Drop pytz test req, only needed for py < 3.9

The pytz requirement now is only used for CI for py < 3.9:
pytz==2025.2 ; python_full_version < '3.9'

Also drop no longer valid comment snippet

.gitignore

@@ -1,3 +1,5 @@
+/results_python-cryptography
+/*.src.rpm
 /cryptography-1.3.1.tar.gz
 /cryptography-1.5.3.tar.gz
 /cryptography-1.7.1.tar.gz
@@ -39,3 +41,37 @@
 /cryptography-3.4.6.tar.gz.asc
 /cryptography-3.4.7.tar.gz
 /cryptography-3.4.7-vendor.tar.bz2
+/cryptography-35.0.0.tar.gz
+/cryptography-35.0.0-vendor.tar.bz2
+/cryptography-36.0.0.tar.gz
+/cryptography-36.0.0-vendor.tar.bz2
+/cryptography-37.0.2.tar.gz
+/cryptography-37.0.2-vendor.tar.bz2
+/cryptography-39.0.2.tar.gz
+/cryptography-39.0.2-vendor.tar.bz2
+/cryptography-40.0.0.tar.gz
+/cryptography-40.0.0-vendor.tar.bz2
+/cryptography-40.0.1.tar.gz
+/cryptography-40.0.1-vendor.tar.bz2
+/cryptography-40.0.2.tar.gz
+/cryptography-40.0.2-vendor.tar.bz2
+/cryptography-41.0.3.tar.gz
+/cryptography-41.0.3-vendor.tar.bz2
+/cryptography-41.0.5-vendor.tar.bz2
+/cryptography-41.0.5.tar.gz
+/cryptography-41.0.7.tar.gz
+/cryptography-41.0.7-vendor.tar.bz2
+/cryptography-42.0.5.tar.gz
+/cryptography-42.0.5-vendor.tar.bz2
+/cryptography-42.0.8.tar.gz
+/cryptography-42.0.8-vendor.tar.bz2
+/cryptography-43.0.0.tar.gz
+/cryptography-43.0.0-vendor.tar.bz2
+/cryptography-44.0.0.tar.gz
+/cryptography-44.0.0-vendor.tar.bz2
+/cryptography-45.0.2.tar.gz
+/cryptography-45.0.2-vendor.tar.bz2
+/cryptography-45.0.3.tar.gz
+/cryptography-45.0.3-vendor.tar.bz2
+/cryptography-45.0.4.tar.gz
+/cryptography-45.0.4-vendor.tar.bz2

0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch

@@ -1,130 +0,0 @@
-From cb1908043d5daa7c5c38945c048c4a2477a46221 Mon Sep 17 00:00:00 2001
-From: Paul Kehrer <paul.l.kehrer@gmail.com>
-Date: Sun, 28 Feb 2021 16:06:11 -0600
-Subject: [PATCH 1/4] fix pkcs12 parse ordering. fixes #5872 (#5879)
-
-* fix pkcs12 parse ordering. fixes #5872
-
-* remove an unneeded print
-
-* simplify the test a bit more
-
-* index
-
-* black
-
-* Update tests/hazmat/primitives/test_pkcs12.py
-
-Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
-
-Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
----
- .../hazmat/backends/openssl/backend.py        |  5 +-
- tests/hazmat/primitives/test_pkcs12.py        | 58 ++++++++++++++++++-
- 2 files changed, 59 insertions(+), 4 deletions(-)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
-index 271873d9..a96d08d8 100644
---- a/src/cryptography/hazmat/backends/openssl/backend.py
-+++ b/src/cryptography/hazmat/backends/openssl/backend.py
-@@ -6,6 +6,7 @@
- import collections
- import contextlib
- import itertools
-+import typing
- import warnings
- from contextlib import contextmanager
- 
-@@ -2562,9 +2563,7 @@ class Backend(object):
-             sk_x509 = self._lib.sk_X509_new_null()
-             sk_x509 = self._ffi.gc(sk_x509, self._lib.sk_X509_free)
- 
--            # reverse the list when building the stack so that they're encoded
--            # in the order they were originally provided. it is a mystery
--            for ca in reversed(cas):
-+            for ca in cas:
-                 res = self._lib.sk_X509_push(sk_x509, ca._x509)
-                 backend.openssl_assert(res >= 1)
- 
-diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
-index b5de09f9..b1759a1b 100644
---- a/tests/hazmat/primitives/test_pkcs12.py
-+++ b/tests/hazmat/primitives/test_pkcs12.py
-@@ -4,13 +4,15 @@
- 
- 
- import os
-+from datetime import datetime
- 
- import pytest
- 
- from cryptography import x509
- from cryptography.hazmat.backends.interfaces import DERSerializationBackend
- from cryptography.hazmat.backends.openssl.backend import _RC2
--from cryptography.hazmat.primitives import serialization
-+from cryptography.hazmat.primitives import hashes, serialization
-+from cryptography.hazmat.primitives.asymmetric import ec
- from cryptography.hazmat.primitives.serialization import load_pem_private_key
- from cryptography.hazmat.primitives.serialization.pkcs12 import (
-     load_key_and_certificates,
-@@ -273,3 +275,57 @@ class TestPKCS12Creation(object):
-                 DummyKeySerializationEncryption(),
-             )
-         assert str(exc.value) == "Unsupported key encryption type"
-+
-+
-+def test_pkcs12_ordering():
-+    """
-+    In OpenSSL < 3.0.0 PKCS12 parsing reverses the order. However, we
-+    accidentally thought it was **encoding** that did it, leading to bug
-+    https://github.com/pyca/cryptography/issues/5872
-+    This test ensures our ordering is correct going forward.
-+    """
-+
-+    def make_cert(name):
-+        key = ec.generate_private_key(ec.SECP256R1())
-+        subject = x509.Name(
-+            [
-+                x509.NameAttribute(x509.NameOID.COMMON_NAME, name),
-+            ]
-+        )
-+        now = datetime.utcnow()
-+        cert = (
-+            x509.CertificateBuilder()
-+            .subject_name(subject)
-+            .issuer_name(subject)
-+            .public_key(key.public_key())
-+            .serial_number(x509.random_serial_number())
-+            .not_valid_before(now)
-+            .not_valid_after(now)
-+            .sign(key, hashes.SHA256())
-+        )
-+        return (key, cert)
-+
-+    # Make some certificates with distinct names.
-+    a_name = "A" * 20
-+    b_name = "B" * 20
-+    c_name = "C" * 20
-+    a_key, a_cert = make_cert(a_name)
-+    _, b_cert = make_cert(b_name)
-+    _, c_cert = make_cert(c_name)
-+
-+    # Bundle them in a PKCS#12 file in order A, B, C.
-+    p12 = serialize_key_and_certificates(
-+        b"p12", a_key, a_cert, [b_cert, c_cert], serialization.NoEncryption()
-+    )
-+
-+    # Parse them out. The API should report them in the same order.
-+    (key, cert, certs) = load_key_and_certificates(p12, None)
-+    assert cert == a_cert
-+    assert certs == [b_cert, c_cert]
-+
-+    # The ordering in the PKCS#12 file itself should also match.
-+    a_idx = p12.index(a_name.encode("utf-8"))
-+    b_idx = p12.index(b_name.encode("utf-8"))
-+    c_idx = p12.index(c_name.encode("utf-8"))
-+
-+    assert a_idx < b_idx < c_idx
--- 
-2.31.1
-

0002-WIP-3.0.0-support-5250.patch

@@ -1,415 +0,0 @@
-From a0bece343e38d73d038d4f3a62c2a9638608ac9c Mon Sep 17 00:00:00 2001
-From: Paul Kehrer <paul.l.kehrer@gmail.com>
-Date: Thu, 22 Apr 2021 19:16:38 -0500
-Subject: [PATCH 2/4] [WIP] 3.0.0 support (#5250)
-
-* 3.0.0 support
-
-* almost...there...
-
-* make mypy happy
----
- .github/workflows/ci.yml                      |  7 ++--
- src/_cffi_src/build_openssl.py                |  1 +
- src/_cffi_src/openssl/cryptography.py         |  3 ++
- src/_cffi_src/openssl/err.py                  |  6 +++
- src/_cffi_src/openssl/fips.py                 |  2 +-
- src/_cffi_src/openssl/provider.py             | 40 ++++++++++++++++++
- .../hazmat/backends/openssl/backend.py        | 42 ++++++++++++++++---
- .../hazmat/backends/openssl/ciphers.py        | 15 ++++++-
- .../hazmat/bindings/openssl/_conditional.py   | 11 +++++
- .../hazmat/bindings/openssl/binding.py        | 20 +++++++++
- tests/hazmat/backends/test_openssl_memleak.py |  6 ++-
- tests/hazmat/bindings/test_openssl.py         |  4 +-
- tests/hazmat/primitives/test_dh.py            | 24 ++++++++++-
- 13 files changed, 167 insertions(+), 14 deletions(-)
- create mode 100644 src/_cffi_src/openssl/provider.py
-
-diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
-index cd967a3a..747f84c1 100644
---- a/.github/workflows/ci.yml
-+++ b/.github/workflows/ci.yml
-@@ -18,9 +18,10 @@ jobs:
-           - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"}
-           - {VERSION: "pypy3", TOXENV: "pypy3"}
-           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
--          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}}
--          - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}}
--          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}}
-+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}}
-+          - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}}
-+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}}
-+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}}
-           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}}
-           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}}
-           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}}
-diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
-index 08499d66..557296ed 100644
---- a/src/_cffi_src/build_openssl.py
-+++ b/src/_cffi_src/build_openssl.py
-@@ -104,6 +104,7 @@ ffi = build_ffi_for_binding(
-         "osrandom_engine",
-         "pem",
-         "pkcs12",
-+        "provider",
-         "rand",
-         "rsa",
-         "ssl",
-diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
-index e2b5a132..06d1e778 100644
---- a/src/_cffi_src/openssl/cryptography.py
-+++ b/src/_cffi_src/openssl/cryptography.py
-@@ -34,6 +34,8 @@ INCLUDES = """
- 
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
-     (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
-+#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \
-+    (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL)
- 
- #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
-     (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
-@@ -53,6 +55,7 @@ INCLUDES = """
- 
- TYPES = """
- static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
-+static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
- 
- static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;
- static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
-diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
-index 0634b656..8cfeaf5b 100644
---- a/src/_cffi_src/openssl/err.py
-+++ b/src/_cffi_src/openssl/err.py
-@@ -18,6 +18,7 @@ static const int EVP_R_UNKNOWN_PBE_ALGORITHM;
- 
- static const int ERR_LIB_EVP;
- static const int ERR_LIB_PEM;
-+static const int ERR_LIB_PROV;
- static const int ERR_LIB_ASN1;
- static const int ERR_LIB_PKCS12;
- 
-@@ -45,4 +46,9 @@ int ERR_GET_REASON(unsigned long);
- """
- 
- CUSTOMIZATIONS = """
-+/* This define is tied to provider support and is conditionally
-+   removed if Cryptography_HAS_PROVIDERS is false */
-+#ifndef ERR_LIB_PROV
-+#define ERR_LIB_PROV 0
-+#endif
- """
-diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py
-index b9d0d64d..23c10af9 100644
---- a/src/_cffi_src/openssl/fips.py
-+++ b/src/_cffi_src/openssl/fips.py
-@@ -17,7 +17,7 @@ int FIPS_mode(void);
- """
- 
- CUSTOMIZATIONS = """
--#if CRYPTOGRAPHY_IS_LIBRESSL
-+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
- static const long Cryptography_HAS_FIPS = 0;
- int (*FIPS_mode_set)(int) = NULL;
- int (*FIPS_mode)(void) = NULL;
-diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py
-new file mode 100644
-index 00000000..d7d659ea
---- /dev/null
-+++ b/src/_cffi_src/openssl/provider.py
-@@ -0,0 +1,40 @@
-+# This file is dual licensed under the terms of the Apache License, Version
-+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-+# for complete details.
-+
-+
-+INCLUDES = """
-+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
-+#include <openssl/provider.h>
-+#include <openssl/proverr.h>
-+#endif
-+"""
-+
-+TYPES = """
-+static const long Cryptography_HAS_PROVIDERS;
-+
-+typedef ... OSSL_PROVIDER;
-+typedef ... OSSL_LIB_CTX;
-+
-+static const long PROV_R_BAD_DECRYPT;
-+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH;
-+"""
-+
-+FUNCTIONS = """
-+OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *);
-+int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov);
-+"""
-+
-+CUSTOMIZATIONS = """
-+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
-+static const long Cryptography_HAS_PROVIDERS = 1;
-+#else
-+static const long Cryptography_HAS_PROVIDERS = 0;
-+typedef void OSSL_PROVIDER;
-+typedef void OSSL_LIB_CTX;
-+static const long PROV_R_BAD_DECRYPT = 0;
-+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0;
-+OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL;
-+int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL;
-+#endif
-+"""
-diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
-index a96d08d8..86e8f0a8 100644
---- a/src/cryptography/hazmat/backends/openssl/backend.py
-+++ b/src/cryptography/hazmat/backends/openssl/backend.py
-@@ -1281,6 +1281,11 @@ class Backend(object):
-     def _evp_pkey_from_der_traditional_key(self, bio_data, password):
-         key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL)
-         if key != self._ffi.NULL:
-+            # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will
-+            # successfully load but errors are still put on the stack. Tracked
-+            # as https://github.com/openssl/openssl/issues/14996
-+            self._consume_errors()
-+
-             key = self._ffi.gc(key, self._lib.EVP_PKEY_free)
-             if password is not None:
-                 raise TypeError(
-@@ -1448,6 +1453,11 @@ class Backend(object):
-             else:
-                 self._handle_key_loading_error()
- 
-+        # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will
-+        # successfully load but errors are still put on the stack. Tracked
-+        # as https://github.com/openssl/openssl/issues/14996
-+        self._consume_errors()
-+
-         evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
- 
-         if password is not None and userdata.called == 0:
-@@ -1470,11 +1480,22 @@ class Backend(object):
-                 "incorrect format or it may be encrypted with an unsupported "
-                 "algorithm."
-             )
--        elif errors[0]._lib_reason_match(
--            self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT
--        ) or errors[0]._lib_reason_match(
--            self._lib.ERR_LIB_PKCS12,
--            self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR,
-+
-+        elif (
-+            errors[0]._lib_reason_match(
-+                self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT
-+            )
-+            or errors[0]._lib_reason_match(
-+                self._lib.ERR_LIB_PKCS12,
-+                self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR,
-+            )
-+            or (
-+                self._lib.Cryptography_HAS_PROVIDERS
-+                and errors[0]._lib_reason_match(
-+                    self._lib.ERR_LIB_PROV,
-+                    self._lib.PROV_R_BAD_DECRYPT,
-+                )
-+            )
-         ):
-             raise ValueError("Bad decrypt. Incorrect password?")
- 
-@@ -2520,7 +2541,16 @@ class Backend(object):
-         if sk_x509_ptr[0] != self._ffi.NULL:
-             sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free)
-             num = self._lib.sk_X509_num(sk_x509_ptr[0])
--            for i in range(num):
-+
-+            # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the
-+            # certificates.
-+            indices: typing.Iterable[int]
-+            if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
-+                indices = range(num)
-+            else:
-+                indices = reversed(range(num))
-+
-+            for i in indices:
-                 x509 = self._lib.sk_X509_value(sk_x509, i)
-                 self.openssl_assert(x509 != self._ffi.NULL)
-                 x509 = self._ffi.gc(x509, self._lib.X509_free)
-diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
-index 0f96795f..a2dd6894 100644
---- a/src/cryptography/hazmat/backends/openssl/ciphers.py
-+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
-@@ -145,7 +145,13 @@ class _CipherContext(object):
-             res = self._backend._lib.EVP_CipherUpdate(
-                 self._ctx, outbuf, outlen, inbuf, inlen
-             )
--            self._backend.openssl_assert(res != 0)
-+            if res == 0 and isinstance(self._mode, modes.XTS):
-+                raise ValueError(
-+                    "In XTS mode you must supply at least a full block in the "
-+                    "first update call. For AES this is 16 bytes."
-+                )
-+            else:
-+                self._backend.openssl_assert(res != 0)
-             data_processed += inlen
-             total_out += outlen[0]
- 
-@@ -174,6 +180,13 @@ class _CipherContext(object):
-                 errors[0]._lib_reason_match(
-                     self._backend._lib.ERR_LIB_EVP,
-                     self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH,
-+                )
-+                or (
-+                    self._backend._lib.Cryptography_HAS_PROVIDERS
-+                    and errors[0]._lib_reason_match(
-+                        self._backend._lib.ERR_LIB_PROV,
-+                        self._backend._lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH,
-+                    )
-                 ),
-                 errors=errors,
-             )
-diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
-index 86548357..1f42c7be 100644
---- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
-+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
-@@ -270,6 +270,16 @@ def cryptography_has_get_proto_version():
-     ]
- 
- 
-+def cryptography_has_providers():
-+    return [
-+        "OSSL_PROVIDER_load",
-+        "OSSL_PROVIDER_unload",
-+        "ERR_LIB_PROV",
-+        "PROV_R_WRONG_FINAL_BLOCK_LENGTH",
-+        "PROV_R_BAD_DECRYPT",
-+    ]
-+
-+
- # This is a mapping of
- # {condition: function-returning-names-dependent-on-that-condition} so we can
- # loop over them and delete unsupported names at runtime. It will be removed
-@@ -318,4 +328,5 @@ CONDITIONAL_NAMES = {
-     "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
-     "Cryptography_HAS_SRTP": cryptography_has_srtp,
-     "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
-+    "Cryptography_HAS_PROVIDERS": cryptography_has_providers,
- }
-diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
-index a2bc36a8..6dcec26a 100644
---- a/src/cryptography/hazmat/bindings/openssl/binding.py
-+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
-@@ -113,6 +113,8 @@ class Binding(object):
-     ffi = ffi
-     _lib_loaded = False
-     _init_lock = threading.Lock()
-+    _legacy_provider: typing.Any = None
-+    _default_provider: typing.Any = None
- 
-     def __init__(self):
-         self._ensure_ffi_initialized()
-@@ -140,6 +142,24 @@ class Binding(object):
-                 # adds all ciphers/digests for EVP
-                 cls.lib.OpenSSL_add_all_algorithms()
-                 cls._register_osrandom_engine()
-+                # As of OpenSSL 3.0.0 we must register a legacy cipher provider
-+                # to get RC2 (needed for junk asymmetric private key
-+                # serialization), RC4, Blowfish, IDEA, SEED, etc. These things
-+                # are ugly legacy, but we aren't going to get rid of them
-+                # any time soon.
-+                if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
-+                    cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
-+                        cls.ffi.NULL, b"legacy"
-+                    )
-+                    _openssl_assert(
-+                        cls.lib, cls._legacy_provider != cls.ffi.NULL
-+                    )
-+                    cls._default_provider = cls.lib.OSSL_PROVIDER_load(
-+                        cls.ffi.NULL, b"default"
-+                    )
-+                    _openssl_assert(
-+                        cls.lib, cls._default_provider != cls.ffi.NULL
-+                    )
- 
-     @classmethod
-     def init_static_locks(cls):
-diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py
-index 0c96516f..0316b5d9 100644
---- a/tests/hazmat/backends/test_openssl_memleak.py
-+++ b/tests/hazmat/backends/test_openssl_memleak.py
-@@ -82,7 +82,7 @@ def main(argv):
-     assert result == 1
- 
-     # Trigger a bunch of initialization stuff.
--    import cryptography.hazmat.backends.openssl
-+    from cryptography.hazmat.backends.openssl.backend import backend
- 
-     start_heap = set(heap)
- 
-@@ -91,6 +91,10 @@ def main(argv):
-     gc.collect()
-     gc.collect()
- 
-+    if lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
-+        lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider)
-+        lib.OSSL_PROVIDER_unload(backend._binding._default_provider)
-+
-     if lib.Cryptography_HAS_OPENSSL_CLEANUP:
-         lib.OPENSSL_cleanup()
- 
-diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
-index fb9a1e36..4d1e3b55 100644
---- a/tests/hazmat/bindings/test_openssl.py
-+++ b/tests/hazmat/bindings/test_openssl.py
-@@ -91,7 +91,9 @@ class TestOpenSSL(object):
-             _openssl_assert(b.lib, False)
- 
-         error = exc_info.value.err_code[0]
--        assert error.code == 101183626
-+        # As of 3.0.0 OpenSSL sets func codes to 0, so the combined
-+        # code is a different value
-+        assert error.code in (101183626, 50331786)
-         assert error.lib == b.lib.ERR_LIB_EVP
-         assert error.func == b.lib.EVP_F_EVP_ENCRYPTFINAL_EX
-         assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
-diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py
-index 131807fc..bb29919f 100644
---- a/tests/hazmat/primitives/test_dh.py
-+++ b/tests/hazmat/primitives/test_dh.py
-@@ -180,7 +180,23 @@ class TestDH(object):
-         params = dh.DHParameterNumbers(p, int(vector["g"]))
-         param = params.parameters(backend)
-         key = param.generate_private_key()
--        assert key.private_numbers().public_numbers.parameter_numbers == params
-+        # In OpenSSL 3.0.0 OpenSSL maps to known groups. This results in
-+        # a scenario where loading a known group with p and g returns a
-+        # re-serialized form that has q as well (the Sophie Germain prime of
-+        # that group). This makes a naive comparison of the parameter numbers
-+        # objects fail, so we have to be a bit smarter
-+        serialized_params = (
-+            key.private_numbers().public_numbers.parameter_numbers
-+        )
-+        if serialized_params.q is None:
-+            # This is the path OpenSSL < 3.0 takes
-+            assert serialized_params == params
-+        else:
-+            assert serialized_params.p == params.p
-+            assert serialized_params.g == params.g
-+            # p = 2q + 1 since it is a Sophie Germain prime, so we can compute
-+            # what we expect OpenSSL to have done here.
-+            assert serialized_params.q == (params.p - 1) // 2
- 
-     @pytest.mark.skip_fips(reason="non-FIPS parameters")
-     @pytest.mark.parametrize(
-@@ -382,6 +398,12 @@ class TestDH(object):
-             assert symkey1 != symkey2
- 
-     @pytest.mark.skip_fips(reason="key_size too small for FIPS")
-+    @pytest.mark.supported(
-+        only_if=lambda backend: (
-+            not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
-+        ),
-+        skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+",
-+    )
-     def test_load_256bit_key_from_pkcs8(self, backend):
-         data = load_vectors_from_file(
-             os.path.join("asymmetric", "DH", "dh_key_256.pem"),
--- 
-2.31.1
-

0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch

@@ -1,151 +0,0 @@
-From 29cf9b8d63ef3437ba11aa29502af8773faa17a7 Mon Sep 17 00:00:00 2001
-From: Paul Kehrer <paul.l.kehrer@gmail.com>
-Date: Wed, 14 Apr 2021 13:15:57 -0500
-Subject: [PATCH 3/4] switch to using EVP_PKEY_derive instead of DH_compute_key
- in DH (#5972)
-
-* switch to using EVP_PKEY_derive instead of DH_compute_key in DH
-
-Where checks are occurring is changing in OpenSSL 3.0 and this makes it
-easier to be consistent (and is the API we should be using anyway). The
-tests change because EVP_PKEY_derive now verifies that we have shared
-parameters, which the test previously only verified by asserting that
-the derived keys didn't match
-
-* review feedback
-
-* type ignores required for typeerror tests. some day i will remember this
----
- src/_cffi_src/openssl/dh.py                   |  1 -
- .../hazmat/backends/openssl/dh.py             | 57 ++++++++++++-------
- tests/hazmat/primitives/test_dh.py            | 19 ++++---
- 3 files changed, 45 insertions(+), 32 deletions(-)
-
-diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py
-index 979dafa9..50989e45 100644
---- a/src/_cffi_src/openssl/dh.py
-+++ b/src/_cffi_src/openssl/dh.py
-@@ -18,7 +18,6 @@ DH *DH_new(void);
- void DH_free(DH *);
- int DH_size(const DH *);
- int DH_generate_key(DH *);
--int DH_compute_key(unsigned char *, const BIGNUM *, DH *);
- DH *DHparams_dup(DH *);
- 
- /* added in 1.1.0 when the DH struct was opaqued */
-diff --git a/src/cryptography/hazmat/backends/openssl/dh.py b/src/cryptography/hazmat/backends/openssl/dh.py
-index 65ddaeec..b928f024 100644
---- a/src/cryptography/hazmat/backends/openssl/dh.py
-+++ b/src/cryptography/hazmat/backends/openssl/dh.py
-@@ -127,35 +127,48 @@ class _DHPrivateKey(dh.DHPrivateKey):
-         )
- 
-     def exchange(self, peer_public_key: dh.DHPublicKey) -> bytes:
--        buf = self._backend._ffi.new("unsigned char[]", self._key_size_bytes)
--        pub_key = self._backend._ffi.new("BIGNUM **")
--        self._backend._lib.DH_get0_key(
--            peer_public_key._dh_cdata,  # type: ignore[attr-defined]
--            pub_key,
--            self._backend._ffi.NULL,
-+        if not isinstance(peer_public_key, _DHPublicKey):
-+            raise TypeError("peer_public_key must be a DHPublicKey")
-+
-+        ctx = self._backend._lib.EVP_PKEY_CTX_new(
-+            self._evp_pkey, self._backend._ffi.NULL
-         )
--        self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL)
--        res = self._backend._lib.DH_compute_key(
--            buf, pub_key[0], self._dh_cdata
-+        self._backend.openssl_assert(ctx != self._backend._ffi.NULL)
-+        ctx = self._backend._ffi.gc(ctx, self._backend._lib.EVP_PKEY_CTX_free)
-+        res = self._backend._lib.EVP_PKEY_derive_init(ctx)
-+        self._backend.openssl_assert(res == 1)
-+        res = self._backend._lib.EVP_PKEY_derive_set_peer(
-+            ctx, peer_public_key._evp_pkey
-+        )
-+        # Invalid kex errors here in OpenSSL 3.0 because checks were moved
-+        # to EVP_PKEY_derive_set_peer
-+        self._exchange_assert(res == 1)
-+        keylen = self._backend._ffi.new("size_t *")
-+        res = self._backend._lib.EVP_PKEY_derive(
-+            ctx, self._backend._ffi.NULL, keylen
-         )
-+        # Invalid kex errors here in OpenSSL < 3
-+        self._exchange_assert(res == 1)
-+        self._backend.openssl_assert(keylen[0] > 0)
-+        buf = self._backend._ffi.new("unsigned char[]", keylen[0])
-+        res = self._backend._lib.EVP_PKEY_derive(ctx, buf, keylen)
-+        self._backend.openssl_assert(res == 1)
- 
--        if res == -1:
-+        key = self._backend._ffi.buffer(buf, keylen[0])[:]
-+        pad = self._key_size_bytes - len(key)
-+
-+        if pad > 0:
-+            key = (b"\x00" * pad) + key
-+
-+        return key
-+
-+    def _exchange_assert(self, ok):
-+        if not ok:
-             errors_with_text = self._backend._consume_errors_with_text()
-             raise ValueError(
--                "Error computing shared key. Public key is likely invalid "
--                "for this exchange.",
-+                "Error computing shared key.",
-                 errors_with_text,
-             )
--        else:
--            self._backend.openssl_assert(res >= 1)
--
--            key = self._backend._ffi.buffer(buf)[:res]
--            pad = self._key_size_bytes - len(key)
--
--            if pad > 0:
--                key = (b"\x00" * pad) + key
--
--            return key
- 
-     def public_key(self) -> dh.DHPublicKey:
-         dh_cdata = _dh_params_dup(self._dh_cdata, self._backend)
-diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py
-index bb29919f..2914f7e7 100644
---- a/tests/hazmat/primitives/test_dh.py
-+++ b/tests/hazmat/primitives/test_dh.py
-@@ -296,6 +296,12 @@ class TestDH(object):
-         assert isinstance(key.private_numbers(), dh.DHPrivateNumbers)
-         assert isinstance(key.parameters(), dh.DHParameters)
- 
-+    def test_exchange_wrong_type(self, backend):
-+        parameters = FFDH3072_P.parameters(backend)
-+        key1 = parameters.generate_private_key()
-+        with pytest.raises(TypeError):
-+            key1.exchange(b"invalidtype")  # type: ignore[arg-type]
-+
-     def test_exchange(self, backend):
-         parameters = FFDH3072_P.parameters(backend)
-         assert isinstance(parameters, dh.DHParameters)
-@@ -386,16 +392,11 @@ class TestDH(object):
-         key2 = private2.private_key(backend)
-         pub_key2 = key2.public_key()
- 
--        if pub_key2.public_numbers().y >= parameters1.p:
--            with pytest.raises(ValueError):
--                key1.exchange(pub_key2)
--        else:
--            symkey1 = key1.exchange(pub_key2)
--            assert symkey1
--
--            symkey2 = key2.exchange(pub_key1)
-+        with pytest.raises(ValueError):
-+            key1.exchange(pub_key2)
- 
--            assert symkey1 != symkey2
-+        with pytest.raises(ValueError):
-+            key2.exchange(pub_key1)
- 
-     @pytest.mark.skip_fips(reason="key_size too small for FIPS")
-     @pytest.mark.supported(
--- 
-2.31.1
-

0004-Use-well-defined-enum-representation.patch

@@ -1,366 +0,0 @@
-From 0a164d2c985b4655929591b191824ed361890b8d Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Mon, 10 May 2021 13:27:54 +0200
-Subject: [PATCH 4/4] Use well-defined enum representation
-
-Python 3.10 changed enum's object and string representation. PyCA
-cryptography now uses a custom subclass of enum.Enum() will well-defined
-__repr__ and __str__ from Python 3.9.
-
-Related: https://bugs.python.org/issue40066
-Fixes: https://github.com/pyca/cryptography/issues/5995
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
----
- .github/workflows/ci.yml                            | 13 +++++++------
- src/cryptography/exceptions.py                      |  4 ++--
- .../hazmat/primitives/_serialization.py             | 11 ++++++-----
- src/cryptography/hazmat/primitives/kdf/kbkdf.py     |  5 ++---
- .../hazmat/primitives/serialization/pkcs7.py        |  4 ++--
- src/cryptography/utils.py                           | 11 +++++++++++
- src/cryptography/x509/base.py                       |  4 ++--
- src/cryptography/x509/certificate_transparency.py   |  7 ++++---
- src/cryptography/x509/extensions.py                 |  5 ++---
- src/cryptography/x509/name.py                       |  3 +--
- src/cryptography/x509/ocsp.py                       |  8 ++++----
- tests/test_cryptography_utils.py                    | 11 +++++++++++
- 12 files changed, 54 insertions(+), 32 deletions(-)
-
-diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
-index 747f84c1..ca298f96 100644
---- a/.github/workflows/ci.yml
-+++ b/.github/workflows/ci.yml
-@@ -18,15 +18,16 @@ jobs:
-           - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"}
-           - {VERSION: "pypy3", TOXENV: "pypy3"}
-           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
--          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}}
--          - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}}
--          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}}
--          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}}
-+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}}
-+          - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}}
-+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}}
-+          - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha16"}}
-           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}}
-           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}}
-           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}}
-           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.2.3"}}
-           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.3.1"}}
-+          - {VERSION: "3.10-dev", TOXENV: "py310"}
-         RUST:
-           - stable
-     name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}"
-@@ -108,8 +109,8 @@ jobs:
-           - {IMAGE: "sid", TOXENV: "py39"}
-           - {IMAGE: "ubuntu-bionic", TOXENV: "py36"}
-           - {IMAGE: "ubuntu-focal", TOXENV: "py38"}
--          - {IMAGE: "ubuntu-rolling", TOXENV: "py38"}
--          - {IMAGE: "ubuntu-rolling", TOXENV: "py38-randomorder"}
-+          - {IMAGE: "ubuntu-rolling", TOXENV: "py39"}
-+          - {IMAGE: "ubuntu-rolling", TOXENV: "py39-randomorder"}
-           - {IMAGE: "fedora", TOXENV: "py39"}
-           - {IMAGE: "alpine", TOXENV: "py38"}
-     name: "${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}"
-diff --git a/src/cryptography/exceptions.py b/src/cryptography/exceptions.py
-index f5860590..3bd98d82 100644
---- a/src/cryptography/exceptions.py
-+++ b/src/cryptography/exceptions.py
-@@ -3,10 +3,10 @@
- # for complete details.
- 
- 
--from enum import Enum
-+from cryptography import utils
- 
- 
--class _Reasons(Enum):
-+class _Reasons(utils.Enum):
-     BACKEND_MISSING_INTERFACE = 0
-     UNSUPPORTED_HASH = 1
-     UNSUPPORTED_CIPHER = 2
-diff --git a/src/cryptography/hazmat/primitives/_serialization.py b/src/cryptography/hazmat/primitives/_serialization.py
-index 96a5ed9b..160a6b89 100644
---- a/src/cryptography/hazmat/primitives/_serialization.py
-+++ b/src/cryptography/hazmat/primitives/_serialization.py
-@@ -3,13 +3,14 @@
- # for complete details.
- 
- import abc
--from enum import Enum
-+
-+from cryptography import utils
- 
- # This exists to break an import cycle. These classes are normally accessible
- # from the serialization module.
- 
- 
--class Encoding(Enum):
-+class Encoding(utils.Enum):
-     PEM = "PEM"
-     DER = "DER"
-     OpenSSH = "OpenSSH"
-@@ -18,14 +19,14 @@ class Encoding(Enum):
-     SMIME = "S/MIME"
- 
- 
--class PrivateFormat(Enum):
-+class PrivateFormat(utils.Enum):
-     PKCS8 = "PKCS8"
-     TraditionalOpenSSL = "TraditionalOpenSSL"
-     Raw = "Raw"
-     OpenSSH = "OpenSSH"
- 
- 
--class PublicFormat(Enum):
-+class PublicFormat(utils.Enum):
-     SubjectPublicKeyInfo = "X.509 subjectPublicKeyInfo with PKCS#1"
-     PKCS1 = "Raw PKCS#1"
-     OpenSSH = "OpenSSH"
-@@ -34,7 +35,7 @@ class PublicFormat(Enum):
-     UncompressedPoint = "X9.62 Uncompressed Point"
- 
- 
--class ParameterFormat(Enum):
-+class ParameterFormat(utils.Enum):
-     PKCS3 = "PKCS3"
- 
- 
-diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py
-index ac36474f..75fe7d51 100644
---- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py
-+++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py
-@@ -4,7 +4,6 @@
- 
- 
- import typing
--from enum import Enum
- 
- from cryptography import utils
- from cryptography.exceptions import (
-@@ -19,11 +18,11 @@ from cryptography.hazmat.primitives import constant_time, hashes, hmac
- from cryptography.hazmat.primitives.kdf import KeyDerivationFunction
- 
- 
--class Mode(Enum):
-+class Mode(utils.Enum):
-     CounterMode = "ctr"
- 
- 
--class CounterLocation(Enum):
-+class CounterLocation(utils.Enum):
-     BeforeFixed = "before_fixed"
-     AfterFixed = "after_fixed"
- 
-diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py
-index bcd9e330..57aac7e3 100644
---- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py
-+++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py
-@@ -3,8 +3,8 @@
- # for complete details.
- 
- import typing
--from enum import Enum
- 
-+from cryptography import utils
- from cryptography import x509
- from cryptography.hazmat.backends import _get_backend
- from cryptography.hazmat.primitives import hashes, serialization
-@@ -35,7 +35,7 @@ _ALLOWED_PRIVATE_KEY_TYPES = typing.Union[
- ]
- 
- 
--class PKCS7Options(Enum):
-+class PKCS7Options(utils.Enum):
-     Text = "Add text/plain MIME type"
-     Binary = "Don't translate input data into canonical MIME format"
-     DetachedSignature = "Don't embed data in the PKCS7 structure"
-diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
-index ef0fc443..9e571cfd 100644
---- a/src/cryptography/utils.py
-+++ b/src/cryptography/utils.py
-@@ -4,6 +4,7 @@
- 
- 
- import abc
-+import enum
- import inspect
- import sys
- import typing
-@@ -162,3 +163,13 @@ int_from_bytes = deprecated(
-     "int_from_bytes is deprecated, use int.from_bytes instead",
-     DeprecatedIn34,
- )
-+
-+
-+# Python 3.10 changed representation of enums. We use well-defined object
-+# representation and string representation from Python 3.9.
-+class Enum(enum.Enum):
-+    def __repr__(self):
-+        return f"<{self.__class__.__name__}.{self._name_}: {self._value_!r}>"
-+
-+    def __str__(self):
-+        return f"{self.__class__.__name__}.{self._name_}"
-diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
-index 5505fa3b..26ec43d5 100644
---- a/src/cryptography/x509/base.py
-+++ b/src/cryptography/x509/base.py
-@@ -7,8 +7,8 @@ import abc
- import datetime
- import os
- import typing
--from enum import Enum
- 
-+from cryptography import utils
- from cryptography.hazmat._types import _PRIVATE_KEY_TYPES, _PUBLIC_KEY_TYPES
- from cryptography.hazmat.backends import _get_backend
- from cryptography.hazmat.primitives import hashes, serialization
-@@ -66,7 +66,7 @@ def _convert_to_naive_utc_time(time: datetime.datetime) -> datetime.datetime:
-         return time
- 
- 
--class Version(Enum):
-+class Version(utils.Enum):
-     v1 = 0
-     v3 = 2
- 
-diff --git a/src/cryptography/x509/certificate_transparency.py b/src/cryptography/x509/certificate_transparency.py
-index d51bee92..d80f051a 100644
---- a/src/cryptography/x509/certificate_transparency.py
-+++ b/src/cryptography/x509/certificate_transparency.py
-@@ -5,15 +5,16 @@
- 
- import abc
- import datetime
--from enum import Enum
- 
-+from cryptography import utils
- 
--class LogEntryType(Enum):
-+
-+class LogEntryType(utils.Enum):
-     X509_CERTIFICATE = 0
-     PRE_CERTIFICATE = 1
- 
- 
--class Version(Enum):
-+class Version(utils.Enum):
-     v1 = 0
- 
- 
-diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
-index 6cae016a..742f1fa2 100644
---- a/src/cryptography/x509/extensions.py
-+++ b/src/cryptography/x509/extensions.py
-@@ -8,7 +8,6 @@ import datetime
- import hashlib
- import ipaddress
- import typing
--from enum import Enum
- 
- from cryptography import utils
- from cryptography.hazmat._der import (
-@@ -634,7 +633,7 @@ class DistributionPoint(object):
-     crl_issuer = utils.read_only_property("_crl_issuer")
- 
- 
--class ReasonFlags(Enum):
-+class ReasonFlags(utils.Enum):
-     unspecified = "unspecified"
-     key_compromise = "keyCompromise"
-     ca_compromise = "cACompromise"
-@@ -978,7 +977,7 @@ class TLSFeature(ExtensionType):
-         return hash(tuple(self._features))
- 
- 
--class TLSFeatureType(Enum):
-+class TLSFeatureType(utils.Enum):
-     # status_request is defined in RFC 6066 and is used for what is commonly
-     # called OCSP Must-Staple when present in the TLS Feature extension in an
-     # X.509 certificate.
-diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py
-index a579aa21..9069a9f4 100644
---- a/src/cryptography/x509/name.py
-+++ b/src/cryptography/x509/name.py
-@@ -3,14 +3,13 @@
- # for complete details.
- 
- import typing
--from enum import Enum
- 
- from cryptography import utils
- from cryptography.hazmat.backends import _get_backend
- from cryptography.x509.oid import NameOID, ObjectIdentifier
- 
- 
--class _ASN1Type(Enum):
-+class _ASN1Type(utils.Enum):
-     UTF8String = 12
-     NumericString = 18
-     PrintableString = 19
-diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py
-index 1c5de73e..bcf210c1 100644
---- a/src/cryptography/x509/ocsp.py
-+++ b/src/cryptography/x509/ocsp.py
-@@ -6,8 +6,8 @@
- import abc
- import datetime
- import typing
--from enum import Enum
- 
-+from cryptography import utils
- from cryptography import x509
- from cryptography.hazmat.primitives import hashes, serialization
- from cryptography.x509.base import (
-@@ -27,12 +27,12 @@ _OIDS_TO_HASH = {
- }
- 
- 
--class OCSPResponderEncoding(Enum):
-+class OCSPResponderEncoding(utils.Enum):
-     HASH = "By Hash"
-     NAME = "By Name"
- 
- 
--class OCSPResponseStatus(Enum):
-+class OCSPResponseStatus(utils.Enum):
-     SUCCESSFUL = 0
-     MALFORMED_REQUEST = 1
-     INTERNAL_ERROR = 2
-@@ -58,7 +58,7 @@ def _verify_algorithm(algorithm):
-         )
- 
- 
--class OCSPCertStatus(Enum):
-+class OCSPCertStatus(utils.Enum):
-     GOOD = 0
-     REVOKED = 1
-     UNKNOWN = 2
-diff --git a/tests/test_cryptography_utils.py b/tests/test_cryptography_utils.py
-index 6b795e0c..803997ac 100644
---- a/tests/test_cryptography_utils.py
-+++ b/tests/test_cryptography_utils.py
-@@ -2,6 +2,7 @@
- # 2.0, and the BSD License. See the LICENSE file in the root of this repository
- # for complete details.
- 
-+import enum
- import typing
- 
- import pytest
-@@ -51,3 +52,13 @@ class TestCachedProperty(object):
-         assert len(accesses) == 1
-         assert t.t == 14
-         assert len(accesses) == 1
-+
-+
-+def test_enum():
-+    class TestEnum(utils.Enum):
-+        value = "something"
-+
-+    assert issubclass(TestEnum, enum.Enum)
-+    assert isinstance(TestEnum.value, enum.Enum)
-+    assert repr(TestEnum.value) == "<TestEnum.value: 'something'>"
-+    assert str(TestEnum.value) == "TestEnum.value"
--- 
-2.31.1
-

changelog

@@ -0,0 +1,248 @@
+* Tue Jul 02 2024 Jeremy Cline <jeremycline@linux.microsoft.com> - 42.0.8-1
+- Update to 42.0.8, fixes rhbz#2251816
+
+* Sat Jun 08 2024 Python Maint <python-maint@redhat.com> - 41.0.7-3
+- Rebuilt for Python 3.13
+
+* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 41.0.7-2
+- Bootstrap for Python 3.13
+
+* Thu Feb 01 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 41.0.7-1
+- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083
+
+* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.0.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.0.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Dec 01 2023 Fabio Valentini <decathorpe@gmail.com> - 41.0.5-2
+- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072)
+
+* Thu Oct 26 2023 Christian Heimes <cheimes@redhat.com> - 41.0.5-1
+- Update to 41.0.5, resolves RHBZ#2239707
+
+* Mon Aug 14 2023 Christian Heimes <cheimes@redhat.com> - 41.0.3-2
+- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042
+
+* Wed Aug 09 2023 Christian Heimes <cheimes@redhat.com> - 41.0.3-1
+- Update to 41.0.3, resolves rhbz#2211237
+- Use pyo3 0.19
+
+* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 40.0.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jul 10 2023 Python Maint <python-maint@redhat.com> - 40.0.2-4
+- Rebuilt for Python 3.12
+
+* Wed Jun 14 2023 Python Maint <python-maint@redhat.com> - 40.0.2-3
+- Bootstrap for Python 3.12
+
+* Tue Jun 13 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 40.0.2-2
+- Use vendored rust-pem in RHEL builds
+
+* Tue Apr 18 2023 Christian Heimes <cheimes@redhat.com> - 40.0.2-1
+- Update to 40.0.2, resolves rhbz#2181430
+
+* Thu Mar 09 2023 Miro Hrončok <mhroncok@redhat.com> - 39.0.2-2
+- Don't run tests requiring pytz on RHEL
+- Don't try to run tests of vendored dependencies in %%check
+
+* Sat Mar 04 2023 Christian Heimes <cheimes@redhat.com> - 39.0.2-1
+- Update to 39.0.2, resolves rhbz#2124729
+
+* Tue Feb 28 2023 Fabio Valentini <decathorpe@gmail.com> - 37.0.2-9
+- Ensure correct compiler flags are used for Rust code.
+
+* Wed Feb 22 2023 Christian Heimes <cheimes@redhat.com> - 37.0.2-8
+- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820
+- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 37.0.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Dec 09 2022 Christian Heimes <cheimes@redhat.com> - 37.0.2-6
+- Enable SHA1 signatures in test suite (ELN-only)
+
+* Wed Aug 17 2022 Miro Hrončok <mhroncok@redhat.com> - 37.0.2-5
+- Drop unused requirement of python3-six
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.0.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 37.0.2-3
+- Rebuilt for Python 3.11
+
+* Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 37.0.2-2
+- Bootstrap for Python 3.11
+
+* Thu May 05 2022 Christian Heimes <cheimes@redhat.com> - 37.0.2-1
+- Update to 37.0.2, resolves rhbz#2078968
+
+* Thu Jan 27 2022 Christian Heimes <cheimes@redhat.com> - 36.0.0-3
+- Skip unstable memleak tests, resolves: RHBZ#2042413
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 36.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Mon Nov 22 2021 Christian Heimes <cheimes@redhat.com> - 36.0.0-1
+- Update to 36.0.0, fixes RHBZ#2025347
+
+* Thu Sep 30 2021 Christian Heimes <cheimes@redhat.com> - 35.0.0-2
+- Require rust-asn1 >= 0.6.4
+
+* Thu Sep 30 2021 Christian Heimes <cheimes@redhat.com> - 35.0-1
+- Update to 35.0.0 (#2009117)
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.4.7-6
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu Jun 10 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.4.7-4
+- Don't conditionalize Source: directives
+
+* Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 3.4.7-3
+- Rebuilt for Python 3.10
+
+* Tue May 11 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-2
+- Fix compatibility issue with Python 3.10. Enums now use same
+  representation as on Python 3.9. (#1952522)
+- Backport OpenSSL 3.0.0 compatibility patches.
+
+* Wed Apr 21 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-1
+- Update to 3.4.7
+- Remove dependency on python-cryptography-vectors package and use vectors
+  directly from Github source tar ball. (#1952024)
+
+* Wed Mar 03 2021 Christian Heimes <cheimes@redhat.com> - 3.4.6-1
+- Update to 3.4.6 (#1927044)
+
+* Mon Feb 15 2021 Christian Heimes <cheimes@redhat.com> - 3.4.5-1
+- Update to 3.4.5 (#1927044)
+
+* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-3
+- Skip iso8601 and pretend tests on RHEL
+
+* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-2
+- Provide RHEL build infrastructure
+
+* Wed Feb 10 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-1
+- Update to 3.4.4 (#1927044)
+
+* Mon Feb 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.2-1
+- Update to 3.4.2 (#1926339)
+- Package no longer depends on Rust (#1926181)
+
+* Mon Feb 08 2021 Fabio Valentini <decathorpe@gmail.com> - 3.4.1-2
+- Use dynamically generated BuildRequires for PyO3 Rust module.
+- Drop unnecessary CARGO_NET_OFFLINE environment variable.
+
+* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4.1-1
+- Update to 3.4.1 (#1925953)
+
+* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-2
+- Add missing abi3 and pytest dependencies
+
+* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-1
+- Update to 3.4 (#1925953)
+- Remove Python 2 support
+- Remove unused python-idna dependency
+- Add Rust support
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Dec 10 2020 Christian Heimes <cheimes@redhat.com> - 3.3.1-1
+- Update to 3.3.1 (#1905756)
+
+* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
+- Update to 3.2.1 (#1892153)
+
+* Mon Oct 26 2020 Christian Heimes <cheimes@redhat.com> - 3.2-1
+- Update to 3.2 (#1891378)
+
+* Mon Sep 07 2020 Christian Heimes <cheimes@redhat.com> - 3.1-1
+- Update to 3.1 (#1872978)
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 21 2020 Christian Heimes <cheimes@redhat.com> - 3.0-1
+- Update to 3.0 (#185897)
+
+* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9-3
+- Rebuilt for Python 3.9
+
+* Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2
+- add source file verification
+
+* Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1
+- Update to 2.9 (#1820348)
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 13 2020 Christian Heimes <cheimes@redhat.com> - 2.8-2
+- cryptography 2.8+ no longer depends on python-asn1crypto
+
+* Thu Oct 17 2019 Christian Heimes <cheimes@redhat.com> - 2.8-1
+- Update to 2.8
+- Resolves: rhbz#1762779
+
+* Sun Oct 13 2019 Christian Heimes <cheimes@redhat.com> - 2.7-3
+- Skip unit tests that fail with OpenSSL 1.1.1.d
+- Resolves: rhbz#1761194
+- Fix and simplify Python 3 packaging
+
+* Sat Oct 12 2019 Christian Heimes <cheimes@redhat.com> - 2.7-2
+- Drop Python 2 package
+- Resolves: rhbz#1761081
+
+* Tue Sep 03 2019 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.7-1
+- Update to 2.7 (#1715680).
+
+* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.1-3
+- Rebuilt for Python 3.8
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Feb 28 2019 Christian Heimes <cheimes@redhat.com> - 2.6.1-1
+- New upstream release 2.6.1, resolves RHBZ#1683691
+
+* Wed Feb 13 2019 Alfredo Moralejo <amoralej@redhat.com> - 2.5-1
+- Updated to 2.5.
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
+- Use TLSv1.2 in test as workaround for RHBZ#1615143
+
+* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
+- New upstream release 2.3
+- Fix AEAD tag truncation bug, RHBZ#1602752
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.1-2
+- Rebuilt for Python 3.7
+
+* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
+- New upstream release 2.2.1
+
+* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
+- New upstream release 2.1.4
+
+* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
+- Build requires gcc
+
+* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

python-cryptography.spec

@@ -3,23 +3,27 @@
 %{!?python3_pkgversion:%global python3_pkgversion 3}
 
 %global srcname cryptography
-%global pyo3_version 0.13.1
 
 Name:           python-%{srcname}
-Version:        3.4.7
-Release:        5%{?dist}
+Version:        45.0.4
+Release:        %autorelease
 Summary:        PyCA's cryptography library
 
-License:        ASL 2.0 or BSD
+# cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause,
+# as well as the Python Software Foundation license for the OS random
+# engine derived by CPython.
+# Rust crate dependency licenses:
+# Apache-2.0
+# Apache-2.0 OR MIT
+# BSD-3-Clause
+# MIT
+# MIT OR Apache-2.0
+License:        (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 AND Apache-2.0 AND BSD-3-Clause AND MIT AND (MIT OR Apache-2.0)
 URL:            https://cryptography.io/en/latest/
 Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
                 # created by ./vendor_rust.py helper script
 Source1:        cryptography-%{version}-vendor.tar.bz2
 Source2:        conftest-skipper.py
-Patch0001:      0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch
-Patch0002:      0002-WIP-3.0.0-support-5250.patch
-Patch0003:      0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch
-Patch0004:      0004-Use-well-defined-enum-representation.patch
 
 ExclusiveArch:  %{rust_arches}
 
@@ -32,22 +36,21 @@ BuildRequires:  rust-packaging
 BuildRequires:  rust-toolset
 %endif
 
-BuildRequires:  python%{python3_pkgversion}-cffi >= 1.7
+BuildRequires:  python%{python3_pkgversion}-cffi >= 1.12
 BuildRequires:  python%{python3_pkgversion}-devel
 BuildRequires:  python%{python3_pkgversion}-setuptools
-BuildRequires:  python%{python3_pkgversion}-setuptools-rust >= 0.11.3
-BuildRequires:  python%{python3_pkgversion}-six >= 1.4.1
+BuildRequires:  python%{python3_pkgversion}-setuptools-rust >= 0.11.4
 
 %if %{with tests}
 %if 0%{?fedora}
+BuildRequires:  python%{python3_pkgversion}-certifi
 BuildRequires:  python%{python3_pkgversion}-hypothesis >= 1.11.4
 BuildRequires:  python%{python3_pkgversion}-iso8601
 BuildRequires:  python%{python3_pkgversion}-pretend
+BuildRequires:  python%{python3_pkgversion}-pytest-benchmark
 BuildRequires:  python%{python3_pkgversion}-pytest-xdist
 %endif
-BuildRequires:  python%{python3_pkgversion}-pytest >= 6.0
-BuildRequires:  python%{python3_pkgversion}-pytest-subtests >= 0.3.2
-BuildRequires:  python%{python3_pkgversion}-pytz
+BuildRequires:  python%{python3_pkgversion}-pytest >= 6.2.0
 %endif
 
 %description
@@ -59,8 +62,6 @@ Summary:        PyCA's cryptography library
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 
 Requires:       openssl-libs
-Requires:       python%{python3_pkgversion}-six >= 1.4.1
-Requires:       python%{python3_pkgversion}-cffi >= 1.7
 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
 # Can be safely removed in Fedora 37
 Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7
@@ -71,200 +72,83 @@ cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 
 %prep
-%autosetup -p1 -n %{srcname}-%{version}
-
-%generate_buildrequires
-
+%autosetup -p1 %{!?fedora:-a1} -n %{srcname}-%{version}
 %if 0%{?fedora}
-# Fedora: use cargo macros to make use of RPMified crates
 %cargo_prep
-cd src/rust
-rm -f Cargo.lock
-%cargo_generate_buildrequires
-cd ../..
+sed -i 's/locked = true//g' pyproject.toml
 %else
 # RHEL: use vendored Rust crates
-%cargo_prep -V 1
+%cargo_prep -v vendor
 %endif
 
+%if ! 0%{?fedora}
+sed -i 's,--benchmark-disable,,' pyproject.toml
+%endif
+
+
+%generate_buildrequires
+%pyproject_buildrequires
+%if 0%{?fedora}
+# Fedora: use RPMified crates
+%cargo_generate_buildrequires
+%endif
+
+
 %build
-%py3_build
+export RUSTFLAGS="%build_rustflags"
+export OPENSSL_NO_VENDOR=1
+export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 "
+%pyproject_wheel
+
+%cargo_license_summary
+%{cargo_license} > LICENSE.dependencies
+%if ! 0%{?fedora}
+%cargo_vendor_manifest
+%endif
+
 
 %install
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
-%py3_install
+find . -name Cargo.toml -print -delete
+%pyproject_install
+%pyproject_save_files %{srcname}
+
 
 %check
 %if %{with tests}
 %if 0%{?rhel}
-# skip hypothesis tests on RHEL
-rm -rf tests/hypothesis
+# skip benchmark and hypothesis tests on RHEL
+rm -rf tests/bench tests/hypothesis
 # append skipper to skip iso8601 and pretend tests
 cat < %{SOURCE2} >> tests/conftest.py
 %endif
 
+# enable SHA-1 signatures for RSA tests
+# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
+export OPENSSL_ENABLE_SHA1_SIGNATURES=yes
+
 # see https://github.com/pyca/cryptography/issues/4885 and
 # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
+# see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes
+# not much sense for downstream testing.
+# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure
 PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
     %{__python3} -m pytest \
-    -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
+    --ignore vendor \
+    -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)"
 %endif
 
-%files -n python%{python3_pkgversion}-%{srcname}
+
+%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files}
 %doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
-%{python3_sitearch}/%{srcname}
-%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
+%license LICENSE.dependencies
+%if ! 0%{?fedora}
+%license cargo-vendor.txt
+%endif
+
 
 %changelog
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.7-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Thu Jun 10 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.4.7-4
-- Don't conditionalize Source: directives
-
-* Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 3.4.7-3
-- Rebuilt for Python 3.10
-
-* Tue May 11 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-2
-- Fix compatibility issue with Python 3.10. Enums now use same
-  representation as on Python 3.9. (#1952522)
-- Backport OpenSSL 3.0.0 compatibility patches.
-
-* Wed Apr 21 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-1
-- Update to 3.4.7
-- Remove dependency on python-cryptography-vectors package and use vectors
-  directly from Github source tar ball. (#1952024)
-
-* Wed Mar 03 2021 Christian Heimes <cheimes@redhat.com> - 3.4.6-1
-- Update to 3.4.6 (#1927044)
-
-* Mon Feb 15 2021 Christian Heimes <cheimes@redhat.com> - 3.4.5-1
-- Update to 3.4.5 (#1927044)
-
-* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-3
-- Skip iso8601 and pretend tests on RHEL
-
-* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-2
-- Provide RHEL build infrastructure
-
-* Wed Feb 10 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-1
-- Update to 3.4.4 (#1927044)
-
-* Mon Feb 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.2-1
-- Update to 3.4.2 (#1926339)
-- Package no longer depends on Rust (#1926181)
-
-* Mon Feb 08 2021 Fabio Valentini <decathorpe@gmail.com> - 3.4.1-2
-- Use dynamically generated BuildRequires for PyO3 Rust module.
-- Drop unnecessary CARGO_NET_OFFLINE environment variable.
-
-* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4.1-1
-- Update to 3.4.1 (#1925953)
-
-* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-2
-- Add missing abi3 and pytest dependencies
-
-* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-1
-- Update to 3.4 (#1925953)
-- Remove Python 2 support
-- Remove unused python-idna dependency
-- Add Rust support
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Thu Dec 10 2020 Christian Heimes <cheimes@redhat.com> - 3.3.1-1
-- Update to 3.3.1 (#1905756)
-
-* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
-- Update to 3.2.1 (#1892153)
-
-* Mon Oct 26 2020 Christian Heimes <cheimes@redhat.com> - 3.2-1
-- Update to 3.2 (#1891378)
-
-* Mon Sep 07 2020 Christian Heimes <cheimes@redhat.com> - 3.1-1
-- Update to 3.1 (#1872978)
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 21 2020 Christian Heimes <cheimes@redhat.com> - 3.0-1
-- Update to 3.0 (#185897)
-
-* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9-3
-- Rebuilt for Python 3.9
-
-* Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2
-- add source file verification
-
-* Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1
-- Update to 2.9 (#1820348)
-
-* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Mon Jan 13 2020 Christian Heimes <cheimes@redhat.com> - 2.8-2
-- cryptography 2.8+ no longer depends on python-asn1crypto
-
-* Thu Oct 17 2019 Christian Heimes <cheimes@redhat.com> - 2.8-1
-- Update to 2.8
-- Resolves: rhbz#1762779
-
-* Sun Oct 13 2019 Christian Heimes <cheimes@redhat.com> - 2.7-3
-- Skip unit tests that fail with OpenSSL 1.1.1.d
-- Resolves: rhbz#1761194
-- Fix and simplify Python 3 packaging
-
-* Sat Oct 12 2019 Christian Heimes <cheimes@redhat.com> - 2.7-2
-- Drop Python 2 package
-- Resolves: rhbz#1761081
-
-* Tue Sep 03 2019 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.7-1
-- Update to 2.7 (#1715680).
-
-* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.1-3
-- Rebuilt for Python 3.8
-
-* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Feb 28 2019 Christian Heimes <cheimes@redhat.com> - 2.6.1-1
-- New upstream release 2.6.1, resolves RHBZ#1683691
-
-* Wed Feb 13 2019 Alfredo Moralejo <amoralej@redhat.com> - 2.5-1
-- Updated to 2.5.
-
-* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
-- Use TLSv1.2 in test as workaround for RHBZ#1615143
-
-* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
-- New upstream release 2.3
-- Fix AEAD tag truncation bug, RHBZ#1602752
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.1-2
-- Rebuilt for Python 3.7
-
-* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
-- New upstream release 2.2.1
-
-* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
-- New upstream release 2.1.4
-
-* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
-- Build requires gcc
-
-* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
-- Update Python 2 dependency declarations to new packaging standards
-  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
-
-* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+%autochangelog

sources

@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.4.7.tar.gz) = e76d0949fbaca06d2f72805bdce8ea85056ae45b978f51d70d1367bbfb1067e9db76a9f080f890e95ec52c788a3d2fd3ba0a286901f97ee2911ebd7a7a8f71a9
-SHA512 (cryptography-3.4.7-vendor.tar.bz2) = 67060536b5d48e0497290fb3307329d57e9ac56cb9ee13c2fb1b2f93d059872d411d9dbff3f00bece23a8593d667799de86630b3748337b204f8776ef3f0a387
+SHA512 (cryptography-45.0.4.tar.gz) = 08b35f414d81f83ee242f5d208f8aabc12dc53f1a0cbffc5be1ed7f9173e9c9863225a7eb5cff4e9f3dacf5e9fcb3e8701e33c441e1562ee13f9e3927fafb3df
+SHA512 (cryptography-45.0.4-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06

vendor_rust.py

@@ -12,7 +12,7 @@ import sys
 
 VENDOR_DIR = "vendor"
 CARGO_TOML = "src/rust/Cargo.toml"
-RE_VERSION = re.compile("Version:\s*(.*)")
+RE_VERSION = re.compile(r"Version:\s*(.*)")
 
 parser = argparse.ArgumentParser(description="Vendor Rust packages")
 parser.add_argument(