- Add patch add-aki-to-child-certs.patch

* Also add Authority Key Identifiers to children certs.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-trustme?expand=0&rev=29

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

add-aki-to-child-certs.patch

@@ -0,0 +1,96 @@
+From 84e347d9221e304f0158330e5101d23969d424d0 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Wed, 27 Mar 2024 11:45:41 +0000
+Subject: [PATCH 1/3] Add AKI to child CA certificates
+
+---
+ src/trustme/__init__.py | 14 +++++++++++---
+ tests/test_trustme.py   |  5 +++++
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/src/trustme/__init__.py b/src/trustme/__init__.py
+index 5fb24fb..0db1bb0 100644
+--- a/src/trustme/__init__.py
++++ b/src/trustme/__init__.py
+@@ -250,14 +250,22 @@ def __init__(
+             sign_key = parent_cert._private_key
+             parent_certificate = parent_cert._certificate
+             issuer = parent_certificate.subject
+-
+-        self._certificate = (
++            ski_ext = parent_certificate.extensions.get_extension_for_class(
++                x509.SubjectKeyIdentifier)
++            aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski_ext.value)
++        else:
++            aki = None
++        cert_builder = (
+             _cert_builder_common(name, issuer, self._private_key.public_key())
+             .add_extension(
+                 x509.BasicConstraints(ca=True, path_length=path_length),
+                 critical=True,
+             )
+-            .add_extension(
++        )
++        if aki:
++            cert_builder = cert_builder.add_extension(aki, critical=False)
++        self._certificate = (
++            cert_builder.add_extension(
+                 x509.KeyUsage(
+                     digital_signature=True,  # OCSP
+                     content_commitment=False,
+diff --git a/tests/test_trustme.py b/tests/test_trustme.py
+index 1d901ad..581716e 100644
+--- a/tests/test_trustme.py
++++ b/tests/test_trustme.py
+@@ -200,6 +200,11 @@ def test_intermediate() -> None:
+     assert_is_ca(child_ca_cert)
+     assert child_ca_cert.issuer == ca_cert.subject
+     assert _path_length(child_ca_cert) == 8
++    aki = child_ca_cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
++    assert aki.critical is False
++    expected_aki_key_id = ca_cert.extensions.get_extension_for_class(
++        x509.SubjectKeyIdentifier).value.digest
++    assert aki.value.key_identifier == expected_aki_key_id
+ 
+     child_server = child_ca.issue_cert("test-host.example.org")
+     assert len(child_server.cert_chain_pems) == 2
+
+From f507a28e0f4d97d63716aa5a81669bb747235f07 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Wed, 27 Mar 2024 12:02:59 +0000
+Subject: [PATCH 2/3] Fix a typing issue
+
+---
+ src/trustme/__init__.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/trustme/__init__.py b/src/trustme/__init__.py
+index 0db1bb0..d126180 100644
+--- a/src/trustme/__init__.py
++++ b/src/trustme/__init__.py
+@@ -246,6 +246,7 @@ def __init__(
+         )
+         issuer = name
+         sign_key = self._private_key
++        aki: Optional[x509.AuthorityKeyIdentifier]
+         if parent_cert is not None:
+             sign_key = parent_cert._private_key
+             parent_certificate = parent_cert._certificate
+
+From cdd2fd61aae9c92f902932bacd6b39189ecde4b1 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Wed, 27 Mar 2024 12:09:38 +0000
+Subject: [PATCH 3/3] Add a news entry
+
+---
+ newsfragments/642.bugfix.rst | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 newsfragments/642.bugfix.rst
+
+diff --git a/newsfragments/642.bugfix.rst b/newsfragments/642.bugfix.rst
+new file mode 100644
+index 0000000..9d75e7a
+--- /dev/null
++++ b/newsfragments/642.bugfix.rst
+@@ -0,0 +1 @@
++Add the Authority Key Identifier extension to child CA certificates.

fix2038.patch

@@ -0,0 +1,17 @@
+Author: Bernhard M. Wiedemann <bwiedemann suse de>
+Date: 2023-01-14
+Subject: Fix tests of python-aiosmtplib after 2038
+
+Index: trustme-1.0.0/src/trustme/__init__.py
+===================================================================
+--- trustme-1.0.0.orig/src/trustme/__init__.py
++++ trustme-1.0.0/src/trustme/__init__.py
+@@ -37,7 +37,7 @@ __all__ = ["CA"]
+ # Some versions of cryptography on 32-bit platforms fail if you give
+ # them dates after ~2038-01-19:
+ #   https://github.com/pyca/cryptography/pull/4658
+-DEFAULT_EXPIRY = datetime.datetime(2038, 1, 1)
++DEFAULT_EXPIRY = datetime.datetime(2098, 1, 1)
+ 
+ def _name(name: str, organization_name: Optional[str] = None, common_name: Optional[str] = None) -> x509.Name:
+     name_pieces = [

python-trustme.changes

@@ -0,0 +1,155 @@
+-------------------------------------------------------------------
+Wed Aug 28 06:38:39 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Add patch add-aki-to-child-certs.patch
+  * Also add Authority Key Identifiers to children certs.
+
+-------------------------------------------------------------------
+Tue Mar  5 02:52:27 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
+
+- Switch to pyproject and autosetup macros.
+
+-------------------------------------------------------------------
+Thu Sep  7 11:03:12 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.1.0:
+  * Allow `os.PathLike` in typing of `Blob.write_to_path`
+  * Add support for PyPy 3.10 and Python 3.12
+  * Remove support for Python 3.7
+- drop python 2.x specific conditionals from spec file
+
+-------------------------------------------------------------------
+Sun May 14 16:33:47 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- update to 1.0.0:
+  * Support for ECDSA keys in certificates and use them by default.
+    The type of key used for certificates can be controlled by the
+    key_type parameter on the multiple methods that generate
+    certificates. ECDSA certificates as they can be generated
+    significantly faster.
+  * Support for Python 3.10 and 3.11 (#372, 574)
+
+-------------------------------------------------------------------
+Fri Apr 21 12:38:00 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- add sle15_python_module_pythons (jsc#PED-68)
+
+-------------------------------------------------------------------
+Thu Apr 13 22:45:35 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Make calling of %{sle15modernpython} optional.
+
+-------------------------------------------------------------------
+Mon Jan 16 21:04:12 UTC 2023 - Matej Cepl <mcepl@suse.com>
+
+- Clean up SPEC file
+
+-------------------------------------------------------------------
+Sat Jan 14 10:45:50 UTC 2023 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Add fix2038.patch to allow tests of python-aiosmtplib to pass after 2038
+
+-------------------------------------------------------------------
+Mon Aug 30 14:18:19 UTC 2021 - John Paul Adrian Glaubitz <adrian.glaubitz@suse.com>
+
+- Update to 0.9.0
+  * Bump types-cryptography from 3.3.3 to 3.3.5 (#342)
+  * Bump types-pyopenssl from 20.0.4 to 20.0.5 (#343)
+  * Add type annotations (#341)
+  * Bump charset-normalizer from 2.0.3 to 2.0.4 (#340)
+  * Bump sphinx from 4.1.1 to 4.1.2
+  * Bump charset-normalizer from 2.0.2 to 2.0.3
+  * Bump idna from 2.10 to 3.2
+  * Bump sphinx from 4.1.0 to 4.1.1
+  * Bump charset-normalizer from 2.0.1 to 2.0.2
+  * Bump requests from 2.25.1 to 2.26.0 (#333)
+  * Bump sphinx from 4.0.2 to 4.1.0
+  * Bump urllib3 from 1.26.5 to 1.26.6
+  * Bump version to v0.8.0+dev
+- from version 0.8.0
+  * retry codecov more
+  * try codecov harder
+  * require codecov in ci
+  * Update tests/test_trustme.py
+  * close the wrapped sockets to prevent Unraisable ResourceWarnings
+  * Adjust tests
+  * py3.10 needs a new version of pytest
+  * Set correct KU and EKU extensions
+  * test on py 3.10
+  * Bump pytest-cov from 2.12.0 to 2.12.1
+  * Bump certifi from 2020.12.5 to 2021.5.30
+  * Bump urllib3 from 1.26.4 to 1.26.5
+  * Bump sphinxcontrib-htmlhelp from 1.0.3 to 2.0.0
+  * Bump sphinxcontrib-serializinghtml from 1.1.4 to 1.1.5
+  * Bump jinja2 from 2.11.3 to 3.0.1
+  * Bump sphinx from 4.0.1 to 4.0.2
+  * Bump pytest-cov from 2.11.1 to 2.12.0
+  * Bump docutils from 0.16 to 0.17.1
+  * Bump sphinx from 4.0.0 to 4.0.1
+  * Bump service-identity from 18.1.0 to 21.1.0
+  * Bump sphinx from 3.5.4 to 4.0.0
+  * Bump attrs from 21.1.0 to 21.2.0
+  * Bump attrs from 20.3.0 to 21.1.0
+  * Bump six from 1.15.0 to 1.16.0
+  * Bump pygments from 2.8.1 to 2.9.0
+  * Upgrade to GitHub-native Dependabot
+  * Bump babel from 2.9.0 to 2.9.1
+  * Bump sphinx from 3.5.3 to 3.5.4
+  * Bump docutils from 0.16 to 0.17
+  * Bump sphinx from 3.5.2 to 3.5.3
+  * Mention not_after in `issue_cert` signature
+  * Bump urllib3 from 1.26.3 to 1.26.4
+  * Bump pygments from 2.8.0 to 2.8.1
+  * Bump sphinx from 3.5.1 to 3.5.2
+  * Add newsfragment and Python doc for --expires-on
+  * Add an option to set when the certificate should expire (--expires-on)
+  * Bump coverage from 5.4 to 5.5
+  * Bump sphinx from 3.5.0 to 3.5.1
+  * Clarify project vision in README
+  * Bump sphinx from 3.4.3 to 3.5.0
+  * Bump pygments from 2.7.4 to 2.8.0
+  * Bump cffi from 1.14.4 to 1.14.5
+  * Bump version to 0.7.0
+
+-------------------------------------------------------------------
+Sun May  9 17:12:48 UTC 2021 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.7.0:
+  - trustme can now be used a command line interface with ``python -m
+    trustme``. Get the help with ``python -m trustme --help``.
+
+-------------------------------------------------------------------
+Thu Mar 12 07:55:07 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
+
+- Fix build without python2
+
+-------------------------------------------------------------------
+Fri Feb  7 15:33:14 UTC 2020 - Marketa Calabkova <mcalabkova@suse.com>
+
+- update to 0.6.0
+  * Allow specifying organization and organization unit in CA and issued certs
+  * Added attr CA.from_pem to import an existing certificate authority;
+    this allows migrating to trustme step-by-step.
+
+-------------------------------------------------------------------
+Tue Jun  4 14:17:59 UTC 2019 - Ondřej Súkup <mimi.vx@gmail.com>
+
+- update to 0.5.2
+ * support cryptography-2.7
+
+-------------------------------------------------------------------
+Fri Apr 26 07:54:32 UTC 2019 - pgajdos@suse.com
+
+- version update to 0.5.1
+  * Update key size to 2048 bits
+
+-------------------------------------------------------------------
+Mon Mar 18 18:02:03 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
+
+- Replace nonsense summary. Trim storytelling write style
+  from description.
+
+-------------------------------------------------------------------
+Wed Feb 27 11:30:53 UTC 2019 - Ondřej Súkup <mimi.vx@gmail.com>
+
+- initial package

python-trustme.spec

@@ -0,0 +1,73 @@
+#
+# spec file for package python-trustme
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{?sle15_python_module_pythons}
+Name:           python-trustme
+Version:        1.1.0
+Release:        0
+Summary:        Fake CA provider for Python tests
+License:        Apache-2.0 OR MIT
+URL:            https://github.com/python-trio/trustme
+Source:         https://files.pythonhosted.org/packages/source/t/trustme/trustme-%{version}.tar.gz
+Patch0:         fix2038.patch
+# PATCH-FIX-UPSTREAM gh#python-trio/trustme#642
+Patch1:         add-aki-to-child-certs.patch
+BuildRequires:  %{python_module cryptography}
+BuildRequires:  %{python_module idna}
+BuildRequires:  %{python_module pip}
+BuildRequires:  %{python_module pyOpenSSL}
+BuildRequires:  %{python_module pytest}
+BuildRequires:  %{python_module service_identity}
+BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module wheel}
+BuildRequires:  fdupes
+BuildRequires:  python-rpm-macros
+Requires:       python-cryptography >= 41.0.1
+Requires:       python-idna
+BuildArch:      noarch
+%python_subpackages
+
+%description
+trustme is a Python package that provides a fake certificate
+authority (CA) that can be used to generate "fake" TLS certs to use
+in tests. The CA and certificates are fake in the sense of
+https://martinfowler.com/bliki/TestDouble.html, that is, the trust
+circle of the CA is limited to the test environment.
+
+%prep
+%autosetup -p1 -n trustme-%{version}
+
+%build
+%pyproject_wheel
+
+%install
+%pyproject_install
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+
+%check
+%pytest
+
+%files %{python_files}
+%license LICENSE
+%license LICENSE.MIT
+%license LICENSE.APACHE2
+%doc README.rst
+%{python_sitelib}/trustme
+%{python_sitelib}/trustme-%{version}.dist-info
+
+%changelog