The upstream release fixes a single issue:
- Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not
considered secure, and is supported only for backwards compatibility.)
Fixes rhbz #2371350
This fixes two issues from v45:
- Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys encrypted by Bouncy Castle).
- Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly insecure, this remains prevalent.
This update includes two backwards-incompatible changes with v44:
- Made SSH private key loading more consistent with other private key
loading:
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`
now raises a TypeError if the key is unencrypted but a password is
provided (previously no exception was raised), and raises a
TypeError if the key is encrypted but no password is provided
(previously a ValueError was raised).
- The :meth:`VerifiedClient.subject
<cryptography.x509.verification.VerifiedClient.subjects>` property
can now be None since a custom extension policy may allow
certificates without a Subject Alternative Name extension.
Full changelog: https://github.com/pyca/cryptography/blob/45.0.2/CHANGELOG.rst
This release is largely adding new features. One behavioral change which might
cause issues is:
- Enforce the RFC 5280 requirement that extended key usage extensions must not be empty.
Complete changelog: https://github.com/pyca/cryptography/blob/44.0.0/CHANGELOG.rst
Upstream switched to maturin in v43[0]. Since we fiddle with the
lockfile, maturin wants to update it since upstream configures `lock =
true`. Turn that off.
This fixes the v43 build in rawhide.
[0] https://github.com/pyca/cryptography/pull/8815
[skip changelog]
Additionally, this builds the package with OPENSSL_NO_ENGINE=1
This drops the skip-overflow-tests-32bit.patch as it's included in
v43.0.0. It picks up the patch in
https://github.com/pyca/cryptography/pull/11328 to allow building with
OPENSSL_NO_ENGINE=1.
Commit 7b18e1445d ("Update to 41.0.3") introduces a patch that was
applied behind a conditional. This is no longer the case, so revert back
to letting autosetup apply all patches.
[skip changelog]
PyO3 doesn't support Python 3.13 until 0.22, but cryptography 0.42 is
using 0.20 at the moment. Use ABI3 forward compatibility for ELN builds
until cryptography updates.
The Rawhide build is using crates from the distro which must be setting
this in some way, but I'm not familiar enough with PyO3 or Fedora's Rust
packaging to find it quickly.
Fixes rhbz#2295602
There is no additional dependency generated by it, other than tox and tox-current-env.
There is no tox configuration in the source tarball.
If desired, there is a [test] extra, so we could use -x test instead,
but that would break the %if 0%{?fedora} tests dependencies separation.
This reverts commit 2220bc3f08 and bumps
the version up from 42.0.5 to 42.0.8.
Additionally, a dependency on the openssl-devel-engine is necessary.
Longer-term this should be dropped[0].
[0] https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
Co-authored-by: Christian Heimes <cheimes@redhat.com>
Don't allow update_into to mutate immutable objects, resolves rhbz#2171820
Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661