pool/python-pyOpenSSL
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- update to 19.0

Browse Source 
- fixed build deps.
- drop patches: openssl-1.1.0i.patch
                openssl-1.1.1.patch
                opensuse_ca.patch
                tls13-renegotiation.patch
 * X509Store.add_cert no longer raises an error if you add a duplicate cert.
 * pyOpenSSL now works with OpenSSL 1.1.1.
 * pyOpenSSL now handles NUL bytes in X509Name.get_components()

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=58
This commit is contained in:
Ondřej Súkup 2019-03-02 16:33:31 +00:00 committed by Git OBS Bridge
parent 673132b30c
commit d631fa8ab1
8 changed files with 69 additions and 280 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
openssl-1.1.0i.patch
View File

@ -1,61 +0,0 @@
From 0e6c553bc57587dc644430b7336e6bf4d90180a6 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Thu, 23 Aug 2018 10:52:15 -0500
Subject: [PATCH] X509Store.add_cert no longer raises an error on duplicate
cert (#787)
* X509Store.add_cert no longer raises an error on duplicate cert
---
src/OpenSSL/crypto.py | 11 ++++++++++-
tests/test_crypto.py | 9 ++++-----
3 files changed, 16 insertions(+), 7 deletions(-)
Deprecations:
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index d40f23c2..ea7b354b 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1607,7 +1607,16 @@ def add_cert(self, cert):
if not isinstance(cert, X509):
raise TypeError()
- _openssl_assert(_lib.X509_STORE_add_cert(self._store, cert._x509) != 0)
+ # As of OpenSSL 1.1.0i adding the same cert to the store more than
+ # once doesn't cause an error. Accordingly, this code now silences
+ # the error for OpenSSL < 1.1.0i as well.
+ if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0:
+ code = _lib.ERR_peek_error()
+ err_reason = _lib.ERR_GET_REASON(code)
+ _openssl_assert(
+ err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE
+ )
+ _lib.ERR_clear_error()
def add_crl(self, crl):
"""
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index d1c261b8..eb4590d0 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -2016,16 +2016,15 @@ def test_add_cert_wrong_args(self, cert):
with pytest.raises(TypeError):
store.add_cert(cert)
- def test_add_cert_rejects_duplicate(self):
+ def test_add_cert_accepts_duplicate(self):
"""
- `X509Store.add_cert` raises `OpenSSL.crypto.Error` if an attempt is
- made to add the same certificate to the store more than once.
+ `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt
+ is made to add the same certificate to the store more than once.
"""
cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
store = X509Store()
store.add_cert(cert)
- with pytest.raises(Error):
- store.add_cert(cert)
+ store.add_cert(cert)
class TestPKCS12(object):

218
openssl-1.1.1.patch
View File

@ -7,162 +7,23 @@ Subject: [PATCH 1/7] Attempt to fix CRL tests under OpenSSL 1.1.1
tests/test_crypto.py | 12 +++++++----- tests/test_crypto.py | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-) 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/tests/test_crypto.py b/tests/test_crypto.py Index: pyOpenSSL-19.0.0/tests/test_ssl.py
index eb4590d0..4983d6ac 100644 ===================================================================
--- a/tests/test_crypto.py --- pyOpenSSL-19.0.0.orig/tests/test_ssl.py
+++ b/tests/test_crypto.py +++ pyOpenSSL-19.0.0/tests/test_ssl.py
@@ -3161,10 +3161,10 @@ def test_export_pem(self): @@ -410,18 +410,17 @@ class TestContext(object):
dumped_crl = crl.export(
self.cert, self.pkey, days=20, digest=b"sha256"
)
- text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
+ text = _runopenssl(
+ dumped_crl, b"crl", b"-noout", b"-text", b"-nameopt", ""
+ )
- # These magic values are based on the way the CRL above was constructed
- # and with what certificate it was exported.
text.index(b'Serial Number: 03AB')
text.index(b'Superseded')
text.index(
@@ -3184,7 +3184,8 @@ def test_export_der(self):
self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
)
text = _runopenssl(
- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
+ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER",
+ b"-nameopt", ""
)
text.index(b'Serial Number: 03AB')
text.index(b'Superseded')
@@ -3207,7 +3208,8 @@ def test_export_text(self):
self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
)
text = _runopenssl(
- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
+ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER",
+ b"-nameopt", ""
)
# text format
From 17d793266477c9812fdf3311741f175b24c07ed7 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Tue, 11 Sep 2018 17:54:22 -0400
Subject: [PATCH 2/7] make these asserts both 1.1.1 and earlier friendly
---
tests/test_crypto.py | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index 4983d6ac..c08f81c3 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -3167,9 +3167,9 @@ def test_export_pem(self):
text.index(b'Serial Number: 03AB')
text.index(b'Superseded')
- text.index(
- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'
- )
+ text.index(b'Issuer:')
+ text.index(b'C=US')
+ text.index(b'CN=Testing Root CA')
def test_export_der(self):
"""
@@ -3189,9 +3189,9 @@ def test_export_der(self):
)
text.index(b'Serial Number: 03AB')
text.index(b'Superseded')
- text.index(
- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'
- )
+ text.index(b'Issuer:')
+ text.index(b'C=US')
+ text.index(b'CN=Testing Root CA')
# Flaky because we compare the output of running commands which sometimes
# varies by 1 second
From f43cdc5cb6c5f1ccf7983d2c7b8f3304d5130662 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Tue, 11 Sep 2018 18:09:49 -0400
Subject: [PATCH 3/7] Fix setsession test by excluding TLS 1.3
TLS 1.3 changes how resumption works, and the precise assertion we use here doesn't hold for it.
---
tests/test_ssl.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index fbf07603..4845eca3 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -2539,7 +2539,7 @@ def test_client_set_session(self):
"""
key = load_privatekey(FILETYPE_PEM, server_key_pem)
cert = load_certificate(FILETYPE_PEM, server_cert_pem)
- ctx = Context(SSLv23_METHOD)
+ ctx = Context(TLSv1_2_METHOD)
ctx.use_privatekey(key)
ctx.use_certificate(cert)
ctx.set_session_id("unity-test")
From 71f44a0d979a10c69692dad2098841029363323f Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Tue, 11 Sep 2018 19:42:38 -0400
Subject: [PATCH 4/7] Make this always behave like 1.1.1
---
src/OpenSSL/SSL.py | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 5cf39c0d..910ce680 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1182,9 +1182,8 @@ def set_cipher_list(self, cipher_list):
if not isinstance(cipher_list, bytes):
raise TypeError("cipher_list must be a byte string.")
- _openssl_assert(
- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1
- )
+ # This can return an error if there's no ciphersuites, but we don't care.
+ _lib.SSL_CTX_set_cipher_list(self._context, cipher_list)
def set_client_ca_list(self, certificate_authorities):
"""
From 457b6d391de7f0355def4a596ddb66eede63ae75 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Tue, 11 Sep 2018 19:43:49 -0400
Subject: [PATCH 5/7] Update tests for the new behavior
---
tests/test_ssl.py | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 4845eca3..a5fb4df9 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -409,19 +409,18 @@ def test_set_cipher_list(self, context, cipher_string):
conn = Connection(context, None)
assert "AES128-SHA" in conn.get_cipher_list() assert "AES128-SHA" in conn.get_cipher_list()
+
+ def test_set_cipher_list_imaginary(self, context):
+ # Doesn't raise an exception
+ context.set_cipher_list(b"gibberish")
- @pytest.mark.parametrize("cipher_list,error", [ - @pytest.mark.parametrize("cipher_list,error", [
- (object(), TypeError), - (object(), TypeError),
- ("imaginary-cipher", Error), - ("imaginary-cipher", Error),
- ]) - ])
- def test_set_cipher_list_wrong_args(self, context, cipher_list, error): - def test_set_cipher_list_wrong_args(self, context, cipher_list, error):
+ def test_set_cipher_list_imaginary(self, context):
+ # Doesn't raise an exception
+ context.set_cipher_list(b"gibberish")
+
+ def test_set_cipher_list_wrong_args(self, context): + def test_set_cipher_list_wrong_args(self, context):
""" """
`Context.set_cipher_list` raises `TypeError` when passed a non-string `Context.set_cipher_list` raises `TypeError` when passed a non-string
@ -177,50 +38,29 @@ index 4845eca3..a5fb4df9 100644
def test_load_client_ca(self, context, ca_file): def test_load_client_ca(self, context, ca_file):
""" """
@@ -3836,7 +3835,7 @@ class TestOCSP(object):
:param request_ocsp: Whether the client will actually ask for OCSP
stapling. Useful for testing only.
"""
- ctx = Context(SSLv23_METHOD)
+ ctx = Context(TLSv1_2_METHOD)
ctx.set_ocsp_client_callback(callback, data)
client = Connection(ctx)
From d735cdba24a0a6a908e316743e03faf0fd7a7f8a Mon Sep 17 00:00:00 2001 Index: pyOpenSSL-19.0.0/src/OpenSSL/SSL.py
From: Alex Gaynor <alex.gaynor@gmail.com> ===================================================================
Date: Tue, 11 Sep 2018 19:48:07 -0400 --- pyOpenSSL-19.0.0.orig/src/OpenSSL/SSL.py
Subject: [PATCH 6/7] flake8 +++ pyOpenSSL-19.0.0/src/OpenSSL/SSL.py
@@ -1182,9 +1182,9 @@ class Context(object):
---
src/OpenSSL/SSL.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 910ce680..a0469f10 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1182,7 +1182,8 @@ def set_cipher_list(self, cipher_list):
if not isinstance(cipher_list, bytes): if not isinstance(cipher_list, bytes):
raise TypeError("cipher_list must be a byte string.") raise TypeError("cipher_list must be a byte string.")
- # This can return an error if there's no ciphersuites, but we don't care. - _openssl_assert(
- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1
- )
+ # This can return an error if there's no ciphersuites, but we don't + # This can return an error if there's no ciphersuites, but we don't
+ # care. + # care.
_lib.SSL_CTX_set_cipher_list(self._context, cipher_list) + _lib.SSL_CTX_set_cipher_list(self._context, cipher_list)
# In OpenSSL 1.1.1 setting the cipher list will always return TLS 1.3
def set_client_ca_list(self, certificate_authorities): # ciphers even if you pass an invalid cipher. Applications (like
# Twisted) have tests that depend on an error being raised if an
From cf1e7619862652e81879541a6af38b793ede47a1 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Tue, 11 Sep 2018 20:01:26 -0400
Subject: [PATCH 7/7] flake8
---
tests/test_ssl.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index a5fb4df9..39e76500 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -409,7 +409,7 @@ def test_set_cipher_list(self, context, cipher_string):
conn = Connection(context, None)
assert "AES128-SHA" in conn.get_cipher_list()
-
+
def test_set_cipher_list_imaginary(self, context):
# Doesn't raise an exception
context.set_cipher_list(b"gibberish")

14
opensuse_ca.patch Normal file
View File

@ -0,0 +1,14 @@
Index: pyOpenSSL-19.0.0/src/OpenSSL/SSL.py
===================================================================
--- pyOpenSSL-19.0.0.orig/src/OpenSSL/SSL.py
+++ pyOpenSSL-19.0.0/src/OpenSSL/SSL.py
@@ -221,7 +221,8 @@ SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HAND
_CERTIFICATE_FILE_LOCATIONS = [
"/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL 6
- "/etc/ssl/ca-bundle.pem", # OpenSUSE
+ "/var/lib/ca-certificates/ca-bundle.pem", #openSUSE real locaction
+ "/etc/ssl/ca-bundle.pem", # openSUSE
"/etc/pki/tls/cacert.pem", # OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # CentOS/RHEL 7
]

3
pyOpenSSL-18.0.0.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6488f1423b00f73b7ad5167885312bb0ce410d3312eb212393795b53c8caa580
size 167296

3
pyOpenSSL-19.0.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:aeca66338f6de19d1aa46ed634c3b9ae519a64b458f8468aec688e7e3c20f200
size 168551

13
python-pyOpenSSL.changes
View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Sat Mar 2 16:29:39 UTC 2019 - Ondřej Súkup <mimi.vx@gmail.com>
- update to 19.0
- fixed build deps.
- drop patches: openssl-1.1.0i.patch
openssl-1.1.1.patch
opensuse_ca.patch
tls13-renegotiation.patch
* X509Store.add_cert no longer raises an error if you add a duplicate cert.
* pyOpenSSL now works with OpenSSL 1.1.1.
* pyOpenSSL now handles NUL bytes in X509Name.get_components()
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Mar 1 18:06:10 UTC 2019 - Hans-Peter Jansen <hpj@urpla.net> Fri Mar 1 18:06:10 UTC 2019 - Hans-Peter Jansen <hpj@urpla.net>

9
python-pyOpenSSL.spec
View File

@ -19,7 +19,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}} %{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define oldpython python %define oldpython python
Name: python-pyOpenSSL Name: python-pyOpenSSL
Version: 18.0.0 Version: 19.0.0
Release: 0 Release: 0
Summary: Python wrapper module around the OpenSSL library Summary: Python wrapper module around the OpenSSL library
License: Apache-2.0 License: Apache-2.0
@ -27,16 +27,16 @@ Group: Development/Languages/Python
URL: https://github.com/pyca/pyopenssl URL: https://github.com/pyca/pyopenssl
Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz
Patch1: skip-networked-test.patch Patch1: skip-networked-test.patch
Patch2: openssl-1.1.0i.patch
Patch3: openssl-1.1.1.patch
Patch4: tls13-renegotiation.patch
BuildRequires: %{python_module cffi} BuildRequires: %{python_module cffi}
BuildRequires: %{python_module cryptography >= 2.3.0} BuildRequires: %{python_module cryptography >= 2.3.0}
BuildRequires: %{python_module flaky} BuildRequires: %{python_module flaky}
BuildRequires: %{python_module pretend} BuildRequires: %{python_module pretend}
BuildRequires: %{python_module pytest >= 3.0.1} BuildRequires: %{python_module pytest >= 3.0.1}
BuildRequires: %{python_module setuptools} BuildRequires: %{python_module setuptools}
BuildRequires: %{python_module six}
BuildRequires: ca-certificates-mozilla
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: openssl
BuildRequires: python-rpm-macros BuildRequires: python-rpm-macros
Requires: python-cffi Requires: python-cffi
Requires: python-cryptography >= 2.3.0 Requires: python-cryptography >= 2.3.0
@ -61,6 +61,7 @@ other things) a cffi-based interface to OpenSSL.
%prep %prep
%setup -q -n pyOpenSSL-%{version} %setup -q -n pyOpenSSL-%{version}
%autopatch -p1 %autopatch -p1
/usr/lib/ca-certificates/update.d/99certbundle.run
%build %build
%python_build %python_build

26
tls13-renegotiation.patch
View File

@ -1,7 +1,7 @@
Index: pyOpenSSL-18.0.0/tests/test_ssl.py Index: pyOpenSSL-19.0.0/tests/test_ssl.py
=================================================================== ===================================================================
--- pyOpenSSL-18.0.0.orig/tests/test_ssl.py 2018-10-30 20:43:38.806954080 +0100 --- pyOpenSSL-19.0.0.orig/tests/test_ssl.py
+++ pyOpenSSL-18.0.0/tests/test_ssl.py 2018-10-30 20:58:46.133504622 +0100 +++ pyOpenSSL-19.0.0/tests/test_ssl.py
@@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object): @@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object):
""" """
Tests for SSL renegotiation APIs. Tests for SSL renegotiation APIs.
@ -10,25 +10,7 @@ Index: pyOpenSSL-18.0.0/tests/test_ssl.py
def test_total_renegotiations(self): def test_total_renegotiations(self):
""" """
`Connection.total_renegotiations` returns `0` before any renegotiations `Connection.total_renegotiations` returns `0` before any renegotiations
@@ -3193,7 +3194,16 @@ class TestConnectionRenegotiate(object): @@ -3219,6 +3220,25 @@ class TestConnectionRenegotiate(object):
"""
Go through a complete renegotiation cycle.
"""
- server, client = loopback()
+ # renegotiation works with TLS version <= 1.2
+ def makeServer12(socket):
+ ctx = Context(TLSv1_2_METHOD)
+ ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
+ ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
+ server = Connection(ctx, socket)
+ server.set_accept_state()
+ return server
+
+ server, client = loopback(server_factory=makeServer12)
server.send(b"hello world")
@@ -3216,6 +3226,25 @@ class TestConnectionRenegotiate(object):
while False is server.renegotiate_pending(): while False is server.renegotiate_pending():
pass pass