Accepting request 934514 from home:dirkmueller:Factory

- update to 36.0.0:
  * FINAL DEPRECATION Support for verifier and signer on our asymmetric key
    classes was deprecated in version 2.1. These functions had an extended
    deprecation due to usage, however the next version of cryptography will
    drop support. Users should migrate to sign and verify.
  * The entire X.509 layer is now written in Rust. This allows alternate
    asymmetric key implementations that can support cloud key management
    services or hardware security modules provided they implement the necessary
    interface (for example: EllipticCurvePrivateKey).
  * Deprecated the backend argument for all functions.
  * Added support for AESOCB3.
  * Added support for iterating over arbitrary request attributes.
  * Deprecated the get_attribute_for_oid method on CertificateSigningRequest in
    favor of get_attribute_for_oid() on the new Attributes object.
  * Fixed handling of PEM files to allow loading when certificate and key are
    in the same file.
  * Fixed parsing of CertificatePolicies extensions containing legacy BMPString values in their explicitText.
  * Allow parsing of negative serial numbers in certificates. Negative serial
    numbers are prohibited by RFC 5280 so a deprecation warning will be raised
    whenever they are encountered. A future version of cryptography will drop
    support for parsing them.
  * Added support for parsing PKCS12 files with friendly names for all
    certificates with load_pkcs12(), which will return an object of type
    PKCS12KeyAndCertificates.
  * rfc4514_string() and related methods now have an optional
    attr_name_overrides parameter to supply custom OID to name mappings, which
    can be used to match vendor-specific extensions.
  * BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email
    address fields as E in rfc4514_string() methods from version 35.0.
  * The previous behavior can be restored with:

OBS-URL: https://build.opensuse.org/request/show/934514
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=140

_service

@@ -0,0 +1,7 @@
+<services>
+  <service name="cargo_vendor" mode="disabled">
+    <param name="srcdir">cryptography-36.0.0/src/rust</param>
+  </service>
+  <service name="cargo_audit" mode="disabled">
+  </service>
+</services>

cargo_config

@@ -0,0 +1,5 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"

cryptography-3.4.8.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c
-size 546907

cryptography-3.4.8.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEBf2foWz3VzUNkaVgI1rl8Sn57ZgFAmElKd0ACgkQI1rl8Sn5
-7Zj4mwf6AoZkFckXshuEY9KYUNAd6rrt/J7MKvTXya3zxdH1nCvj+e9VMa3ariCt
-/VZ1f7YEM/brN2YnVe9uN+x1CE5Kt9pL2RANXg6AuT0KWwP2FA7e8alSkG7eHfyv
-zvWfCb8C7IhcoiVGByGF55vRxDQ02n+6/AikBlxQ+3hjQc9HMvjf74SJEhdiCCnu
-D+PHmHuTu1aYw04MzTzhN3UQQewjzttX8xVYpD8nF/N9IxlEZHIAiyiSLUQ44SNR
-S8zbkEHe0yQTx8t39w7Hr0yyFTBW9uNsnyc6+HV9+m3FsAsgVd6ZmpM5JH9vKrYb
-tp8A0Tv5mX5Di0u5ZGjDjjdp+ZeLoQ==
-=aP3q
------END PGP SIGNATURE-----

cryptography-36.0.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:52f769ecb4ef39865719aedc67b4b7eae167bafa48dbc2a26dd36fa56460507f
+size 571931

cryptography-36.0.0.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEBf2foWz3VzUNkaVgI1rl8Sn57ZgFAmGavAgACgkQI1rl8Sn5
+7ZjVMwf/Vv0L4kJu2aTH6fqLLxZiDXUnjm3O1Pat2zG4oXbVC9+n4azPicg7Rlv7
+MRCkZ9GelHErxv6u1yGyj6vY/sM/uk9uQPvoi1iP/4JxPKBj0bHROgN/LqEjfOsF
+75JhM5E0QsifbnUuvcHNp8JNpolMAxxbtqxNs/QUymBAu1UPXRk6drDX3PKYcrpR
+9umfuzflKDulyn6wCnAOivceRzekSgnPh+c71FpNuTpmdrJS5AcdOLnyiKbh47LG
+6N2POSh2OdYq2jWNURxfxOSFMxpN5KMRljTE9IwyQXVBJsc7jKNDWK19dS5t5Rs7
+i+9t3V7CWXFln7bxginWQ2A1SbH6PA==
+=ztCF
+-----END PGP SIGNATURE-----

disable-RustExtension.patch

@@ -1,49 +0,0 @@
-Index: cryptography-3.4.8/setup.py
-===================================================================
---- cryptography-3.4.8.orig/setup.py
-+++ cryptography-3.4.8/setup.py
-@@ -13,18 +13,9 @@ from setuptools import find_packages, se
- try:
-     from setuptools_rust import RustExtension
- except ImportError:
--    print(
--        """
--        =============================DEBUG ASSISTANCE==========================
--        If you are seeing an error here please try the following to
--        successfully install cryptography:
--
--        Upgrade to the latest pip and try again. This will fix errors for most
--        users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip
--        =============================DEBUG ASSISTANCE==========================
--        """
--    )
--    raise
-+    print("Could not find setuptools_rust."
-+          "Set CRYPTOGRAPHY_DONT_BUILD_RUST in order to not build with Rust")
-+    RustExtension = None
- 
- 
- base_dir = os.path.dirname(__file__)
-@@ -41,9 +32,9 @@ with open(os.path.join(src_dir, "cryptog
- 
- # `install_requirements` and `setup_requirements` must be kept in sync with
- # `pyproject.toml`
--setuptools_rust = "setuptools-rust>=0.11.4"
-+setuptools_rust = ["setuptools-rust>=0.11.4"] if RustExtension else []
- install_requirements = ["cffi>=1.12"]
--setup_requirements = install_requirements + [setuptools_rust]
-+setup_requirements = install_requirements + setuptools_rust
- 
- if os.environ.get("CRYPTOGRAPHY_DONT_BUILD_RUST"):
-     rust_extensions = []
-@@ -129,9 +120,7 @@ try:
-                 "twine >= 1.12.0",
-                 "sphinxcontrib-spelling >= 4.0.1",
-             ],
--            "sdist": [
--                setuptools_rust,
--            ],
-+            "sdist": setuptools_rust,
-             "pep8test": [
-                 "black",
-                 "flake8",

disable-uneven-sizes-tests.patch

@@ -1,14 +0,0 @@
-Index: cryptography-3.0/tests/hazmat/primitives/test_rsa.py
-===================================================================
---- cryptography-3.0.orig/tests/hazmat/primitives/test_rsa.py
-+++ cryptography-3.0/tests/hazmat/primitives/test_rsa.py
-@@ -174,7 +174,8 @@ class TestRSA(object):
-         ("public_exponent", "key_size"),
-         itertools.product(
-             (3, 65537),
--            (1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1536, 2048),
-+            #(1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, 1536, 2048),
-+            (1024, 1026, 1028, 1030, 1536, 2048),
-         ),
-     )
-     def test_generate_rsa_keys(self, backend, public_exponent, key_size):

python-cryptography.changes

@@ -1,3 +1,85 @@
+-------------------------------------------------------------------
+Sat Nov 27 15:56:28 UTC 2021 - Dirk Müller <dmueller@suse.com>
+
+- update to 36.0.0:
+  * FINAL DEPRECATION Support for verifier and signer on our asymmetric key
+    classes was deprecated in version 2.1. These functions had an extended
+    deprecation due to usage, however the next version of cryptography will
+    drop support. Users should migrate to sign and verify.
+  * The entire X.509 layer is now written in Rust. This allows alternate
+    asymmetric key implementations that can support cloud key management
+    services or hardware security modules provided they implement the necessary
+    interface (for example: EllipticCurvePrivateKey).
+  * Deprecated the backend argument for all functions.
+  * Added support for AESOCB3.
+  * Added support for iterating over arbitrary request attributes.
+  * Deprecated the get_attribute_for_oid method on CertificateSigningRequest in
+    favor of get_attribute_for_oid() on the new Attributes object.
+  * Fixed handling of PEM files to allow loading when certificate and key are
+    in the same file.
+  * Fixed parsing of CertificatePolicies extensions containing legacy BMPString values in their explicitText.
+  * Allow parsing of negative serial numbers in certificates. Negative serial
+    numbers are prohibited by RFC 5280 so a deprecation warning will be raised
+    whenever they are encountered. A future version of cryptography will drop
+    support for parsing them.
+  * Added support for parsing PKCS12 files with friendly names for all
+    certificates with load_pkcs12(), which will return an object of type
+    PKCS12KeyAndCertificates.
+  * rfc4514_string() and related methods now have an optional
+    attr_name_overrides parameter to supply custom OID to name mappings, which
+    can be used to match vendor-specific extensions.
+  * BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email
+    address fields as E in rfc4514_string() methods from version 35.0.
+  * The previous behavior can be restored with:
+    name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})
+  * Allow X25519PublicKey and X448PublicKey to be used as public keys when
+    parsing certificates or creating them with CertificateBuilder. These key
+    types must be signed with a different signing algorithm as X25519 and X448
+    do not support signing.
+  * Extension values can now be serialized to a DER byte string by calling public_bytes().
+  * Added experimental support for compiling against BoringSSL. As BoringSSL
+    does not commit to a stable API, cryptography tests against the latest
+    commit only. Please note that several features are not available when
+    building against BoringSSL.
+  * Parsing CertificateSigningRequest from DER and PEM now, for a limited time
+    period, allows the Extension critical field to be incorrectly encoded. See
+    the issue for complete details. This will be reverted in a future
+    cryptography release.
+  * When OCSPNonce are parsed and generated their value is now correctly
+    wrapped in an ASN.1 OCTET STRING. This conforms to RFC 6960 but conflicts
+    with the original behavior specified in RFC 2560. For a temporary period
+    for backwards compatibility, we will also parse values that are encoded as
+    specified in RFC 2560 but this behavior will be removed in a future
+    release.
+  * Changed the version scheme. This will result in us incrementing the major
+    version more frequently, but does not change our existing backwards
+    compatibility policy.
+  * BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM
+    string passed have PEM delimiters of the correct type. For example, parsing
+    a private key PEM concatenated with a certificate PEM will no longer be
+    accepted by the PEM certificate parser.
+  * BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows
+    negative serial numbers. RFC 5280 has always prohibited these.
+  * BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during
+    X.509 parsing will raise an error on initial parse rather than when the
+    malformed field is accessed.
+  * Rust is now required for building cryptography, the
+    CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.
+  * Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust.
+    This should be backwards compatible (modulo the items listed above) and
+    improve both security and performance.
+  * Added support for OpenSSL 3.0.0 as a compilation target.
+  * Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms
+    are provided for compatibility in regions where they may be required, and
+    are not generally recommended.
+  * We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our
+    manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine
+    Linux should ensure they upgrade to the latest pip to correctly receive
+    wheels.
+  * Added rfc4514_attribute_name attribute to x509.NameAttribute.
+- drop disable-uneven-sizes-tests.patch (upstream)
+- drop disable-RustExtension.patch: building rust extension now 
+
 -------------------------------------------------------------------
 Tue Oct 12 18:54:25 UTC 2021 - Ben Greiner <code@bnavigator.de>
 

python-cryptography.spec

@@ -18,10 +18,9 @@
 
 %{?!python_module:%define python_module() python3-%{**}}
 %define skip_python2 1
-# disabled in order to avoid pulling dependencies -- adrian@suse.de
-%bcond_with rust
+%global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
 Name:           python-cryptography
-Version:        3.4.8
+Version:        36.0.0
 Release:        0
 Summary:        Python library which exposes cryptographic recipes and primitives
 License:        Apache-2.0 OR BSD-3-Clause
@@ -29,22 +28,24 @@ Group:          Development/Languages/Python
 URL:            https://cryptography.io/en/latest/
 Source0:        https://files.pythonhosted.org/packages/source/c/cryptography/cryptography-%{version}.tar.gz
 Source1:        https://files.pythonhosted.org/packages/source/c/cryptography/cryptography-%{version}.tar.gz.asc
-Source2:        %{name}.keyring
+# use `osc service disabledrun` to regenerate
+Source2:        vendor.tar.xz
+# use `osc service disabledrun` to regenerate
+Source3:        cargo_config
+Source4:        %{name}.keyring
 # PATCH-FIX-SLE disable-uneven-sizes-tests.patch bnc#944204
-Patch1:         disable-uneven-sizes-tests.patch
+#Patch1:         disable-uneven-sizes-tests.patch
 Patch2:         skip_openssl_memleak_test.patch
-# PATCH-FEATURE-OPENSUSE disable-RustExtension.patch -- disable setuptools_rust requirement if not building with rust
-Patch3:         disable-RustExtension.patch
 BuildRequires:  %{python_module cffi >= 1.12}
 BuildRequires:  %{python_module devel}
+BuildRequires:  %{python_module setuptools-rust}
 BuildRequires:  %{python_module setuptools}
-%if %{with rust}
-BuildRequires:  %{python_module setuptools_rust}
-%endif
+BuildRequires:  cargo >= 1.41.0
 BuildRequires:  fdupes
 BuildRequires:  libopenssl-devel
 BuildRequires:  pkgconfig
 BuildRequires:  python-rpm-macros
+BuildRequires:  rust >= 1.41.0
 BuildRequires:  pkgconfig(libffi)
 %requires_eq    python-cffi
 # python-base is not enough, we need the _ssl module
@@ -73,23 +74,21 @@ symmetric ciphers, message digests and key derivation
 functions.
 
 %prep
-%autosetup -p1 -n cryptography-%{version}
+%autosetup -a2 -p1 -n cryptography-%{version}
+mkdir .cargo
+cp %{SOURCE3} .cargo/config
 
 %build
-%if ! %{with rust}
-export CRYPTOGRAPHY_DONT_BUILD_RUST=1
-%endif
+export RUSTFLAGS=%{rustflags}
 export CFLAGS="%{optflags} -fno-strict-aliasing"
 %python_build
 
 %install
+export RUSTFLAGS=%{rustflags}
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
 
-%if ! %{with rust}
-export CRYPTOGRAPHY_DONT_BUILD_RUST=1
-%endif
 %python_install
 %python_expand %fdupes %{buildroot}%{$python_sitearch}
 

vendor.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1927ba06344a149b43901db90858a8f86b81ee33219ba0329fdf6ef1c1d170c7
+size 5896808