rpms/python-cryptography
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: rpms:f41
Branches Tags
rpms:rawhide
rpms:main
rpms:f43
rpms:f40
rpms:f41
rpms:f42
rpms:f39
rpms:rhbz2239707
rpms:rhbz2211237
rpms:f36
rpms:f37
rpms:f38
rpms:eln-sha1
rpms:f35
rpms:bz1952522
rpms:f34
rpms:f33
rpms:f32
rpms:f31
rpms:f30
rpms:f29
rpms:f27
rpms:f28
rpms:f26
rpms:f25
rpms:f24
rpms:f23
rpms:f22
rpms:epel7
rpms:f21
rpms:f20
rpms:el6
..
compare: rpms:rawhide
Branches Tags
rpms:main
rpms:rawhide
rpms:f43
rpms:f40
rpms:f41
rpms:f42
rpms:f39
rpms:rhbz2239707
rpms:rhbz2211237
rpms:f36
rpms:f37
rpms:f38
rpms:eln-sha1
rpms:f35
rpms:bz1952522
rpms:f34
rpms:f33
rpms:f32
rpms:f31
rpms:f30
rpms:f29
rpms:f27
rpms:f28
rpms:f26
rpms:f25
rpms:f24
rpms:f23
rpms:f22
rpms:epel7
rpms:f21
rpms:f20
rpms:el6

16 commits
f41 ... rawhide

Author SHA1 Message Date
Peter Robinson
1a3a50b8d3 Drop pytz test req, only needed for py < 3.9 
The pytz requirement now is only used for CI for py < 3.9:
pytz==2025.2 ; python_full_version < '3.9'

Also drop no longer valid comment snippet
 2025-10-22 13:04:27 +01:00
Python Maint
5e1fd8e20d Rebuilt for Python 3.14.0rc3 bytecode 2025-09-19 13:05:04 +02:00
Python Maint
5e51185593 Rebuilt for Python 3.14.0rc2 bytecode 2025-08-15 13:32:38 +02:00
Fedora Release Engineering
22e34bf150 Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild 2025-07-25 07:25:06 +00:00
Jeremy Cline
8034f94f77
 		Update to v45.0.4 
The upstream release fixes a single issue:

- Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not
  considered secure, and is supported only for backwards compatibility.)

Fixes rhbz #2371350
 2025-06-11 09:31:07 -04:00
Python Maint
65da927d85 Rebuilt for Python 3.14 2025-06-04 18:30:16 +02:00
Python Maint
2fadd7bb9a Bootstrap for Python 3.14 2025-06-03 13:37:55 +02:00
Jeremy Cline
adc63ac786
 		Update to v45.0.3 
This fixes two issues from v45:

  - Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys encrypted by Bouncy Castle).
  - Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly insecure, this remains prevalent.
 2025-05-25 12:49:30 -04:00
Jeremy Cline
f06f4c2804
 		Update to v45.0.2 
This update includes two backwards-incompatible changes with v44:

  - Made SSH private key loading more consistent with other private key
    loading:
    :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`
    now raises a TypeError if the key is unencrypted but a password is
    provided (previously no exception was raised), and raises a
    TypeError if the key is encrypted but no password is provided
    (previously a ValueError was raised).
  - The :meth:`VerifiedClient.subject
    <cryptography.x509.verification.VerifiedClient.subjects>` property
    can now be None since a custom extension policy may allow
    certificates without a Subject Alternative Name extension.

Full changelog: https://github.com/pyca/cryptography/blob/45.0.2/CHANGELOG.rst
 2025-05-19 10:55:53 -04:00
Yaakov Selkowitz
683f73c2b8 Modernize Rust macro usage 
This adds automatically generated licensing data, and bundled provides for
vendored dependencies in the RHEL builds.
 2025-03-06 14:29:08 -05:00
Yaakov Selkowitz
25b75b110c Do not delete tests/x509 on RHEL 
tests/x509 now provides imports used by tests in other directories,
and no longer require pytz.
 2025-03-03 23:22:02 -05:00
Fabio Valentini
606ff1ca7e
 		Rebuild for openssl crate >= v0.10.70 (RUSTSEC-2025-0004) 2025-02-06 13:47:30 +01:00
Jeremy Cline
78a1779124
 		Include fix to exclude Cargo.toml from wheels 
Merged upstream at https://github.com/pyca/cryptography/pull/12091

[skip changelog]
 2025-01-21 18:39:23 +00:00
Jeremy Cline
83987f70ef
 		Update to v44.0.0 
This release is largely adding new features. One behavioral which might
cause issues is:

- Enforce the RFC 5280 requirement that extended key usage extensions must not be empty.

Complete changelog: https://github.com/pyca/cryptography/blob/44.0.0/CHANGELOG.rst
 2025-01-21 15:51:57 +00:00
Fedora Release Engineering
bc4d913fc3 Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild 2025-01-18 13:19:11 +00:00
Francisco Trivino
ed6d65f516 allow sha1 in OAEP 
In FIPS mode, RSA OAEP padding is refused with an error message:
"This combination of padding and hash algorithm is not supported
by this backend."

It picks up the patch in https://github.com/pyca/cryptography/pull/11536
to allow sha1 in OAEP.

Fixes: https://github.com/pyca/cryptography/issues/11512
Related: https://issues.redhat.com/browse/RHEL-40210
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
 2024-09-04 17:54:40 +02:00
5 changed files with 33 additions and 77 deletions
Download patch file Download diff file Expand all files Collapse all files

8
.gitignore vendored
View file

@ -67,3 +67,11 @@
/cryptography-42.0.8-vendor.tar.bz2
/cryptography-43.0.0.tar.gz
/cryptography-43.0.0-vendor.tar.bz2
/cryptography-44.0.0.tar.gz
/cryptography-44.0.0-vendor.tar.bz2
/cryptography-45.0.2.tar.gz
/cryptography-45.0.2-vendor.tar.bz2
/cryptography-45.0.3.tar.gz
/cryptography-45.0.3-vendor.tar.bz2
/cryptography-45.0.4.tar.gz
/cryptography-45.0.4-vendor.tar.bz2

36
11328.patch
View file

@ -1,36 +0,0 @@
From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Mon, 22 Jul 2024 09:09:05 +0200
Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined
Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE
support. Downstream has moved `openssl/engine.h` into a separate RPM
package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The
compiler flag disables PyCA cryptography's ENGINE support successfully.
We also like to build the downstream package without the `engine.h`
header file present.
This commit makes the include conditional. The `ENGINE` type is
defined in `openssl/types.h`.
See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide
See: https://issues.redhat.com/browse/RHEL-33747
Signed-off-by: Christian Heimes <christian@python.org>
---
src/_cffi_src/openssl/engine.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py
index 9629a2c8f929..f47e20327003 100644
--- a/src/_cffi_src/openssl/engine.py
+++ b/src/_cffi_src/openssl/engine.py
@@ -5,7 +5,9 @@
from __future__ import annotations
INCLUDES = """
+#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL
#include <openssl/engine.h>
+#endif
"""
TYPES = """

26
11536.patch
View file

@ -1,26 +0,0 @@
From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Tue, 3 Sep 2024 20:19:02 -0400
Subject: [PATCH] allow sha1 in OAEP (#11536)
fixes #11512
---
src/rust/src/backend/rsa.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs
index 3c01e7421..066b1412a 100644
--- a/src/rust/src/backend/rsa.rs
+++ b/src/rust/src/backend/rsa.rs
@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu
}
fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool {
- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1())
+ md == &openssl::hash::MessageDigest::sha1()
|| md == &openssl::hash::MessageDigest::sha224()
|| md == &openssl::hash::MessageDigest::sha256()
|| md == &openssl::hash::MessageDigest::sha384()
--
2.46.0

36
python-cryptography.spec
View file

@ -5,23 +5,26 @@
%global srcname cryptography
Name: python-%{srcname}
Version: 43.0.0
Version: 45.0.4
Release: %autorelease
Summary: PyCA's cryptography library
# cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause,
# as well as the Python Software Foundation license for the OS random
# engine derived by CPython.
License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0
# Rust crate dependency licenses:
# Apache-2.0
# Apache-2.0 OR MIT
# BSD-3-Clause
# MIT
# MIT OR Apache-2.0
License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 AND Apache-2.0 AND BSD-3-Clause AND MIT AND (MIT OR Apache-2.0)
URL: https://cryptography.io/en/latest/
Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
# created by ./vendor_rust.py helper script
Source1: cryptography-%{version}-vendor.tar.bz2
Source2: conftest-skipper.py
Patch: 11328.patch
Patch: 11536.patch
ExclusiveArch: %{rust_arches}
BuildRequires: openssl-devel
@ -46,7 +49,6 @@ BuildRequires: python%{python3_pkgversion}-iso8601
BuildRequires: python%{python3_pkgversion}-pretend
BuildRequires: python%{python3_pkgversion}-pytest-benchmark
BuildRequires: python%{python3_pkgversion}-pytest-xdist
BuildRequires: python%{python3_pkgversion}-pytz
%endif
BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0
%endif
@ -70,14 +72,13 @@ cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%prep
%autosetup -p1 -n %{srcname}-%{version}
%autosetup -p1 %{!?fedora:-a1} -n %{srcname}-%{version}
%if 0%{?fedora}
%cargo_prep
sed -i 's/locked = true//g' pyproject.toml
rm src/rust/Cargo.lock
%else
# RHEL: use vendored Rust crates
%cargo_prep -V 1
%cargo_prep -v vendor
%endif
%if ! 0%{?fedora}
@ -89,9 +90,7 @@ sed -i 's,--benchmark-disable,,' pyproject.toml
%pyproject_buildrequires
%if 0%{?fedora}
# Fedora: use RPMified crates
cd src/rust
%cargo_generate_buildrequires
cd ../..
%endif
@ -101,11 +100,18 @@ export OPENSSL_NO_VENDOR=1
export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 "
%pyproject_wheel
%cargo_license_summary
%{cargo_license} > LICENSE.dependencies
%if ! 0%{?fedora}
%cargo_vendor_manifest
%endif
%install
# Actually other *.c and *.h are appropriate
# see https://github.com/pyca/cryptography/issues/1463
find . -name .keep -print -delete
find . -name Cargo.toml -print -delete
%pyproject_install
%pyproject_save_files %{srcname}
@ -113,8 +119,8 @@ find . -name .keep -print -delete
%check
%if %{with tests}
%if 0%{?rhel}
# skip benchmark, hypothesis, and pytz tests on RHEL
rm -rf tests/bench tests/hypothesis tests/x509
# skip benchmark and hypothesis tests on RHEL
rm -rf tests/bench tests/hypothesis
# append skipper to skip iso8601 and pretend tests
cat < %{SOURCE2} >> tests/conftest.py
%endif
@ -138,6 +144,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files}
%doc README.rst docs
%license LICENSE LICENSE.APACHE LICENSE.BSD
%license LICENSE.dependencies
%if ! 0%{?fedora}
%license cargo-vendor.txt
%endif
%changelog

4
sources
View file

@ -1,2 +1,2 @@
SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7
SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924
SHA512 (cryptography-45.0.4.tar.gz) = 08b35f414d81f83ee242f5d208f8aabc12dc53f1a0cbffc5be1ed7f9173e9c9863225a7eb5cff4e9f3dacf5e9fcb3e8701e33c441e1562ee13f9e3927fafb3df
SHA512 (cryptography-45.0.4-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06