoEpD//m
+5789KO9lPHQrJGR34E36kOkmkHfrLLtmnELCx/UNvLm3VuW31rL3RvTTrxe1Fyft
+5JQyYF/WSm6Bnj9yu8fVJUhSGe12SvODD7053bY1bSleMX5I6tGeIXJtih8b5u9u
+1WNv0rxZqGLKaYTzgmtNcyKGK9jLKtkRwPivpjgrjeGQ+OHf/mwFY+HEOQUw+Cj4
+5FsCo6jvj+n4r9mYu+Ut6zDOx0cWf66QhZvawDyB2TSSulJsudUETDmoJJ5X9PqH
+F/bHBdzc5I6HYy+CezSvDmjC+3DnIB//nXMPABEBAAG0JVBhdWwgS2VocmVyIDxw
+YXVsLmwua2VocmVyQGdtYWlsLmNvbT6JATgEEwECACIFAlIirTsCGwMGCwkIBwMC
+BhUIAgkKCwQWAgMBAh4BAheAAAoJECNa5fEp+e2YnM0H/i8bU3gQ/lMGli97Puui
+Sm5es3AwE+dC/ubaAB8Hcdm8UH50uOI6JcmLYYcjglnFEQSDzrKg649Dcvjx7hDN
+XoCx5V6dC8LcTVES5gGrRr/+ZXtsCVZn2TcLUMQ9bq1yb3jAYxOmWQ1rUvu0Kq+Z
+1j9IERKpt3MZcXBlOxHP6zIhaaerLLRn5+SjCHCAZQYsKh9f6fMoRvbmaLyKrLBn
+/n9/esn1b0joWEphwOER8UF5fckqDopovGojDXyNEKGGkXTkWtLk69AcaXcBI97X
+SqYUmzvnHcAPilpKmfdnvcGPrS/wSY/F4T71aeQ+1QoE83CfavNMQ09g4rETSr3e
+Vlq5AQ0EUiKtOwEIANRWXywm/B46dy2paG/dd1ApwdX3siIfnCKXEsLB1iTA5/HW
+BZ5+hHRYmI24RyBj9lVhS9UJzpKZE+KLOZRFwMGGp3TxntInflamuI3iC1N7XqCz
+gLMFJdHPO60LctbvOHTOx1Scb+AycmymF1HuUFbj1jlYUkwRPOiPvHHWkYQlfeUP
+MPFo/M7Ae5FxKA4PYfJRQl62wsBRNE5k7IwOmstyUUnDZXIxpB+wNvpxQpAvWT8B
+IyAvtlrkrE53frfyd0KUOR0iSHNcWcUL0L6XvsaOYb4i20bP7YE5XoVzzANbXTa1
+wVtz2yNoI7/8BLb2NMIacykUxryYtu6E9cmnwkkAEQEAAYkBHwQYAQIACQUCUiKt
+OwIbDAAKCRAjWuXxKfntmM/yB/91f/17kL4iAS05WgM1xvgmyYJ3FOgP3hyqD5Ur
+YkkmoFoF+r6bfBlW8AeOawYTvXinKdv9sM6q0EmiO+iqAuRRfaXZWCDqZdEpy+lv
+Ev3jhVyuf8O+d8VEILsKia0cmzn6F1UMdp3E9TDgXr1/hMCuABvbfWzEkRQrGHc2
+cWLXXxko3mykZMLkl0MPGjmzEh87RE55hLk5HroXaMtdyz1knfybVnXgOUxMuqc+
++wj499FP1jHvTEEknRopxsMe59+CdsoFBR9xs0Ets7K011P4CMKZZAXVwxF551QL
+xnqe0Tn1t76rxPJKpyvUM+WtakEVPffuQqSkU8dIJgwwXrZo
+=3pQn
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/python-cryptography.spec b/python-cryptography.spec
new file mode 100644
index 0000000..024768d
--- /dev/null
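Review bot: Nothing visible in this commit consumes the key added here: python-cryptography.spec lists it as `Source4:` but declares no detached signature (`.asc` or `.sig`) next to `Source0:`, so the tarball does not appear to be checked against it. The integrity of cryptography-43.0.0.tar.gz then rests on the Git LFS `oid sha256:` pointer alone. Either add the upstream signature as a source so the keyring is actually used, or drop the keyring and `Source4:` so the package does not suggest a verification that never runs. The header also shows a 2048-bit RSA key created 2013-09-01; if it is kept, confirm it is still the key upstream signs releases with.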
+++ b/python-cryptography.spec 
@@ -0,0 +1,138 @@
+#
+# spec file for package python-cryptography
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
+%global flavor @BUILD_FLAVOR@%{nil}
+%if "%{flavor}" == "test"
+%define psuffix -test
+%bcond_without test
+%else
+%define psuffix %{nil}
+%bcond_with test
+%endif
+%{?sle15_python_module_pythons}
+Name: python-cryptography%{psuffix}
+Version: 43.0.0
+Release: 0
+Summary: Python library which exposes cryptographic recipes and primitives
+License: Apache-2.0 OR BSD-3-Clause
+Group: Development/Languages/Python
+URL: https://cryptography.io/en/latest/
+Source0: https://files.pythonhosted.org/packages/source/c/cryptography/cryptography-%{version}.tar.gz
+# use `osc service manualrun` to regenerate
+Source2: vendor.tar.zst
+Source4: python-cryptography.keyring
+# PATCH-FEATURE-OPENSUSE no-pytest_benchmark.patch mcepl@suse.com
+# We don't need no benchmarking and coverage measurement
+Patch4: no-pytest_benchmark.patch
+BuildRequires: %{python_module cffi >= 1.12}
+BuildRequires: %{python_module devel}
+BuildRequires: %{python_module exceptiongroup}
+BuildRequires: %{python_module maturin}
+BuildRequires: %{python_module pip}
+BuildRequires: %{python_module setuptools-rust >= 1.7.0}
+BuildRequires: %{python_module setuptools}
+BuildRequires: %{python_module wheel}
+BuildRequires: cargo >= 1.56.0
+BuildRequires: fdupes
+BuildRequires: libopenssl-devel
+BuildRequires: pkgconfig
+BuildRequires: python-rpm-macros
+BuildRequires: rust >= 1.56.0
+BuildRequires: zstd
+BuildRequires: pkgconfig(libffi)
+# python-base is not enough, we need the _ssl module
+Requires: python
+Requires: python-bcrypt
+%requires_eq python-cffi
+%if %{with test}
+BuildRequires: %{python_module bcrypt}
+BuildRequires: %{python_module certifi}
+BuildRequires: %{python_module cryptography >= %{version}}
+BuildRequires: %{python_module cryptography-vectors = %{version}}
+BuildRequires: %{python_module hypothesis >= 1.11.4}
+BuildRequires: %{python_module iso8601}
+BuildRequires: %{python_module pretend}
+BuildRequires: %{python_module pytest > 6.0}
+BuildRequires: %{python_module pytest-benchmark}
+BuildRequires: %{python_module pytest-subtests}
+BuildRequires: %{python_module pytest-xdist}
+BuildRequires: %{python_module pytz}
+%endif
+%python_subpackages
+
+%description
+cryptography is a package designed to expose cryptographic
+recipes and primitives to Python developers. Our goal is
+for it to be your "cryptographic standard library". It
+supports Python 2.7, Python 3.4+, and PyPy-5.3+.
+
+cryptography includes both high level recipes, and low
+level interfaces to common cryptographic algorithms such as
+symmetric ciphers, message digests and key derivation
+functions.
+
+%prep
+%autosetup -a2 -p1 -n cryptography-%{version}
+
+%build
+cd src/rust
+tar xfv %{S:2}
+rm -v Cargo.lock
+cargo build
+cd -
+
+# https://github.com/pyca/cryptography/issues/9023
+%global _lto_cflags %{nil}
+export RUSTFLAGS=%{rustflags}
+export CFLAGS="%{optflags} -fno-strict-aliasing"
+%pyproject_wheel
+
+%install
+%if !%{with test}
+export RUSTFLAGS=%{rustflags}
+# Actually other *.c and *.h are appropriate
+# see https://github.com/pyca/cryptography/issues/1463
+find . -name .keep -print -delete
+
+%pyproject_install
+%python_expand %fdupes %{buildroot}%{$python_sitearch}
+%endif
+
+%if %{with test}
+%check
+# won't work for cryptography
+# fails with OverflowError on 32bit platform
+%ifarch %ix86 %arm ppc
+rm -v tests/hazmat/primitives/test_aead.py
+# imports test_aead so we need to remove also these
+rm -v tests/wycheproof/test_aes.py
+rm -v tests/wycheproof/test_chacha20poly1305.py
+%endif
+%pytest_arch -n auto --ignore-glob=vendor/*
+%endif
+
+%if !%{with test}
+%files %{python_files}
+%license LICENSE LICENSE.APACHE LICENSE.BSD
+%doc CONTRIBUTING.rst CHANGELOG.rst README.rst
+%{python_sitearch}/cryptography
+%{python_sitearch}/cryptography-%{version}.dist-info
+%endif
+
+%changelog
diff --git a/use-offline-build.patch b/use-offline-build.patch
new file mode 100644
index 0000000..5f6a1e4
--- /dev/null
+++ b/use-offline-build.patch
@@ -0,0 +1,14 @@
+Index: cryptography-43.0.0/pyproject.toml
+===================================================================
+--- cryptography-43.0.0.orig/pyproject.toml
++++ cryptography-43.0.0/pyproject.toml
+@@ -84,7 +84,8 @@ python-source = "src"
+ python-packages = ["cryptography"]
+ manifest-path = "src/rust/Cargo.toml"
+ module-name = "cryptography.hazmat.bindings._rust"
+-locked = true
++locked = false
++offline = true
+ sdist-generator = "git"
+ features = ["pyo3/abi3-py37"]
+ include = [
diff --git a/vendor.tar.zst b/vendor.tar.zst
new file mode 100644
index 0000000..ccb563c
--- /dev/null
+++ b/vendor.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1ac7727c4e81168618b012aefd3a0bec71280701a76faae14d4981605a438874
+size 1949563
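Review bot: In `%build`, `rm -v Cargo.lock` followed by a bare `cargo build` discards upstream's pinned crate versions and checksums, so the Rust dependencies of this cryptography library are resolved only against whatever vendor.tar.zst contains. If the cargo_vendor service vendors from that same lockfile (presumably it does), keeping the lockfile and running `cargo build --offline --locked` should work and would make any drift between the vendored crates and upstream's pins fail the build. That `cargo build` also runs before `export RUSTFLAGS=%{rustflags}`, so the relro/now link flags do not apply to it; move the export above `cd src/rust`, or add a comment such as `# pre-check only; the shipped module is built by %pyproject_wheel` if that is the intent.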
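Review bot: This file is created by the commit even though the subject says "Remove unneeded use-offline-build.patch", and python-cryptography.spec declares only `Patch4: no-pytest_benchmark.patch`, so as shown it is never applied. A leftover patch that turns `locked = true` into `locked = false` in pyproject.toml is easy to re-enable by accident and would silently stop enforcing the lockfile in the maturin build. Delete the file from the commit, or if it is kept on purpose, record the reason in python-cryptography.changes.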