powerel9
/
python-cryptography
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

iniital package creation 

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>
master
Toshaan Bharvani 1 year ago
commit
7716194151
7 changed files with 836 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 71
      SOURCES/0001-Block-TripleDES-in-FIPS-mode-6879.patch
  2. 319
      SOURCES/0002-Disable-DSA-tests-in-FIPS-mode-6916.patch
  3. 26
      SOURCES/0003-fixes-6927-handle-negative-return-values-from-openss.patch
  4. 24
      SOURCES/0004-Disable-test_openssl_assert_error_on_stack-in-FIPS-m.patch
  5. 67
      SOURCES/0005-Fixed-serialization-of-keyusage-ext-with-no-bits-693.patch
  6. 22
      SOURCES/conftest-skipper.py
  7. 307
      SPECS/python-cryptography.spec

71
SOURCES/0001-Block-TripleDES-in-FIPS-mode-6879.patch
Unescape View File

@ -0,0 +1,71 @@ @@ -0,0 +1,71 @@
From d250d169e87168903a543248d0bfd6c37f2f6841 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Tue, 22 Feb 2022 00:37:32 +0200
Subject: [PATCH 1/5] Block TripleDES in FIPS mode (#6879)

* Block TripleDES in FIPS mode

NIST SP-800-131A rev 2 lists TripleDES Encryption as disallowed in FIPS 140-3
decryption as legacy use. Three-key TDEA is listed as deprecated
throughout 2023 and disallowed after 2023.

For simplicity we block all use of TripleDES in FIPS mode.

Fixes: #6875
Signed-off-by: Christian Heimes <christian@python.org>

* Fix flake
---
src/cryptography/hazmat/backends/openssl/backend.py | 13 ++++++-------
tests/hazmat/primitives/utils.py | 4 ++++
2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 736452392..f38269e26 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -134,7 +134,9 @@ class Backend(BackendInterface):
b"aes-192-gcm",
b"aes-256-gcm",
}
- _fips_ciphers = (AES, TripleDES)
+ # TripleDES encryption is disallowed/deprecated throughout 2023 in
+ # FIPS 140-3. To keep it simple we denylist any use of TripleDES (TDEA).
+ _fips_ciphers = (AES,)
# Sometimes SHA1 is still permissible. That logic is contained
# within the various *_supported methods.
_fips_hashes = (
@@ -323,12 +325,9 @@ class Backend(BackendInterface):
def cipher_supported(self, cipher, mode):
if self._fips_enabled:
- # FIPS mode requires AES or TripleDES, but only CBC/ECB allowed
- # in TripleDES mode.
- if not isinstance(cipher, self._fips_ciphers) or (
- isinstance(cipher, TripleDES)
- and not isinstance(mode, (CBC, ECB))
- ):
+ # FIPS mode requires AES. TripleDES is disallowed/deprecated in
+ # FIPS 140-3.
+ if not isinstance(cipher, self._fips_ciphers):
return False
try:
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
index 93f117828..a367343ca 100644
--- a/tests/hazmat/primitives/utils.py
+++ b/tests/hazmat/primitives/utils.py
@@ -469,6 +469,10 @@ def _kbkdf_cmac_counter_mode_test(backend, prf, ctr_loc, params):
algorithm = supported_cipher_algorithms.get(prf)
assert algorithm is not None
+ # TripleDES is disallowed in FIPS mode.
+ if backend._fips_enabled and algorithm is algorithms.TripleDES:
+ pytest.skip("TripleDES is not supported in FIPS mode.")
+
ctrkdf = KBKDFCMAC(
algorithm,
Mode.CounterMode,
--
2.35.1

319
SOURCES/0002-Disable-DSA-tests-in-FIPS-mode-6916.patch
Unescape View File

@ -0,0 +1,319 @@ @@ -0,0 +1,319 @@
From ff80e3a27408657fef599f44ae1a9a875e005685 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Wed, 2 Mar 2022 21:47:04 +0200
Subject: [PATCH 2/5] Disable DSA tests in FIPS mode (#6916)

* Disable DSA tests in FIPS mode

See: #6880

* ignore coverage for nested FIPS check

* Remove if branch

* Remove skip modulus branch

* Keep tests that don't use the backend
---
.../hazmat/backends/openssl/backend.py | 7 ++-
tests/hazmat/primitives/test_dsa.py | 46 +++++++++++--------
tests/hazmat/primitives/test_serialization.py | 24 ++++++++++
tests/x509/test_x509.py | 43 ++++++++++++++---
tests/x509/test_x509_ext.py | 4 ++
5 files changed, 98 insertions(+), 26 deletions(-)

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index f38269e26..a6d0e8872 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -804,7 +804,12 @@ class Backend(BackendInterface):
self.openssl_assert(res == 1)
return evp_pkey
- def dsa_hash_supported(self, algorithm):
+ def dsa_supported(self) -> bool:
+ return not self._fips_enabled
+
+ def dsa_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
+ if not self.dsa_supported():
+ return False
return self.hash_supported(algorithm)
def dsa_parameters_supported(self, p, q, g):
diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py
index 6028b600d..60681683d 100644
--- a/tests/hazmat/primitives/test_dsa.py
+++ b/tests/hazmat/primitives/test_dsa.py
@@ -59,7 +59,12 @@ def test_skip_if_dsa_not_supported(backend):
_skip_if_dsa_not_supported(backend, DummyHashAlgorithm(), 1, 1, 1)
-class TestDSA(object):
+
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSA:
def test_generate_dsa_parameters(self, backend):
parameters = dsa.generate_parameters(2048, backend)
assert isinstance(parameters, dsa.DSAParameters)
@@ -76,11 +81,6 @@ class TestDSA(object):
),
)
def test_generate_dsa_keys(self, vector, backend):
- if (
- backend._fips_enabled
- and vector["p"] < backend._fips_dsa_min_modulus
- ):
- pytest.skip("Small modulus blocked in FIPS mode")
parameters = dsa.DSAParameterNumbers(
p=vector["p"], q=vector["q"], g=vector["g"]
).parameters(backend)
@@ -389,7 +389,12 @@ class TestDSA(object):
).private_key(backend)
-class TestDSAVerification(object):
+
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSAVerification:
def test_dsa_verification(self, backend, subtests):
vectors = load_vectors_from_file(
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigVer.rsp"),
@@ -481,17 +486,12 @@ class TestDSAVerification(object):
Prehashed(hashes.SHA1()) # type: ignore[arg-type]
)
- def test_prehashed_unsupported_in_verifier_ctx(self, backend):
- public_key = DSA_KEY_1024.private_key(backend).public_key()
- with pytest.raises(TypeError), pytest.warns(
- CryptographyDeprecationWarning
- ):
- public_key.verifier(
- b"0" * 64, Prehashed(hashes.SHA1()) # type: ignore[arg-type]
- )
-
-class TestDSASignature(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSASignature:
def test_dsa_signing(self, backend, subtests):
vectors = load_vectors_from_file(
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigGen.txt"),
@@ -695,7 +695,11 @@ class TestDSANumberEquality(object):
assert priv != object()
-class TestDSASerialization(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSASerialization:
@pytest.mark.parametrize(
("fmt", "password"),
itertools.product(
@@ -916,7 +920,11 @@ class TestDSASerialization(object):
)
-class TestDSAPEMPublicKeySerialization(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSAPEMPublicKeySerialization:
@pytest.mark.parametrize(
("key_path", "loader_func", "encoding"),
[
diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py
index fb6b753de..5a2b9fba5 100644
--- a/tests/hazmat/primitives/test_serialization.py
+++ b/tests/hazmat/primitives/test_serialization.py
@@ -141,6 +141,10 @@ class TestDERSerialization(object):
assert isinstance(key, rsa.RSAPrivateKey)
_check_rsa_private_numbers(key.private_numbers())
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_path", "password"),
[
@@ -341,6 +345,10 @@ class TestDERSerialization(object):
with pytest.raises(ValueError):
load_der_public_key(b"invalid data", backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
"key_file",
[
@@ -422,6 +430,10 @@ class TestPEMSerialization(object):
assert isinstance(key, rsa.RSAPrivateKey)
_check_rsa_private_numbers(key.private_numbers())
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_path", "password"),
[
@@ -490,6 +502,10 @@ class TestPEMSerialization(object):
numbers = key.public_numbers()
assert numbers.e == 65537
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_file"),
[
@@ -894,6 +910,10 @@ class TestPEMSerialization(object):
16,
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_load_pem_dsa_private_key(self, backend):
key = load_vectors_from_file(
os.path.join("asymmetric", "PKCS8", "unenc-dsa-pkcs8.pem"),
@@ -2313,6 +2333,10 @@ class TestOpenSSHSerialization(object):
DummyKeySerializationEncryption(),
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("key_path", "supported"),
[
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 23e97a768..7a7a52977 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -2561,7 +2561,21 @@ class TestCertificateBuilder(object):
only_if=lambda backend: backend.hash_supported(hashes.MD5()),
skip_message="Requires OpenSSL with MD5 support",
)
- def test_sign_dsa_with_md5(self, backend):
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
+ @pytest.mark.parametrize(
+ "hash_algorithm",
+ [
+ hashes.MD5(),
+ hashes.SHA3_224(),
+ hashes.SHA3_256(),
+ hashes.SHA3_384(),
+ hashes.SHA3_512(),
+ ],
+ )
+ def test_sign_dsa_with_unsupported_hash(self, hash_algorithm, backend):
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateBuilder()
builder = (
@@ -2602,6 +2616,10 @@ class TestCertificateBuilder(object):
with pytest.raises(ValueError):
builder.sign(private_key, hashes.MD5(), backend)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
@pytest.mark.parametrize(
("hashalg", "hashalg_oid"),
[
@@ -2615,9 +2633,6 @@ class TestCertificateBuilder(object):
def test_build_cert_with_dsa_private_key(
self, hashalg, hashalg_oid, backend
):
- if backend._fips_enabled and hashalg is hashes.SHA1:
- pytest.skip("SHA1 not supported in FIPS mode")
-
issuer_private_key = DSA_KEY_2048.private_key(backend)
subject_private_key = DSA_KEY_2048.private_key(backend)
@@ -3646,6 +3661,10 @@ class TestCertificateSigningRequestBuilder(object):
only_if=lambda backend: backend.hash_supported(hashes.MD5()),
skip_message="Requires OpenSSL with MD5 support",
)
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_sign_dsa_with_md5(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
builder = x509.CertificateSigningRequestBuilder().subject_name(
@@ -3969,6 +3988,10 @@ class TestCertificateSigningRequestBuilder(object):
assert basic_constraints.value.ca is True
assert basic_constraints.value.path_length == 2
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_build_ca_request_with_dsa(self, backend):
private_key = DSA_KEY_2048.private_key(backend)
@@ -4319,7 +4342,11 @@ class TestCertificateSigningRequestBuilder(object):
builder.sign(private_key, hashes.SHA512(), backend)
-class TestDSACertificate(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSACertificate:
def test_load_dsa_cert(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
@@ -4444,7 +4471,11 @@ class TestDSACertificate(object):
)
-class TestDSACertificateRequest(object):
+@pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+)
+class TestDSACertificateRequest:
@pytest.mark.parametrize(
("path", "loader_func"),
[
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 4173dece6..66ac43d95 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -1712,6 +1712,10 @@ class TestSubjectKeyIdentifierExtension(object):
ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
assert ext.value == ski
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.dsa_supported(),
+ skip_message="Does not support DSA.",
+ )
def test_from_dsa_public_key(self, backend):
cert = _load_cert(
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
--
2.35.1

26
SOURCES/0003-fixes-6927-handle-negative-return-values-from-openss.patch
Unescape View File

@ -0,0 +1,26 @@ @@ -0,0 +1,26 @@
From 20bafea414bcc08bfcb5b669ecbf9a3438ff7b78 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Thu, 3 Mar 2022 15:44:02 -0500
Subject: [PATCH 3/5] fixes #6927 -- handle negative return values from openssl
(#6928)

---
src/cryptography/hazmat/backends/openssl/rsa.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 9bef49d24..dd5d4990b 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -208,7 +208,7 @@ def _rsa_sig_setup(backend, padding, algorithm, key, init_func):
if algorithm is not None:
evp_md = backend._evp_md_non_null_from_algorithm(algorithm)
res = backend._lib.EVP_PKEY_CTX_set_signature_md(pkey_ctx, evp_md)
- if res == 0:
+ if res <= 0:
backend._consume_errors()
raise UnsupportedAlgorithm(
"{} is not supported by this backend for RSA signing.".format(
--
2.35.1

24
SOURCES/0004-Disable-test_openssl_assert_error_on_stack-in-FIPS-m.patch
Unescape View File

@ -0,0 +1,24 @@ @@ -0,0 +1,24 @@
From 820d9527070ad2c7724dcecf1a35dbac7d68621d Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Tue, 1 Mar 2022 16:22:51 +0100
Subject: [PATCH 4/5] Disable test_openssl_assert_error_on_stack in FIPS mode

---
tests/hazmat/bindings/test_openssl.py | 1 +
1 file changed, 1 insertion(+)

diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 129928ac0..9839aec4d 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -84,6 +84,7 @@ class TestOpenSSL(object):
with pytest.raises(AttributeError):
b.lib.TLS_ST_OK
+ @pytest.mark.skip_fips(reason="FIPS maps to different error codes")
def test_openssl_assert_error_on_stack(self):
b = Binding()
b.lib.ERR_put_error(
--
2.35.1

67
SOURCES/0005-Fixed-serialization-of-keyusage-ext-with-no-bits-693.patch
Unescape View File

@ -0,0 +1,67 @@ @@ -0,0 +1,67 @@
From 89af85f9d4fc2ef3e89ad1b2a58c751f00f54a4f Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Thu, 3 Mar 2022 16:24:21 -0500
Subject: [PATCH 5/5] Fixed serialization of keyusage ext with no bits (#6930)

fixes #6926
---
src/rust/src/x509/extensions.rs | 17 +++++++++++------
tests/x509/test_x509_ext.py | 14 ++++++++++++++
2 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
index 606566dd9..68b9839a0 100644
--- a/src/rust/src/x509/extensions.rs
+++ b/src/rust/src/x509/extensions.rs
@@ -135,12 +135,17 @@ pub(crate) fn encode_extension(
certificate::set_bit(&mut bs, 7, ext.getattr("encipher_only")?.is_true()?);
certificate::set_bit(&mut bs, 8, ext.getattr("decipher_only")?.is_true()?);
}
- let bits = if bs[1] == 0 { &bs[..1] } else { &bs[..] };
- let unused_bits = bits.last().unwrap().trailing_zeros() as u8;
- Ok(Some(asn1::write_single(&asn1::BitString::new(
- bits,
- unused_bits,
- ))))
+ let (bits, unused_bits) = if bs[1] == 0 {
+ if bs[0] == 0 {
+ (&[][..], 0)
+ } else {
+ (&bs[..1], bs[0].trailing_zeros() as u8)
+ }
+ } else {
+ (&bs[..], bs[1].trailing_zeros() as u8)
+ };
+ let v = asn1::BitString::new(bits, unused_bits).unwrap();
+ Ok(Some(asn1::write_single(&v)))
} else if oid == &*oid::AUTHORITY_INFORMATION_ACCESS_OID
|| oid == &*oid::SUBJECT_INFORMATION_ACCESS_OID
{
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 66ac43d95..2bbba8ec6 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -1137,6 +1137,20 @@ class TestKeyUsage(object):
),
b"\x03\x02\x02\x94",
),
+ (
+ x509.KeyUsage(
+ digital_signature=False,
+ content_commitment=False,
+ key_encipherment=False,
+ data_encipherment=False,
+ key_agreement=False,
+ key_cert_sign=False,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=False,
+ ),
+ b"\x03\x01\x00",
+ ),
],
)
def test_public_bytes(self, ext, serialized):
--
2.35.1

22
SOURCES/conftest-skipper.py
Unescape View File

@ -0,0 +1,22 @@ @@ -0,0 +1,22 @@

class Skipper:
"""Skip iso8601 and pretend tests

RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
all tests that use the excluded modules.
"""

def parse_date(self, datestring):
pytest.skip(f"iso8601 module is not available.")

def stub(self, **kwargs):
pytest.skip(f"pretend module is not available.")

def raiser(self, exc):
pytest.skip(f"pretend module is not available.")


import sys

sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()

307
SPECS/python-cryptography.spec
Unescape View File

@ -0,0 +1,307 @@ @@ -0,0 +1,307 @@
%bcond_without tests

%{!?python3_pkgversion:%global python3_pkgversion 3}

%global srcname cryptography
%global pyo3_version 0.13.1

Name: python-%{srcname}
Version: 36.0.1
Release: 2%{?dist}
Summary: PyCA's cryptography library

License: ASL 2.0 or BSD
URL: https://cryptography.io/en/latest/
Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
# created by ./vendor_rust.py helper script
Source1: cryptography-%{version}-vendor.tar.bz2
Source2: conftest-skipper.py

Patch1: 0001-Block-TripleDES-in-FIPS-mode-6879.patch
Patch2: 0002-Disable-DSA-tests-in-FIPS-mode-6916.patch
Patch3: 0003-fixes-6927-handle-negative-return-values-from-openss.patch
Patch4: 0004-Disable-test_openssl_assert_error_on_stack-in-FIPS-m.patch
Patch5: 0005-Fixed-serialization-of-keyusage-ext-with-no-bits-693.patch

ExclusiveArch: %{rust_arches}

BuildRequires: openssl-devel
BuildRequires: gcc
BuildRequires: gnupg2
%if 0%{?fedora}
BuildRequires: rust-packaging
%else
BuildRequires: rust-toolset
%endif

BuildRequires: python%{python3_pkgversion}-cffi >= 1.7
BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-setuptools
BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3
BuildRequires: python%{python3_pkgversion}-six >= 1.4.1

%if %{with tests}
%if 0%{?fedora}
BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4
BuildRequires: python%{python3_pkgversion}-iso8601
BuildRequires: python%{python3_pkgversion}-pretend
BuildRequires: python%{python3_pkgversion}-pytest-xdist
%endif
BuildRequires: python%{python3_pkgversion}-pytest >= 6.0
BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2
BuildRequires: python%{python3_pkgversion}-pytz
%endif

%description
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.

%package -n python%{python3_pkgversion}-%{srcname}
Summary: PyCA's cryptography library
%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}

Requires: openssl-libs
Requires: python%{python3_pkgversion}-six >= 1.4.1
Requires: python%{python3_pkgversion}-cffi >= 1.7
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
# Can be safely removed in Fedora 37
Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7
%endif

%description -n python%{python3_pkgversion}-%{srcname}
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.

%prep
%autosetup -p1 -n %{srcname}-%{version}

%generate_buildrequires

%if 0%{?fedora}
# Fedora: use cargo macros to make use of RPMified crates
%cargo_prep
cd src/rust
rm -f Cargo.lock
%cargo_generate_buildrequires
cd ../..
%else
# RHEL: use vendored Rust crates
%cargo_prep -V 1
%endif

%build
%py3_build

%install
# Actually other *.c and *.h are appropriate
# see https://github.com/pyca/cryptography/issues/1463
find . -name .keep -print -delete
%py3_install

%check
%if %{with tests}
%if 0%{?rhel}
# skip hypothesis tests on RHEL
rm -rf tests/hypothesis
# append skipper to skip iso8601 and pretend tests
cat < %{SOURCE2} >> tests/conftest.py
%endif

# enable SHA-1 signatures for RSA tests
# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
export OPENSSL_ENABLE_SHA1_SIGNATURES=yes

# see rhbz#2042413 for memleak. It's unstable with openssl 3.0.1 and makes
# not much sense for downstream testing.
PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
%{__python3} -m pytest \
-k "not (test_openssl_memleak)"
%endif

%files -n python%{python3_pkgversion}-%{srcname}
%doc README.rst docs
%license LICENSE LICENSE.APACHE LICENSE.BSD
%{python3_sitearch}/%{srcname}
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info

%changelog
* Tue Apr 19 2022 Christian Heimes <cheimes@redhat.com> - 36.0.1-2
- Rebuild for gating, related: rhbz#2060787

* Fri Mar 04 2022 Christian Heimes <cheimes@redhat.com> - 36.0.1-6
- Rebase to 36.0.1, related: rhbz#2059630, rhbz#2060787
- OpenSSL 3.0 FIPS mode is now detected correctly, related: rhbz#2054785
- Fix error check from EVP_PKEY_CTX_set_signature_md, related: rhbz#2060343
- Block 3DES in FIPS mode, related: rhbz#2055209
- Disable DSA tests in FIPS mode
- Enable SHA1 signatures in test suite
- Fix serialization of keyusage ext with no bits
- Re-enable tests that are passing again

* Tue Feb 08 2022 Tomas Orsava <torsava@redhat.com> - 3.4.7-8
- Skip unstable memleak tests, backported from Fedora (BZ#2042413)
- Related: rhbz#1990421

* Tue Feb 08 2022 Tomas Orsava <torsava@redhat.com> - 3.4.7-7
- Add automatically generated Obsoletes tag with the python39- prefix
for smoother upgrade from RHEL8
- Related: rhbz#1990421

* Tue Jan 18 2022 Christian Heimes <cheimes@redhat.com> - 3.4.7-6
- Fix gating issues, resolves: rhbz#2039768
- Fix poly1305 test, resolves: rhbz#2043582

* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.4.7-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688

* Sun Aug 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-4
- Remove bindings to ERR_GET_FUNC, which has been removed in 3.0.0-beta2
- Resolves: rhbz#1953446

* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.4.7-3
- Rebuilt for RHEL 9 BETA for openssl 3.0
- Related: rhbz#1971065

* Mon Apr 26 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-2
- Add backports of OpenSSL 3.0.0 fixes (upstream PR #6000)
- Resolves: rhbz#1953446

* Wed Apr 21 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-1
- Update to 3.4.7
- Remove dependency on python-cryptography-vectors package and use vectors
directly from Github source tar ball. Related: rhbz#1952343

* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.4.6-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

* Wed Mar 03 2021 Christian Heimes <cheimes@redhat.com> - 3.4.6-1
- Update to 3.4.6 (#1927044)

* Mon Feb 15 2021 Christian Heimes <cheimes@redhat.com> - 3.4.5-1
- Update to 3.4.5 (#1927044)

* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-3
- Skip iso8601 and pretend tests on RHEL

* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-2
- Provide RHEL build infrastructure

* Wed Feb 10 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-1
- Update to 3.4.4 (#1927044)

* Mon Feb 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.2-1
- Update to 3.4.2 (#1926339)
- Package no longer depends on Rust (#1926181)

* Mon Feb 08 2021 Fabio Valentini <decathorpe@gmail.com> - 3.4.1-2
- Use dynamically generated BuildRequires for PyO3 Rust module.
- Drop unnecessary CARGO_NET_OFFLINE environment variable.

* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4.1-1
- Update to 3.4.1 (#1925953)

* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-2
- Add missing abi3 and pytest dependencies

* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-1
- Update to 3.4 (#1925953)
- Remove Python 2 support
- Remove unused python-idna dependency
- Add Rust support

* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Thu Dec 10 2020 Christian Heimes <cheimes@redhat.com> - 3.3.1-1
- Update to 3.3.1 (#1905756)

* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
- Update to 3.2.1 (#1892153)

* Mon Oct 26 2020 Christian Heimes <cheimes@redhat.com> - 3.2-1
- Update to 3.2 (#1891378)

* Mon Sep 07 2020 Christian Heimes <cheimes@redhat.com> - 3.1-1
- Update to 3.1 (#1872978)

* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Tue Jul 21 2020 Christian Heimes <cheimes@redhat.com> - 3.0-1
- Update to 3.0 (#185897)

* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9-3
- Rebuilt for Python 3.9

* Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2
- add source file verification

* Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1
- Update to 2.9 (#1820348)

* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Mon Jan 13 2020 Christian Heimes <cheimes@redhat.com> - 2.8-2
- cryptography 2.8+ no longer depends on python-asn1crypto

* Thu Oct 17 2019 Christian Heimes <cheimes@redhat.com> - 2.8-1
- Update to 2.8
- Resolves: rhbz#1762779

* Sun Oct 13 2019 Christian Heimes <cheimes@redhat.com> - 2.7-3
- Skip unit tests that fail with OpenSSL 1.1.1.d
- Resolves: rhbz#1761194
- Fix and simplify Python 3 packaging

* Sat Oct 12 2019 Christian Heimes <cheimes@redhat.com> - 2.7-2
- Drop Python 2 package
- Resolves: rhbz#1761081

* Tue Sep 03 2019 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.7-1
- Update to 2.7 (#1715680).

* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.1-3
- Rebuilt for Python 3.8

* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Thu Feb 28 2019 Christian Heimes <cheimes@redhat.com> - 2.6.1-1
- New upstream release 2.6.1, resolves RHBZ#1683691

* Wed Feb 13 2019 Alfredo Moralejo <amoralej@redhat.com> - 2.5-1
- Updated to 2.5.

* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
- Use TLSv1.2 in test as workaround for RHBZ#1615143

* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
- New upstream release 2.3
- Fix AEAD tag truncation bug, RHBZ#1602752

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.1-2
- Rebuilt for Python 3.7

* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
- New upstream release 2.2.1

* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
- New upstream release 2.1.4

* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
- Build requires gcc

* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)

* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Write Preview
Loading…
Cancel
Save