From f7b5d3406bb0cb086a01b26cfe87119f9c1ee93b1114c586c61f3b6eb13d636c Mon Sep 17 00:00:00 2001 
From: Dirk Mueller
Date: Sat, 12 Jul 2025 08:36:35 +0000
Subject: [PATCH] - update to 45.0.5:
  * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.1.
  * Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not considered secure, and is supported only for backwards compatibility.)
  * Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys encrypted by Bouncy Castle).
  * Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly insecure, this remains prevalent.
  * Fixed using mypy with cryptography on older versions of Python.
  * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.0.
  * Support for Python 3.7 is deprecated and will be removed in the next cryptography release.
  * Updated the minimum supported Rust version (MSRV) to 1.74.0, from 1.65.0.
  * Added support for serialization of PKCS#12 Java truststores in :func:`~cryptography.hazmat.primitives.serialization.pkcs12.serialize_java_truststore`
  * Added :meth:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id.derive_phc_encoded` and :meth:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id.verify_phc_encoded` methods to support password hashing in the PHC string format
  * Added support for PKCS7 decryption and encryption using AES-256 as the content algorithm, in addition to AES-128.
  * BACKWARDS INCOMPATIBLE: Made SSH private key loading more consistent with other private key loading: :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key` now

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=249
---
 cryptography-44.0.3.tar.gz | 3 -
 cryptography-45.0.5.tar.gz | 3 +
 python-cryptography.changes | 120 ++++++++++++++++++++++++++++++++++++
 python-cryptography.spec | 2 +-
 vendor.tar.zst | 4 +-
 5 files changed, 126 insertions(+), 6 deletions(-)
 delete mode 100644 cryptography-44.0.3.tar.gz
 create mode 100644 cryptography-45.0.5.tar.gz
diff --git a/cryptography-44.0.3.tar.gz b/cryptography-44.0.3.tar.gz deleted file mode 100644 index c93d33d..0000000 --- a/cryptography-44.0.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:fe19d8bc5536a91a24a8133328880a41831b6c5df54599a8417b62fe015d3053 -size 711096 diff --git a/cryptography-45.0.5.tar.gz b/cryptography-45.0.5.tar.gz new file mode 100644 index 0000000..9404ff5 --- /dev/null +++ b/cryptography-45.0.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:72e76caa004ab63accdf26023fccd1d087f6d90ec6048ff33ad0445abf7f605a +size 744903 diff --git a/python-cryptography.changes b/python-cryptography.changes index f448615..b319346 100644 --- a/python-cryptography.changes +++ b/python-cryptography.changes 
@@ -1,3 +1,123 @@ +------------------------------------------------------------------- +Sat Jul 12 08:36:08 UTC 2025 - Dirk Müller + +- update to 45.0.5: + * Updated Windows, macOS, and Linux wheels to be compiled with + OpenSSL 3.5.1. + * Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This + is not considered secure, and is supported only for backwards + compatibility.) + * Fixed decrypting PKCS#8 files encrypted with long salts (this + impacts keys encrypted by Bouncy Castle). + * Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. + While wildly insecure, this remains prevalent. + * Fixed using mypy with cryptography on older versions of + Python. + * Updated Windows, macOS, and Linux wheels to be compiled with + OpenSSL 3.5.0. + * Support for Python 3.7 is deprecated and will be removed in + the next cryptography release. + * Updated the minimum supported Rust version (MSRV) to 1.74.0, + from 1.65.0. + * Added support for serialization of PKCS#12 Java truststores + in :func:`~cryptography.hazmat.primitives.serialization.pkcs1 + 2.serialize_java_truststore` + * Added :meth:`~cryptography.hazmat.primitives.kdf.argon2.Argon + 2id.derive_phc_encoded` and :meth:`~cryptography.hazmat.primi + tives.kdf.argon2.Argon2id.verify_phc_encoded` methods to + support password hashing in the PHC string format + * Added support for PKCS7 decryption and encryption using + AES-256 as the content algorithm, in addition to AES-128. + * BACKWARDS INCOMPATIBLE: Made SSH private key loading more + consistent with other private key loading: :func:`~cryptograp + hy.hazmat.primitives.serialization.load_ssh_private_key` now + raises a TypeError if the key is unencrypted but a password + is provided (previously no exception was raised), and raises + a TypeError if the key is encrypted but no password is + provided (previously a ValueError was raised). 
+ * Added __copy__ to the :class:`~cryptography.hazmat.primitives + .asymmetric.ec.EllipticCurvePrivateKey`, :class:`~cryptograph + y.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`, :c + lass:`~cryptography.hazmat.primitives.asymmetric.ed25519.Ed25 + 519PublicKey`, :class:`~cryptography.hazmat.primitives.asymme + tric.ed25519.Ed25519PrivateKey`, :class:`~cryptography.hazmat + .primitives.asymmetric.ed448.Ed448PublicKey`, :class:`~crypto + graphy.hazmat.primitives.asymmetric.ed448.Ed448PrivateKey`, : + class:`~cryptography.hazmat.primitives.asymmetric.x25519.X255 + 19PublicKey`, :class:`~cryptography.hazmat.primitives.asymmet + ric.x25519.X25519PrivateKey`, :class:`~cryptography.hazmat.pr + imitives.asymmetric.x448.X448PublicKey`, :class:`~cryptograph + y.hazmat.primitives.asymmetric.x448.X448PrivateKey`, :class:` + ~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey` + , :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAP + ublicKey`, :class:`~cryptography.hazmat.primitives.asymmetric + .dsa.DSAPrivateKey`, :class:`~cryptography.hazmat.primitives. + asymmetric.dsa.DSAPublicKey`, :class:`~cryptography.hazmat.pr + imitives.asymmetric.dh.DHPrivateKey`, and :class:`~cryptograp + hy.hazmat.primitives.asymmetric.dh.DHPublicKey` abstract base + classes. + * We significantly refactored how private key loading ( :func:` + ~cryptography.hazmat.primitives.serialization.load_pem_privat + e_key` and :func:`~cryptography.hazmat.primitives.serializati + on.load_der_private_key`) works. This is intended to be + backwards compatible for all well-formed keys, therefore if + you discover a key that now raises an exception, please file + a bug with instructions for reproducing. + * Added unsafe_skip_rsa_key_validation keyword-argument to :fun + c:`~cryptography.hazmat.primitives.serialization.load_ssh_pri + vate_key`. 
+ * Added :class:`~cryptography.hazmat.primitives.hashes.XOFHash` + to support repeated :meth:`~cryptography.hazmat.primitives.ha + shes.XOFHash.squeeze` operations on extendable output + functions. + * Added :meth:`~cryptography.x509.ocsp.OCSPResponseBuilder.add_ + response_by_hash` method to allow creating OCSP responses + using certificate hash values rather than full certificates. + * Extended the :mod:`X.509 path validation + ` API to support user- + configured extension policies via the + :meth:`PolicyBuilder.extension_policies ` method. + * Deprecated the subject, verification_time and max_chain_depth + properties on + :class:`~cryptography.x509.verification.ClientVerifier` and + :class:`~cryptography.x509.verification.ServerVerifier` in + favor of a new policy property. These properties will be + removed in the next release of cryptography. + * BACKWARDS INCOMPATIBLE: The :meth:`VerifiedClient.subject + ` + property can now be None since a custom extension policy may + allow certificates without a Subject Alternative Name + extension. + * Changed the behavior when the OpenSSL 3 legacy provider fails + to load. Instead of raising an exception, a warning is now + emitted. The CRYPTOGRAPHY_OPENSSL_NO_LEGACY environment + variable can still be used to disable the legacy provider at + runtime. + * Added support for the CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY + environment variable during build time, which prevents the + library from ever attempting to load the legacy provider. + * Added support for the + :class:`~cryptography.x509.PrivateKeyUsagePeriod` X.509 + extension. This extension defines the period during which the + private key corresponding to the certificate's public key may + be used. + * Added support for compiling against `aws-lc`_. + * Parsing X.509 structures now more strictly enforces that Name + structures do not have malformed ASN.1. 
+ * We now publish py311 wheels that utilize the faster + pyo3::buffer::PyBuffer interface, resulting in significantly + improved performance for operations involving small buffers. + * Added :func:`~cryptography.hazmat.primitives.serialization.ss + h_key_fingerprint` for computing fingerprints of SSH public + keys. + * Added support for deterministic ECDSA signing via the new + keyword-only argument ecdsa_deterministic in + :meth:`~cryptography.x509.CertificateBuilder.sign`, :meth:`~c + ryptography.x509.CertificateRevocationListBuilder.sign` and : + meth:`~cryptography.x509.CertificateSigningRequestBuilder.sig + n`. + ------------------------------------------------------------------- Wed May 7 15:45:10 UTC 2025 - Nico Krapp diff --git a/python-cryptography.spec b/python-cryptography.spec index 9dae1ed..e5af8c0 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -28,7 +28,7 @@ %{?sle15_python_module_pythons} Name: python-cryptography%{psuffix} # ALWAYS KEEP IN SYNC WITH python-cryptography-vectors! -Version: 44.0.3 +Version: 45.0.5 Release: 0 Summary: Python library which exposes cryptographic recipes and primitives License: Apache-2.0 OR BSD-3-Clause diff --git a/vendor.tar.zst b/vendor.tar.zst index 8cf031a..c2d8b05 100644 --- a/vendor.tar.zst +++ b/vendor.tar.zst @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:b18834abb68d0dc0335f0264734f440739dbdcd49504549444546ce0e6c477fa -size 2607240 +oid sha256:cb3f6d6b8893372db6b9f1a6cecfe6094581ba75ddbd48011fdae58726bab5eb +size 2638187
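Review bot: In the python-cryptography.changes hunk, the two BACKWARDS INCOMPATIBLE items (load_ssh_private_key now raising TypeError in both password-mismatch cases, and VerifiedClient.subject possibly being None) sit in the middle of a 120-line entry, where maintainers of dependent packages are likely to miss them; move them to the top of the entry. The entry also lists both "compiled with OpenSSL 3.5.1" and "compiled with OpenSSL 3.5.0" under the single heading "update to 45.0.5" with nothing to say which upstream release each bullet belongs to, so per-version sub-headings would help. The Sphinx roles are hard-wrapped in the middle of identifiers (for example "pkcs1" on one line and "2.serialize_java_truststore" on the next), which defeats searching the changelog for an API name; wrap at whitespace or drop the role markup.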
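Review bot: In the python-cryptography.spec hunk, the context line directly above the changed Version reads "ALWAYS KEEP IN SYNC WITH python-cryptography-vectors!", yet the diffstat shows only this package's files being touched. Confirm that python-cryptography-vectors moves to 45.0.5 in the same submission. The new changelog entry also says the MSRV rises to 1.74.0 from 1.65.0 and that Python 3.7 support is deprecated, while this hunk changes nothing but the Version line, so check whether any Rust or Python version constraints elsewhere in the spec need raising.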
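Review bot: In the vendor.tar.zst hunk, only the Git LFS pointer changes (a new oid sha256 and a size going from 2607240 to 2638187), and neither the commit message nor the python-cryptography.changes entry records that the vendored crates were regenerated or how. Add a changelog line stating how vendor.tar.zst was produced so the archive can be reproduced and compared, and check the sha256 of cryptography-45.0.5.tar.gz against the upstream release before accepting, since the pointer diff gives a reviewer nothing else to verify.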