Toshaan Bharvani
1 year ago
commit
7716194151
7 changed files with 836 additions and 0 deletions
@ -0,0 +1,71 @@
@@ -0,0 +1,71 @@
|
||||
From d250d169e87168903a543248d0bfd6c37f2f6841 Mon Sep 17 00:00:00 2001 |
||||
From: Christian Heimes <christian@python.org> |
||||
Date: Tue, 22 Feb 2022 00:37:32 +0200 |
||||
Subject: [PATCH 1/5] Block TripleDES in FIPS mode (#6879) |
||||
|
||||
* Block TripleDES in FIPS mode |
||||
|
||||
NIST SP-800-131A rev 2 lists TripleDES Encryption as disallowed in FIPS 140-3 |
||||
decryption as legacy use. Three-key TDEA is listed as deprecated |
||||
throughout 2023 and disallowed after 2023. |
||||
|
||||
For simplicity we block all use of TripleDES in FIPS mode. |
||||
|
||||
Fixes: #6875 |
||||
Signed-off-by: Christian Heimes <christian@python.org> |
||||
|
||||
* Fix flake |
||||
--- |
||||
src/cryptography/hazmat/backends/openssl/backend.py | 13 ++++++------- |
||||
tests/hazmat/primitives/utils.py | 4 ++++ |
||||
2 files changed, 10 insertions(+), 7 deletions(-) |
||||
|
||||
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py |
||||
index 736452392..f38269e26 100644 |
||||
--- a/src/cryptography/hazmat/backends/openssl/backend.py |
||||
+++ b/src/cryptography/hazmat/backends/openssl/backend.py |
||||
@@ -134,7 +134,9 @@ class Backend(BackendInterface): |
||||
b"aes-192-gcm", |
||||
b"aes-256-gcm", |
||||
} |
||||
- _fips_ciphers = (AES, TripleDES) |
||||
+ # TripleDES encryption is disallowed/deprecated throughout 2023 in |
||||
+ # FIPS 140-3. To keep it simple we denylist any use of TripleDES (TDEA). |
||||
+ _fips_ciphers = (AES,) |
||||
# Sometimes SHA1 is still permissible. That logic is contained |
||||
# within the various *_supported methods. |
||||
_fips_hashes = ( |
||||
@@ -323,12 +325,9 @@ class Backend(BackendInterface): |
||||
|
||||
def cipher_supported(self, cipher, mode): |
||||
if self._fips_enabled: |
||||
- # FIPS mode requires AES or TripleDES, but only CBC/ECB allowed |
||||
- # in TripleDES mode. |
||||
- if not isinstance(cipher, self._fips_ciphers) or ( |
||||
- isinstance(cipher, TripleDES) |
||||
- and not isinstance(mode, (CBC, ECB)) |
||||
- ): |
||||
+ # FIPS mode requires AES. TripleDES is disallowed/deprecated in |
||||
+ # FIPS 140-3. |
||||
+ if not isinstance(cipher, self._fips_ciphers): |
||||
return False |
||||
|
||||
try: |
||||
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py |
||||
index 93f117828..a367343ca 100644 |
||||
--- a/tests/hazmat/primitives/utils.py |
||||
+++ b/tests/hazmat/primitives/utils.py |
||||
@@ -469,6 +469,10 @@ def _kbkdf_cmac_counter_mode_test(backend, prf, ctr_loc, params): |
||||
algorithm = supported_cipher_algorithms.get(prf) |
||||
assert algorithm is not None |
||||
|
||||
+ # TripleDES is disallowed in FIPS mode. |
||||
+ if backend._fips_enabled and algorithm is algorithms.TripleDES: |
||||
+ pytest.skip("TripleDES is not supported in FIPS mode.") |
||||
+ |
||||
ctrkdf = KBKDFCMAC( |
||||
algorithm, |
||||
Mode.CounterMode, |
||||
-- |
||||
2.35.1 |
||||
|
@ -0,0 +1,319 @@
@@ -0,0 +1,319 @@
|
||||
From ff80e3a27408657fef599f44ae1a9a875e005685 Mon Sep 17 00:00:00 2001 |
||||
From: Christian Heimes <christian@python.org> |
||||
Date: Wed, 2 Mar 2022 21:47:04 +0200 |
||||
Subject: [PATCH 2/5] Disable DSA tests in FIPS mode (#6916) |
||||
|
||||
* Disable DSA tests in FIPS mode |
||||
|
||||
See: #6880 |
||||
|
||||
* ignore coverage for nested FIPS check |
||||
|
||||
* Remove if branch |
||||
|
||||
* Remove skip modulus branch |
||||
|
||||
* Keep tests that don't use the backend |
||||
--- |
||||
.../hazmat/backends/openssl/backend.py | 7 ++- |
||||
tests/hazmat/primitives/test_dsa.py | 46 +++++++++++-------- |
||||
tests/hazmat/primitives/test_serialization.py | 24 ++++++++++ |
||||
tests/x509/test_x509.py | 43 ++++++++++++++--- |
||||
tests/x509/test_x509_ext.py | 4 ++ |
||||
5 files changed, 98 insertions(+), 26 deletions(-) |
||||
|
||||
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py |
||||
index f38269e26..a6d0e8872 100644 |
||||
--- a/src/cryptography/hazmat/backends/openssl/backend.py |
||||
+++ b/src/cryptography/hazmat/backends/openssl/backend.py |
||||
@@ -804,7 +804,12 @@ class Backend(BackendInterface): |
||||
self.openssl_assert(res == 1) |
||||
return evp_pkey |
||||
|
||||
- def dsa_hash_supported(self, algorithm): |
||||
+ def dsa_supported(self) -> bool: |
||||
+ return not self._fips_enabled |
||||
+ |
||||
+ def dsa_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool: |
||||
+ if not self.dsa_supported(): |
||||
+ return False |
||||
return self.hash_supported(algorithm) |
||||
|
||||
def dsa_parameters_supported(self, p, q, g): |
||||
diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py |
||||
index 6028b600d..60681683d 100644 |
||||
--- a/tests/hazmat/primitives/test_dsa.py |
||||
+++ b/tests/hazmat/primitives/test_dsa.py |
||||
@@ -59,7 +59,12 @@ def test_skip_if_dsa_not_supported(backend): |
||||
_skip_if_dsa_not_supported(backend, DummyHashAlgorithm(), 1, 1, 1) |
||||
|
||||
|
||||
-class TestDSA(object): |
||||
+ |
||||
+@pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+) |
||||
+class TestDSA: |
||||
def test_generate_dsa_parameters(self, backend): |
||||
parameters = dsa.generate_parameters(2048, backend) |
||||
assert isinstance(parameters, dsa.DSAParameters) |
||||
@@ -76,11 +81,6 @@ class TestDSA(object): |
||||
), |
||||
) |
||||
def test_generate_dsa_keys(self, vector, backend): |
||||
- if ( |
||||
- backend._fips_enabled |
||||
- and vector["p"] < backend._fips_dsa_min_modulus |
||||
- ): |
||||
- pytest.skip("Small modulus blocked in FIPS mode") |
||||
parameters = dsa.DSAParameterNumbers( |
||||
p=vector["p"], q=vector["q"], g=vector["g"] |
||||
).parameters(backend) |
||||
@@ -389,7 +389,12 @@ class TestDSA(object): |
||||
).private_key(backend) |
||||
|
||||
|
||||
-class TestDSAVerification(object): |
||||
+ |
||||
+@pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+) |
||||
+class TestDSAVerification: |
||||
def test_dsa_verification(self, backend, subtests): |
||||
vectors = load_vectors_from_file( |
||||
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigVer.rsp"), |
||||
@@ -481,17 +486,12 @@ class TestDSAVerification(object): |
||||
Prehashed(hashes.SHA1()) # type: ignore[arg-type] |
||||
) |
||||
|
||||
- def test_prehashed_unsupported_in_verifier_ctx(self, backend): |
||||
- public_key = DSA_KEY_1024.private_key(backend).public_key() |
||||
- with pytest.raises(TypeError), pytest.warns( |
||||
- CryptographyDeprecationWarning |
||||
- ): |
||||
- public_key.verifier( |
||||
- b"0" * 64, Prehashed(hashes.SHA1()) # type: ignore[arg-type] |
||||
- ) |
||||
- |
||||
|
||||
-class TestDSASignature(object): |
||||
+@pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+) |
||||
+class TestDSASignature: |
||||
def test_dsa_signing(self, backend, subtests): |
||||
vectors = load_vectors_from_file( |
||||
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigGen.txt"), |
||||
@@ -695,7 +695,11 @@ class TestDSANumberEquality(object): |
||||
assert priv != object() |
||||
|
||||
|
||||
-class TestDSASerialization(object): |
||||
+@pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+) |
||||
+class TestDSASerialization: |
||||
@pytest.mark.parametrize( |
||||
("fmt", "password"), |
||||
itertools.product( |
||||
@@ -916,7 +920,11 @@ class TestDSASerialization(object): |
||||
) |
||||
|
||||
|
||||
-class TestDSAPEMPublicKeySerialization(object): |
||||
+@pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+) |
||||
+class TestDSAPEMPublicKeySerialization: |
||||
@pytest.mark.parametrize( |
||||
("key_path", "loader_func", "encoding"), |
||||
[ |
||||
diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py |
||||
index fb6b753de..5a2b9fba5 100644 |
||||
--- a/tests/hazmat/primitives/test_serialization.py |
||||
+++ b/tests/hazmat/primitives/test_serialization.py |
||||
@@ -141,6 +141,10 @@ class TestDERSerialization(object): |
||||
assert isinstance(key, rsa.RSAPrivateKey) |
||||
_check_rsa_private_numbers(key.private_numbers()) |
||||
|
||||
+ @pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+ ) |
||||
@pytest.mark.parametrize( |
||||
("key_path", "password"), |
||||
[ |
||||
@@ -341,6 +345,10 @@ class TestDERSerialization(object): |
||||
with pytest.raises(ValueError): |
||||
load_der_public_key(b"invalid data", backend) |
||||
|
||||
+ @pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+ ) |
||||
@pytest.mark.parametrize( |
||||
"key_file", |
||||
[ |
||||
@@ -422,6 +430,10 @@ class TestPEMSerialization(object): |
||||
assert isinstance(key, rsa.RSAPrivateKey) |
||||
_check_rsa_private_numbers(key.private_numbers()) |
||||
|
||||
+ @pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+ ) |
||||
@pytest.mark.parametrize( |
||||
("key_path", "password"), |
||||
[ |
||||
@@ -490,6 +502,10 @@ class TestPEMSerialization(object): |
||||
numbers = key.public_numbers() |
||||
assert numbers.e == 65537 |
||||
|
||||
+ @pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+ ) |
||||
@pytest.mark.parametrize( |
||||
("key_file"), |
||||
[ |
||||
@@ -894,6 +910,10 @@ class TestPEMSerialization(object): |
||||
16, |
||||
) |
||||
|
||||
+ @pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+ ) |
||||
def test_load_pem_dsa_private_key(self, backend): |
||||
key = load_vectors_from_file( |
||||
os.path.join("asymmetric", "PKCS8", "unenc-dsa-pkcs8.pem"), |
||||
@@ -2313,6 +2333,10 @@ class TestOpenSSHSerialization(object): |
||||
DummyKeySerializationEncryption(), |
||||
) |
||||
|
||||
+ @pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+ ) |
||||
@pytest.mark.parametrize( |
||||
("key_path", "supported"), |
||||
[ |
||||
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py |
||||
index 23e97a768..7a7a52977 100644 |
||||
--- a/tests/x509/test_x509.py |
||||
+++ b/tests/x509/test_x509.py |
||||
@@ -2561,7 +2561,21 @@ class TestCertificateBuilder(object): |
||||
only_if=lambda backend: backend.hash_supported(hashes.MD5()), |
||||
skip_message="Requires OpenSSL with MD5 support", |
||||
) |
||||
- def test_sign_dsa_with_md5(self, backend): |
||||
+ @pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+ ) |
||||
+ @pytest.mark.parametrize( |
||||
+ "hash_algorithm", |
||||
+ [ |
||||
+ hashes.MD5(), |
||||
+ hashes.SHA3_224(), |
||||
+ hashes.SHA3_256(), |
||||
+ hashes.SHA3_384(), |
||||
+ hashes.SHA3_512(), |
||||
+ ], |
||||
+ ) |
||||
+ def test_sign_dsa_with_unsupported_hash(self, hash_algorithm, backend): |
||||
private_key = DSA_KEY_2048.private_key(backend) |
||||
builder = x509.CertificateBuilder() |
||||
builder = ( |
||||
@@ -2602,6 +2616,10 @@ class TestCertificateBuilder(object): |
||||
with pytest.raises(ValueError): |
||||
builder.sign(private_key, hashes.MD5(), backend) |
||||
|
||||
+ @pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+ ) |
||||
@pytest.mark.parametrize( |
||||
("hashalg", "hashalg_oid"), |
||||
[ |
||||
@@ -2615,9 +2633,6 @@ class TestCertificateBuilder(object): |
||||
def test_build_cert_with_dsa_private_key( |
||||
self, hashalg, hashalg_oid, backend |
||||
): |
||||
- if backend._fips_enabled and hashalg is hashes.SHA1: |
||||
- pytest.skip("SHA1 not supported in FIPS mode") |
||||
- |
||||
issuer_private_key = DSA_KEY_2048.private_key(backend) |
||||
subject_private_key = DSA_KEY_2048.private_key(backend) |
||||
|
||||
@@ -3646,6 +3661,10 @@ class TestCertificateSigningRequestBuilder(object): |
||||
only_if=lambda backend: backend.hash_supported(hashes.MD5()), |
||||
skip_message="Requires OpenSSL with MD5 support", |
||||
) |
||||
+ @pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+ ) |
||||
def test_sign_dsa_with_md5(self, backend): |
||||
private_key = DSA_KEY_2048.private_key(backend) |
||||
builder = x509.CertificateSigningRequestBuilder().subject_name( |
||||
@@ -3969,6 +3988,10 @@ class TestCertificateSigningRequestBuilder(object): |
||||
assert basic_constraints.value.ca is True |
||||
assert basic_constraints.value.path_length == 2 |
||||
|
||||
+ @pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+ ) |
||||
def test_build_ca_request_with_dsa(self, backend): |
||||
private_key = DSA_KEY_2048.private_key(backend) |
||||
|
||||
@@ -4319,7 +4342,11 @@ class TestCertificateSigningRequestBuilder(object): |
||||
builder.sign(private_key, hashes.SHA512(), backend) |
||||
|
||||
|
||||
-class TestDSACertificate(object): |
||||
+@pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+) |
||||
+class TestDSACertificate: |
||||
def test_load_dsa_cert(self, backend): |
||||
cert = _load_cert( |
||||
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), |
||||
@@ -4444,7 +4471,11 @@ class TestDSACertificate(object): |
||||
) |
||||
|
||||
|
||||
-class TestDSACertificateRequest(object): |
||||
+@pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+) |
||||
+class TestDSACertificateRequest: |
||||
@pytest.mark.parametrize( |
||||
("path", "loader_func"), |
||||
[ |
||||
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py |
||||
index 4173dece6..66ac43d95 100644 |
||||
--- a/tests/x509/test_x509_ext.py |
||||
+++ b/tests/x509/test_x509_ext.py |
||||
@@ -1712,6 +1712,10 @@ class TestSubjectKeyIdentifierExtension(object): |
||||
ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key()) |
||||
assert ext.value == ski |
||||
|
||||
+ @pytest.mark.supported( |
||||
+ only_if=lambda backend: backend.dsa_supported(), |
||||
+ skip_message="Does not support DSA.", |
||||
+ ) |
||||
def test_from_dsa_public_key(self, backend): |
||||
cert = _load_cert( |
||||
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"), |
||||
-- |
||||
2.35.1 |
||||
|
@ -0,0 +1,26 @@
@@ -0,0 +1,26 @@
|
||||
From 20bafea414bcc08bfcb5b669ecbf9a3438ff7b78 Mon Sep 17 00:00:00 2001 |
||||
From: Alex Gaynor <alex.gaynor@gmail.com> |
||||
Date: Thu, 3 Mar 2022 15:44:02 -0500 |
||||
Subject: [PATCH 3/5] fixes #6927 -- handle negative return values from openssl |
||||
(#6928) |
||||
|
||||
--- |
||||
src/cryptography/hazmat/backends/openssl/rsa.py | 2 +- |
||||
1 file changed, 1 insertion(+), 1 deletion(-) |
||||
|
||||
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py |
||||
index 9bef49d24..dd5d4990b 100644 |
||||
--- a/src/cryptography/hazmat/backends/openssl/rsa.py |
||||
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py |
||||
@@ -208,7 +208,7 @@ def _rsa_sig_setup(backend, padding, algorithm, key, init_func): |
||||
if algorithm is not None: |
||||
evp_md = backend._evp_md_non_null_from_algorithm(algorithm) |
||||
res = backend._lib.EVP_PKEY_CTX_set_signature_md(pkey_ctx, evp_md) |
||||
- if res == 0: |
||||
+ if res <= 0: |
||||
backend._consume_errors() |
||||
raise UnsupportedAlgorithm( |
||||
"{} is not supported by this backend for RSA signing.".format( |
||||
-- |
||||
2.35.1 |
||||
|
@ -0,0 +1,24 @@
@@ -0,0 +1,24 @@
|
||||
From 820d9527070ad2c7724dcecf1a35dbac7d68621d Mon Sep 17 00:00:00 2001 |
||||
From: Christian Heimes <christian@python.org> |
||||
Date: Tue, 1 Mar 2022 16:22:51 +0100 |
||||
Subject: [PATCH 4/5] Disable test_openssl_assert_error_on_stack in FIPS mode |
||||
|
||||
--- |
||||
tests/hazmat/bindings/test_openssl.py | 1 + |
||||
1 file changed, 1 insertion(+) |
||||
|
||||
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py |
||||
index 129928ac0..9839aec4d 100644 |
||||
--- a/tests/hazmat/bindings/test_openssl.py |
||||
+++ b/tests/hazmat/bindings/test_openssl.py |
||||
@@ -84,6 +84,7 @@ class TestOpenSSL(object): |
||||
with pytest.raises(AttributeError): |
||||
b.lib.TLS_ST_OK |
||||
|
||||
+ @pytest.mark.skip_fips(reason="FIPS maps to different error codes") |
||||
def test_openssl_assert_error_on_stack(self): |
||||
b = Binding() |
||||
b.lib.ERR_put_error( |
||||
-- |
||||
2.35.1 |
||||
|
@ -0,0 +1,67 @@
@@ -0,0 +1,67 @@
|
||||
From 89af85f9d4fc2ef3e89ad1b2a58c751f00f54a4f Mon Sep 17 00:00:00 2001 |
||||
From: Alex Gaynor <alex.gaynor@gmail.com> |
||||
Date: Thu, 3 Mar 2022 16:24:21 -0500 |
||||
Subject: [PATCH 5/5] Fixed serialization of keyusage ext with no bits (#6930) |
||||
|
||||
fixes #6926 |
||||
--- |
||||
src/rust/src/x509/extensions.rs | 17 +++++++++++------ |
||||
tests/x509/test_x509_ext.py | 14 ++++++++++++++ |
||||
2 files changed, 25 insertions(+), 6 deletions(-) |
||||
|
||||
diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs |
||||
index 606566dd9..68b9839a0 100644 |
||||
--- a/src/rust/src/x509/extensions.rs |
||||
+++ b/src/rust/src/x509/extensions.rs |
||||
@@ -135,12 +135,17 @@ pub(crate) fn encode_extension( |
||||
certificate::set_bit(&mut bs, 7, ext.getattr("encipher_only")?.is_true()?); |
||||
certificate::set_bit(&mut bs, 8, ext.getattr("decipher_only")?.is_true()?); |
||||
} |
||||
- let bits = if bs[1] == 0 { &bs[..1] } else { &bs[..] }; |
||||
- let unused_bits = bits.last().unwrap().trailing_zeros() as u8; |
||||
- Ok(Some(asn1::write_single(&asn1::BitString::new( |
||||
- bits, |
||||
- unused_bits, |
||||
- )))) |
||||
+ let (bits, unused_bits) = if bs[1] == 0 { |
||||
+ if bs[0] == 0 { |
||||
+ (&[][..], 0) |
||||
+ } else { |
||||
+ (&bs[..1], bs[0].trailing_zeros() as u8) |
||||
+ } |
||||
+ } else { |
||||
+ (&bs[..], bs[1].trailing_zeros() as u8) |
||||
+ }; |
||||
+ let v = asn1::BitString::new(bits, unused_bits).unwrap(); |
||||
+ Ok(Some(asn1::write_single(&v))) |
||||
} else if oid == &*oid::AUTHORITY_INFORMATION_ACCESS_OID |
||||
|| oid == &*oid::SUBJECT_INFORMATION_ACCESS_OID |
||||
{ |
||||
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py |
||||
index 66ac43d95..2bbba8ec6 100644 |
||||
--- a/tests/x509/test_x509_ext.py |
||||
+++ b/tests/x509/test_x509_ext.py |
||||
@@ -1137,6 +1137,20 @@ class TestKeyUsage(object): |
||||
), |
||||
b"\x03\x02\x02\x94", |
||||
), |
||||
+ ( |
||||
+ x509.KeyUsage( |
||||
+ digital_signature=False, |
||||
+ content_commitment=False, |
||||
+ key_encipherment=False, |
||||
+ data_encipherment=False, |
||||
+ key_agreement=False, |
||||
+ key_cert_sign=False, |
||||
+ crl_sign=False, |
||||
+ encipher_only=False, |
||||
+ decipher_only=False, |
||||
+ ), |
||||
+ b"\x03\x01\x00", |
||||
+ ), |
||||
], |
||||
) |
||||
def test_public_bytes(self, ext, serialized): |
||||
-- |
||||
2.35.1 |
||||
|
@ -0,0 +1,22 @@
@@ -0,0 +1,22 @@
|
||||
|
||||
class Skipper: |
||||
"""Skip iso8601 and pretend tests |
||||
|
||||
RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip |
||||
all tests that use the excluded modules. |
||||
""" |
||||
|
||||
def parse_date(self, datestring): |
||||
pytest.skip(f"iso8601 module is not available.") |
||||
|
||||
def stub(self, **kwargs): |
||||
pytest.skip(f"pretend module is not available.") |
||||
|
||||
def raiser(self, exc): |
||||
pytest.skip(f"pretend module is not available.") |
||||
|
||||
|
||||
import sys |
||||
|
||||
sys.modules["iso8601"] = sys.modules["pretend"] = Skipper() |
||||
|
@ -0,0 +1,307 @@
@@ -0,0 +1,307 @@
|
||||
%bcond_without tests |
||||
|
||||
%{!?python3_pkgversion:%global python3_pkgversion 3} |
||||
|
||||
%global srcname cryptography |
||||
%global pyo3_version 0.13.1 |
||||
|
||||
Name: python-%{srcname} |
||||
Version: 36.0.1 |
||||
Release: 2%{?dist} |
||||
Summary: PyCA's cryptography library |
||||
|
||||
License: ASL 2.0 or BSD |
||||
URL: https://cryptography.io/en/latest/ |
||||
Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz |
||||
# created by ./vendor_rust.py helper script |
||||
Source1: cryptography-%{version}-vendor.tar.bz2 |
||||
Source2: conftest-skipper.py |
||||
|
||||
Patch1: 0001-Block-TripleDES-in-FIPS-mode-6879.patch |
||||
Patch2: 0002-Disable-DSA-tests-in-FIPS-mode-6916.patch |
||||
Patch3: 0003-fixes-6927-handle-negative-return-values-from-openss.patch |
||||
Patch4: 0004-Disable-test_openssl_assert_error_on_stack-in-FIPS-m.patch |
||||
Patch5: 0005-Fixed-serialization-of-keyusage-ext-with-no-bits-693.patch |
||||
|
||||
ExclusiveArch: %{rust_arches} |
||||
|
||||
BuildRequires: openssl-devel |
||||
BuildRequires: gcc |
||||
BuildRequires: gnupg2 |
||||
%if 0%{?fedora} |
||||
BuildRequires: rust-packaging |
||||
%else |
||||
BuildRequires: rust-toolset |
||||
%endif |
||||
|
||||
BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 |
||||
BuildRequires: python%{python3_pkgversion}-devel |
||||
BuildRequires: python%{python3_pkgversion}-setuptools |
||||
BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 |
||||
BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 |
||||
|
||||
%if %{with tests} |
||||
%if 0%{?fedora} |
||||
BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 |
||||
BuildRequires: python%{python3_pkgversion}-iso8601 |
||||
BuildRequires: python%{python3_pkgversion}-pretend |
||||
BuildRequires: python%{python3_pkgversion}-pytest-xdist |
||||
%endif |
||||
BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 |
||||
BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 |
||||
BuildRequires: python%{python3_pkgversion}-pytz |
||||
%endif |
||||
|
||||
%description |
||||
cryptography is a package designed to expose cryptographic primitives and |
||||
recipes to Python developers. |
||||
|
||||
%package -n python%{python3_pkgversion}-%{srcname} |
||||
Summary: PyCA's cryptography library |
||||
%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} |
||||
|
||||
Requires: openssl-libs |
||||
Requires: python%{python3_pkgversion}-six >= 1.4.1 |
||||
Requires: python%{python3_pkgversion}-cffi >= 1.7 |
||||
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 |
||||
# Can be safely removed in Fedora 37 |
||||
Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7 |
||||
%endif |
||||
|
||||
%description -n python%{python3_pkgversion}-%{srcname} |
||||
cryptography is a package designed to expose cryptographic primitives and |
||||
recipes to Python developers. |
||||
|
||||
%prep |
||||
%autosetup -p1 -n %{srcname}-%{version} |
||||
|
||||
%generate_buildrequires |
||||
|
||||
%if 0%{?fedora} |
||||
# Fedora: use cargo macros to make use of RPMified crates |
||||
%cargo_prep |
||||
cd src/rust |
||||
rm -f Cargo.lock |
||||
%cargo_generate_buildrequires |
||||
cd ../.. |
||||
%else |
||||
# RHEL: use vendored Rust crates |
||||
%cargo_prep -V 1 |
||||
%endif |
||||
|
||||
%build |
||||
%py3_build |
||||
|
||||
%install |
||||
# Actually other *.c and *.h are appropriate |
||||
# see https://github.com/pyca/cryptography/issues/1463 |
||||
find . -name .keep -print -delete |
||||
%py3_install |
||||
|
||||
%check |
||||
%if %{with tests} |
||||
%if 0%{?rhel} |
||||
# skip hypothesis tests on RHEL |
||||
rm -rf tests/hypothesis |
||||
# append skipper to skip iso8601 and pretend tests |
||||
cat < %{SOURCE2} >> tests/conftest.py |
||||
%endif |
||||
|
||||
# enable SHA-1 signatures for RSA tests |
||||
# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343 |
||||
export OPENSSL_ENABLE_SHA1_SIGNATURES=yes |
||||
|
||||
# see rhbz#2042413 for memleak. It's unstable with openssl 3.0.1 and makes |
||||
# not much sense for downstream testing. |
||||
PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ |
||||
%{__python3} -m pytest \ |
||||
-k "not (test_openssl_memleak)" |
||||
%endif |
||||
|
||||
%files -n python%{python3_pkgversion}-%{srcname} |
||||
%doc README.rst docs |
||||
%license LICENSE LICENSE.APACHE LICENSE.BSD |
||||
%{python3_sitearch}/%{srcname} |
||||
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info |
||||
|
||||
%changelog |
||||
* Tue Apr 19 2022 Christian Heimes <cheimes@redhat.com> - 36.0.1-2 |
||||
- Rebuild for gating, related: rhbz#2060787 |
||||
|
||||
* Fri Mar 04 2022 Christian Heimes <cheimes@redhat.com> - 36.0.1-6 |
||||
- Rebase to 36.0.1, related: rhbz#2059630, rhbz#2060787 |
||||
- OpenSSL 3.0 FIPS mode is now detected correctly, related: rhbz#2054785 |
||||
- Fix error check from EVP_PKEY_CTX_set_signature_md, related: rhbz#2060343 |
||||
- Block 3DES in FIPS mode, related: rhbz#2055209 |
||||
- Disable DSA tests in FIPS mode |
||||
- Enable SHA1 signatures in test suite |
||||
- Fix serialization of keyusage ext with no bits |
||||
- Re-enable tests that are passing again |
||||
|
||||
* Tue Feb 08 2022 Tomas Orsava <torsava@redhat.com> - 3.4.7-8 |
||||
- Skip unstable memleak tests, backported from Fedora (BZ#2042413) |
||||
- Related: rhbz#1990421 |
||||
|
||||
* Tue Feb 08 2022 Tomas Orsava <torsava@redhat.com> - 3.4.7-7 |
||||
- Add automatically generated Obsoletes tag with the python39- prefix |
||||
for smoother upgrade from RHEL8 |
||||
- Related: rhbz#1990421 |
||||
|
||||
* Tue Jan 18 2022 Christian Heimes <cheimes@redhat.com> - 3.4.7-6 |
||||
- Fix gating issues, resolves: rhbz#2039768 |
||||
- Fix poly1305 test, resolves: rhbz#2043582 |
||||
|
||||
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.4.7-5 |
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags |
||||
Related: rhbz#1991688 |
||||
|
||||
* Sun Aug 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-4 |
||||
- Remove bindings to ERR_GET_FUNC, which has been removed in 3.0.0-beta2 |
||||
- Resolves: rhbz#1953446 |
||||
|
||||
* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.4.7-3 |
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0 |
||||
- Related: rhbz#1971065 |
||||
|
||||
* Mon Apr 26 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-2 |
||||
- Add backports of OpenSSL 3.0.0 fixes (upstream PR #6000) |
||||
- Resolves: rhbz#1953446 |
||||
|
||||
* Wed Apr 21 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-1 |
||||
- Update to 3.4.7 |
||||
- Remove dependency on python-cryptography-vectors package and use vectors |
||||
directly from Github source tar ball. Related: rhbz#1952343 |
||||
|
||||
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.4.6-2 |
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 |
||||
|
||||
* Wed Mar 03 2021 Christian Heimes <cheimes@redhat.com> - 3.4.6-1 |
||||
- Update to 3.4.6 (#1927044) |
||||
|
||||
* Mon Feb 15 2021 Christian Heimes <cheimes@redhat.com> - 3.4.5-1 |
||||
- Update to 3.4.5 (#1927044) |
||||
|
||||
* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-3 |
||||
- Skip iso8601 and pretend tests on RHEL |
||||
|
||||
* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-2 |
||||
- Provide RHEL build infrastructure |
||||
|
||||
* Wed Feb 10 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-1 |
||||
- Update to 3.4.4 (#1927044) |
||||
|
||||
* Mon Feb 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.2-1 |
||||
- Update to 3.4.2 (#1926339) |
||||
- Package no longer depends on Rust (#1926181) |
||||
|
||||
* Mon Feb 08 2021 Fabio Valentini <decathorpe@gmail.com> - 3.4.1-2 |
||||
- Use dynamically generated BuildRequires for PyO3 Rust module. |
||||
- Drop unnecessary CARGO_NET_OFFLINE environment variable. |
||||
|
||||
* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4.1-1 |
||||
- Update to 3.4.1 (#1925953) |
||||
|
||||
* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-2 |
||||
- Add missing abi3 and pytest dependencies |
||||
|
||||
* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-1 |
||||
- Update to 3.4 (#1925953) |
||||
- Remove Python 2 support |
||||
- Remove unused python-idna dependency |
||||
- Add Rust support |
||||
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.1-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild |
||||
|
||||
* Thu Dec 10 2020 Christian Heimes <cheimes@redhat.com> - 3.3.1-1 |
||||
- Update to 3.3.1 (#1905756) |
||||
|
||||
* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1 |
||||
- Update to 3.2.1 (#1892153) |
||||
|
||||
* Mon Oct 26 2020 Christian Heimes <cheimes@redhat.com> - 3.2-1 |
||||
- Update to 3.2 (#1891378) |
||||
|
||||
* Mon Sep 07 2020 Christian Heimes <cheimes@redhat.com> - 3.1-1 |
||||
- Update to 3.1 (#1872978) |
||||
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild |
||||
|
||||
* Tue Jul 21 2020 Christian Heimes <cheimes@redhat.com> - 3.0-1 |
||||
- Update to 3.0 (#185897) |
||||
|
||||
* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9-3 |
||||
- Rebuilt for Python 3.9 |
||||
|
||||
* Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2 |
||||
- add source file verification |
||||
|
||||
* Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1 |
||||
- Update to 2.9 (#1820348) |
||||
|
||||
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild |
||||
|
||||
* Mon Jan 13 2020 Christian Heimes <cheimes@redhat.com> - 2.8-2 |
||||
- cryptography 2.8+ no longer depends on python-asn1crypto |
||||
|
||||
* Thu Oct 17 2019 Christian Heimes <cheimes@redhat.com> - 2.8-1 |
||||
- Update to 2.8 |
||||
- Resolves: rhbz#1762779 |
||||
|
||||
* Sun Oct 13 2019 Christian Heimes <cheimes@redhat.com> - 2.7-3 |
||||
- Skip unit tests that fail with OpenSSL 1.1.1.d |
||||
- Resolves: rhbz#1761194 |
||||
- Fix and simplify Python 3 packaging |
||||
|
||||
* Sat Oct 12 2019 Christian Heimes <cheimes@redhat.com> - 2.7-2 |
||||
- Drop Python 2 package |
||||
- Resolves: rhbz#1761081 |
||||
|
||||
* Tue Sep 03 2019 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.7-1 |
||||
- Update to 2.7 (#1715680). |
||||
|
||||
* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.1-3 |
||||
- Rebuilt for Python 3.8 |
||||
|
||||
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild |
||||
|
||||
* Thu Feb 28 2019 Christian Heimes <cheimes@redhat.com> - 2.6.1-1 |
||||
- New upstream release 2.6.1, resolves RHBZ#1683691 |
||||
|
||||
* Wed Feb 13 2019 Alfredo Moralejo <amoralej@redhat.com> - 2.5-1 |
||||
- Updated to 2.5. |
||||
|
||||
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild |
||||
|
||||
* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2 |
||||
- Use TLSv1.2 in test as workaround for RHBZ#1615143 |
||||
|
||||
* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1 |
||||
- New upstream release 2.3 |
||||
- Fix AEAD tag truncation bug, RHBZ#1602752 |
||||
|
||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild |
||||
|
||||
* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.1-2 |
||||
- Rebuilt for Python 3.7 |
||||
|
||||
* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1 |
||||
- New upstream release 2.2.1 |
||||
|
||||
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1 |
||||
- New upstream release 2.1.4 |
||||
|
||||
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4 |
||||
- Build requires gcc |
||||
|
||||
* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3 |
||||
- Update Python 2 dependency declarations to new packaging standards |
||||
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) |
||||
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2 |
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild |
Loading…
Reference in new issue