Accepting request 1302472 from devel:languages:python

- Add Make-unsafe-subinterpreter-support-available-via-cfg.patch
  to allow ceph-mgr to load modules (boo#1248987) (forwarded request 1302241 from jimfunk)

OBS-URL: https://build.opensuse.org/request/show/1302472
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-cryptography?expand=0&rev=103

Make-unsafe-subinterpreter-support-available-via-cfg.patch

@@ -0,0 +1,40 @@
+From d59176bc05aa37838fd4a8dd253f47c962f61118 Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Tue, 23 Jul 2024 14:41:04 +0200
+Subject: [PATCH] Make unsafe subinterpreter support available via cfg flag
+
+---
+ src/impl_/pymodule.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/vendor/pyo3-0.25.1/src/impl_/pymodule.rs
++++ b/vendor/pyo3-0.25.1/src/impl_/pymodule.rs
+@@ -100,7 +100,7 @@ impl ModuleDef {
+         // that static data is not reused across interpreters.
+         //
+         // PyPy does not have subinterpreters, so no need to check interpreter ID.
+-        #[cfg(not(any(PyPy, GraalPy)))]
++        #[cfg(not(any(PyPy, GraalPy, pyo3_unsafe_allow_subinterpreters)))]
+         {
+             // PyInterpreterState_Get is only available on 3.9 and later, but is missing
+             // from python3.dll for Windows stable API on 3.9
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -29,3 +29,6 @@ openssl-sys = "0.9.108"
+ 
+ [profile.release]
+ overflow-checks = true
++
++[patch.crates-io]
++pyo3 = { path="vendor/pyo3-0.25.1" }
+--- a/Cargo.lock
++++ b/Cargo.lock
+@@ -269,8 +269,6 @@ dependencies = [
+ [[package]]
+ name = "pyo3"
+ version = "0.25.1"
+-source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "8970a78afe0628a3e3430376fc5fd76b6b45c4d43360ffd6cdd40bdde72b682a"
+ dependencies = [
+  "indoc",
+  "libc",

cryptography-45.0.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:72e76caa004ab63accdf26023fccd1d087f6d90ec6048ff33ad0445abf7f605a
+size 744903

no-pytest_benchmark.patch

@@ -1,17 +1,17 @@
-Index: cryptography-44.0.3/pyproject.toml
+Index: cryptography-45.0.5/pyproject.toml
 ===================================================================
---- cryptography-44.0.3.orig/pyproject.toml
+--- cryptography-45.0.5.orig/pyproject.toml
-+++ cryptography-44.0.3/pyproject.toml
++++ cryptography-45.0.5/pyproject.toml
 @@ -67,8 +67,6 @@ nox = ["nox >=2024.04.15", "nox[uv] >=20
  test = [
-     "cryptography_vectors==44.0.3",
+     "cryptography_vectors==45.0.5",
      "pytest >=7.4.0",
 -    "pytest-benchmark >=4.0",
 -    "pytest-cov >=2.10.1",
      "pytest-xdist >=3.5.0",
      "pretend >=0.7",
      "certifi >=2024",
-@@ -118,7 +116,7 @@ exclude = [
+@@ -129,7 +127,7 @@ exclude = [
  ]
  
  [tool.pytest.ini_options]
@@ -20,17 +20,14 @@ Index: cryptography-44.0.3/pyproject.toml
  console_output_style = "progress-even-when-capture-no"
  markers = [
      "skip_fips: this test is not executed in FIPS mode",
-@@ -140,33 +138,6 @@ module = [
+@@ -150,30 +148,6 @@ strict_bytes = true
- ]
+ module = ["pretend"]
  ignore_missing_imports = true
  
 -[tool.coverage.run]
 -branch = true
 -relative_files = true
--source = [
+-source = ["cryptography", "tests/"]
--    "cryptography",
--    "tests/",
--]
 -
 -[tool.coverage.paths]
 -source = [
@@ -39,10 +36,7 @@ Index: cryptography-44.0.3/pyproject.toml
 -    "*.nox\\*\\Lib\\site-packages\\cryptography",
 -    "*.nox/pypy/site-packages/cryptography",
 -]
--tests = [
+-tests = ["tests/", "*tests\\"]
--    "tests/",
--    "*tests\\",
--]
 -
 -[tool.coverage.report]
 -exclude_lines = [
@@ -50,14 +44,17 @@ Index: cryptography-44.0.3/pyproject.toml
 -    "@typing.overload",
 -    "if typing.TYPE_CHECKING",
 -]
+-
+-[tool.coverage.html]
+-show_contexts = true
 -
  [tool.ruff]
  line-length = 79
  
-Index: cryptography-44.0.3/tests/bench/test_aead.py
+Index: cryptography-45.0.5/tests/bench/test_aead.py
 ===================================================================
---- cryptography-44.0.3.orig/tests/bench/test_aead.py
+--- cryptography-45.0.5.orig/tests/bench/test_aead.py
-+++ cryptography-44.0.3/tests/bench/test_aead.py
++++ cryptography-45.0.5/tests/bench/test_aead.py
 @@ -26,84 +26,84 @@ def _aead_supported(cls):
      not _aead_supported(ChaCha20Poly1305),
      reason="Requires OpenSSL with ChaCha20Poly1305 support",
@@ -163,10 +160,10 @@ Index: cryptography-44.0.3/tests/bench/test_aead.py
      ct = aes.encrypt(b"\x00" * 12, b"hello world plaintext", None)
 -    benchmark(aes.decrypt, b"\x00" * 12, ct, None)
 +    aes.decrypt(b"\x00" * 12, ct, None)
-Index: cryptography-44.0.3/tests/bench/test_ec_load.py
+Index: cryptography-45.0.5/tests/bench/test_ec_load.py
 ===================================================================
---- cryptography-44.0.3.orig/tests/bench/test_ec_load.py
+--- cryptography-45.0.5.orig/tests/bench/test_ec_load.py
-+++ cryptography-44.0.3/tests/bench/test_ec_load.py
++++ cryptography-45.0.5/tests/bench/test_ec_load.py
 @@ -5,9 +5,9 @@
  from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
  
@@ -181,10 +178,10 @@ Index: cryptography-44.0.3/tests/bench/test_ec_load.py
 -    benchmark(EC_KEY_SECP256R1.private_key)
 +def test_load_ec_private_numbers():
 +    EC_KEY_SECP256R1.private_key()
-Index: cryptography-44.0.3/tests/bench/test_hashes.py
+Index: cryptography-45.0.5/tests/bench/test_hashes.py
 ===================================================================
---- cryptography-44.0.3.orig/tests/bench/test_hashes.py
+--- cryptography-45.0.5.orig/tests/bench/test_hashes.py
-+++ cryptography-44.0.3/tests/bench/test_hashes.py
++++ cryptography-45.0.5/tests/bench/test_hashes.py
 @@ -5,10 +5,10 @@
  from cryptography.hazmat.primitives import hashes
  
@@ -198,10 +195,10 @@ Index: cryptography-44.0.3/tests/bench/test_hashes.py
  
 -    benchmark(bench)
 +    bench()
-Index: cryptography-44.0.3/tests/bench/test_hmac.py
+Index: cryptography-45.0.5/tests/bench/test_hmac.py
 ===================================================================
---- cryptography-44.0.3.orig/tests/bench/test_hmac.py
+--- cryptography-45.0.5.orig/tests/bench/test_hmac.py
-+++ cryptography-44.0.3/tests/bench/test_hmac.py
++++ cryptography-45.0.5/tests/bench/test_hmac.py
 @@ -5,10 +5,10 @@
  from cryptography.hazmat.primitives import hashes, hmac
  
@@ -215,10 +212,10 @@ Index: cryptography-44.0.3/tests/bench/test_hmac.py
  
 -    benchmark(bench)
 +    bench()
-Index: cryptography-44.0.3/tests/bench/test_x509.py
+Index: cryptography-45.0.5/tests/bench/test_x509.py
 ===================================================================
---- cryptography-44.0.3.orig/tests/bench/test_x509.py
+--- cryptography-45.0.5.orig/tests/bench/test_x509.py
-+++ cryptography-44.0.3/tests/bench/test_x509.py
++++ cryptography-45.0.5/tests/bench/test_x509.py
 @@ -13,40 +13,40 @@ from cryptography import x509
  from ..utils import load_vectors_from_file
  

python-cryptography.changes

@@ -1,3 +1,129 @@
+-------------------------------------------------------------------
+Mon Sep  1 14:46:55 UTC 2025 - James Oakley <jfunk@opensuse.org>
+
+- Add Make-unsafe-subinterpreter-support-available-via-cfg.patch
+  to allow ceph-mgr to load modules (boo#1248987)
+
+-------------------------------------------------------------------
+Sat Jul 12 08:36:08 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- update to 45.0.5:
+  * Updated Windows, macOS, and Linux wheels to be compiled with
+    OpenSSL 3.5.1.
+  * Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This
+    is not considered secure, and is supported only for backwards
+    compatibility.)
+  * Fixed decrypting PKCS#8 files encrypted with long salts (this
+    impacts keys encrypted by Bouncy Castle).
+  * Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5.
+    While wildly insecure, this remains prevalent.
+  * Fixed using mypy with cryptography on older versions of
+    Python.
+  * Updated Windows, macOS, and Linux wheels to be compiled with
+    OpenSSL 3.5.0.
+  * Support for Python 3.7 is deprecated and will be removed in
+    the next cryptography release.
+  * Updated the minimum supported Rust version (MSRV) to 1.74.0,
+    from 1.65.0.
+  * Added support for serialization of PKCS#12 Java truststores
+    in :func:`~cryptography.hazmat.primitives.serialization.pkcs1
+    2.serialize_java_truststore`
+  * Added :meth:`~cryptography.hazmat.primitives.kdf.argon2.Argon
+    2id.derive_phc_encoded` and :meth:`~cryptography.hazmat.primi
+    tives.kdf.argon2.Argon2id.verify_phc_encoded` methods to
+    support password hashing in the PHC string format
+  * Added support for PKCS7 decryption and encryption using
+    AES-256 as the content algorithm, in addition to AES-128.
+  * BACKWARDS INCOMPATIBLE: Made SSH private key loading more
+    consistent with other private key loading: :func:`~cryptograp
+    hy.hazmat.primitives.serialization.load_ssh_private_key` now
+    raises a TypeError if the key is unencrypted but a password
+    is provided (previously no exception was raised), and raises
+    a TypeError if the key is encrypted but no password is
+    provided (previously a ValueError was raised).
+  * Added __copy__ to the :class:`~cryptography.hazmat.primitives
+    .asymmetric.ec.EllipticCurvePrivateKey`, :class:`~cryptograph
+    y.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`, :c
+    lass:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25
+    519PublicKey`, :class:`~cryptography.hazmat.primitives.asymme
+    tric.ed25519.Ed25519PrivateKey`, :class:`~cryptography.hazmat
+    .primitives.asymmetric.ed448.Ed448PublicKey`, :class:`~crypto
+    graphy.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`, :
+    class:`~cryptography.hazmat.primitives.asymmetric.x25519.X255
+    19PublicKey`, :class:`~cryptography.hazmat.primitives.asymmet
+    ric.x25519.X25519PrivateKey`, :class:`~cryptography.hazmat.pr
+    imitives.asymmetric.x448.X448PublicKey`, :class:`~cryptograph
+    y.hazmat.primitives.asymmetric.x448.X448PrivateKey`, :class:`
+    ~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`
+    , :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAP
+    ublicKey`, :class:`~cryptography.hazmat.primitives.asymmetric
+    .dsa.DSAPrivateKey`, :class:`~cryptography.hazmat.primitives.
+    asymmetric.dsa.DSAPublicKey`, :class:`~cryptography.hazmat.pr
+    imitives.asymmetric.dh.DHPrivateKey`, and :class:`~cryptograp
+    hy.hazmat.primitives.asymmetric.dh.DHPublicKey` abstract base
+    classes.
+  * We significantly refactored how private key loading ( :func:`
+    ~cryptography.hazmat.primitives.serialization.load_pem_privat
+    e_key` and :func:`~cryptography.hazmat.primitives.serializati
+    on.load_der_private_key`) works. This is intended to be
+    backwards compatible for all well-formed keys, therefore if
+    you discover a key that now raises an exception, please file
+    a bug with instructions for reproducing.
+  * Added unsafe_skip_rsa_key_validation keyword-argument to :fun
+    c:`~cryptography.hazmat.primitives.serialization.load_ssh_pri
+    vate_key`.
+  * Added :class:`~cryptography.hazmat.primitives.hashes.XOFHash`
+    to support repeated :meth:`~cryptography.hazmat.primitives.ha
+    shes.XOFHash.squeeze` operations on extendable output
+    functions.
+  * Added :meth:`~cryptography.x509.ocsp.OCSPResponseBuilder.add_
+    response_by_hash` method to allow creating OCSP responses
+    using certificate hash values rather than full certificates.
+  * Extended the :mod:`X.509 path validation
+    <cryptography.x509.verification>` API to support user-
+    configured extension policies via the
+    :meth:`PolicyBuilder.extension_policies <cryptography.x509.ve
+    rification.PolicyBuilder.extension_policies>` method.
+  * Deprecated the subject, verification_time and max_chain_depth
+    properties on
+    :class:`~cryptography.x509.verification.ClientVerifier` and
+    :class:`~cryptography.x509.verification.ServerVerifier` in
+    favor of a new policy property. These properties will be
+    removed in the next release of cryptography.
+  * BACKWARDS INCOMPATIBLE: The :meth:`VerifiedClient.subject
+    <cryptography.x509.verification.VerifiedClient.subjects>`
+    property can now be None since a custom extension policy may
+    allow certificates without a Subject Alternative Name
+    extension.
+  * Changed the behavior when the OpenSSL 3 legacy provider fails
+    to load. Instead of raising an exception, a warning is now
+    emitted. The CRYPTOGRAPHY_OPENSSL_NO_LEGACY environment
+    variable can still be used to disable the legacy provider at
+    runtime.
+  * Added support for the CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY
+    environment variable during build time, which prevents the
+    library from ever attempting to load the legacy provider.
+  * Added support for the
+    :class:`~cryptography.x509.PrivateKeyUsagePeriod` X.509
+    extension. This extension defines the period during which the
+    private key corresponding to the certificate's public key may
+    be used.
+  * Added support for compiling against `aws-lc`_.
+  * Parsing X.509 structures now more strictly enforces that Name
+    structures do not have malformed ASN.1.
+  * We now publish py311 wheels that utilize the faster
+    pyo3::buffer::PyBuffer interface, resulting in significantly
+    improved performance for operations involving small buffers.
+  * Added :func:`~cryptography.hazmat.primitives.serialization.ss
+    h_key_fingerprint` for computing fingerprints of SSH public
+    keys.
+  * Added support for deterministic ECDSA signing via the new
+    keyword-only argument ecdsa_deterministic in
+    :meth:`~cryptography.x509.CertificateBuilder.sign`, :meth:`~c
+    ryptography.x509.CertificateRevocationListBuilder.sign` and :
+    meth:`~cryptography.x509.CertificateSigningRequestBuilder.sig
+    n`.
+
 -------------------------------------------------------------------
 Wed May  7 15:45:10 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
 

python-cryptography.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package python-cryptography
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,7 +28,7 @@
 %{?sle15_python_module_pythons}
 Name:           python-cryptography%{psuffix}
 # ALWAYS KEEP IN SYNC WITH python-cryptography-vectors!
-Version:        44.0.3
+Version:        45.0.5
 Release:        0
 Summary:        Python library which exposes cryptographic recipes and primitives
 License:        Apache-2.0 OR BSD-3-Clause
@@ -41,6 +41,8 @@ Source4:        python-cryptography.keyring
 # PATCH-FEATURE-OPENSUSE no-pytest_benchmark.patch mcepl@suse.com
 # We don't need no benchmarking and coverage measurement
 Patch4:         no-pytest_benchmark.patch
+# PATCH-FIX-OPENSUSE Make-unsafe-subinterpreter-support-available-via-cfg.patch boo#1248987
+Patch5:         Make-unsafe-subinterpreter-support-available-via-cfg.patch
 BuildRequires:  %{python_module cffi >= 1.12}
 BuildRequires:  %{python_module devel}
 BuildRequires:  %{python_module exceptiongroup}
@@ -94,7 +96,8 @@ export CARGO_PROFILE_RELEASE_SPLIT_DEBUGINFO=off
 # https://pyo3.rs/main/building-and-distribution#configuring-the-python-version
 %python_expand export PYO3_PYTHON="%{_bindir}/$python"
 %global _lto_cflags %{nil}
-export RUSTFLAGS=%{rustflags}
+RUSTFLAGS=%{rustflags}
+export RUSTFLAGS="$RUSTFLAGS --cfg pyo3_unsafe_allow_subinterpreters"
 export CFLAGS="%{optflags} -fno-strict-aliasing"
 %pyproject_wheel
 
@@ -128,7 +131,6 @@ rm -v tests/wycheproof/test_chacha20poly1305.py
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %doc CONTRIBUTING.rst CHANGELOG.rst README.rst
 %{python_sitearch}/cryptography
-%{python_sitearch}/rust
 %{python_sitearch}/cryptography-%{version}.dist-info
 %endif