From c2c3f7ee33c3b4e235d51a3bfa23b8da2b326436 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 14 Mar 2023 09:12:04 +0100
Subject: [PATCH] Disable SHA-1 signatures on RHEL/ELN

---
 0001-disable-sha1-signature.patch | 13 +++++++++++++
 python-cryptography.spec          | 19 +++++++++++++------
 2 files changed, 26 insertions(+), 6 deletions(-)
 create mode 100644 0001-disable-sha1-signature.patch

diff --git a/0001-disable-sha1-signature.patch b/0001-disable-sha1-signature.patch
new file mode 100644
index 0000000..1f9acc1
--- /dev/null
+++ b/0001-disable-sha1-signature.patch
@@ -0,0 +1,13 @@
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 48f4265b0..31b1f3b20 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -333,7 +333,7 @@ class Backend:
+     ) -> bool:
+         # Dedicated check for hashing algorithm use in message digest for
+         # signatures, e.g. RSA PKCS#1 v1.5 SHA1 (sha1WithRSAEncryption).
+-        if self._fips_enabled and isinstance(algorithm, hashes.SHA1):
++        if isinstance(algorithm, hashes.SHA1):
+             return False
+         return self.hash_supported(algorithm)
+ 
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 38888b0..143b8c5 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -6,7 +6,7 @@
 
 Name:           python-%{srcname}
 Version:        39.0.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        PyCA's cryptography library
 
 # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause,
@@ -19,6 +19,9 @@ Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcnam
 Source1:        cryptography-%{version}-vendor.tar.bz2
 Source2:        conftest-skipper.py
 
+# OpenSSL backend signature_hash_supported(hashes.SHA1) -> False
+Patch0001:      0001-disable-sha1-signature.patch
+
 ExclusiveArch:  %{rust_arches}
 
 BuildRequires:  openssl-devel
@@ -67,7 +70,12 @@ cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 
 %prep
-%autosetup -p1 -n %{srcname}-%{version}
+%autosetup -N -n %{srcname}-%{version}
+%if 0%{?rhel}
+# disable SHA-1 signatures
+%autopatch -p1 0001
+%endif
+
 %if 0%{?fedora}
 %cargo_prep
 rm src/rust/Cargo.lock
@@ -103,10 +111,6 @@ rm -rf tests/hypothesis tests/x509
 cat < %{SOURCE2} >> tests/conftest.py
 %endif
 
-# enable SHA-1 signatures for RSA tests
-# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
-export OPENSSL_ENABLE_SHA1_SIGNATURES=yes
-
 # see https://github.com/pyca/cryptography/issues/4885 and
 # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
 # see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes
@@ -125,6 +129,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 
 %changelog
+* Tue Mar 14 2023 Christian Heimes <cheimes@redhat.com> - 39.0.2-3
+- Disable SHA-1 signatures on RHEL/ELN
+
 * Thu Mar 09 2023 Miro Hrončok <mhroncok@redhat.com> - 39.0.2-2
 - Don't run tests requiring pytz on RHEL
 - Don't try to run tests of vendored dependencies in %%check