diff --git a/openssl-1.1.0i.patch b/openssl-1.1.0i.patch
new file mode 100644
index 0000000..4127551
--- /dev/null
+++ b/openssl-1.1.0i.patch
@@ -0,0 +1,61 @@
+From 0e6c553bc57587dc644430b7336e6bf4d90180a6 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer
+Date: Thu, 23 Aug 2018 10:52:15 -0500
+Subject: [PATCH] X509Store.add_cert no longer raises an error on duplicate
+ cert (#787)
+
+* X509Store.add_cert no longer raises an error on duplicate cert
+
+---
+ src/OpenSSL/crypto.py | 11 ++++++++++-
+ tests/test_crypto.py | 9 ++++-----
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+ Deprecations:
+diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
+index d40f23c2..ea7b354b 100644
+--- a/src/OpenSSL/crypto.py
++++ b/src/OpenSSL/crypto.py
+@@ -1607,7 +1607,16 @@ def add_cert(self, cert):
+ if not isinstance(cert, X509):
+ raise TypeError()
+
+- _openssl_assert(_lib.X509_STORE_add_cert(self._store, cert._x509) != 0)
++ # As of OpenSSL 1.1.0i adding the same cert to the store more than
++ # once doesn't cause an error. Accordingly, this code now silences
++ # the error for OpenSSL < 1.1.0i as well.
++ if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0:
++ code = _lib.ERR_peek_error()
++ err_reason = _lib.ERR_GET_REASON(code)
++ _openssl_assert(
++ err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE
++ )
++ _lib.ERR_clear_error()
+
+ def add_crl(self, crl):
+ """
+diff --git a/tests/test_crypto.py b/tests/test_crypto.py
+index d1c261b8..eb4590d0 100644
+--- a/tests/test_crypto.py
++++ b/tests/test_crypto.py
+@@ -2016,16 +2016,15 @@ def test_add_cert_wrong_args(self, cert):
+ with pytest.raises(TypeError):
+ store.add_cert(cert)
+
+- def test_add_cert_rejects_duplicate(self):
++ def test_add_cert_accepts_duplicate(self):
+ """
+- `X509Store.add_cert` raises `OpenSSL.crypto.Error` if an attempt is
+- made to add the same certificate to the store more than once.
++ `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt
++ is made to add the same certificate to the store more than once.
+ """
+ cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
+ store = X509Store()
+ store.add_cert(cert)
+- with pytest.raises(Error):
+- store.add_cert(cert)
++ store.add_cert(cert)
+
+
+ class TestPKCS12(object):
diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes
index 4dd053f..9b22064 100644
--- a/python-pyOpenSSL.changes
+++ b/python-pyOpenSSL.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Aug 24 09:08:36 UTC 2018 - tchvatal@suse.com
+
+- Add patch to work with openssl 1.1.0i+:
+ * openssl-1.1.0i.patch
+
 -------------------------------------------------------------------
 Thu Aug 16 15:48:21 UTC 2018 - tchvatal@suse.com
diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec
index 6c82dc1..2cc52f6 100644
--- a/python-pyOpenSSL.spec
+++ b/python-pyOpenSSL.spec
@@ -27,7 +27,8 @@ Group: Development/Languages/Python
 URL: https://github.com/pyca/pyopenssl
 Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz
 Patch1: skip-networked-test.patch
-BuildRequires: %{python_module cryptography >= 2.2.1}
+Patch2: openssl-1.1.0i.patch
+BuildRequires: %{python_module cryptography >= 2.3.0}
 BuildRequires: %{python_module flaky}
 BuildRequires: %{python_module pretend}
 BuildRequires: %{python_module pytest >= 3.0.1}
@@ -35,7 +36,7 @@ BuildRequires: %{python_module setuptools}
 BuildRequires: fdupes
 BuildRequires: python-rpm-macros
 BuildRequires: python3-Sphinx
-Requires: python-cryptography >= 2.2.1
+Requires: python-cryptography >= 2.3.0
 Requires: python-six >= 1.5.2
 Provides: pyOpenSSL = %{version}
 BuildArch: noarch
@@ -63,7 +64,7 @@ Provides documentation for %{name}.
 %prep
 %setup -q -n pyOpenSSL-%{version}
-%patch1 -p1
+%autopatch -p1
 %build
 %python_build
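Review bot: In the `add_cert` hunk of the added openssl-1.1.0i.patch, the duplicate check identifies the failure only by `ERR_GET_REASON(code)` taken from `ERR_peek_error()`. OpenSSL reason codes are scoped per library and `ERR_peek_error()` returns the oldest queued entry, so a stale or unrelated error could be taken for the duplicate and then discarded by `ERR_clear_error()`, leaving a failed trust-store insert unreported. Consider also requiring the X509 library, e.g. `_openssl_assert(_lib.ERR_GET_LIB(code) == _lib.ERR_LIB_X509 and err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE)`, assuming the bindings expose `ERR_GET_LIB` and `ERR_LIB_X509`. `add_cert` starts above the hunk, so its docstring is not visible here; it should state that adding a certificate already in the store is now silently accepted.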
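Review bot: In the `@@ -27,7 +27,8 @@` hunk of python-pyOpenSSL.spec, `Patch2:` and the new cryptography floor are added without a comment recording where the patch comes from or why the dependency moved. A line such as `# PATCH-FIX-UPSTREAM openssl-1.1.0i.patch -- pyca/pyopenssl #787, add_cert tolerates duplicate certs` above `Patch2:` would tie it to the upstream commit named in the patch header (0e6c553bc57587dc644430b7336e6bf4d90180a6). The bump to `cryptography >= 2.3.0` is presumably needed for the binding the patch relies on; if so, say that next to the `BuildRequires:` line, since the same floor is repeated in the `Requires:` line of the following hunk and the two must stay in step.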