From 5970a4c06d8e9ed7e2267e625430ee3fd00c9b42bb8bbecca554cffb285256d2 Mon Sep 17 00:00:00 2001 From: Daniel Garcia Date: Wed, 25 Jan 2023 12:27:47 +0000 Subject: [PATCH] - Add remove-sha1.patch to make it compatible with latests versions of cryptography gh#ronf/asyncssh@fae5a9e8baad OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-asyncssh?expand=0&rev=43 --- gss_test.patch | 8 ++-- python-asyncssh.changes | 6 +++ python-asyncssh.spec | 6 ++- remove-sha1.patch | 91 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 106 insertions(+), 5 deletions(-) create mode 100644 remove-sha1.patch diff --git a/gss_test.patch b/gss_test.patch index 821ded2..4727fd2 100644 --- a/gss_test.patch +++ b/gss_test.patch @@ -2,9 +2,11 @@ tests/test_connection.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) ---- a/tests/test_connection.py -+++ b/tests/test_connection.py -@@ -1470,7 +1470,7 @@ class _TestConnectionAsyncAcceptor(Serve +Index: asyncssh-2.13.0/tests/test_connection.py +=================================================================== +--- asyncssh-2.13.0.orig/tests/test_connection.py ++++ asyncssh-2.13.0/tests/test_connection.py +@@ -1546,7 +1546,7 @@ class _TestConnectionAsyncAcceptor(Serve conn.logger.info('Acceptor called') diff --git a/python-asyncssh.changes b/python-asyncssh.changes index e30165a..18b8e34 100644 --- a/python-asyncssh.changes +++ b/python-asyncssh.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Jan 25 12:18:38 UTC 2023 - Daniel Garcia + +- Add remove-sha1.patch to make it compatible with latests versions of + cryptography gh#ronf/asyncssh@fae5a9e8baad + ------------------------------------------------------------------- Thu Jan 5 21:06:40 UTC 2023 - Dirk Müller diff --git a/python-asyncssh.spec b/python-asyncssh.spec index 2c5e3f1..e606b5b 100644 --- a/python-asyncssh.spec +++ b/python-asyncssh.spec 
@@ -16,7 +16,6 @@ # -%{?!python_module:%define python_module() python-%{**} python3-%{**}} %define skip_python2 1 %define skip_python36 1 Name: python-asyncssh @@ -28,6 +27,8 @@ Group: Development/Languages/Python URL: https://github.com/ronf/asyncssh Source: https://files.pythonhosted.org/packages/source/a/asyncssh/asyncssh-%{version}.tar.gz Patch0: gss_test.patch +# PATCH-FIX-UPSTREAM remove-sha1.patch gh#ronf/asyncssh@fae5a9e8baad +Patch1: remove-sha1.patch # SECTION test requirements BuildRequires: %{python_module bcrypt >= 3.1.3} BuildRequires: %{python_module cryptography >= 2.8} @@ -75,6 +76,7 @@ server implementation of the SSHv2 protocol on top of the Python asyncio framewo %files %{python_files} %license LICENSE COPYRIGHT %doc README.rst -%{python_sitelib}/* +%{python_sitelib}/asyncssh +%{python_sitelib}/asyncssh-%{version}*-info %changelog diff --git a/remove-sha1.patch b/remove-sha1.patch new file mode 100644 index 0000000..311f218 --- /dev/null +++ b/remove-sha1.patch 
@@ -0,0 +1,91 @@
+From fae5a9e8baad8bd505b43e14fc13b9010789865c Mon Sep 17 00:00:00 2001
+From: Ron Frederick
+Date: Sat, 7 Jan 2023 21:02:01 -0800
+Subject: [PATCH] Handle elimination of SHA-1 for digital signatures in
+ cryptograhy 39.0.0
+
+This commit changes the default X.509 signature algorithm for DSA and
+some unit test code to avoid attempting to use SHA-1 for X.509 certificate
+signing, as this is no longer allowed in cryptography 39.0.0.
+---
+ asyncssh/dsa.py | 2 +-
+ asyncssh/ecdsa.py | 2 +-
+ asyncssh/public_key.py | 4 ++--
+ asyncssh/rsa.py | 2 +-
+ tests/test_public_key.py | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/asyncssh/dsa.py b/asyncssh/dsa.py
+index d3f95196..1972e1d0 100644
+--- a/asyncssh/dsa.py
++++ b/asyncssh/dsa.py
+@@ -41,7 +41,7 @@ class _DSAKey(SSHKey):
+ _key: Union[DSAPrivateKey, DSAPublicKey]
+
+ algorithm = b'ssh-dss'
+- default_hash_name = 'sha1'
++ default_x509_hash = 'sha256'
+ pem_name = b'DSA'
+ pkcs8_oid = ObjectIdentifier('1.2.840.10040.4.1')
+ sig_algorithms = (algorithm,)
+diff --git a/asyncssh/ecdsa.py b/asyncssh/ecdsa.py
+index 25bad399..57d8d821 100644
+--- a/asyncssh/ecdsa.py
++++ b/asyncssh/ecdsa.py
+@@ -54,7 +54,7 @@ class _ECKey(SSHKey):
+
+ _key: Union[ECDSAPrivateKey, ECDSAPublicKey]
+
+- default_hash_name = 'sha256'
++ default_x509_hash = 'sha256'
+ pem_name = b'EC'
+ pkcs8_oid = ObjectIdentifier('1.2.840.10045.2.1')
+
+diff --git a/asyncssh/public_key.py b/asyncssh/public_key.py
+index 75672ed4..a744b3d7 100644
+--- a/asyncssh/public_key.py
++++ b/asyncssh/public_key.py
+@@ -240,7 +240,7 @@ class SSHKey:
+ sig_algorithms: Sequence[bytes] = ()
+ x509_algorithms: Sequence[bytes] = ()
+ all_sig_algorithms: Set[bytes] = set()
+- default_hash_name: str = ''
++ default_x509_hash: str = ''
+ pem_name: bytes = b''
+ pkcs8_oid: Optional[ObjectIdentifier] = None
+ use_executor: bool = False
+@@ -385,7 +385,7 @@ def _generate_x509_certificate(self, key: 'SSHKey', subject: str,
+ 'valid after time')
+
+ if hash_name == ():
+- hash_name = key.default_hash_name
++ hash_name = key.default_x509_hash
+
+ if comment == ():
+ comment = key.get_comment_bytes()
+diff --git a/asyncssh/rsa.py b/asyncssh/rsa.py
+index 09edc59d..ccfbaa2d 100644
+--- a/asyncssh/rsa.py
++++ b/asyncssh/rsa.py
+@@ -52,7 +52,7 @@ class RSAKey(SSHKey):
+ _key: Union[RSAPrivateKey, RSAPublicKey]
+
+ algorithm = b'ssh-rsa'
+- default_hash_name = 'sha256'
++ default_x509_hash = 'sha256'
+ pem_name = b'RSA'
+ pkcs8_oid = ObjectIdentifier('1.2.840.113549.1.1.1')
+ sig_algorithms = (b'rsa-sha2-256', b'rsa-sha2-512',
+diff --git a/tests/test_public_key.py b/tests/test_public_key.py
+index ad288203..091531a4 100644
+--- a/tests/test_public_key.py
++++ b/tests/test_public_key.py
+@@ -2358,7 +2358,7 @@ def test_x509_certificate_hashes(self):
+ privkey = get_test_key('ssh-rsa')
+ pubkey = privkey.convert_to_public()
+
+- for hash_alg in ('sha1', 'sha256', 'sha512'):
++ for hash_alg in ('sha256', 'sha512'):
+ cert = privkey.generate_x509_user_certificate(
+ pubkey, 'OU=user', hash_alg=hash_alg)
+
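Review bot: An explicitly requested SHA-1 is still passed through unchanged in the `_generate_x509_certificate` hunk of asyncssh/public_key.py, because only the default taken when `hash_name == ()` moved to `key.default_x509_hash`. A caller passing `hash_alg='sha1'` will therefore presumably fail inside cryptography 39.0.0 (which, per the commit message, no longer allows it) instead of getting a clear asyncssh-level error; the function body continues outside the hunk, so any existing validation there is not visible. The tests/test_public_key.py hunk drops `'sha1'` from the loop without adding a negative case, so that failure path is untested. I would add a short test asserting that `hash_alg='sha1'` is rejected, and a comment above the DSA default such as `# SHA-1 is no longer accepted for X.509 signing by cryptography >= 39.0.0`, so the reason for departing from the SHA-1 based `ssh-dss` algorithm is recorded next to the value.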