commit bf5e92b161f15ed561b9c9ebb9eaac063428a5ce00c242a3ebe0e528f3dc6f7c Author: Steve Kowalik Date: Wed Aug 28 06:39:24 2024 +0000 - Add patch add-aki-to-child-certs.patch * Also add Authority Key Identifiers to children certs. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-trustme?expand=0&rev=29
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/add-aki-to-child-certs.patch b/add-aki-to-child-certs.patch
new file mode 100644
index 0000000..fc2826a
--- /dev/null
+++ b/add-aki-to-child-certs.patch
@@ -0,0 +1,96 @@
+From 84e347d9221e304f0158330e5101d23969d424d0 Mon Sep 17 00:00:00 2001
+From: Illia Volochii
+Date: Wed, 27 Mar 2024 11:45:41 +0000
+Subject: [PATCH 1/3] Add AKI to child CA certificates
+
+---
+ src/trustme/__init__.py | 14 +++++++++++---
+ tests/test_trustme.py | 5 +++++
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/src/trustme/__init__.py b/src/trustme/__init__.py
+index 5fb24fb..0db1bb0 100644
+--- a/src/trustme/__init__.py
++++ b/src/trustme/__init__.py
+@@ -250,14 +250,22 @@ def __init__(
+ sign_key = parent_cert._private_key
+ parent_certificate = parent_cert._certificate
+ issuer = parent_certificate.subject
+-
+- self._certificate = (
++ ski_ext = parent_certificate.extensions.get_extension_for_class(
++ x509.SubjectKeyIdentifier)
++ aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski_ext.value)
++ else:
++ aki = None
++ cert_builder = (
+ _cert_builder_common(name, issuer, self._private_key.public_key())
+ .add_extension(
+ x509.BasicConstraints(ca=True, path_length=path_length),
+ critical=True,
+ )
+- .add_extension(
++ )
++ if aki:
++ cert_builder = cert_builder.add_extension(aki, critical=False)
++ self._certificate = (
++ cert_builder.add_extension(
+ x509.KeyUsage(
+ digital_signature=True, # OCSP
+ content_commitment=False,
+diff --git a/tests/test_trustme.py b/tests/test_trustme.py
+index 1d901ad..581716e 100644
+--- a/tests/test_trustme.py
++++ b/tests/test_trustme.py
+@@ -200,6 +200,11 @@ def test_intermediate() -> None:
+ assert_is_ca(child_ca_cert)
+ assert child_ca_cert.issuer == ca_cert.subject
+ assert _path_length(child_ca_cert) == 8
++ aki = child_ca_cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
++ assert aki.critical is False
++ expected_aki_key_id = ca_cert.extensions.get_extension_for_class(
++ x509.SubjectKeyIdentifier).value.digest
++ assert aki.value.key_identifier == expected_aki_key_id
+
+ child_server = child_ca.issue_cert("test-host.example.org")
+ assert len(child_server.cert_chain_pems) == 2
+
+From f507a28e0f4d97d63716aa5a81669bb747235f07 Mon Sep 17 00:00:00 2001
+From: Illia Volochii
+Date: Wed, 27 Mar 2024 12:02:59 +0000
+Subject: [PATCH 2/3] Fix a typing issue
+
+---
+ src/trustme/__init__.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/trustme/__init__.py b/src/trustme/__init__.py
+index 0db1bb0..d126180 100644
+--- a/src/trustme/__init__.py
++++ b/src/trustme/__init__.py
+@@ -246,6 +246,7 @@ def __init__(
+ )
+ issuer = name
+ sign_key = self._private_key
++ aki: Optional[x509.AuthorityKeyIdentifier]
+ if parent_cert is not None:
+ sign_key = parent_cert._private_key
+ parent_certificate = parent_cert._certificate
+
+From cdd2fd61aae9c92f902932bacd6b39189ecde4b1 Mon Sep 17 00:00:00 2001
+From: Illia Volochii
+Date: Wed, 27 Mar 2024 12:09:38 +0000
+Subject: [PATCH 3/3] Add a news entry
+
+---
+ newsfragments/642.bugfix.rst | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 newsfragments/642.bugfix.rst
+
+diff --git a/newsfragments/642.bugfix.rst b/newsfragments/642.bugfix.rst
+new file mode 100644
+index 0000000..9d75e7a
+--- /dev/null
++++ b/newsfragments/642.bugfix.rst
+@@ -0,0 +1 @@
++Add the Authority Key Identifier extension to child CA certificates.
diff --git a/fix2038.patch b/fix2038.patch
new file mode 100644
index 0000000..918b8aa
--- /dev/null
+++ b/fix2038.patch
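Review bot: In the `src/trustme/__init__.py` hunk of add-aki-to-child-certs.patch, `parent_certificate.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)` is called with no handling for a parent certificate that carries no Subject Key Identifier, so creating a child CA under such a parent (possibly one imported with `CA.from_pem`, which the changelog on this page mentions) would presumably raise `x509.ExtensionNotFound` instead of producing a certificate. Wrapping the lookup in `try:` and falling back with `except x509.ExtensionNotFound: aki = x509.AuthorityKeyIdentifier.from_issuer_public_key(parent_certificate.public_key())` would keep the AKI present for chain building either way. The later `if aki:` tests an optional object by truthiness and would read more precisely as `if aki is not None:`. `__init__` starts and ends outside the hunk, so a guard elsewhere in the method cannot be ruled out from here.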
@@ -0,0 +1,17 @@
+Author: Bernhard M. Wiedemann
+Date: 2023-01-14
+Subject: Fix tests of python-aiosmtplib after 2038
+
+Index: trustme-1.0.0/src/trustme/__init__.py
+===================================================================
+--- trustme-1.0.0.orig/src/trustme/__init__.py
++++ trustme-1.0.0/src/trustme/__init__.py
+@@ -37,7 +37,7 @@ __all__ = ["CA"]
+ # Some versions of cryptography on 32-bit platforms fail if you give
+ # them dates after ~2038-01-19:
+ # https://github.com/pyca/cryptography/pull/4658
+-DEFAULT_EXPIRY = datetime.datetime(2038, 1, 1)
++DEFAULT_EXPIRY = datetime.datetime(2098, 1, 1)
+
+ def _name(name: str, organization_name: Optional[str] = None, common_name: Optional[str] = None) -> x509.Name:
+ name_pieces = [
diff --git a/python-trustme.changes b/python-trustme.changes
new file mode 100644
index 0000000..461aff1
--- /dev/null
+++ b/python-trustme.changes
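Review bot: In fix2038.patch, the three context comment lines above `DEFAULT_EXPIRY` still warn that some cryptography versions on 32-bit platforms fail for dates after ~2038-01-19, while the new value `datetime.datetime(2098, 1, 1)` lies far beyond that date, so the comment now contradicts the code it sits on. If the limitation no longer applies to the cryptography versions this package builds against, the patch should replace the comment, for example with `# Far-future default expiry so dependent test suites keep passing after 2038; assumes a cryptography build without the 32-bit date limit.`; if it can still apply, the change may bring the failure back on those builds. The patch header also gives no reason for choosing 2098, and one line there would help the next maintainer.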
@@ -0,0 +1,155 @@
+-------------------------------------------------------------------
+Wed Aug 28 06:38:39 UTC 2024 - Steve Kowalik
+
+- Add patch add-aki-to-child-certs.patch
+ * Also add Authority Key Identifiers to children certs.
+
+-------------------------------------------------------------------
+Tue Mar 5 02:52:27 UTC 2024 - Steve Kowalik
+
+- Switch to pyproject and autosetup macros.
+
+-------------------------------------------------------------------
+Thu Sep 7 11:03:12 UTC 2023 - Dirk Müller
+
+- update to 1.1.0:
+ * Allow `os.PathLike` in typing of `Blob.write_to_path`
+ * Add support for PyPy 3.10 and Python 3.12
+ * Remove support for Python 3.7
+- drop python 2.x specific conditionals from spec file
+
+-------------------------------------------------------------------
+Sun May 14 16:33:47 UTC 2023 - Dirk Müller
+
+- update to 1.0.0:
+ * Support for ECDSA keys in certificates and use them by default.
+ The type of key used for certificates can be controlled by the
+ key_type parameter on the multiple methods that generate
+ certificates. ECDSA certificates as they can be generated
+ significantly faster.
+ * Support for Python 3.10 and 3.11 (#372, 574)
+
+-------------------------------------------------------------------
+Fri Apr 21 12:38:00 UTC 2023 - Dirk Müller
+
+- add sle15_python_module_pythons (jsc#PED-68)
+
+-------------------------------------------------------------------
+Thu Apr 13 22:45:35 UTC 2023 - Matej Cepl
+
+- Make calling of %{sle15modernpython} optional.
+
+-------------------------------------------------------------------
+Mon Jan 16 21:04:12 UTC 2023 - Matej Cepl
+
+- Clean up SPEC file
+
+-------------------------------------------------------------------
+Sat Jan 14 10:45:50 UTC 2023 - Bernhard Wiedemann
+
+- Add fix2038.patch to allow tests of python-aiosmtplib to pass after 2038
+
+-------------------------------------------------------------------
+Mon Aug 30 14:18:19 UTC 2021 - John Paul Adrian Glaubitz
+
+- Update to 0.9.0
+ * Bump types-cryptography from 3.3.3 to 3.3.5 (#342)
+ * Bump types-pyopenssl from 20.0.4 to 20.0.5 (#343)
+ * Add type annotations (#341)
+ * Bump charset-normalizer from 2.0.3 to 2.0.4 (#340)
+ * Bump sphinx from 4.1.1 to 4.1.2
+ * Bump charset-normalizer from 2.0.2 to 2.0.3
+ * Bump idna from 2.10 to 3.2
+ * Bump sphinx from 4.1.0 to 4.1.1
+ * Bump charset-normalizer from 2.0.1 to 2.0.2
+ * Bump requests from 2.25.1 to 2.26.0 (#333)
+ * Bump sphinx from 4.0.2 to 4.1.0
+ * Bump urllib3 from 1.26.5 to 1.26.6
+ * Bump version to v0.8.0+dev
+- from version 0.8.0
+ * retry codecov more
+ * try codecov harder
+ * require codecov in ci
+ * Update tests/test_trustme.py
+ * close the wrapped sockets to prevent Unraisable ResourceWarnings
+ * Adjust tests
+ * py3.10 needs a new version of pytest
+ * Set correct KU and EKU extensions
+ * test on py 3.10
+ * Bump pytest-cov from 2.12.0 to 2.12.1
+ * Bump certifi from 2020.12.5 to 2021.5.30
+ * Bump urllib3 from 1.26.4 to 1.26.5
+ * Bump sphinxcontrib-htmlhelp from 1.0.3 to 2.0.0
+ * Bump sphinxcontrib-serializinghtml from 1.1.4 to 1.1.5
+ * Bump jinja2 from 2.11.3 to 3.0.1
+ * Bump sphinx from 4.0.1 to 4.0.2
+ * Bump pytest-cov from 2.11.1 to 2.12.0
+ * Bump docutils from 0.16 to 0.17.1
+ * Bump sphinx from 4.0.0 to 4.0.1
+ * Bump service-identity from 18.1.0 to 21.1.0
+ * Bump sphinx from 3.5.4 to 4.0.0
+ * Bump attrs from 21.1.0 to 21.2.0
+ * Bump attrs from 20.3.0 to 21.1.0
+ * Bump six from 1.15.0 to 1.16.0
+ * Bump pygments from 2.8.1 to 2.9.0
+ * Upgrade to GitHub-native Dependabot
+ * Bump babel from 2.9.0 to 2.9.1
+ * Bump sphinx from 3.5.3 to 3.5.4
+ * Bump docutils from 0.16 to 0.17
+ * Bump sphinx from 3.5.2 to 3.5.3
+ * Mention not_after in `issue_cert` signature
+ * Bump urllib3 from 1.26.3 to 1.26.4
+ * Bump pygments from 2.8.0 to 2.8.1
+ * Bump sphinx from 3.5.1 to 3.5.2
+ * Add newsfragment and Python doc for --expires-on
+ * Add an option to set when the certificate should expire (--expires-on)
+ * Bump coverage from 5.4 to 5.5
+ * Bump sphinx from 3.5.0 to 3.5.1
+ * Clarify project vision in README
+ * Bump sphinx from 3.4.3 to 3.5.0
+ * Bump pygments from 2.7.4 to 2.8.0
+ * Bump cffi from 1.14.4 to 1.14.5
+ * Bump version to 0.7.0
+
+-------------------------------------------------------------------
+Sun May 9 17:12:48 UTC 2021 - Dirk Müller
+
+- update to 0.7.0:
+ - trustme can now be used a command line interface with ``python -m
+ trustme``. Get the help with ``python -m trustme --help``.
+
+-------------------------------------------------------------------
+Thu Mar 12 07:55:07 UTC 2020 - Tomáš Chvátal
+
+- Fix build without python2
+
+-------------------------------------------------------------------
+Fri Feb 7 15:33:14 UTC 2020 - Marketa Calabkova
+
+- update to 0.6.0
+ * Allow specifying organization and organization unit in CA and issued certs
+ * Added attr CA.from_pem to import an existing certificate authority;
+ this allows migrating to trustme step-by-step.
+
+-------------------------------------------------------------------
+Tue Jun 4 14:17:59 UTC 2019 - Ondřej Súkup
+
+- update to 0.5.2
+ * support cryptography-2.7
+
+-------------------------------------------------------------------
+Fri Apr 26 07:54:32 UTC 2019 - pgajdos@suse.com
+
+- version update to 0.5.1
+ * Update key size to 2048 bits
+
+-------------------------------------------------------------------
+Mon Mar 18 18:02:03 UTC 2019 - Jan Engelhardt
+
+- Replace nonsense summary. Trim storytelling write style
+ from description.
+
+-------------------------------------------------------------------
+Wed Feb 27 11:30:53 UTC 2019 - Ondřej Súkup
+
+- initial package
diff --git a/python-trustme.spec b/python-trustme.spec
new file mode 100644
index 0000000..d3c1def
--- /dev/null
+++ b/python-trustme.spec
@@ -0,0 +1,73 @@
+#
+# spec file for package python-trustme
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{?sle15_python_module_pythons}
+Name: python-trustme
+Version: 1.1.0
+Release: 0
+Summary: Fake CA provider for Python tests
+License: Apache-2.0 OR MIT
+URL: https://github.com/python-trio/trustme
+Source: https://files.pythonhosted.org/packages/source/t/trustme/trustme-%{version}.tar.gz
+Patch0: fix2038.patch
+# PATCH-FIX-UPSTREAM gh#python-trio/trustme#642
+Patch1: add-aki-to-child-certs.patch
+BuildRequires: %{python_module cryptography}
+BuildRequires: %{python_module idna}
+BuildRequires: %{python_module pip}
+BuildRequires: %{python_module pyOpenSSL}
+BuildRequires: %{python_module pytest}
+BuildRequires: %{python_module service_identity}
+BuildRequires: %{python_module setuptools}
+BuildRequires: %{python_module wheel}
+BuildRequires: fdupes
+BuildRequires: python-rpm-macros
+Requires: python-cryptography >= 41.0.1
+Requires: python-idna
+BuildArch: noarch
+%python_subpackages
+
+%description
+trustme is a Python package that provides a fake certificate
+authority (CA) that can be used to generate "fake" TLS certs to use
+in tests. The CA and certificates are fake in the sense of
+https://martinfowler.com/bliki/TestDouble.html, that is, the trust
+circle of the CA is limited to the test environment.
+
+%prep
+%autosetup -p1 -n trustme-%{version}
+
+%build
+%pyproject_wheel
+
+%install
+%pyproject_install
+%python_expand %fdupes %{buildroot}%{$python_sitelib}
+
+%check
+%pytest
+
+%files %{python_files}
+%license LICENSE
+%license LICENSE.MIT
+%license LICENSE.APACHE2
+%doc README.rst
+%{python_sitelib}/trustme
+%{python_sitelib}/trustme-%{version}.dist-info
+
+%changelog
diff --git a/trustme-1.1.0.tar.gz b/trustme-1.1.0.tar.gz
new file mode 100644
index 0000000..48b1b9d
--- /dev/null
+++ b/trustme-1.1.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5375ad7fb427074bec956592e0d4ee2a4cf4da68934e1ba4bcf4217126bc45e6
+size 29611
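Review bot: In python-trustme.spec, `Patch0: fix2038.patch` has no provenance comment, while `Patch1` is tagged `# PATCH-FIX-UPSTREAM gh#python-trio/trustme#642`, so the spec does not say whether the 2038 change is distribution-only or was sent upstream. A line such as `# PATCH-FIX-OPENSUSE fix2038.patch -- move DEFAULT_EXPIRY past 2038 so dependent test suites keep passing` above `Patch0` would record that for anyone auditing what the package changes in the upstream source. Separately, `Requires: python-cryptography >= 41.0.1` has no matching floor on `BuildRequires: %{python_module cryptography}`, so `%check` may run against an older cryptography than the package demands at run time; `BuildRequires: %{python_module cryptography >= 41.0.1}` would align the two.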