python/python-PyKMIP
SHA256
14
0
Fork 0
forked from pool/python-PyKMIP
Code Pull Requests Activity

- Clean up Python 2 leftovers.

Browse Source 
- Add patch crypto-42.patch:
  * Use cryptography.hazmat.primitives.serialization to load private keys.
- Add patch no-ssl-wrap-socket.patch:
  * Do not use removed in Python 3.12 function, ssl.wrap_socket.
- Switch to pyproject macros.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-PyKMIP?expand=0&rev=20
This commit is contained in:
Steve Kowalik
2024-03-28 03:59:22 +00:00
committed by Git OBS Bridge
parent 12487dd91d
commit b611d7c262
4 changed files with 172 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
crypto-42.patch Normal file
View File

@@ -0,0 +1,47 @@
Index: PyKMIP-0.10.0/kmip/services/server/crypto/engine.py
===================================================================
--- PyKMIP-0.10.0.orig/kmip/services/server/crypto/engine.py
+++ PyKMIP-0.10.0/kmip/services/server/crypto/engine.py
@@ -588,10 +588,10 @@ class CryptographyEngine(api.Cryptograph
backend = default_backend()
try:
- public_key = backend.load_der_public_key(encryption_key)
+ public_key = serialization.load_der_public_key(encryption_key)
except Exception:
try:
- public_key = backend.load_pem_public_key(encryption_key)
+ public_key = serialization.load_pem_public_key(encryption_key)
except Exception:
raise exceptions.CryptographicFailure(
"The public key bytes could not be loaded."
@@ -935,14 +935,14 @@ class CryptographyEngine(api.Cryptograph
params["unsafe_skip_rsa_key_validation"] = False
try:
- private_key = backend.load_der_private_key(
+ private_key = serialization.load_der_private_key(
decryption_key,
None,
**params,
)
except Exception:
try:
- private_key = backend.load_pem_private_key(
+ private_key = serialization.load_pem_private_key(
decryption_key,
None,
**params,
@@ -1500,10 +1500,10 @@ class CryptographyEngine(api.Cryptograph
)
try:
- public_key = backend.load_der_public_key(signing_key)
+ public_key = serialization.load_der_public_key(signing_key)
except Exception:
try:
- public_key = backend.load_pem_public_key(signing_key)
+ public_key = serialization.load_pem_public_key(signing_key)
except Exception:
raise exceptions.CryptographicFailure(
"The signing key bytes could not be loaded."

101
no-ssl-wrap-socket.patch Normal file
View File

@@ -0,0 +1,101 @@
From 433ab3ef43241155ee64196574daae2f41feac4e Mon Sep 17 00:00:00 2001
From: Steven Silvester <steven.silvester@ieee.org>
Date: Wed, 4 Oct 2023 09:59:43 -0500
Subject: [PATCH 01/11] Add python 3.12 support
---
.github/workflows/tox.yml | 3 ++-
kmip/services/kmip_client.py | 19 +++++++-------
kmip/services/server/server.py | 25 ++++++++++---------
.../tests/unit/services/server/test_server.py | 4 +--
4 files changed, 27 insertions(+), 24 deletions(-)
Index: PyKMIP-0.10.0/kmip/services/kmip_client.py
===================================================================
--- PyKMIP-0.10.0.orig/kmip/services/kmip_client.py
+++ PyKMIP-0.10.0/kmip/services/kmip_client.py
@@ -285,13 +285,15 @@ class KMIPProxy(object):
six.reraise(*last_error)
def _create_socket(self, sock):
- self.socket = ssl.wrap_socket(
+ context = ssl.SSLContext(protocol=self.ssl_version)
+ context.load_verify_locations(capath=self.ca_certs)
+ context.check_hostname = False
+ context.verify_mode = self.cert_reqs
+ if self.certfile:
+ context.load_cert_chain(self.certfile, self.keyfile)
+ self.socket = context.wrap_socket(
sock,
- keyfile=self.keyfile,
- certfile=self.certfile,
- cert_reqs=self.cert_reqs,
- ssl_version=self.ssl_version,
- ca_certs=self.ca_certs,
+ server_side=False,
do_handshake_on_connect=self.do_handshake_on_connect,
suppress_ragged_eofs=self.suppress_ragged_eofs)
self.socket.settimeout(self.timeout)
Index: PyKMIP-0.10.0/kmip/services/server/server.py
===================================================================
--- PyKMIP-0.10.0.orig/kmip/services/server/server.py
+++ PyKMIP-0.10.0/kmip/services/server/server.py
@@ -287,17 +287,22 @@ class KmipServer(object):
for cipher in auth_suite_ciphers:
self._logger.debug(cipher)
- self._socket = ssl.wrap_socket(
+ capath = self.config.settings.get('ca_path')
+ context = ssl.SSLContext(protocol=self.auth_suite.protocol)
+ if capath is not None:
+ context.load_verify_locations(capath=capath)
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.set_ciphers(self.auth_suite.ciphers)
+ certfile = self.config.settings.get('certificate_path')
+ if certfile:
+ keyfile = self.config.settings.get('key_path')
+ context.load_cert_chain(certfile, keyfile=keyfile)
+
+ self._socket = context.wrap_socket(
self._socket,
- keyfile=self.config.settings.get('key_path'),
- certfile=self.config.settings.get('certificate_path'),
server_side=True,
- cert_reqs=ssl.CERT_REQUIRED,
- ssl_version=self.auth_suite.protocol,
- ca_certs=self.config.settings.get('ca_path'),
do_handshake_on_connect=False,
- suppress_ragged_eofs=True,
- ciphers=self.auth_suite.ciphers
+ suppress_ragged_eofs=True
)
try:
Index: PyKMIP-0.10.0/kmip/tests/unit/services/server/test_server.py
===================================================================
--- PyKMIP-0.10.0.orig/kmip/tests/unit/services/server/test_server.py
+++ PyKMIP-0.10.0/kmip/tests/unit/services/server/test_server.py
@@ -210,9 +210,9 @@ class TestKmipServer(testtools.TestCase)
# Test that in ideal cases no errors are generated and the right
# log messages are.
with mock.patch('socket.socket') as socket_mock:
- with mock.patch('ssl.wrap_socket') as ssl_mock:
+ with mock.patch('ssl.SSLContext') as ssl_mock:
socket_mock.return_value = a_mock
- ssl_mock.return_value = b_mock
+ ssl_mock.return_value.wrap_socket.return_value = b_mock
manager_mock.assert_not_called()
monitor_mock.assert_not_called()
@@ -271,9 +271,9 @@ class TestKmipServer(testtools.TestCase)
# Test that a NetworkingError is generated if the socket bind fails.
with mock.patch('socket.socket') as socket_mock:
- with mock.patch('ssl.wrap_socket') as ssl_mock:
+ with mock.patch('ssl.SSLContext') as ssl_mock:
socket_mock.return_value = a_mock
- ssl_mock.return_value = b_mock
+ ssl_mock.return_value.wrap_socket.return_value = b_mock
test_exception = Exception()
b_mock.bind.side_effect = test_exception

10
python-PyKMIP.changes
View File

@@ -1,3 +1,13 @@
-------------------------------------------------------------------
Thu Mar 28 03:58:37 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com>
- Clean up Python 2 leftovers.
- Add patch crypto-42.patch:
* Use cryptography.hazmat.primitives.serialization to load private keys.
- Add patch no-ssl-wrap-socket.patch:
* Do not use removed in Python 3.12 function, ssl.wrap_socket.
- Switch to pyproject macros.
-------------------------------------------------------------------
Fri Sep 8 06:13:02 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>

28
python-PyKMIP.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package python-PyKMIP
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,13 +16,11 @@
#
%bcond_without python2
Name: python-PyKMIP
Version: 0.10.0
Release: 0
Summary: KMIP v11 library
License: Apache-2.0
Group: Development/Languages/Python
URL: https://github.com/OpenKMIP/PyKMIP
Source: https://files.pythonhosted.org/packages/source/P/PyKMIP/PyKMIP-%{version}.tar.gz
# PATCH-FIX-UPSTREAM fix-tests-SQLAlchemy-140.patch gh#OpenKMIP/PyKMIP#656 mcepl@suse.com
@@ -30,18 +28,24 @@ Source: https://files.pythonhosted.org/packages/source/P/PyKMIP/PyKMIP-%
Patch0: fix-tests-SQLAlchemy-140.patch
# https://github.com/OpenKMIP/PyKMIP/issues/668
Patch1: python-PyKMIP-no-mock.patch
# PATCH-FIX-OPENSUSE crypto-39.patch gh#OpenKMIP/PyKMIP#689
# PATCH-FIX-UPSTREAM crypto-39.patch gh#OpenKMIP/PyKMIP#689
Patch2: crypto-39.patch
# PATCH-FIX-UPSTREAM fix_test_mac_with_cryptographic_failure.patch gh#OpenKMIP/PyKMIP#702
Patch3: fix_test_mac_with_cryptographic_failure.patch
# PATCH-FIX-OPENSUSE Use cryptography.hazmat.primitives.serialization for loading private keys.
Patch4: crypto-42.patch
# PATCH-FIX-UPSTREAM Based on gh#OpenKMIP/PyKMIP#707, including some changes suggested
Patch5: no-ssl-wrap-socket.patch
BuildRequires: %{python_module SQLAlchemy}
BuildRequires: %{python_module cryptography}
BuildRequires: %{python_module devel}
BuildRequires: %{python_module pip}
BuildRequires: %{python_module pytest}
BuildRequires: %{python_module requests}
BuildRequires: %{python_module setuptools}
BuildRequires: %{python_module six}
BuildRequires: %{python_module testtools}
BuildRequires: %{python_module wheel}
BuildRequires: fdupes
BuildRequires: python-rpm-macros
Requires: python-SQLAlchemy
@@ -49,14 +53,8 @@ Requires: python-cryptography
Requires: python-requests
Requires: python-six
Requires(post): update-alternatives
Requires(postun):update-alternatives
Requires(postun): update-alternatives
BuildArch: noarch
%if %{with python2}
BuildRequires: python-enum34
%endif
%ifpython2
Requires: python-enum34
%endif
%python_subpackages
%description
@@ -69,12 +67,14 @@ Standards`_ (OASIS). PyKMIP supports a subset of features in versions
%prep
%autosetup -p1 -n PyKMIP-%{version}
# Not needed, we use Python 3.4+ only
sed -i '/"enum-compat",/d' setup.py
%build
%python_build
%pyproject_wheel
%install
%python_install
%pyproject_install
%python_clone -a %{buildroot}%{_bindir}/pykmip-server
%python_expand %fdupes %{buildroot}%{$python_sitelib}
@@ -91,7 +91,7 @@ Standards`_ (OASIS). PyKMIP supports a subset of features in versions
%license LICENSE.txt
%doc README.rst
%{python_sitelib}/kmip
%{python_sitelib}/PyKMIP-%{version}*-info
%{python_sitelib}/PyKMIP-%{version}.dist-info
%python_alternative %{_bindir}/pykmip-server
%changelog