Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-pyhanko-certvalidator for openSUSE:Factory checked in at 2025-02-06 22:04:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-pyhanko-certvalidator (Old) and /work/SRC/openSUSE:Factory/.python-pyhanko-certvalidator.new.2316 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-pyhanko-certvalidator" Thu Feb 6 22:04:57 2025 rev:3 rq:1243431 version:0.26.5 Changes: -------- --- /work/SRC/openSUSE:Factory/python-pyhanko-certvalidator/python-pyhanko-certvalidator.changes 2024-11-13 15:30:02.137658926 +0100 +++ /work/SRC/openSUSE:Factory/.python-pyhanko-certvalidator.new.2316/python-pyhanko-certvalidator.changes 2025-02-06 22:06:29.284744447 +0100 @@ -1,0 +2,11 @@ +Wed Feb 5 13:26:06 UTC 2025 - John Paul Adrian Glaubitz <adrian.glaub...@suse.com> + +- Update to 0.26.5 + * Future-proofing against an upcoming `asn1crypto` + that is already being shipped in some distro + packages. + * Address some timing issues in tests. +- Drop 5dd5ff95b7b104667eb4f39367eb4f4c00fcedd5.patch, merged upstream +- Use Python 3.11 on SLE-15 by default + +------------------------------------------------------------------- Old: ---- 5dd5ff95b7b104667eb4f39367eb4f4c00fcedd5.patch pyhanko-certvalidator-0.26.4.tar.gz New: ---- pyhanko-certvalidator-0.26.5.tar.gz BETA DEBUG BEGIN: Old: * Address some timing issues in tests. - Drop 5dd5ff95b7b104667eb4f39367eb4f4c00fcedd5.patch, merged upstream - Use Python 3.11 on SLE-15 by default BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-pyhanko-certvalidator.spec ++++++ --- /var/tmp/diff_new_pack.zsQ0jZ/_old 2025-02-06 22:06:29.936771315 +0100 +++ /var/tmp/diff_new_pack.zsQ0jZ/_new 2025-02-06 22:06:29.940771480 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-pyhanko-certvalidator # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,14 +16,14 @@ # +%{?sle15_python_module_pythons} Name: python-pyhanko-certvalidator -Version: 0.26.4 +Version: 0.26.5 Release: 0 Summary: Validates X509 certificates and paths License: MIT URL: https://github.com/MatthiasValvekens/certvalidator Source: https://github.com/MatthiasValvekens/certvalidator/archive/refs/tags/v%{version}.tar.gz#/pyhanko-certvalidator-%{version}.tar.gz -Patch0: https://github.com/MatthiasValvekens/certvalidator/commit/5dd5ff95b7b104667eb4f39367eb4f4c00fcedd5.patch BuildRequires: %{python_module pip} BuildRequires: %{python_module setuptools >= 67.4} BuildRequires: %{python_module wheel} ++++++ pyhanko-certvalidator-0.26.4.tar.gz -> pyhanko-certvalidator-0.26.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certvalidator-0.26.4/LICENSE new/certvalidator-0.26.5/LICENSE --- old/certvalidator-0.26.4/LICENSE 2024-11-12 00:50:08.000000000 +0100 +++ new/certvalidator-0.26.5/LICENSE 2024-11-17 15:41:58.000000000 +0100 @@ -1,3 +1,5 @@ +MIT License + Copyright (c) 2015-2018 Will Bond <w...@wbond.net> Copyright (c) 2020-2023 Matthias Valvekens <d...@mvalvekens.be> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certvalidator-0.26.4/changelog.md new/certvalidator-0.26.5/changelog.md --- old/certvalidator-0.26.4/changelog.md 2024-11-12 00:50:08.000000000 +0100 +++ new/certvalidator-0.26.5/changelog.md 2024-11-17 15:41:58.000000000 +0100 
@@ -1,5 +1,13 @@ # changelog + +## 0.26.5 + +- Future-proofing against an upcoming `asn1crypto` + that is already being shipped in some distro + packages. +- Address some timing issues in tests. + ## 0.26.4 - Bump `aiohttp` requirement to `>=3.8,<3.11`. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certvalidator-0.26.4/pyhanko_certvalidator/revinfo/validate_crl.py new/certvalidator-0.26.5/pyhanko_certvalidator/revinfo/validate_crl.py --- old/certvalidator-0.26.4/pyhanko_certvalidator/revinfo/validate_crl.py 2024-11-12 00:50:08.000000000 +0100 +++ new/certvalidator-0.26.5/pyhanko_certvalidator/revinfo/validate_crl.py 2024-11-17 15:41:58.000000000 +0100 @@ -1329,16 +1329,12 @@ invalid or uses an unsupported algorithm """ - signature_algo = certificate_list['signature_algorithm'].signature_algo - hash_algo = certificate_list['signature_algorithm'].hash_algo - try: validate_sig( signature=certificate_list['signature'].native, signed_data=certificate_list['tbs_cert_list'].dump(), public_key_info=public_key, - sig_algo=signature_algo, - hash_algo=hash_algo, + signed_digest_algorithm=certificate_list['signature_algorithm'], parameters=certificate_list['signature_algorithm']['parameters'], ) except PSSParameterMismatch as e: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certvalidator-0.26.4/pyhanko_certvalidator/revinfo/validate_ocsp.py new/certvalidator-0.26.5/pyhanko_certvalidator/revinfo/validate_ocsp.py --- old/certvalidator-0.26.4/pyhanko_certvalidator/revinfo/validate_ocsp.py 2024-11-12 00:50:08.000000000 +0100 +++ new/certvalidator-0.26.5/pyhanko_certvalidator/revinfo/validate_ocsp.py 2024-11-17 15:41:58.000000000 +0100 
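Review bot: In the validate_crl.py hunk the `.signature_algo` / `.hash_algo` reads used to sit above the `try:`, so the `ValueError` asn1crypto raises for an unrecognised signature algorithm now surfaces from inside `validate_sig(...)`, within the `try` block. Only `except PSSParameterMismatch as e:` is visible here and the remaining handlers are outside the hunk, so please confirm that a CRL with an unknown signature OID still ends up as the "unsupported algorithm" failure the docstring describes. The same move happens in the validate_ocsp.py hunk, where the call sits in a `try` that ends in `return True`. A regression test feeding a CRL and an OCSP response with an unknown signature OID would pin the behaviour on both paths.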
@@ -376,19 +376,14 @@ if response is None: return False - # Determine what algorithm was used to sign the response - signature_algo = response['signature_algorithm'].signature_algo - hash_algo = response['signature_algorithm'].hash_algo - # Verify that the response was properly signed by the validated certificate tbs_response = response['tbs_response_data'] try: validate_sig( signature=response['signature'].native, signed_data=tbs_response.dump(), + signed_digest_algorithm=response['signature_algorithm'], public_key_info=responder_key, - sig_algo=signature_algo, - hash_algo=hash_algo, parameters=response['signature_algorithm']['parameters'], ) return True diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certvalidator-0.26.4/pyhanko_certvalidator/util.py new/certvalidator-0.26.5/pyhanko_certvalidator/util.py --- old/certvalidator-0.26.4/pyhanko_certvalidator/util.py 2024-11-12 00:50:08.000000000 +0100 +++ new/certvalidator-0.26.5/pyhanko_certvalidator/util.py 2024-11-17 15:41:58.000000000 +0100 @@ -197,12 +197,13 @@ signature: bytes, signed_data: bytes, public_key_info: PublicKeyInfo, - sig_algo: str, - hash_algo: str, + signed_digest_algorithm: algos.SignedDigestAlgorithm, parameters=None, ): from .errors import DSAParametersUnavailable, PSSParameterMismatch + sig_algo = signed_digest_algorithm.signature_algo + if ( sig_algo == 'dsa' and public_key_info['algorithm']['parameters'].native is None 
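Review bot: In the util.py hunk `validate_sig` drops its `sig_algo` and `hash_algo` keyword parameters in what changelog.md presents as a patch release, so any caller outside this package that still passes them will fail with a `TypeError`. Whether the helper counts as public API is not visible from the hunk; if it does, the signature change deserves its own changelog entry. The function also has no docstring (the body opens directly with the `from .errors import ...` line), and the new parameter is a good reason to add one, stating that the signature and digest algorithms are both taken from `signed_digest_algorithm` and that verification failure is reported by raising. The function body continues outside the hunk.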
@@ -227,10 +228,12 @@ pub_key = serialization.load_der_public_key(public_key_info.dump()) if sig_algo == 'rsassa_pkcs1v15': + hash_algo = signed_digest_algorithm.hash_algo assert isinstance(pub_key, rsa.RSAPublicKey) h = getattr(hashes, hash_algo.upper())() pub_key.verify(signature, signed_data, padding.PKCS1v15(), h) elif sig_algo == 'rsassa_pss': + hash_algo = signed_digest_algorithm.hash_algo assert isinstance(pub_key, rsa.RSAPublicKey) assert isinstance(parameters, algos.RSASSAPSSParams) mga: algos.MaskGenAlgorithm = parameters['mask_gen_algorithm'] @@ -248,10 +251,12 @@ hash_spec = getattr(hashes, hash_algo.upper())() pub_key.verify(signature, signed_data, pss_padding, hash_spec) elif sig_algo == 'dsa': + hash_algo = signed_digest_algorithm.hash_algo assert isinstance(pub_key, dsa.DSAPublicKey) hash_spec = getattr(hashes, hash_algo.upper())() pub_key.verify(signature, signed_data, hash_spec) elif sig_algo == 'ecdsa': + hash_algo = signed_digest_algorithm.hash_algo assert isinstance(pub_key, ec.EllipticCurvePublicKey) hash_spec = getattr(hashes, hash_algo.upper())() pub_key.verify(signature, signed_data, ec.ECDSA(hash_spec)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certvalidator-0.26.4/pyhanko_certvalidator/validate.py new/certvalidator-0.26.5/pyhanko_certvalidator/validate.py --- old/certvalidator-0.26.4/pyhanko_certvalidator/validate.py 2024-11-12 00:50:08.000000000 +0100 +++ new/certvalidator-0.26.5/pyhanko_certvalidator/validate.py 2024-11-17 15:41:58.000000000 +0100 @@ -485,9 +485,6 @@ banned_since=digest_allowed.not_allowed_after, ) - signature_algo = sd_algo.signature_algo - hash_algo = attr_cert['signature_algorithm'].hash_algo - try: validate_sig( signature=attr_cert['signature'].native, 
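Review bot: The line `hash_algo = signed_digest_algorithm.hash_algo` is now repeated in all four branches of util.py (`rsassa_pkcs1v15` and `rsassa_pss` in the `@@ -227` hunk, `dsa` and `ecdsa` in the `@@ -248` hunk) with no comment saying why the lookup moved from the callers into each branch. If the intent is to avoid reading `hash_algo` for signature algorithms that do not define a separate digest, say so once above the `if` chain, e.g. `# hash_algo is resolved per branch: not every signature algorithm defines one`. Each branch then feeds the name into `getattr(hashes, hash_algo.upper())()`, so a digest name with no matching class in `hashes` surfaces as a bare `AttributeError`. A small private helper that does the lookup and raises the package's own unsupported-algorithm error would remove the duplication and make that failure explicit.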
@@ -497,8 +494,7 @@ # validation algo) # low-priority since this only affects DSA in practice public_key_info=aa_cert.public_key, - sig_algo=signature_algo, - hash_algo=hash_algo, + signed_digest_algorithm=sd_algo, parameters=attr_cert['signature_algorithm']['parameters'], ) except PSSParameterMismatch: @@ -983,8 +979,7 @@ signature=cert['signature_value'].native, signed_data=cert['tbs_certificate'].dump(), public_key_info=self.working_public_key, - sig_algo=sd_algo.signature_algo, - hash_algo=sd_algo.hash_algo, + signed_digest_algorithm=sd_algo, parameters=cert['signature_algorithm']['parameters'], ) except PSSParameterMismatch: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certvalidator-0.26.4/pyhanko_certvalidator/version.py new/certvalidator-0.26.5/pyhanko_certvalidator/version.py --- old/certvalidator-0.26.4/pyhanko_certvalidator/version.py 2024-11-12 00:50:08.000000000 +0100 +++ new/certvalidator-0.26.5/pyhanko_certvalidator/version.py 2024-11-17 15:41:58.000000000 +0100 @@ -1,5 +1,5 @@ # coding: utf-8 -__version__ = '0.26.4' -__version_info__ = (0, 26, 4) +__version__ = '0.26.5' +__version_info__ = (0, 26, 5) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certvalidator-0.26.4/tests/test_certificate_validator.py new/certvalidator-0.26.5/tests/test_certificate_validator.py --- old/certvalidator-0.26.4/tests/test_certificate_validator.py 2024-11-12 00:50:08.000000000 +0100 +++ new/certvalidator-0.26.5/tests/test_certificate_validator.py 2024-11-17 15:41:58.000000000 +0100 @@ -4,6 +4,7 @@ import pytest from asn1crypto.util import timezone +from freezegun import freeze_time from pyhanko_certvalidator import ( CertificateValidator, 
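Review bot: In the validate.py `@@ -497` hunk the call now takes the algorithm from `sd_algo` but still reads `parameters` from `attr_cert['signature_algorithm']['parameters']`, so the two arguments come from two expressions that are only presumably the same object (the assignment of `sd_algo` is outside the hunk). Writing `parameters=sd_algo['parameters'],` would tie the PSS parameters to the same algorithm identifier that was checked against the digest policy just above. The `@@ -983` hunk has the same pattern with `cert['signature_algorithm']['parameters']`.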
@@ -94,6 +95,7 @@ await validator.async_validate_usage({'crl_sign'}) +@freeze_time('2022-05-01') @pytest.mark.asyncio async def test_certvalidator_with_params(): cert = load_nist_cert('ValidPolicyMappingTest12EE.crt') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certvalidator-0.26.4/tests/test_policy_proc.py new/certvalidator-0.26.5/tests/test_policy_proc.py --- old/certvalidator-0.26.4/tests/test_policy_proc.py 2024-11-12 00:50:08.000000000 +0100 +++ new/certvalidator-0.26.5/tests/test_policy_proc.py 2024-11-17 15:41:58.000000000 +0100 @@ -1,7 +1,6 @@ -import os - import pytest from asn1crypto import x509 +from freezegun import freeze_time from pyhanko_certvalidator.authority import ( CertTrustAnchor, @@ -49,6 +48,7 @@ assert tree.tree_base.value == expected_name +@freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_with_derived(): crt = load_nist_cert('nameConstraintsDN1CACert.crt') @@ -64,6 +64,7 @@ await async_validate_path(context, path) +@freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_with_merged_permitted_subtrees(): crt = load_nist_cert('nameConstraintsDN1CACert.crt') @@ -93,6 +94,7 @@ await async_validate_path(context, path, parameters=extra_params) +@freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_with_merged_excluded_subtrees(): crt = load_nist_cert('nameConstraintsDN3CACert.crt') @@ -122,6 +124,7 @@ await async_validate_path(context, path, parameters=extra_params) +@freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_with_certless_root(): crt = load_nist_cert('nameConstraintsDN1CACert.crt') @@ -154,6 +157,7 @@ await async_validate_path(context, path, parameters=extra_params) +@freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_with_certless_root_failure(): crt = load_nist_cert('nameConstraintsDN1CACert.crt') 
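Review bot: `@freeze_time('2022-05-01')` is added as a bare literal on `test_certvalidator_with_params` and again in every hunk of tests/test_policy_proc.py and tests/test_validate.py, with no comment on why that date was chosen. A single shared constant with a comment such as `# fixed clock inside the validity window of the NIST test certificates` (presumably the reason; confirm) would keep the date in one place when the fixtures are regenerated. The three test modules also gain `from freezegun import freeze_time`, while the spec hunk shown earlier adds no matching BuildRequires; check that the test dependency is declared in the part of the spec outside the hunk.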
@@ -186,6 +190,7 @@ await async_validate_path(context, path, parameters=extra_params) +@freeze_time('2022-05-01') @pytest.mark.asyncio async def test_validate_empty_path_certless_root(): crt = load_nist_cert('nameConstraintsDN1CACert.crt') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/certvalidator-0.26.4/tests/test_validate.py new/certvalidator-0.26.5/tests/test_validate.py --- old/certvalidator-0.26.4/tests/test_validate.py 2024-11-12 00:50:08.000000000 +0100 +++ new/certvalidator-0.26.5/tests/test_validate.py 2024-11-17 15:41:58.000000000 +0100 @@ -9,6 +9,7 @@ import pytest from asn1crypto import crl, ocsp, x509 from asn1crypto.util import timezone +from freezegun import freeze_time from pyhanko_certvalidator import PKIXValidationParams from pyhanko_certvalidator.authority import Authority, CertTrustAnchor @@ -617,6 +618,7 @@ return [PKITSTestCase.from_json(obj) for obj in cases] +@freeze_time('2022-05-01') @pytest.mark.parametrize( 'test_case', read_pkits_test_params(), ids=lambda case: str(case.test_info) ) @@ -711,6 +713,7 @@ return [PKITSUserNoticeTestCase.from_json(obj) for obj in cases] +@freeze_time('2022-05-01') @pytest.mark.parametrize( 'test_case', read_pkits_user_notice_test_params(), @@ -741,6 +744,7 @@ assert qual_obj['qualifier']['explicit_text'].native == test_case.notice +@freeze_time('2022-05-01') def test_408020_cps_pointer_qualifier_test20(): cert = load_nist_cert('CPSPointerQualifierTest20EE.crt') ca_certs = [load_nist_cert('TrustAnchorRootCertificate.crt')]