Hello community,
here is the log from the commit of package python-pyOpenSSL for
openSUSE:Factory checked in at 2019-03-04 09:12:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-pyOpenSSL (Old)
and /work/SRC/openSUSE:Factory/.python-pyOpenSSL.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-pyOpenSSL"
Mon Mar 4 09:12:16 2019 rev:33 rq:680975 version:19.0.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-pyOpenSSL/python-pyOpenSSL.changes
2019-03-01 20:28:46.106020782 +0100
+++
/work/SRC/openSUSE:Factory/.python-pyOpenSSL.new.28833/python-pyOpenSSL.changes
2019-03-04 09:12:17.744688214 +0100
@@ -1,0 +2,22 @@
+Sat Mar 2 16:29:39 UTC 2019 - Ondřej Súkup <[email protected]>
+
+- update to 19.0
+- fixed build deps.
+- drop patches: openssl-1.1.0i.patch
+ openssl-1.1.1.patch
+ opensuse_ca.patch
+ tls13-renegotiation.patch
+ * X509Store.add_cert no longer raises an error if you add a duplicate cert.
+ * pyOpenSSL now works with OpenSSL 1.1.1.
+ * pyOpenSSL now handles NUL bytes in X509Name.get_components()
+
+-------------------------------------------------------------------
+Fri Mar 1 18:06:10 UTC 2019 - Hans-Peter Jansen <[email protected]>
+
+- remove everything to build docs:
+ - local-intersphinx-inventories.patch
+ - fetch-intersphinx-inventories.sh
+ - python3.inv
+ - crypto.inv
+
+-------------------------------------------------------------------
Old:
----
crypto.inv
fetch-intersphinx-inventories.sh
local-intersphinx-inventories.patch
openssl-1.1.0i.patch
openssl-1.1.1.patch
pyOpenSSL-18.0.0.tar.gz
python3.inv
tls13-renegotiation.patch
New:
----
pyOpenSSL-19.0.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-pyOpenSSL.spec ++++++
--- /var/tmp/diff_new_pack.X6zrFu/_old 2019-03-04 09:12:18.416688093 +0100
+++ /var/tmp/diff_new_pack.X6zrFu/_new 2019-03-04 09:12:18.416688093 +0100
@@ -19,30 +19,25 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define oldpython python
Name: python-pyOpenSSL
-Version: 18.0.0
+Version: 19.0.0
Release: 0
Summary: Python wrapper module around the OpenSSL library
License: Apache-2.0
Group: Development/Languages/Python
URL: https://github.com/pyca/pyopenssl
Source:
https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz
-Source1: python3.inv
-Source2: crypto.inv
-Source3: fetch-intersphinx-inventories.sh
Patch1: skip-networked-test.patch
-Patch2: openssl-1.1.0i.patch
-Patch3: openssl-1.1.1.patch
-Patch4: tls13-renegotiation.patch
-Patch5: local-intersphinx-inventories.patch
BuildRequires: %{python_module cffi}
BuildRequires: %{python_module cryptography >= 2.3.0}
BuildRequires: %{python_module flaky}
BuildRequires: %{python_module pretend}
BuildRequires: %{python_module pytest >= 3.0.1}
BuildRequires: %{python_module setuptools}
+BuildRequires: %{python_module six}
+BuildRequires: ca-certificates-mozilla
BuildRequires: fdupes
+BuildRequires: openssl
BuildRequires: python-rpm-macros
-BuildRequires: python3-Sphinx
Requires: python-cffi
Requires: python-cryptography >= 2.3.0
Requires: python-six >= 1.5.2
@@ -63,28 +58,16 @@
cryptography (<https://github.com/pyca/cryptography>), which provides (among
other things) a cffi-based interface to OpenSSL.
-%package -n %{name}-doc
-Summary: Documentation for %{name}
-Group: Documentation/HTML
-
-%description -n %{name}-doc
-Provides documentation for %{name}.
-
%prep
%setup -q -n pyOpenSSL-%{version}
%autopatch -p1
-# prepare local intersphinx inventories, fetch with
fetch-intersphinx-inventories.sh
-cp -v %{S:1} doc/
-cp -v %{S:2} doc/
-
%build
%python_build
%install
%python_install
%python_expand %fdupes %{buildroot}%{$python_sitelib}
-PYTHONPATH="%{buildroot}%{python3_sitelib}" python3 setup.py build_sphinx &&
rm build/sphinx/html/.buildinfo
%check
export LC_ALL=en_US.UTF-8
@@ -98,8 +81,4 @@
%{python_sitelib}/OpenSSL/
%{python_sitelib}/pyOpenSSL-%{version}-py*.egg-info
-%files -n %{name}-doc
-%doc build/sphinx/html/
-%doc examples/
-
%changelog
++++++ pyOpenSSL-18.0.0.tar.gz -> pyOpenSSL-19.0.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/CHANGELOG.rst
new/pyOpenSSL-19.0.0/CHANGELOG.rst
--- old/pyOpenSSL-18.0.0/CHANGELOG.rst 2018-05-16 21:14:32.000000000 +0200
+++ new/pyOpenSSL-19.0.0/CHANGELOG.rst 2019-01-21 20:22:32.000000000 +0100
@@ -4,6 +4,35 @@
Versions are year-based with a strict backward-compatibility policy.
The third digit is only for regressions.
+19.0.0 (2019-01-21)
+-------------------
+
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- ``X509Store.add_cert`` no longer raises an error if you add a duplicate cert.
+ `#787 <https://github.com/pyca/pyopenssl/pull/787>`_
+
+
+Deprecations:
+^^^^^^^^^^^^^
+
+*none*
+
+
+Changes:
+^^^^^^^^
+
+- pyOpenSSL now works with OpenSSL 1.1.1.
+ `#805 <https://github.com/pyca/pyopenssl/pull/805>`_
+- pyOpenSSL now handles NUL bytes in ``X509Name.get_components()``
+ `#804 <https://github.com/pyca/pyopenssl/pull/804>`_
+
+
+
+----
+
18.0.0 (2018-05-16)
-------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/PKG-INFO
new/pyOpenSSL-19.0.0/PKG-INFO
--- old/pyOpenSSL-18.0.0/PKG-INFO 2018-05-16 21:15:39.000000000 +0200
+++ new/pyOpenSSL-19.0.0/PKG-INFO 2019-01-21 20:23:03.000000000 +0100
@@ -1,10 +1,12 @@
-Metadata-Version: 1.1
+Metadata-Version: 2.1
Name: pyOpenSSL
-Version: 18.0.0
+Version: 19.0.0
Summary: Python wrapper module around the OpenSSL library
Home-page: https://pyopenssl.org/
-Author: Hynek Schlawack
-Author-email: [email protected]
+Author: The pyOpenSSL developers
+Author-email: [email protected]
+Maintainer: Hynek Schlawack
+Maintainer-email: [email protected]
License: Apache License, Version 2.0
Description: ========================================================
pyOpenSSL -- A Python wrapper around the OpenSSL library
@@ -58,15 +60,15 @@
Release Information
===================
- 18.0.0 (2018-05-16)
+ 19.0.0 (2019-01-21)
-------------------
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- - The minimum ``cryptography`` version is now 2.2.1.
- - Support for Python 2.6 has been dropped.
+ - ``X509Store.add_cert`` no longer raises an error if you add a
duplicate cert.
+ `#787 <https://github.com/pyca/pyopenssl/pull/787>`_
Deprecations:
@@ -78,12 +80,11 @@
Changes:
^^^^^^^^
- - Added ``Connection.get_certificate`` to retrieve the local
certificate.
- `#733 <https://github.com/pyca/pyopenssl/pull/733>`_
- - ``OpenSSL.SSL.Connection`` now sets ``SSL_MODE_AUTO_RETRY`` by
default.
- `#753 <https://github.com/pyca/pyopenssl/pull/753>`_
- - Added ``Context.set_tlsext_use_srtp`` to enable negotiation of SRTP
keying material.
- `#734 <https://github.com/pyca/pyopenssl/pull/734>`_
+ - pyOpenSSL now works with OpenSSL 1.1.1.
+ `#805 <https://github.com/pyca/pyopenssl/pull/805>`_
+ - pyOpenSSL now handles NUL bytes in ``X509Name.get_components()``
+ `#804 <https://github.com/pyca/pyopenssl/pull/804>`_
+
`Full changelog <https://pyopenssl.org/en/stable/changelog.html>`_.
@@ -101,8 +102,11 @@
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
+Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Classifier: Topic :: Security :: Cryptography
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Networking
+Provides-Extra: docs
+Provides-Extra: test
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/setup.cfg
new/pyOpenSSL-19.0.0/setup.cfg
--- old/pyOpenSSL-18.0.0/setup.cfg 2018-05-16 21:15:39.000000000 +0200
+++ new/pyOpenSSL-19.0.0/setup.cfg 2019-01-21 20:23:03.000000000 +0100
@@ -19,5 +19,4 @@
[egg_info]
tag_build =
tag_date = 0
-tag_svn_revision = 0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/setup.py
new/pyOpenSSL-19.0.0/setup.py
--- old/pyOpenSSL-18.0.0/setup.py 2018-05-16 21:14:32.000000000 +0200
+++ new/pyOpenSSL-19.0.0/setup.py 2019-01-21 20:04:11.000000000 +0100
@@ -49,7 +49,7 @@
read_file("README.rst") + "\n\n" +
"Release Information\n" +
"===================\n\n" +
- re.search("(\d{2}.\d.\d \(.*?\)\n.*?)\n\n\n----\n",
+ re.search(r"(\d{2}.\d.\d \(.*?\)\n.*?)\n\n\n----\n",
read_file("CHANGELOG.rst"), re.S).group(1) +
"\n\n`Full changelog " +
"<{uri}en/stable/changelog.html>`_.\n\n"
@@ -82,6 +82,7 @@
'Programming Language :: Python :: 3.4',
'Programming Language :: Python :: 3.5',
'Programming Language :: Python :: 3.6',
+ 'Programming Language :: Python :: 3.7',
'Programming Language :: Python :: Implementation :: CPython',
'Programming Language :: Python :: Implementation :: PyPy',
@@ -94,7 +95,7 @@
package_dir={"": "src"},
install_requires=[
# Fix cryptographyMinimum in tox.ini when changing this!
- "cryptography>=2.2.1",
+ "cryptography>=2.3",
"six>=1.5.2"
],
extras_require={
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/src/OpenSSL/SSL.py
new/pyOpenSSL-19.0.0/src/OpenSSL/SSL.py
--- old/pyOpenSSL-18.0.0/src/OpenSSL/SSL.py 2018-05-16 21:14:32.000000000
+0200
+++ new/pyOpenSSL-19.0.0/src/OpenSSL/SSL.py 2019-01-21 20:04:11.000000000
+0100
@@ -523,13 +523,8 @@
if not ocsp_data:
return 3 # SSL_TLSEXT_ERR_NOACK
- # Pass the data to OpenSSL. Insanely, OpenSSL doesn't make a
- # private copy of this data, so we need to keep it alive, but
- # it *does* want to free it itself if it gets replaced. This
- # somewhat bonkers behaviour means we need to use
- # OPENSSL_malloc directly, which is a pain in the butt to work
- # with. It's ok for us to "leak" the memory here because
- # OpenSSL now owns it and will free it.
+ # OpenSSL takes ownership of this data and expects it to have
+ # been allocated by OPENSSL_malloc.
ocsp_data_length = len(ocsp_data)
data_ptr = _lib.OPENSSL_malloc(ocsp_data_length)
_ffi.buffer(data_ptr, ocsp_data_length)[:] = ocsp_data
@@ -1190,6 +1185,19 @@
_openssl_assert(
_lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1
)
+ # In OpenSSL 1.1.1 setting the cipher list will always return TLS 1.3
+ # ciphers even if you pass an invalid cipher. Applications (like
+ # Twisted) have tests that depend on an error being raised if an
+ # invalid cipher string is passed, but without the following check
+ # for the TLS 1.3 specific cipher suites it would never error.
+ tmpconn = Connection(self, None)
+ _openssl_assert(
+ tmpconn.get_cipher_list() != [
+ 'TLS_AES_256_GCM_SHA384',
+ 'TLS_CHACHA20_POLY1305_SHA256',
+ 'TLS_AES_128_GCM_SHA256'
+ ]
+ )
def set_client_ca_list(self, certificate_authorities):
"""
@@ -1367,7 +1375,7 @@
return 0
self._tlsext_servername_callback = _ffi.callback(
- "int (*)(const SSL *, int *, void *)", wrapper)
+ "int (*)(SSL *, int *, void *)", wrapper)
_lib.SSL_CTX_set_tlsext_servername_callback(
self._context, self._tlsext_servername_callback)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/src/OpenSSL/crypto.py
new/pyOpenSSL-19.0.0/src/OpenSSL/crypto.py
--- old/pyOpenSSL-18.0.0/src/OpenSSL/crypto.py 2018-05-16 21:14:32.000000000
+0200
+++ new/pyOpenSSL-19.0.0/src/OpenSSL/crypto.py 2019-01-21 20:04:11.000000000
+0100
@@ -71,6 +71,8 @@
TYPE_RSA = _lib.EVP_PKEY_RSA
TYPE_DSA = _lib.EVP_PKEY_DSA
+TYPE_DH = _lib.EVP_PKEY_DH
+TYPE_EC = _lib.EVP_PKEY_EC
class Error(Exception):
@@ -288,15 +290,15 @@
if not isinstance(bits, int):
raise TypeError("bits must be an integer")
- # TODO Check error return
- exponent = _lib.BN_new()
- exponent = _ffi.gc(exponent, _lib.BN_free)
- _lib.BN_set_word(exponent, _lib.RSA_F4)
-
if type == TYPE_RSA:
if bits <= 0:
raise ValueError("Invalid number of bits")
+ # TODO Check error return
+ exponent = _lib.BN_new()
+ exponent = _ffi.gc(exponent, _lib.BN_free)
+ _lib.BN_set_word(exponent, _lib.RSA_F4)
+
rsa = _lib.RSA_new()
result = _lib.RSA_generate_key_ex(rsa, bits, exponent, _ffi.NULL)
@@ -695,11 +697,11 @@
nid = _lib.OBJ_obj2nid(fname)
name = _lib.OBJ_nid2sn(nid)
- result.append((
- _ffi.string(name),
- _ffi.string(
- _lib.ASN1_STRING_data(fval),
- _lib.ASN1_STRING_length(fval))))
+ # ffi.string does not handle strings containing NULL bytes
+ # (which may have been generated by old, broken software)
+ value = _ffi.buffer(_lib.ASN1_STRING_data(fval),
+ _lib.ASN1_STRING_length(fval))[:]
+ result.append((_ffi.string(name), value))
return result
@@ -902,7 +904,7 @@
:param crypto_req: A ``cryptography`` X.509 certificate signing request
:type crypto_req: ``cryptography.x509.CertificateSigningRequest``
- :rtype: PKey
+ :rtype: X509Req
.. versionadded:: 17.1.0
"""
@@ -1115,7 +1117,7 @@
:param crypto_key: A ``cryptography`` X.509 certificate.
:type crypto_key: ``cryptography.x509.Certificate``
- :rtype: PKey
+ :rtype: X509
.. versionadded:: 17.1.0
"""
@@ -1128,7 +1130,8 @@
def set_version(self, version):
"""
- Set the version number of the certificate.
+ Set the version number of the certificate. Note that the
+ version value is zero-based, eg. a value of 0 is V1.
:param version: The version number of the certificate.
:type version: :py:class:`int`
@@ -1607,7 +1610,16 @@
if not isinstance(cert, X509):
raise TypeError()
- _openssl_assert(_lib.X509_STORE_add_cert(self._store, cert._x509) != 0)
+ # As of OpenSSL 1.1.0i adding the same cert to the store more than
+ # once doesn't cause an error. Accordingly, this code now silences
+ # the error for OpenSSL < 1.1.0i as well.
+ if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0:
+ code = _lib.ERR_peek_error()
+ err_reason = _lib.ERR_GET_REASON(code)
+ _openssl_assert(
+ err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE
+ )
+ _lib.ERR_clear_error()
def add_crl(self, crl):
"""
@@ -1942,7 +1954,7 @@
"""
A certificate revocation.
"""
- #
http://www.openssl.org/docs/apps/x509v3_config.html#CRL_distribution_points_
+ #
https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#CRL-distribution-points
# which differs from crl_reasons of crypto/x509v3/v3_enum.c that matches
# OCSP_crl_reason_str. We use the latter, just like the command line
# program.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/src/OpenSSL/version.py
new/pyOpenSSL-19.0.0/src/OpenSSL/version.py
--- old/pyOpenSSL-18.0.0/src/OpenSSL/version.py 2018-05-16 21:14:32.000000000
+0200
+++ new/pyOpenSSL-19.0.0/src/OpenSSL/version.py 2019-01-21 20:22:32.000000000
+0100
@@ -11,7 +11,7 @@
"__title__", "__uri__", "__version__",
]
-__version__ = "18.0.0"
+__version__ = "19.0.0"
__title__ = "pyOpenSSL"
__uri__ = "https://pyopenssl.org/";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/src/pyOpenSSL.egg-info/PKG-INFO
new/pyOpenSSL-19.0.0/src/pyOpenSSL.egg-info/PKG-INFO
--- old/pyOpenSSL-18.0.0/src/pyOpenSSL.egg-info/PKG-INFO 2018-05-16
21:15:38.000000000 +0200
+++ new/pyOpenSSL-19.0.0/src/pyOpenSSL.egg-info/PKG-INFO 2019-01-21
20:23:03.000000000 +0100
@@ -1,10 +1,12 @@
-Metadata-Version: 1.1
+Metadata-Version: 2.1
Name: pyOpenSSL
-Version: 18.0.0
+Version: 19.0.0
Summary: Python wrapper module around the OpenSSL library
Home-page: https://pyopenssl.org/
-Author: Hynek Schlawack
-Author-email: [email protected]
+Author: The pyOpenSSL developers
+Author-email: [email protected]
+Maintainer: Hynek Schlawack
+Maintainer-email: [email protected]
License: Apache License, Version 2.0
Description: ========================================================
pyOpenSSL -- A Python wrapper around the OpenSSL library
@@ -58,15 +60,15 @@
Release Information
===================
- 18.0.0 (2018-05-16)
+ 19.0.0 (2019-01-21)
-------------------
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- - The minimum ``cryptography`` version is now 2.2.1.
- - Support for Python 2.6 has been dropped.
+ - ``X509Store.add_cert`` no longer raises an error if you add a
duplicate cert.
+ `#787 <https://github.com/pyca/pyopenssl/pull/787>`_
Deprecations:
@@ -78,12 +80,11 @@
Changes:
^^^^^^^^
- - Added ``Connection.get_certificate`` to retrieve the local
certificate.
- `#733 <https://github.com/pyca/pyopenssl/pull/733>`_
- - ``OpenSSL.SSL.Connection`` now sets ``SSL_MODE_AUTO_RETRY`` by
default.
- `#753 <https://github.com/pyca/pyopenssl/pull/753>`_
- - Added ``Context.set_tlsext_use_srtp`` to enable negotiation of SRTP
keying material.
- `#734 <https://github.com/pyca/pyopenssl/pull/734>`_
+ - pyOpenSSL now works with OpenSSL 1.1.1.
+ `#805 <https://github.com/pyca/pyopenssl/pull/805>`_
+ - pyOpenSSL now handles NUL bytes in ``X509Name.get_components()``
+ `#804 <https://github.com/pyca/pyopenssl/pull/804>`_
+
`Full changelog <https://pyopenssl.org/en/stable/changelog.html>`_.
@@ -101,8 +102,11 @@
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
+Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Classifier: Topic :: Security :: Cryptography
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Networking
+Provides-Extra: docs
+Provides-Extra: test
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/src/pyOpenSSL.egg-info/requires.txt
new/pyOpenSSL-19.0.0/src/pyOpenSSL.egg-info/requires.txt
--- old/pyOpenSSL-18.0.0/src/pyOpenSSL.egg-info/requires.txt 2018-05-16
21:15:38.000000000 +0200
+++ new/pyOpenSSL-19.0.0/src/pyOpenSSL.egg-info/requires.txt 2019-01-21
20:23:03.000000000 +0100
@@ -1,4 +1,4 @@
-cryptography>=2.2.1
+cryptography>=2.3
six>=1.5.2
[docs]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/tests/test_crypto.py
new/pyOpenSSL-19.0.0/tests/test_crypto.py
--- old/pyOpenSSL-18.0.0/tests/test_crypto.py 2018-05-16 21:14:32.000000000
+0200
+++ new/pyOpenSSL-19.0.0/tests/test_crypto.py 2019-01-21 20:04:11.000000000
+0100
@@ -1214,6 +1214,17 @@
subject = cert.get_subject()
assert "null.python.org\x00example.org" == subject.commonName
+ def test_load_nul_byte_components(self):
+ """
+ An `X509Name` from an `X509` instance loaded from a file can have a
+ NUL byte in the value of its components
+ """
+ cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM)
+ subject = cert.get_subject()
+ components = subject.get_components()
+ ccn = [value for name, value in components if name == b'CN']
+ assert ccn[0] == b'null.python.org\x00example.org'
+
def test_set_attribute_failure(self):
"""
If the value of an attribute cannot be set for some reason then
@@ -2016,16 +2027,15 @@
with pytest.raises(TypeError):
store.add_cert(cert)
- def test_add_cert_rejects_duplicate(self):
+ def test_add_cert_accepts_duplicate(self):
"""
- `X509Store.add_cert` raises `OpenSSL.crypto.Error` if an attempt is
- made to add the same certificate to the store more than once.
+ `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt
+ is made to add the same certificate to the store more than once.
"""
cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
store = X509Store()
store.add_cert(cert)
- with pytest.raises(Error):
- store.add_cert(cert)
+ store.add_cert(cert)
class TestPKCS12(object):
@@ -3157,20 +3167,20 @@
representing a serial number, a revoked reason, and certificate issuer
information.
"""
- crl = self._get_crl()
# PEM format
- dumped_crl = crl.export(
+ dumped_crl = self._get_crl().export(
self.cert, self.pkey, days=20, digest=b"sha256"
)
- text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
-
- # These magic values are based on the way the CRL above was constructed
- # and with what certificate it was exported.
- text.index(b'Serial Number: 03AB')
- text.index(b'Superseded')
- text.index(
- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'
- )
+ crl = x509.load_pem_x509_crl(dumped_crl, backend)
+ revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
+ assert revoked is not None
+ assert crl.issuer == x509.Name([
+ x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"),
+ x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"),
+ x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"),
+ x509.NameAttribute(x509.NameOID.COMMON_NAME, u"Testing Root CA"),
+ ])
def test_export_der(self):
"""
@@ -3181,17 +3191,19 @@
crl = self._get_crl()
# DER format
- dumped_crl = crl.export(
+ dumped_crl = self._get_crl().export(
self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
)
- text = _runopenssl(
- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
- )
- text.index(b'Serial Number: 03AB')
- text.index(b'Superseded')
- text.index(
- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'
- )
+ crl = x509.load_der_x509_crl(dumped_crl, backend)
+ revoked = crl.get_revoked_certificate_by_serial_number(0x03AB)
+ assert revoked is not None
+ assert crl.issuer == x509.Name([
+ x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u"US"),
+ x509.NameAttribute(x509.NameOID.STATE_OR_PROVINCE_NAME, u"IL"),
+ x509.NameAttribute(x509.NameOID.LOCALITY_NAME, u"Chicago"),
+ x509.NameAttribute(x509.NameOID.ORGANIZATION_NAME, u"Testing"),
+ x509.NameAttribute(x509.NameOID.COMMON_NAME, u"Testing Root CA"),
+ ])
# Flaky because we compare the output of running commands which sometimes
# varies by 1 second
@@ -3208,7 +3220,8 @@
self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
)
text = _runopenssl(
- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
+ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER",
+ b"-nameopt", b""
)
# text format
@@ -3779,7 +3792,7 @@
class TestEllipticCurveEquality(EqualityTestsMixin):
"""
- Tests `_EllipticCurve`\ 's implementation of ``==`` and ``!=``.
+ Tests `_EllipticCurve`'s implementation of ``==`` and ``!=``.
"""
curve_factory = EllipticCurveFactory()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/tests/test_ssl.py
new/pyOpenSSL-19.0.0/tests/test_ssl.py
--- old/pyOpenSSL-18.0.0/tests/test_ssl.py 2018-05-16 21:14:32.000000000
+0200
+++ new/pyOpenSSL-19.0.0/tests/test_ssl.py 2019-01-21 20:04:11.000000000
+0100
@@ -216,14 +216,14 @@
return [(cakey, cacert), (ikey, icert), (skey, scert)]
-def loopback_client_factory(socket):
- client = Connection(Context(SSLv23_METHOD), socket)
+def loopback_client_factory(socket, version=SSLv23_METHOD):
+ client = Connection(Context(version), socket)
client.set_connect_state()
return client
-def loopback_server_factory(socket):
- ctx = Context(SSLv23_METHOD)
+def loopback_server_factory(socket, version=SSLv23_METHOD):
+ ctx = Context(version)
ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
server = Connection(ctx, socket)
@@ -1307,13 +1307,13 @@
exception, verification fails and the exception is propagated to the
caller of `Connection.do_handshake`.
"""
- serverContext = Context(TLSv1_METHOD)
+ serverContext = Context(TLSv1_2_METHOD)
serverContext.use_privatekey(
load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
serverContext.use_certificate(
load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
- clientContext = Context(TLSv1_METHOD)
+ clientContext = Context(TLSv1_2_METHOD)
def verify_callback(*args):
raise Exception("silly verify failure")
@@ -2539,7 +2539,7 @@
"""
key = load_privatekey(FILETYPE_PEM, server_key_pem)
cert = load_certificate(FILETYPE_PEM, server_cert_pem)
- ctx = Context(SSLv23_METHOD)
+ ctx = Context(TLSv1_2_METHOD)
ctx.use_privatekey(key)
ctx.use_certificate(cert)
ctx.set_session_id("unity-test")
@@ -2632,7 +2632,7 @@
# always happen on all platforms (FreeBSD and OS X particular) for the
# very last bit of available buffer space.
msg = b"x"
- for i in range(1024 * 1024 * 4):
+ for i in range(1024 * 1024 * 64):
try:
client_socket.send(msg)
except error as e:
@@ -3193,7 +3193,10 @@
"""
Go through a complete renegotiation cycle.
"""
- server, client = loopback()
+ server, client = loopback(
+ lambda s: loopback_server_factory(s, TLSv1_2_METHOD),
+ lambda s: loopback_client_factory(s, TLSv1_2_METHOD),
+ )
server.send(b"hello world")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-18.0.0/tox.ini new/pyOpenSSL-19.0.0/tox.ini
--- old/pyOpenSSL-18.0.0/tox.ini 2018-05-16 21:14:32.000000000 +0200
+++ new/pyOpenSSL-19.0.0/tox.ini 2019-01-21 20:04:11.000000000 +0100
@@ -1,5 +1,5 @@
[tox]
-envlist =
{pypy,pypy3,py27,py34,py35,py36}{,-cryptographyMaster,-cryptographyMinimum},py27-twistedMaster,pypi-readme,check-manifest,flake8,docs,coverage-report
+envlist =
{pypy,pypy3,py27,py34,py35,py36,py37}{,-cryptographyMaster,-cryptographyMinimum},py27-twistedMaster,pypi-readme,check-manifest,flake8,docs,coverage-report
[testenv]
whitelist_externals =
@@ -10,7 +10,7 @@
deps =
coverage>=4.2
cryptographyMaster: git+https://github.com/pyca/cryptography.git
- cryptographyMinimum: cryptography==2.2.1
+ cryptographyMinimum: cryptography==2.3.0
setenv =
# Do not allow the executing environment to pollute the test environment
# with extra packages.
@@ -27,6 +27,7 @@
git+https://github.com/twisted/twisted
idna
service_identity
+ bcrypt
passenv = ARCHFLAGS CFLAGS LC_ALL LDFLAGS PATH LD_LIBRARY_PATH TERM
commands =
python -c "import OpenSSL.SSL;
print(OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_VERSION))"
@@ -38,7 +39,7 @@
deps =
pyasn1
ndg-httpsclient
-passenv = ARCHFLAGS CFLAGS LC_ALL LDFLAGS PATH LD_LIBRARY_PATH TERM
+passenv = ARCHFLAGS CFLAGS LC_ALL LDFLAGS PATH LD_LIBRARY_PATH TERM
TRAVIS_INFRA
whitelist_externals =
rm
commands =
