Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-cryptography for
openSUSE:Factory checked in at 2023-03-15 18:52:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-cryptography (Old)
and /work/SRC/openSUSE:Factory/.python-cryptography.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-cryptography"
Wed Mar 15 18:52:58 2023 rev:73 rq:1069840 version:39.0.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-cryptography/python-cryptography.changes
2023-02-10 14:33:48.645379302 +0100
+++
/work/SRC/openSUSE:Factory/.python-cryptography.new.31432/python-cryptography.changes
2023-03-15 18:52:58.987896825 +0100
@@ -1,0 +2,8 @@
+Tue Mar 7 07:34:20 UTC 2023 - Dirk Müller <[email protected]>
+
+- update to 39.0.2:
+ * Fixed a bug where the content type header was not properly
+ encoded for PKCS7 signatures when using the ``Text`` option and
+ ``SMIME`` encoding.
+
+-------------------------------------------------------------------
Old:
----
cryptography-39.0.1.tar.gz
New:
----
cryptography-39.0.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-cryptography.spec ++++++
--- /var/tmp/diff_new_pack.LuAcyw/_old 2023-03-15 18:53:00.279903697 +0100
+++ /var/tmp/diff_new_pack.LuAcyw/_new 2023-03-15 18:53:00.287903740 +0100
@@ -28,7 +28,7 @@
%bcond_with test
%endif
Name: python-cryptography%{psuffix}
-Version: 39.0.1
+Version: 39.0.2
Release: 0
Summary: Python library which exposes cryptographic recipes and
primitives
License: Apache-2.0 OR BSD-3-Clause
++++++ cryptography-39.0.1.tar.gz -> cryptography-39.0.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/cryptography-39.0.1/CHANGELOG.rst
new/cryptography-39.0.2/CHANGELOG.rst
--- old/cryptography-39.0.1/CHANGELOG.rst 2023-02-07 20:21:24.000000000
+0100
+++ new/cryptography-39.0.2/CHANGELOG.rst 2023-03-02 21:52:07.000000000
+0100
@@ -1,6 +1,14 @@
Changelog
=========
+.. _v39-0-2:
+
+39.0.2 - 2023-03-02
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed a bug where the content type header was not properly encoded for
+ PKCS7 signatures when using the ``Text`` option and ``SMIME`` encoding.
+
.. _v39-0-1:
39.0.1 - 2023-02-07
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/cryptography-39.0.1/PKG-INFO
new/cryptography-39.0.2/PKG-INFO
--- old/cryptography-39.0.1/PKG-INFO 2023-02-07 20:21:36.377044000 +0100
+++ new/cryptography-39.0.2/PKG-INFO 2023-03-02 21:52:17.122015700 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: cryptography
-Version: 39.0.1
+Version: 39.0.2
Summary: cryptography is a package which provides cryptographic recipes and
primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The Python Cryptographic Authority and individual contributors
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/cryptography-39.0.1/docs/development/test-vectors.rst
new/cryptography-39.0.2/docs/development/test-vectors.rst
--- old/cryptography-39.0.1/docs/development/test-vectors.rst 2023-02-07
20:21:24.000000000 +0100
+++ new/cryptography-39.0.2/docs/development/test-vectors.rst 2023-03-02
21:52:07.000000000 +0100
@@ -22,7 +22,7 @@
continuous integration environments.
We have ensured all test vectors are used as of commit
-``2196000605e45d91097147c9c71f26b72af58003``.
+``b063b4aedae951c69df014cd25fa6d69ae9e8cb9``.
Asymmetric ciphers
~~~~~~~~~~~~~~~~~~
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/cryptography-39.0.1/src/cryptography/__about__.py
new/cryptography-39.0.2/src/cryptography/__about__.py
--- old/cryptography-39.0.1/src/cryptography/__about__.py 2023-02-07
20:21:24.000000000 +0100
+++ new/cryptography-39.0.2/src/cryptography/__about__.py 2023-03-02
21:52:08.000000000 +0100
@@ -9,7 +9,7 @@
"__copyright__",
]
-__version__ = "39.0.1"
+__version__ = "39.0.2"
__author__ = "The Python Cryptographic Authority and individual contributors"
-__copyright__ = "Copyright 2013-2022 {}".format(__author__)
+__copyright__ = "Copyright 2013-2023 {}".format(__author__)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/cryptography-39.0.1/src/cryptography/hazmat/backends/openssl/utils.py
new/cryptography-39.0.2/src/cryptography/hazmat/backends/openssl/utils.py
--- old/cryptography-39.0.1/src/cryptography/hazmat/backends/openssl/utils.py
2023-02-07 20:21:24.000000000 +0100
+++ new/cryptography-39.0.2/src/cryptography/hazmat/backends/openssl/utils.py
2023-03-02 21:52:08.000000000 +0100
@@ -18,7 +18,10 @@
res = backend._lib.EVP_PKEY_derive_init(ctx)
backend.openssl_assert(res == 1)
res = backend._lib.EVP_PKEY_derive_set_peer(ctx, peer_public_key._evp_pkey)
- backend.openssl_assert(res == 1)
+ if res != 1:
+ errors_with_text = backend._consume_errors_with_text()
+ raise ValueError("Error computing shared key.", errors_with_text)
+
keylen = backend._ffi.new("size_t *")
res = backend._lib.EVP_PKEY_derive(ctx, backend._ffi.NULL, keylen)
backend.openssl_assert(res == 1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/cryptography-39.0.1/src/cryptography/hazmat/primitives/serialization/pkcs7.py
new/cryptography-39.0.2/src/cryptography/hazmat/primitives/serialization/pkcs7.py
---
old/cryptography-39.0.1/src/cryptography/hazmat/primitives/serialization/pkcs7.py
2023-02-07 20:21:24.000000000 +0100
+++
new/cryptography-39.0.2/src/cryptography/hazmat/primitives/serialization/pkcs7.py
2023-03-02 21:52:08.000000000 +0100
@@ -5,6 +5,7 @@
import email.base64mime
import email.generator
import email.message
+import email.policy
import io
import typing
@@ -177,7 +178,9 @@
return rust_pkcs7.sign_and_serialize(self, encoding, options)
-def _smime_encode(data: bytes, signature: bytes, micalg: str) -> bytes:
+def _smime_encode(
+ data: bytes, signature: bytes, micalg: str, text_mode: bool
+) -> bytes:
# This function works pretty hard to replicate what OpenSSL does
# precisely. For good and for ill.
@@ -192,9 +195,10 @@
m.preamble = "This is an S/MIME signed message\n"
- msg_part = email.message.MIMEPart()
+ msg_part = OpenSSLMimePart()
msg_part.set_payload(data)
- msg_part.add_header("Content-Type", "text/plain")
+ if text_mode:
+ msg_part.add_header("Content-Type", "text/plain")
m.attach(msg_part)
sig_part = email.message.MIMEPart()
@@ -213,7 +217,18 @@
fp = io.BytesIO()
g = email.generator.BytesGenerator(
- fp, maxheaderlen=0, mangle_from_=False, policy=m.policy
+ fp,
+ maxheaderlen=0,
+ mangle_from_=False,
+ policy=m.policy.clone(linesep="\r\n"),
)
g.flatten(m)
return fp.getvalue()
+
+
+class OpenSSLMimePart(email.message.MIMEPart):
+ # A MIMEPart subclass that replicates OpenSSL's behavior of not including
+ # a newline if there are no headers.
+ def _write_headers(self, generator) -> None:
+ if list(self.raw_items()):
+ generator._write_headers(self)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/cryptography-39.0.1/src/cryptography.egg-info/PKG-INFO
new/cryptography-39.0.2/src/cryptography.egg-info/PKG-INFO
--- old/cryptography-39.0.1/src/cryptography.egg-info/PKG-INFO 2023-02-07
20:21:36.000000000 +0100
+++ new/cryptography-39.0.2/src/cryptography.egg-info/PKG-INFO 2023-03-02
21:52:17.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: cryptography
-Version: 39.0.1
+Version: 39.0.2
Summary: cryptography is a package which provides cryptographic recipes and
primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The Python Cryptographic Authority and individual contributors
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/cryptography-39.0.1/src/rust/src/pkcs7.rs
new/cryptography-39.0.2/src/rust/src/pkcs7.rs
--- old/cryptography-39.0.1/src/rust/src/pkcs7.rs 2023-02-07
20:21:24.000000000 +0100
+++ new/cryptography-39.0.2/src/rust/src/pkcs7.rs 2023-03-02
21:52:08.000000000 +0100
@@ -136,14 +136,13 @@
.getattr(crate::intern!(py, "PKCS7Options"))?;
let raw_data = builder.getattr(crate::intern!(py, "_data"))?.extract()?;
- let data = if options.contains(pkcs7_options.getattr(crate::intern!(py,
"Binary"))?)? {
- Cow::Borrowed(raw_data)
- } else {
- smime_canonicalize(
- raw_data,
- options.contains(pkcs7_options.getattr(crate::intern!(py,
"Text"))?)?,
- )
- };
+ let text_mode = options.contains(pkcs7_options.getattr(crate::intern!(py,
"Text"))?)?;
+ let (data_with_header, data_without_header) =
+ if options.contains(pkcs7_options.getattr(crate::intern!(py,
"Binary"))?)? {
+ (Cow::Borrowed(raw_data), Cow::Borrowed(raw_data))
+ } else {
+ smime_canonicalize(raw_data, text_mode)
+ };
let content_type_bytes = asn1::write_single(&PKCS7_DATA_OID)?;
let signing_time_bytes =
asn1::write_single(&x509::certificate::time_from_chrono(
@@ -180,7 +179,7 @@
{
(
None,
- x509::sign::sign_data(py, py_private_key, py_hash_alg, &data)?,
+ x509::sign::sign_data(py, py_private_key, py_hash_alg,
&data_with_header)?,
)
} else {
let mut authenticated_attrs = vec![];
@@ -198,7 +197,8 @@
])),
});
- let digest = asn1::write_single(&x509::ocsp::hash_data(py,
py_hash_alg, &data)?)?;
+ let digest =
+ asn1::write_single(&x509::ocsp::hash_data(py, py_hash_alg,
&data_with_header)?)?;
// Gross hack: copy to PyBytes to extend the lifetime to 'p
let digest_bytes = pyo3::types::PyBytes::new(py, &digest);
authenticated_attrs.push(x509::csr::Attribute {
@@ -264,7 +264,7 @@
if options.contains(pkcs7_options.getattr(crate::intern!(py,
"DetachedSignature"))?)? {
None
} else {
- data_tlv_bytes = asn1::write_single(&data.deref())?;
+ data_tlv_bytes = asn1::write_single(&data_with_header.deref())?;
Some(asn1::parse_single(&data_tlv_bytes).unwrap())
};
@@ -290,7 +290,7 @@
content_type: PKCS7_SIGNED_DATA_OID,
content: Some(asn1::parse_single(&signed_data_bytes).unwrap()),
};
- let content_info_bytes = asn1::write_single(&content_info)?;
+ let ci_bytes = asn1::write_single(&content_info)?;
let encoding_class = py
.import("cryptography.hazmat.primitives.serialization")?
@@ -302,43 +302,49 @@
.map(|d| OIDS_TO_MIC_NAME[&d.oid])
.collect::<Vec<_>>()
.join(",");
- Ok(py
+ let smime_encode = py
.import("cryptography.hazmat.primitives.serialization.pkcs7")?
- .getattr(crate::intern!(py, "_smime_encode"))?
- .call1((
- pyo3::types::PyBytes::new(py, &data),
- pyo3::types::PyBytes::new(py, &content_info_bytes),
- mic_algs,
- ))?
+ .getattr(crate::intern!(py, "_smime_encode"))?;
+ Ok(smime_encode
+ .call1((&*data_without_header, &*ci_bytes, mic_algs, text_mode))?
.extract()?)
} else {
// Handles the DER, PEM, and error cases
- encode_der_data(py, "PKCS7".to_string(), content_info_bytes, encoding)
+ encode_der_data(py, "PKCS7".to_string(), ci_bytes, encoding)
}
}
-fn smime_canonicalize(data: &[u8], text_mode: bool) -> Cow<'_, [u8]> {
- let mut new_data = vec![];
+fn smime_canonicalize(data: &[u8], text_mode: bool) -> (Cow<'_, [u8]>, Cow<'_,
[u8]>) {
+ let mut new_data_with_header = vec![];
+ let mut new_data_without_header = vec![];
if text_mode {
- new_data.extend_from_slice(b"Content-Type: text/plain\r\n\r\n");
+ new_data_with_header.extend_from_slice(b"Content-Type:
text/plain\r\n\r\n");
}
let mut last_idx = 0;
for (i, c) in data.iter().copied().enumerate() {
if c == b'\n' && (i == 0 || data[i - 1] != b'\r') {
- new_data.extend_from_slice(&data[last_idx..i]);
- new_data.push(b'\r');
- new_data.push(b'\n');
+ new_data_with_header.extend_from_slice(&data[last_idx..i]);
+ new_data_with_header.push(b'\r');
+ new_data_with_header.push(b'\n');
+
+ new_data_without_header.extend_from_slice(&data[last_idx..i]);
+ new_data_without_header.push(b'\r');
+ new_data_without_header.push(b'\n');
last_idx = i + 1;
}
}
// If there's stuff in new_data, that means we need to copy the rest of
// data over.
- if !new_data.is_empty() {
- new_data.extend_from_slice(&data[last_idx..]);
- Cow::Owned(new_data)
+ if !new_data_with_header.is_empty() {
+ new_data_with_header.extend_from_slice(&data[last_idx..]);
+ new_data_without_header.extend_from_slice(&data[last_idx..]);
+ (
+ Cow::Owned(new_data_with_header),
+ Cow::Owned(new_data_without_header),
+ )
} else {
- Cow::Borrowed(data)
+ (Cow::Borrowed(data), Cow::Borrowed(data))
}
}
@@ -359,27 +365,60 @@
#[test]
fn test_smime_canonicalize() {
- for (input, text_mode, expected, expected_is_borrowed) in [
+ for (
+ input,
+ text_mode,
+ expected_with_header,
+ expected_without_header,
+ expected_is_borrowed,
+ ) in [
// Values with text_mode=false
- (b"" as &[u8], false, b"" as &[u8], true),
- (b"\n", false, b"\r\n", false),
- (b"abc", false, b"abc", true),
- (b"abc\r\ndef\n", false, b"abc\r\ndef\r\n", false),
- (b"abc\r\n", false, b"abc\r\n", true),
- (b"abc\ndef\n", false, b"abc\r\ndef\r\n", false),
+ (b"" as &[u8], false, b"" as &[u8], b"" as &[u8], true),
+ (b"\n", false, b"\r\n", b"\r\n", false),
+ (b"abc", false, b"abc", b"abc", true),
+ (
+ b"abc\r\ndef\n",
+ false,
+ b"abc\r\ndef\r\n",
+ b"abc\r\ndef\r\n",
+ false,
+ ),
+ (b"abc\r\n", false, b"abc\r\n", b"abc\r\n", true),
+ (
+ b"abc\ndef\n",
+ false,
+ b"abc\r\ndef\r\n",
+ b"abc\r\ndef\r\n",
+ false,
+ ),
// Values with text_mode=true
- (b"", true, b"Content-Type: text/plain\r\n\r\n", false),
- (b"abc", true, b"Content-Type: text/plain\r\n\r\nabc", false),
+ (b"", true, b"Content-Type: text/plain\r\n\r\n", b"", false),
+ (
+ b"abc",
+ true,
+ b"Content-Type: text/plain\r\n\r\nabc",
+ b"abc",
+ false,
+ ),
(
b"abc\n",
true,
b"Content-Type: text/plain\r\n\r\nabc\r\n",
+ b"abc\r\n",
false,
),
] {
- let result = smime_canonicalize(input, text_mode);
- assert_eq!(result.deref(), expected);
- assert_eq!(matches!(result, Cow::Borrowed(_)),
expected_is_borrowed);
+ let (result_with_header, result_without_header) =
smime_canonicalize(input, text_mode);
+ assert_eq!(result_with_header.deref(), expected_with_header);
+ assert_eq!(result_without_header.deref(), expected_without_header);
+ assert_eq!(
+ matches!(result_with_header, Cow::Borrowed(_)),
+ expected_is_borrowed
+ );
+ assert_eq!(
+ matches!(result_without_header, Cow::Borrowed(_)),
+ expected_is_borrowed
+ );
}
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/cryptography-39.0.1/tests/hazmat/primitives/test_pkcs7.py
new/cryptography-39.0.2/tests/hazmat/primitives/test_pkcs7.py
--- old/cryptography-39.0.1/tests/hazmat/primitives/test_pkcs7.py
2023-02-07 20:21:24.000000000 +0100
+++ new/cryptography-39.0.2/tests/hazmat/primitives/test_pkcs7.py
2023-03-02 21:52:08.000000000 +0100
@@ -3,6 +3,7 @@
# for complete details.
+import email.parser
import os
import typing
@@ -289,6 +290,7 @@
sig = builder.sign(serialization.Encoding.SMIME, options)
sig_binary = builder.sign(serialization.Encoding.DER, options)
+ assert b"text/plain" not in sig
# We don't have a generic ASN.1 parser available to us so we instead
# will assert on specific byte sequences being present based on the
# parameters chosen above.
@@ -298,8 +300,17 @@
# as a separate section before the PKCS7 data. So we should expect to
# have data in sig but not in sig_binary
assert data in sig
+ # Parse the message to get the signed data, which is the
+ # first payload in the message
+ message = email.parser.BytesParser().parsebytes(sig)
+ signed_data = message.get_payload()[0].get_payload().encode()
_pkcs7_verify(
- serialization.Encoding.SMIME, sig, data, [cert], options, backend
+ serialization.Encoding.SMIME,
+ sig,
+ signed_data,
+ [cert],
+ options,
+ backend,
)
assert data not in sig_binary
_pkcs7_verify(
@@ -492,10 +503,14 @@
# The text option adds text/plain headers to the S/MIME message
# These headers are only relevant in SMIME mode, not binary, which is
# just the PKCS7 structure itself.
- assert b"text/plain" in sig_pem
- # When passing the Text option the header is prepended so the actual
- # signed data is this.
- signed_data = b"Content-Type: text/plain\r\n\r\nhello world"
+ assert sig_pem.count(b"text/plain") == 1
+ assert b"Content-Type: text/plain\r\n\r\nhello world\r\n" in sig_pem
+ # Parse the message to get the signed data, which is the
+ # first payload in the message
+ message = email.parser.BytesParser().parsebytes(sig_pem)
+ signed_data = message.get_payload()[0].as_bytes(
+ policy=message.policy.clone(linesep="\r\n")
+ )
_pkcs7_verify(
serialization.Encoding.SMIME,
sig_pem,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/cryptography-39.0.1/tests/wycheproof/test_ecdh.py
new/cryptography-39.0.2/tests/wycheproof/test_ecdh.py
--- old/cryptography-39.0.1/tests/wycheproof/test_ecdh.py 2023-02-07
20:21:24.000000000 +0100
+++ new/cryptography-39.0.2/tests/wycheproof/test_ecdh.py 2023-03-02
21:52:08.000000000 +0100
@@ -21,6 +21,12 @@
"secp521r1": ec.SECP521R1(),
"secp224k1": None,
"secp256k1": ec.SECP256K1(),
+ "sect283r1": ec.SECT283R1(),
+ "sect409r1": ec.SECT409R1(),
+ "sect571r1": ec.SECT571R1(),
+ "sect283k1": ec.SECT283K1(),
+ "sect409k1": ec.SECT409K1(),
+ "sect571k1": ec.SECT571K1(),
"brainpoolP224r1": None,
"brainpoolP256r1": ec.BrainpoolP256R1(),
"brainpoolP320r1": None,
@@ -31,6 +37,7 @@
"brainpoolP320t1": None,
"brainpoolP384t1": None,
"brainpoolP512t1": None,
+ "FRP256v1": None,
}
@@ -46,6 +53,12 @@
"ecdh_secp256r1_test.json",
"ecdh_secp384r1_test.json",
"ecdh_secp521r1_test.json",
+ "ecdh_sect283k1_test.json",
+ "ecdh_sect283r1_test.json",
+ "ecdh_sect409k1_test.json",
+ "ecdh_sect409r1_test.json",
+ "ecdh_sect571k1_test.json",
+ "ecdh_sect571r1_test.json",
)
def test_ecdh(backend, wycheproof):
curve = _CURVES[wycheproof.testgroup["curve"]]
@@ -70,7 +83,13 @@
except UnsupportedAlgorithm:
return
- if wycheproof.valid or wycheproof.acceptable:
+ if wycheproof.valid or (
+ wycheproof.acceptable
+ and not (
+ wycheproof.has_flag("LowOrderPublic")
+ and backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+ )
+ ):
computed_shared = private_key.exchange(ec.ECDH(), public_key)
expected_shared = binascii.unhexlify(wycheproof.testcase["shared"])
assert computed_shared == expected_shared
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/cryptography-39.0.1/tests/wycheproof/test_ecdsa.py
new/cryptography-39.0.2/tests/wycheproof/test_ecdsa.py
--- old/cryptography-39.0.1/tests/wycheproof/test_ecdsa.py 2023-02-07
20:21:24.000000000 +0100
+++ new/cryptography-39.0.2/tests/wycheproof/test_ecdsa.py 2023-03-02
21:52:08.000000000 +0100
@@ -53,6 +53,11 @@
"ecdsa_secp384r1_sha3_512_test.json",
"ecdsa_secp521r1_sha512_test.json",
"ecdsa_secp521r1_sha3_512_test.json",
+ "ecdsa_secp160k1_sha256_test.json",
+ "ecdsa_secp160r1_sha256_test.json",
+ "ecdsa_secp160r2_sha256_test.json",
+ "ecdsa_secp192k1_sha256_test.json",
+ "ecdsa_secp192r1_sha256_test.json",
)
def test_ecdsa_signature(backend, wycheproof):
try:
++++++ vendor.tar.zst ++++++
Binary files /var/tmp/diff_new_pack.LuAcyw/_old and
/var/tmp/diff_new_pack.LuAcyw/_new differ
