- Add Make-unsafe-subinterpreter-support-available-via-cfg.patch

to allow ceph-mgr to load modules (boo#1248987)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=252

Make-unsafe-subinterpreter-support-available-via-cfg.patch

@@ -0,0 +1,40 @@
+From d59176bc05aa37838fd4a8dd253f47c962f61118 Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Tue, 23 Jul 2024 14:41:04 +0200
+Subject: [PATCH] Make unsafe subinterpreter support available via cfg flag
+
+---
+ src/impl_/pymodule.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/vendor/pyo3-0.25.1/src/impl_/pymodule.rs
++++ b/vendor/pyo3-0.25.1/src/impl_/pymodule.rs
+@@ -100,7 +100,7 @@ impl ModuleDef {
+         // that static data is not reused across interpreters.
+         //
+         // PyPy does not have subinterpreters, so no need to check interpreter ID.
+-        #[cfg(not(any(PyPy, GraalPy)))]
++        #[cfg(not(any(PyPy, GraalPy, pyo3_unsafe_allow_subinterpreters)))]
+         {
+             // PyInterpreterState_Get is only available on 3.9 and later, but is missing
+             // from python3.dll for Windows stable API on 3.9
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -29,3 +29,6 @@ openssl-sys = "0.9.108"
+ 
+ [profile.release]
+ overflow-checks = true
++
++[patch.crates-io]
++pyo3 = { path="vendor/pyo3-0.25.1" }
+--- a/Cargo.lock
++++ b/Cargo.lock
+@@ -269,8 +269,6 @@ dependencies = [
+ [[package]]
+ name = "pyo3"
+ version = "0.25.1"
+-source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "8970a78afe0628a3e3430376fc5fd76b6b45c4d43360ffd6cdd40bdde72b682a"
+ dependencies = [
+  "indoc",
+  "libc",

_service

@@ -1,7 +1,7 @@
 <services>
   <service name="download_files" mode="manual"/>
   <service name="cargo_vendor" mode="manual">
-    <param name="srcdir">cryptography-42.0.8/src/rust</param>
+    <param name="srcdir">cryptography-*</param>
     <param name="compression">zst</param>
   </service>
 </services>

cryptography-42.0.8.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8d09d05439ce7baa8e9e95b07ec5b6c886f548deb7e0f69ef25f64b3bce842f2
-size 671250

cryptography-45.0.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:72e76caa004ab63accdf26023fccd1d087f6d90ec6048ff33ad0445abf7f605a
+size 744903

no-pytest_benchmark.patch

@@ -1,28 +1,18 @@
----
+Index: cryptography-45.0.5/pyproject.toml
- pyproject.toml                         |   31 -------------------------
- src/cryptography.egg-info/requires.txt |    2 -
- tests/bench/test_aead.py               |   40 ++++++++++++++++-----------------
- tests/bench/test_ec_load.py            |    8 +++---
- tests/bench/test_hashes.py             |    4 +--
- tests/bench/test_hmac.py               |    4 +--
- tests/bench/test_x509.py               |   16 ++++++-------
- 7 files changed, 37 insertions(+), 68 deletions(-)
-
-Index: cryptography-42.0.1/pyproject.toml
 ===================================================================
---- cryptography-42.0.1.orig/pyproject.toml
+--- cryptography-45.0.5.orig/pyproject.toml
-+++ cryptography-42.0.1/pyproject.toml
++++ cryptography-45.0.5/pyproject.toml
-@@ -71,8 +71,6 @@ ssh = ["bcrypt >=3.1.5"]
+@@ -67,8 +67,6 @@ nox = ["nox >=2024.04.15", "nox[uv] >=20
- nox = ["nox"]
  test = [
-     "pytest >=6.2.0",
+     "cryptography_vectors==45.0.5",
--    "pytest-benchmark",
+     "pytest >=7.4.0",
--    "pytest-cov",
+-    "pytest-benchmark >=4.0",
-     "pytest-xdist",
+-    "pytest-cov >=2.10.1",
-     "pretend",
+     "pytest-xdist >=3.5.0",
-     "certifi",
+     "pretend >=0.7",
-@@ -92,7 +90,7 @@ rust-version = ">=1.63.0"
+     "certifi >=2024",
- 
+@@ -129,7 +127,7 @@ exclude = [
+ ]
  
  [tool.pytest.ini_options]
 -addopts = "-r s --capture=no --strict-markers --benchmark-disable"
@@ -30,17 +20,14 @@ Index: cryptography-42.0.1/pyproject.toml
  console_output_style = "progress-even-when-capture-no"
  markers = [
      "skip_fips: this test is not executed in FIPS mode",
-@@ -114,33 +112,6 @@ module = [
+@@ -150,30 +148,6 @@ strict_bytes = true
- ]
+ module = ["pretend"]
  ignore_missing_imports = true
  
 -[tool.coverage.run]
 -branch = true
 -relative_files = true
--source = [
+-source = ["cryptography", "tests/"]
--    "cryptography",
--    "tests/",
--]
 -
 -[tool.coverage.paths]
 -source = [
@@ -49,10 +36,7 @@ Index: cryptography-42.0.1/pyproject.toml
 -    "*.nox\\*\\Lib\\site-packages\\cryptography",
 -    "*.nox/pypy/site-packages/cryptography",
 -]
--tests =[
+-tests = ["tests/", "*tests\\"]
--   "tests/",
--   "*tests\\",
--]
 -
 -[tool.coverage.report]
 -exclude_lines = [
@@ -60,27 +44,17 @@ Index: cryptography-42.0.1/pyproject.toml
 -    "@typing.overload",
 -    "if typing.TYPE_CHECKING",
 -]
+-
+-[tool.coverage.html]
+-show_contexts = true
 -
  [tool.ruff]
- ignore = ['N818']
+ line-length = 79
- select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF']
-Index: cryptography-42.0.1/src/cryptography.egg-info/requires.txt
-===================================================================
---- cryptography-42.0.1.orig/src/cryptography.egg-info/requires.txt
-+++ cryptography-42.0.1/src/cryptography.egg-info/requires.txt
-@@ -28,8 +28,6 @@ bcrypt>=3.1.5
  
- [test]
+Index: cryptography-45.0.5/tests/bench/test_aead.py
- pytest>=6.2.0
--pytest-benchmark
--pytest-cov
- pytest-xdist
- pretend
- certifi
-Index: cryptography-42.0.1/tests/bench/test_aead.py
 ===================================================================
---- cryptography-42.0.1.orig/tests/bench/test_aead.py
+--- cryptography-45.0.5.orig/tests/bench/test_aead.py
-+++ cryptography-42.0.1/tests/bench/test_aead.py
++++ cryptography-45.0.5/tests/bench/test_aead.py
 @@ -26,84 +26,84 @@ def _aead_supported(cls):
      not _aead_supported(ChaCha20Poly1305),
      reason="Requires OpenSSL with ChaCha20Poly1305 support",
@@ -186,10 +160,10 @@ Index: cryptography-42.0.1/tests/bench/test_aead.py
      ct = aes.encrypt(b"\x00" * 12, b"hello world plaintext", None)
 -    benchmark(aes.decrypt, b"\x00" * 12, ct, None)
 +    aes.decrypt(b"\x00" * 12, ct, None)
-Index: cryptography-42.0.1/tests/bench/test_ec_load.py
+Index: cryptography-45.0.5/tests/bench/test_ec_load.py
 ===================================================================
---- cryptography-42.0.1.orig/tests/bench/test_ec_load.py
+--- cryptography-45.0.5.orig/tests/bench/test_ec_load.py
-+++ cryptography-42.0.1/tests/bench/test_ec_load.py
++++ cryptography-45.0.5/tests/bench/test_ec_load.py
 @@ -5,9 +5,9 @@
  from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
  
@@ -204,10 +178,10 @@ Index: cryptography-42.0.1/tests/bench/test_ec_load.py
 -    benchmark(EC_KEY_SECP256R1.private_key)
 +def test_load_ec_private_numbers():
 +    EC_KEY_SECP256R1.private_key()
-Index: cryptography-42.0.1/tests/bench/test_hashes.py
+Index: cryptography-45.0.5/tests/bench/test_hashes.py
 ===================================================================
---- cryptography-42.0.1.orig/tests/bench/test_hashes.py
+--- cryptography-45.0.5.orig/tests/bench/test_hashes.py
-+++ cryptography-42.0.1/tests/bench/test_hashes.py
++++ cryptography-45.0.5/tests/bench/test_hashes.py
 @@ -5,10 +5,10 @@
  from cryptography.hazmat.primitives import hashes
  
@@ -221,10 +195,10 @@ Index: cryptography-42.0.1/tests/bench/test_hashes.py
  
 -    benchmark(bench)
 +    bench()
-Index: cryptography-42.0.1/tests/bench/test_hmac.py
+Index: cryptography-45.0.5/tests/bench/test_hmac.py
 ===================================================================
---- cryptography-42.0.1.orig/tests/bench/test_hmac.py
+--- cryptography-45.0.5.orig/tests/bench/test_hmac.py
-+++ cryptography-42.0.1/tests/bench/test_hmac.py
++++ cryptography-45.0.5/tests/bench/test_hmac.py
 @@ -5,10 +5,10 @@
  from cryptography.hazmat.primitives import hashes, hmac
  
@@ -238,10 +212,10 @@ Index: cryptography-42.0.1/tests/bench/test_hmac.py
  
 -    benchmark(bench)
 +    bench()
-Index: cryptography-42.0.1/tests/bench/test_x509.py
+Index: cryptography-45.0.5/tests/bench/test_x509.py
 ===================================================================
---- cryptography-42.0.1.orig/tests/bench/test_x509.py
+--- cryptography-45.0.5.orig/tests/bench/test_x509.py
-+++ cryptography-42.0.1/tests/bench/test_x509.py
++++ cryptography-45.0.5/tests/bench/test_x509.py
 @@ -13,40 +13,40 @@ from cryptography import x509
  from ..utils import load_vectors_from_file
  

python-cryptography.changes

@@ -1,3 +1,306 @@
+-------------------------------------------------------------------
+Mon Sep  1 14:46:55 UTC 2025 - James Oakley <jfunk@opensuse.org>
+
+- Add Make-unsafe-subinterpreter-support-available-via-cfg.patch
+  to allow ceph-mgr to load modules (boo#1248987)
+
+-------------------------------------------------------------------
+Sat Jul 12 08:36:08 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 45.0.5:
+  * Updated Windows, macOS, and Linux wheels to be compiled with
+    OpenSSL 3.5.1.
+  * Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This
+    is not considered secure, and is supported only for backwards
+    compatibility.)
+  * Fixed decrypting PKCS#8 files encrypted with long salts (this
+    impacts keys encrypted by Bouncy Castle).
+  * Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5.
+    While wildly insecure, this remains prevalent.
+  * Fixed using mypy with cryptography on older versions of
+    Python.
+  * Updated Windows, macOS, and Linux wheels to be compiled with
+    OpenSSL 3.5.0.
+  * Support for Python 3.7 is deprecated and will be removed in
+    the next cryptography release.
+  * Updated the minimum supported Rust version (MSRV) to 1.74.0,
+    from 1.65.0.
+  * Added support for serialization of PKCS#12 Java truststores
+    in :func:`~cryptography.hazmat.primitives.serialization.pkcs1
+    2.serialize_java_truststore`
+  * Added :meth:`~cryptography.hazmat.primitives.kdf.argon2.Argon
+    2id.derive_phc_encoded` and :meth:`~cryptography.hazmat.primi
+    tives.kdf.argon2.Argon2id.verify_phc_encoded` methods to
+    support password hashing in the PHC string format
+  * Added support for PKCS7 decryption and encryption using
+    AES-256 as the content algorithm, in addition to AES-128.
+  * BACKWARDS INCOMPATIBLE: Made SSH private key loading more
+    consistent with other private key loading: :func:`~cryptograp
+    hy.hazmat.primitives.serialization.load_ssh_private_key` now
+    raises a TypeError if the key is unencrypted but a password
+    is provided (previously no exception was raised), and raises
+    a TypeError if the key is encrypted but no password is
+    provided (previously a ValueError was raised).
+  * Added __copy__ to the :class:`~cryptography.hazmat.primitives
+    .asymmetric.ec.EllipticCurvePrivateKey`, :class:`~cryptograph
+    y.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`, :c
+    lass:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25
+    519PublicKey`, :class:`~cryptography.hazmat.primitives.asymme
+    tric.ed25519.Ed25519PrivateKey`, :class:`~cryptography.hazmat
+    .primitives.asymmetric.ed448.Ed448PublicKey`, :class:`~crypto
+    graphy.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`, :
+    class:`~cryptography.hazmat.primitives.asymmetric.x25519.X255
+    19PublicKey`, :class:`~cryptography.hazmat.primitives.asymmet
+    ric.x25519.X25519PrivateKey`, :class:`~cryptography.hazmat.pr
+    imitives.asymmetric.x448.X448PublicKey`, :class:`~cryptograph
+    y.hazmat.primitives.asymmetric.x448.X448PrivateKey`, :class:`
+    ~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
+    , :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAP
+    ublicKey`, :class:`~cryptography.hazmat.primitives.asymmetric
+    .dsa.DSAPrivateKey`, :class:`~cryptography.hazmat.primitives.
+    asymmetric.dsa.DSAPublicKey`, :class:`~cryptography.hazmat.pr
+    imitives.asymmetric.dh.DHPrivateKey`, and :class:`~cryptograp
+    hy.hazmat.primitives.asymmetric.dh.DHPublicKey` abstract base
+    classes.
+  * We significantly refactored how private key loading ( :func:`
+    ~cryptography.hazmat.primitives.serialization.load_pem_privat
+    e_key` and :func:`~cryptography.hazmat.primitives.serializati
+    on.load_der_private_key`) works. This is intended to be
+    backwards compatible for all well-formed keys, therefore if
+    you discover a key that now raises an exception, please file
+    a bug with instructions for reproducing.
+  * Added unsafe_skip_rsa_key_validation keyword-argument to :fun
+    c:`~cryptography.hazmat.primitives.serialization.load_ssh_pri
+    vate_key`.
+  * Added :class:`~cryptography.hazmat.primitives.hashes.XOFHash`
+    to support repeated :meth:`~cryptography.hazmat.primitives.ha
+    shes.XOFHash.squeeze` operations on extendable output
+    functions.
+  * Added :meth:`~cryptography.x509.ocsp.OCSPResponseBuilder.add_
+    response_by_hash` method to allow creating OCSP responses
+    using certificate hash values rather than full certificates.
+  * Extended the :mod:`X.509 path validation
+    <cryptography.x509.verification>` API to support user-
+    configured extension policies via the
+    :meth:`PolicyBuilder.extension_policies <cryptography.x509.ve
+    rification.PolicyBuilder.extension_policies>` method.
+  * Deprecated the subject, verification_time and max_chain_depth
+    properties on
+    :class:`~cryptography.x509.verification.ClientVerifier` and
+    :class:`~cryptography.x509.verification.ServerVerifier` in
+    favor of a new policy property. These properties will be
+    removed in the next release of cryptography.
+  * BACKWARDS INCOMPATIBLE: The :meth:`VerifiedClient.subject
+    <cryptography.x509.verification.VerifiedClient.subjects>`
+    property can now be None since a custom extension policy may
+    allow certificates without a Subject Alternative Name
+    extension.
+  * Changed the behavior when the OpenSSL 3 legacy provider fails
+    to load. Instead of raising an exception, a warning is now
+    emitted. The CRYPTOGRAPHY_OPENSSL_NO_LEGACY environment
+    variable can still be used to disable the legacy provider at
+    runtime.
+  * Added support for the CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY
+    environment variable during build time, which prevents the
+    library from ever attempting to load the legacy provider.
+  * Added support for the
+    :class:`~cryptography.x509.PrivateKeyUsagePeriod` X.509
+    extension. This extension defines the period during which the
+    private key corresponding to the certificate's public key may
+    be used.
+  * Added support for compiling against `aws-lc`_.
+  * Parsing X.509 structures now more strictly enforces that Name
+    structures do not have malformed ASN.1.
+  * We now publish py311 wheels that utilize the faster
+    pyo3::buffer::PyBuffer interface, resulting in significantly
+    improved performance for operations involving small buffers.
+  * Added :func:`~cryptography.hazmat.primitives.serialization.ss
+    h_key_fingerprint` for computing fingerprints of SSH public
+    keys.
+  * Added support for deterministic ECDSA signing via the new
+    keyword-only argument ecdsa_deterministic in
+    :meth:`~cryptography.x509.CertificateBuilder.sign`, :meth:`~c
+    ryptography.x509.CertificateRevocationListBuilder.sign` and :
+    meth:`~cryptography.x509.CertificateSigningRequestBuilder.sig
+    n`.
+
+-------------------------------------------------------------------
+Wed May  7 15:45:10 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
+
+- Update to 44.0.3
+  * Fixed compilation when using LibreSSL 4.1.0.
+
+-------------------------------------------------------------------
+Sun Mar 23 21:40:26 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 44.0.2:
+  * We now build wheels for PyPy 3.11.
+
+-------------------------------------------------------------------
+Wed Feb 26 09:41:24 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 44.0.1:
+  * Updated Windows, macOS, and Linux wheels to be compiled with
+    OpenSSL 3.4.1.
+  * We now build armv7l manylinux wheels and publish them to
+    PyPI.
+  * We now build manylinux_2_34 wheels and publish them to PyPI.
+
+-------------------------------------------------------------------
+Sun Jan 26 10:59:13 UTC 2025 - Soc Virnyl Estela <uncomfyhalomacro@opensuse.org>
+
+- Update to version 44.0.0:
+  * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9.
+  * Deprecated Python 3.7 support. Python 3.7 is no longer supported by
+    the Python core team. Support for Python 3.7 will be removed in a future
+    cryptography release.
+  * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.
+  * macOS wheels are now built against the macOS 10.13 SDK. Users on older
+    versions of macOS should upgrade, or they will need to build cryptography
+    themselves.
+  * Enforce the RFC 5280 requirement that extended key usage extensions must not be empty.
+  * Added support for timestamp extraction to the :class:`~cryptography.fernet.MultiFernet` class.
+  * Relax the Authority Key Identifier requirements on root CA certificates
+    during X.509 verification to allow fields permitted by RFC 5280 but
+    forbidden by the CA/Browser BRs.
+  * Added support for
+    :class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id` when using
+    OpenSSL 3.2.0+.
+  * Added support for the :class:`~cryptography.x509.Admissions` certificate extension.
+  * Added basic support for PKCS7 decryption (including S/MIME 3.2) via 
+    :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der`, 
+    :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem`,
+    and :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime`.
+- Update specfile to accommodate new project structure at version 44.0.0
+- Update no-pytest_benchmark.patch
+
+-------------------------------------------------------------------
+Fri Nov  8 10:08:46 UTC 2024 - Ben Greiner <code@bnavigator.de>
+
+- Fix requires_eq replacement for distributions which do not have
+  python3-cffi installed (such as SLE15 python module pythons)
+  * gh#openSUSE/python-rpm-macros#185
+- Remove outdated section in description
+
+-------------------------------------------------------------------
+Tue Nov  5 08:03:40 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Avoid using requires_eq, which after the last modifications
+  conflicts with python singlespec (order of expansion).
+
+-------------------------------------------------------------------
+Tue Oct 22 13:26:21 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 43.0.3:
+  * Fixed release metadata for cryptography-vectors
+  * Fixed compilation when using LibreSSL 4.0.0.
+
+-------------------------------------------------------------------
+Sat Sep 28 19:45:04 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 43.0.1:
+  * Updated Windows, macOS, and Linux wheels to be compiled with
+    OpenSSL 3.3.2.
+
+-------------------------------------------------------------------
+Sun Sep 15 08:51:52 UTC 2024 - Andreas Schneider <asn@cryptomilk.org>
+
+- Fix building on SLE based distributions
+
+-------------------------------------------------------------------
+Mon Aug 12 20:36:00 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Fix building optimized binaries with debuginfo.
+
+-------------------------------------------------------------------
+Wed Jul 31 21:45:43 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
+
+- Update building of Rust modules to use modern cargo_vendor
+  service
+- Remove unneeded use-offline-build.patch
+
+-------------------------------------------------------------------
+Fri Jul 26 10:33:45 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- update to 43.0.0:
+  * BACKWARDS INCOMPATIBLE: Support for OpenSSL less than 1.1.1e
+    has been removed.  Users on older version of OpenSSL will
+    need to upgrade.
+  * BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.8.
+  * Updated Windows, macOS, and Linux wheels to be compiled with
+    OpenSSL 3.3.1.
+  * Updated the minimum supported Rust version (MSRV) to 1.65.0,
+    from 1.63.0.
+  * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generat
+    e_private_key` now enforces a minimum RSA key size of
+    1024-bit. Note that 1024-bit is still considered insecure,
+    users should generally use a key size of 2048-bits.
+  * :func:`~cryptography.hazmat.primitives.serialization.pkcs7.se
+    rialize_certificates` now emits ASN.1 that more closely
+    follows the recommendations in RFC 2315.
+  * Added new :doc:`/hazmat/decrepit/index` module which contains
+    outdated and insecure cryptographic primitives. :class:`~cryp
+    tography.hazmat.primitives.ciphers.algorithms.CAST5`, :class:
+    `~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :c
+    lass:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA
+    `, and :class:`~cryptography.hazmat.primitives.ciphers.algori
+    thms.Blowfish`, which were deprecated in 37.0.0, have been
+    added to this module. They will be removed from the cipher
+    module in 45.0.0.
+  * Moved :class:`~cryptography.hazmat.primitives.ciphers.algorit
+    hms.TripleDES` and :class:`~cryptography.hazmat.primitives.ci
+    phers.algorithms.ARC4` into :doc:`/hazmat/decrepit/index` and
+    deprecated them in the cipher module. They will be removed
+    from the cipher module in 48.0.0.
+  * Added support for deterministic
+    :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDSA`
+    (RFC 6979)
+  * Added support for client certificate verification to the
+    :mod:`X.509 path validation <cryptography.x509.verification>`
+    APIs in the form of
+    :class:`~cryptography.x509.verification.ClientVerifier`,
+    :class:`~cryptography.x509.verification.VerifiedClient`, and
+    PolicyBuilder :meth:`~cryptography.x509.verification.PolicyBu
+    ilder.build_client_verifier`.
+  * Added Certificate :attr:`~cryptography.x509.Certificate.publi
+    c_key_algorithm_oid` and Certificate Signing Request :attr:`~
+    cryptography.x509.CertificateSigningRequest.public_key_algori
+    thm_oid` to determine the
+    :class:`~cryptography.hazmat._oid.PublicKeyAlgorithmOID`
+    Object Identifier of the public key found inside the
+    certificate.
+  * Added :attr:`~cryptography.x509.InvalidityDate.invalidity_dat
+    e_utc`, a timezone-aware alternative to the naïve datetime
+    attribute
+    :attr:`~cryptography.x509.InvalidityDate.invalidity_date`.
+  * Added support for parsing empty DN string in
+    :meth:`~cryptography.x509.Name.from_rfc4514_string`.
+  * Added the following properties that return timezone-aware
+    datetime objects:
+    :meth:`~cryptography.x509.ocsp.OCSPResponse.produced_at_utc`,
+    :meth:`~cryptography.x509.ocsp.OCSPResponse.revocation_time_u
+    tc`,
+    :meth:`~cryptography.x509.ocsp.OCSPResponse.this_update_utc`,
+    :meth:`~cryptography.x509.ocsp.OCSPResponse.next_update_utc`,
+    :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.revocation_
+    time_utc`, :meth:`~cryptography.x509.ocsp.OCSPSingleResponse.
+    this_update_utc`, :meth:`~cryptography.x509.ocsp.OCSPSingleRe
+    sponse.next_update_utc`, These are timezone-aware variants of
+    existing properties that return naïve datetime objects.
+  * Added :func:`~cryptography.hazmat.primitives.asymmetric.rsa.r
+    sa_recover_private_exponent`
+  * Added :meth:`~cryptography.hazmat.primitives.ciphers.CipherCo
+    ntext.reset_nonce` for altering the nonce of a cipher context
+    without initializing a new instance. See the docs for
+    additional restrictions.
+  * :class:`~cryptography.x509.NameAttribute` now raises an
+    exception when attempting to create a common name whose
+    length is shorter or longer than RFC 5280 permits.
+  * Added basic support for PKCS7 encryption (including SMIME)
+    via :class:`~cryptography.hazmat.primitives.serialization.pkc
+    s7.PKCS7EnvelopeBuilder`.
+- add use-offline-build.patch
+
 -------------------------------------------------------------------
 Sat Jun  8 12:04:15 UTC 2024 - Dirk Müller <dmueller@suse.com>
 

python-cryptography.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-cryptography
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,8 @@
 %endif
 %{?sle15_python_module_pythons}
 Name:           python-cryptography%{psuffix}
-Version:        42.0.8
+# ALWAYS KEEP IN SYNC WITH python-cryptography-vectors!
+Version:        45.0.5
 Release:        0
 Summary:        Python library which exposes cryptographic recipes and primitives
 License:        Apache-2.0 OR BSD-3-Clause
@@ -40,14 +41,18 @@ Source4:        python-cryptography.keyring
 # PATCH-FEATURE-OPENSUSE no-pytest_benchmark.patch mcepl@suse.com
 # We don't need no benchmarking and coverage measurement
 Patch4:         no-pytest_benchmark.patch
+# PATCH-FIX-OPENSUSE Make-unsafe-subinterpreter-support-available-via-cfg.patch boo#1248987
+Patch5:         Make-unsafe-subinterpreter-support-available-via-cfg.patch
 BuildRequires:  %{python_module cffi >= 1.12}
 BuildRequires:  %{python_module devel}
 BuildRequires:  %{python_module exceptiongroup}
+BuildRequires:  %{python_module maturin}
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools-rust >= 1.7.0}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module wheel}
 BuildRequires:  cargo >= 1.56.0
+BuildRequires:  cargo-packaging
 BuildRequires:  fdupes
 BuildRequires:  libopenssl-devel
 BuildRequires:  pkgconfig
@@ -57,8 +62,10 @@ BuildRequires:  zstd
 BuildRequires:  pkgconfig(libffi)
 # python-base is not enough, we need the _ssl module
 Requires:       python
-%requires_eq    python-cffi
+Requires:       python-bcrypt
+Requires:       python-cffi = %(rpm -q --whatprovides python-cffi --qf "%%{version}")
 %if %{with test}
+BuildRequires:  %{python_module bcrypt}
 BuildRequires:  %{python_module certifi}
 BuildRequires:  %{python_module cryptography >= %{version}}
 BuildRequires:  %{python_module cryptography-vectors = %{version}}
@@ -66,6 +73,7 @@ BuildRequires:  %{python_module hypothesis >= 1.11.4}
 BuildRequires:  %{python_module iso8601}
 BuildRequires:  %{python_module pretend}
 BuildRequires:  %{python_module pytest > 6.0}
+BuildRequires:  %{python_module pytest-benchmark}
 BuildRequires:  %{python_module pytest-subtests}
 BuildRequires:  %{python_module pytest-xdist}
 BuildRequires:  %{python_module pytz}
@@ -73,11 +81,6 @@ BuildRequires:  %{python_module pytz}
 %python_subpackages
 
 %description
-cryptography is a package designed to expose cryptographic
-recipes and primitives to Python developers.  Our goal is
-for it to be your "cryptographic standard library". It
-supports Python 2.7, Python 3.4+, and PyPy-5.3+.
-
 cryptography includes both high level recipes, and low
 level interfaces to common cryptographic algorithms such as
 symmetric ciphers, message digests and key derivation
@@ -85,12 +88,16 @@ functions.
 
 %prep
 %autosetup -a2 -p1 -n cryptography-%{version}
-rm -v src/rust/Cargo.lock
 
 %build
-# https://github.com/pyca/cryptography/issues/9023
+export CARGO_NET_OFFLINE=true
+export CARGO_PROFILE_RELEASE_DEBUG=true
+export CARGO_PROFILE_RELEASE_SPLIT_DEBUGINFO=off
+# https://pyo3.rs/main/building-and-distribution#configuring-the-python-version
+%python_expand export PYO3_PYTHON="%{_bindir}/$python"
 %global _lto_cflags %{nil}
-export RUSTFLAGS=%{rustflags}
+RUSTFLAGS=%{rustflags}
+export RUSTFLAGS="$RUSTFLAGS --cfg pyo3_unsafe_allow_subinterpreters"
 export CFLAGS="%{optflags} -fno-strict-aliasing"
 %pyproject_wheel
 
@@ -111,6 +118,7 @@ find . -name .keep -print -delete
 # fails with OverflowError on 32bit platform
 %ifarch %ix86 %arm ppc
 rm -v tests/hazmat/primitives/test_aead.py
+rm -v tests/hazmat/primitives/test_ciphers.py
 # imports test_aead so we need to remove also these
 rm -v tests/wycheproof/test_aes.py
 rm -v tests/wycheproof/test_chacha20poly1305.py

vendor.tar.zst

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:9839d58f58507ae33f08c2a78c19a2334d709b8caac522131276c395469b9c34
+oid sha256:66027fde33c455f0cb3d01f7daba90d0e8a87378f1b48bcc5cb23bc2fb9c98bb
-size 5429762
+size 2651262