diff --git a/backport-CVE-2024-26130.patch b/backport-CVE-2024-26130.patch deleted file mode 100644 index 9b0d27961d09f02c9255a7d09ae2ecf0eca571f1..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-26130.patch +++ /dev/null @@ -1,63 +0,0 @@ -From fc9611c3260f4d38a87227febf43d758938a8a75 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Mon, 19 Feb 2024 11:50:28 -0500 -Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't - match (#10423) - ---- - .../hazmat/backends/openssl/backend.py | 9 +++++++++ - tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ - 2 files changed, 27 insertions(+) - -diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py -index 5d9eb27..12fbebe 100644 ---- a/src/cryptography/hazmat/backends/openssl/backend.py -+++ b/src/cryptography/hazmat/backends/openssl/backend.py -@@ -826,6 +826,15 @@ class Backend: - mac_iter, - 0, - ) -+ if p12 == self._ffi.NULL: -+ errors = self._consume_errors() -+ raise ValueError( -+ ( -+ "Failed to create PKCS12 (does the key match the " -+ "certificate?)" -+ ), -+ errors, -+ ) - - if ( - self._lib.Cryptography_HAS_PKCS12_SET_MAC -diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py -index cd9c279..cd7bcaf 100644 ---- a/tests/hazmat/primitives/test_pkcs12.py -+++ b/tests/hazmat/primitives/test_pkcs12.py -@@ -657,6 +657,24 @@ class TestPKCS12Creation: - b"name", cakey, cacert, [], algorithm - ) - -+ @pytest.mark.supported( -+ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, -+ skip_message="Requires OpenSSL with PKCS12_set_mac", -+ ) -+ def test_set_mac_key_certificate_mismatch(self, backend): -+ cacert, _ = _load_ca(backend) -+ key = ec.generate_private_key(ec.SECP256R1()) -+ encryption = ( -+ serialization.PrivateFormat.PKCS12.encryption_builder() -+ .hmac_hash(hashes.SHA256()) -+ .build(b"password") -+ ) -+ -+ with pytest.raises(ValueError): -+ serialize_key_and_certificates( -+ b"name", key, cacert, [], encryption -+ ) -+ - - @pytest.mark.skip_fips( - reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." --- -2.27.0 - diff --git a/backport-provide-openssl-apis-related-to-SM-for-python.patch b/backport-provide-openssl-apis-related-to-SM-for-python.patch deleted file mode 100644 index 68f469a5e2265c599a56e0e4e1116bcecae6cdca..0000000000000000000000000000000000000000 --- a/backport-provide-openssl-apis-related-to-SM-for-python.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 52325495900f1bd9e1f228f24c81c0746520dc85 Mon Sep 17 00:00:00 2001 -From: hanxinke -Date: Tue, 3 Aug 2021 10:45:22 +0800 -Subject: [PATCH] provide openssl apis related to SM for python - -Signed-off-by: hanxinke ---- - src/_cffi_src/openssl/evp.py | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py -index 54f5388..c304684 100644 ---- a/src/_cffi_src/openssl/evp.py -+++ b/src/_cffi_src/openssl/evp.py -@@ -32,6 +32,7 @@ static const int EVP_CTRL_AEAD_SET_TAG; - - static const int Cryptography_HAS_SCRYPT; - static const int Cryptography_HAS_EVP_PKEY_DHX; -+static const int EVP_PKEY_SM2; - static const long Cryptography_HAS_300_FIPS; - static const long Cryptography_HAS_300_EVP_CIPHER; - """ -@@ -69,6 +70,9 @@ int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t); - int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int, - EVP_PKEY *); - -+int EVP_DigestVerifyUpdate(EVP_MD_CTX *, const void *, size_t); -+int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, -+ size_t siglen); - - int EVP_PKEY_set1_RSA(EVP_PKEY *, RSA *); - int EVP_PKEY_set1_DSA(EVP_PKEY *, DSA *); -@@ -84,6 +88,9 @@ int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); - - int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); - -+void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); -+const EVP_MD *EVP_sm3(void); -+ - int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); - """ - --- -2.27.0 - diff --git a/cargo-vendor-cache b/cargo-vendor-cache new file mode 100644 index 0000000000000000000000000000000000000000..b79753d6f725d7a7cbe48fdf7b80fd6ed3c8433c Binary files /dev/null and b/cargo-vendor-cache differ diff --git a/cargo-vendor-cache.tar.gz b/cargo-vendor-cache.tar.gz deleted file mode 100644 index f1876f8d92316969e6b445be4322040bbd070b57..0000000000000000000000000000000000000000 Binary files a/cargo-vendor-cache.tar.gz and /dev/null differ diff --git a/cryptography-42.0.2.tar.gz b/cryptography-42.0.2.tar.gz deleted file mode 100644 index b68881182ef1eede839a433ca3a3999b3f8366d2..0000000000000000000000000000000000000000 Binary files a/cryptography-42.0.2.tar.gz and /dev/null differ diff --git a/cryptography-45.0.5.tar.gz b/cryptography-45.0.5.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..57554c75628f3488f26ecb9477c1be310e001ae2 Binary files /dev/null and b/cryptography-45.0.5.tar.gz differ diff --git a/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch b/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch new file mode 100644 index 0000000000000000000000000000000000000000..91953fd86353384cb17deb51145070e327f3702a --- /dev/null +++ b/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch @@ -0,0 +1,479 @@ +From fe6fe6fac2671a37eba40b4c6b2e8f356605761d Mon Sep 17 00:00:00 2001 +From: shixuantong +Date: Tue, 29 Jul 2025 09:55:25 +0800 +Subject: [PATCH] disable RSA PKCS#1v1.5 padding to fix CVE-2023-50782 + +--- + src/rust/src/backend/rsa.rs | 6 +- + tests/hazmat/primitives/test_pkcs7.py | 304 +++++++++++++------------- + tests/hazmat/primitives/test_rsa.py | 16 +- + 3 files changed, 172 insertions(+), 154 deletions(-) + +diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs +index b490e1c..7e65ca2 100644 +--- a/src/rust/src/backend/rsa.rs ++++ b/src/rust/src/backend/rsa.rs +@@ -92,7 +92,11 @@ fn setup_encryption_ctx( + } + + let padding_enum = if padding.is_instance(&types::PKCS1V15.get(py)?)? { +- openssl::rsa::Padding::PKCS1 ++ return Err(CryptographyError::from( ++ pyo3::exceptions::PyValueError::new_err( ++ "RSA PKCS#1v1.5 has security problems and it has been banned.", ++ ), ++ )); + } else if padding.is_instance(&types::OAEP.get(py)?)? { + if !padding + .getattr(pyo3::intern!(py, "_mgf"))? +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index 1496a23..ec691de 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -982,45 +982,46 @@ class TestPKCS7EnvelopeBuilder: + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.SMIME, options) +- assert b"MIME-Version: 1.0\n" in enveloped +- assert b"Content-Transfer-Encoding: base64\n" in enveloped +- message = email.parser.BytesParser().parsebytes(enveloped) +- assert message.get_content_disposition() == "attachment" +- assert message.get_filename() == "smime.p7m" +- assert message.get_content_type() == "application/pkcs7-mime" +- assert message.get_param("smime-type") == "enveloped-data" +- assert message.get_param("name") == "smime.p7m" +- +- payload = message.get_payload(decode=True) +- assert isinstance(payload, bytes) +- +- # We want to know if we've serialized something that has the parameters +- # we expect, so we match on specific byte strings of OIDs & DER values. +- # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) +- assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in payload +- # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) +- assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in payload +- # cryptography CA (the recipient's Common Name) +- assert ( +- b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" +- b"\x20\x43\x41" +- ) in payload ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.SMIME, options) ++ assert b"MIME-Version: 1.0\n" in enveloped ++ assert b"Content-Transfer-Encoding: base64\n" in enveloped ++ message = email.parser.BytesParser().parsebytes(enveloped) ++ assert message.get_content_disposition() == "attachment" ++ assert message.get_filename() == "smime.p7m" ++ assert message.get_content_type() == "application/pkcs7-mime" ++ assert message.get_param("smime-type") == "enveloped-data" ++ assert message.get_param("name") == "smime.p7m" ++ ++ payload = message.get_payload(decode=True) ++ assert isinstance(payload, bytes) ++ ++ # We want to know if we've serialized something that has the parameters ++ # we expect, so we match on specific byte strings of OIDs & DER values. ++ # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) ++ assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in payload ++ # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) ++ assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in payload ++ # cryptography CA (the recipient's Common Name) ++ assert ( ++ b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" ++ b"\x20\x43\x41" ++ ) in payload + +- decrypted_bytes = pkcs7.pkcs7_decrypt_smime( +- enveloped, +- cert, +- private_key, +- [o for o in options if o != pkcs7.PKCS7Options.Binary], +- ) ++ decrypted_bytes = pkcs7.pkcs7_decrypt_smime( ++ enveloped, ++ cert, ++ private_key, ++ [o for o in options if o != pkcs7.PKCS7Options.Binary], ++ ) + +- # New lines are canonicalized to '\r\n' when not using Binary +- expected_data = ( +- data +- if pkcs7.PKCS7Options.Binary in options +- else data.replace(b"\n", b"\r\n") +- ) +- assert decrypted_bytes == expected_data ++ # New lines are canonicalized to '\r\n' when not using Binary ++ expected_data = ( ++ data ++ if pkcs7.PKCS7Options.Binary in options ++ else data.replace(b"\n", b"\r\n") ++ ) ++ assert decrypted_bytes == expected_data + + @pytest.mark.parametrize( + "options", +@@ -1035,33 +1036,34 @@ class TestPKCS7EnvelopeBuilder: + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, options) + +- # We want to know if we've serialized something that has the parameters +- # we expect, so we match on specific byte strings of OIDs & DER values. +- # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) +- assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in enveloped +- # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) +- assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in enveloped +- # cryptography CA (the recipient's Common Name) +- assert ( +- b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" +- b"\x20\x43\x41" +- ) in enveloped ++ # We want to know if we've serialized something that has the parameters ++ # we expect, so we match on specific byte strings of OIDs & DER values. ++ # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) ++ assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in enveloped ++ # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) ++ assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in enveloped ++ # cryptography CA (the recipient's Common Name) ++ assert ( ++ b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" ++ b"\x20\x43\x41" ++ ) in enveloped + +- decrypted_bytes = pkcs7.pkcs7_decrypt_der( +- enveloped, +- cert, +- private_key, +- [o for o in options if o != pkcs7.PKCS7Options.Binary], +- ) +- # New lines are canonicalized to '\r\n' when not using Binary +- expected_data = ( +- data +- if pkcs7.PKCS7Options.Binary in options +- else data.replace(b"\n", b"\r\n") +- ) +- assert decrypted_bytes == expected_data ++ decrypted_bytes = pkcs7.pkcs7_decrypt_der( ++ enveloped, ++ cert, ++ private_key, ++ [o for o in options if o != pkcs7.PKCS7Options.Binary], ++ ) ++ # New lines are canonicalized to '\r\n' when not using Binary ++ expected_data = ( ++ data ++ if pkcs7.PKCS7Options.Binary in options ++ else data.replace(b"\n", b"\r\n") ++ ) ++ assert decrypted_bytes == expected_data + + @pytest.mark.parametrize( + "options", +@@ -1076,21 +1078,22 @@ class TestPKCS7EnvelopeBuilder: + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.PEM, options) +- decrypted_bytes = pkcs7.pkcs7_decrypt_pem( +- enveloped, +- cert, +- private_key, +- [o for o in options if o != pkcs7.PKCS7Options.Binary], +- ) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.PEM, options) ++ decrypted_bytes = pkcs7.pkcs7_decrypt_pem( ++ enveloped, ++ cert, ++ private_key, ++ [o for o in options if o != pkcs7.PKCS7Options.Binary], ++ ) + +- # New lines are canonicalized to '\r\n' when not using Binary +- expected_data = ( +- data +- if pkcs7.PKCS7Options.Binary in options +- else data.replace(b"\n", b"\r\n") +- ) +- assert decrypted_bytes == expected_data ++ # New lines are canonicalized to '\r\n' when not using Binary ++ expected_data = ( ++ data ++ if pkcs7.PKCS7Options.Binary in options ++ else data.replace(b"\n", b"\r\n") ++ ) ++ assert decrypted_bytes == expected_data + + def test_smime_encrypt_multiple_recipients(self, backend): + data = b"hello world\n" +@@ -1101,13 +1104,14 @@ class TestPKCS7EnvelopeBuilder: + .add_recipient(cert) + .add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, []) +- # cryptography CA (the recipient's Common Name) +- common_name_bytes = ( +- b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61" +- b"\x70\x68\x79\x20\x43\x41" +- ) +- assert enveloped.count(common_name_bytes) == 2 ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, []) ++ # cryptography CA (the recipient's Common Name) ++ common_name_bytes = ( ++ b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61" ++ b"\x70\x68\x79\x20\x43\x41" ++ ) ++ assert enveloped.count(common_name_bytes) == 2 + + + @pytest.mark.supported( +@@ -1170,14 +1174,15 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, options) + +- # Test decryption: new lines are canonicalized to '\r\n' when +- # encryption has no Binary option +- decrypted = pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, options +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption: new lines are canonicalized to '\r\n' when ++ # encryption has no Binary option ++ decrypted = pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, options ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + def test_pkcs7_decrypt_aes_256_cbc_encrypted_content( + self, backend, data, certificate, private_key +@@ -1189,14 +1194,15 @@ class TestPKCS7Decrypt: + .set_content_encryption_algorithm(algorithms.AES256) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.PEM, []) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.PEM, []) + +- # Test decryption: new lines are canonicalized to '\r\n' when +- # encryption has no Binary option +- decrypted = pkcs7.pkcs7_decrypt_pem( +- enveloped, certificate, private_key, [] +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption: new lines are canonicalized to '\r\n' when ++ # encryption has no Binary option ++ decrypted = pkcs7.pkcs7_decrypt_pem( ++ enveloped, certificate, private_key, [] ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + @pytest.mark.parametrize( + "header", +@@ -1219,15 +1225,16 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt( +- serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] +- ) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt( ++ serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] ++ ) + +- # Test decryption with text option +- decrypted = pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] +- ) +- assert decrypted == base_data.encode() ++ # Test decryption with text option ++ decrypted = pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ ) ++ assert decrypted == base_data.encode() + + @pytest.mark.parametrize("options", [[], [pkcs7.PKCS7Options.Text]]) + def test_pkcs7_decrypt_pem( +@@ -1239,14 +1246,15 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.PEM, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.PEM, options) + +- # Test decryption: new lines are canonicalized to '\r\n' when +- # encryption has no Binary option +- decrypted = pkcs7.pkcs7_decrypt_pem( +- enveloped, certificate, private_key, options +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption: new lines are canonicalized to '\r\n' when ++ # encryption has no Binary option ++ decrypted = pkcs7.pkcs7_decrypt_pem( ++ enveloped, certificate, private_key, options ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + def test_pkcs7_decrypt_pem_with_wrong_tag( + self, backend, data, certificate, private_key +@@ -1269,13 +1277,14 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.SMIME, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.SMIME, options) + +- # Test decryption +- decrypted = pkcs7.pkcs7_decrypt_smime( +- enveloped, certificate, private_key, options +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption ++ decrypted = pkcs7.pkcs7_decrypt_smime( ++ enveloped, certificate, private_key, options ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + def test_pkcs7_decrypt_no_encrypted_content( + self, backend, data, certificate, private_key +@@ -1299,13 +1308,14 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, []) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, []) + +- # Test decryption with text option +- with pytest.raises(ValueError): +- pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] +- ) ++ # Test decryption with text option ++ with pytest.raises(ValueError): ++ pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ ) + + def test_pkcs7_decrypt_text_html_content_type( + self, backend, certificate, private_key +@@ -1317,16 +1327,17 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt( +- serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] +- ) +- +- # Test decryption with text option +- with pytest.raises(ValueError): +- pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt( ++ serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] + ) + ++ # Test decryption with text option ++ with pytest.raises(ValueError): ++ pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ ) ++ + def test_smime_decrypt_no_recipient_match( + self, backend, data, certificate, rsa_key_2048: rsa.RSAPrivateKey + ): +@@ -1336,21 +1347,22 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, []) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, []) + +- # Prepare another RSA chain +- another_private_key = RSA_KEY_2048_ALT.private_key( +- unsafe_skip_rsa_key_validation=True +- ) +- _, another_cert = _generate_ca_and_leaf( +- rsa_key_2048, another_private_key +- ) +- +- # Test decryption with another RSA chain +- with pytest.raises(ValueError): +- pkcs7.pkcs7_decrypt_der( +- enveloped, another_cert, another_private_key, [] ++ # Prepare another RSA chain ++ another_private_key = RSA_KEY_2048_ALT.private_key( ++ unsafe_skip_rsa_key_validation=True + ) ++ _, another_cert = _generate_ca_and_leaf( ++ rsa_key_2048, another_private_key ++ ) ++ ++ # Test decryption with another RSA chain ++ with pytest.raises(ValueError): ++ pkcs7.pkcs7_decrypt_der( ++ enveloped, another_cert, another_private_key, [] ++ ) + + def test_smime_decrypt_unsupported_key_encryption_algorithm( + self, backend, data, certificate, private_key +@@ -1373,7 +1385,7 @@ class TestPKCS7Decrypt: + mode="rb", + ) + +- with pytest.raises(exceptions.UnsupportedAlgorithm): ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): + pkcs7.pkcs7_decrypt_pem(enveloped, certificate, private_key, []) + + def test_smime_decrypt_not_enveloped( +diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py +index 17c8c7c..7af9899 100644 +--- a/tests/hazmat/primitives/test_rsa.py ++++ b/tests/hazmat/primitives/test_rsa.py +@@ -1710,8 +1710,9 @@ class TestRSADecryption: + ).private_key(backend, unsafe_skip_rsa_key_validation=True) + ciphertext = binascii.unhexlify(example["encryption"]) + assert len(ciphertext) == (skey.key_size + 7) // 8 +- message = skey.decrypt(ciphertext, padding.PKCS1v15()) +- assert message == binascii.unhexlify(example["message"]) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ message = skey.decrypt(ciphertext, padding.PKCS1v15()) ++ assert message == binascii.unhexlify(example["message"]) + + def test_unsupported_padding( + self, rsa_key_2048: rsa.RSAPrivateKey, backend +@@ -2069,11 +2070,12 @@ class TestRSAEncryption: + _check_fips_key_length(backend, private_key) + pt = b"encrypt me!" + public_key = private_key.public_key() +- ct = public_key.encrypt(pt, pad) +- assert ct != pt +- assert len(ct) == (public_key.key_size + 7) // 8 +- recovered_pt = private_key.decrypt(ct, pad) +- assert recovered_pt == pt ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ ct = public_key.encrypt(pt, pad) ++ assert ct != pt ++ assert len(ct) == (public_key.key_size + 7) // 8 ++ recovered_pt = private_key.decrypt(ct, pad) ++ assert recovered_pt == pt + + @pytest.mark.parametrize( + ("key_data", "pad"), +-- +2.27.0 + diff --git a/python-cryptography.spec b/python-cryptography.spec index f9a1d541ab2e2960f680a67b8387f38fb475286a..0605d9a9ec7c8e6593870e96a5e66c55a6e4750d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,24 +1,23 @@ %global pypi_name cryptography Name: python-%{pypi_name} -Version: 42.0.2 +Version: 45.0.5 Release: 2 Summary: PyCA's cryptography library -License: ASL 2.0 or BSD -URL: https://cryptography.io/en/latest/ -Source0: %{pypi_source %{pypi_name}} +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 +URL: https://cryptography.io/en/latest/ +Source0: %{pypi_source %{pypi_name}} # For Rust offline compile # Decompress the source code of cryptography, then enter ./src/rust directory, # execute "cargo vendor" to obtain "vendor" directory (Internet connection required), -# finally, tar -czvf cargo-vendor-cache.tar.gz vendor +# finally, tar -czvf cargo-vendor-cache vendor # Note: Cargo needs to be consistent with the cargo version in the compile environment. -Source1: cargo-vendor-cache.tar.gz +Source1: cargo-vendor-cache -Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch -Patch6003: backport-CVE-2024-26130.patch +Patch9000: disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch BuildRequires: openssl-devel cargo BuildRequires: gcc -BuildRequires: rust-packaging +BuildRequires: rust-packaging rust BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-pytest >= 3.2.1 @@ -31,8 +30,12 @@ BuildRequires: python%{python3_pkgversion}-pytz BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 1.7.0 BuildRequires: python%{python3_pkgversion}-wheel +BuildRequires: python%{python3_pkgversion}-maturin BuildRequires: python3-pip BuildRequires: python3-pytest-subtests +BuildRequires: python3-pytest-benchmark +BuildRequires: python3-certifi +BuildRequires: python3-bcrypt %description cryptography is a package designed to expose cryptographic primitives and @@ -63,6 +66,9 @@ replace-with = "vendored-sources" [source.vendored-sources] directory = "src/rust/vendor" + +[profile.release] +debug = true # https://doc.rust-lang.org/rustc/codegen-options/index.html#debuginfo EOF @@ -73,7 +79,7 @@ EOF %pyproject_install %check -#PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest --ignore vendor +PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest --ignore vendor %files -n python%{python3_pkgversion}-%{pypi_name} %defattr(-,root,root) @@ -81,12 +87,33 @@ EOF %license LICENSE LICENSE.APACHE LICENSE.BSD %{python3_sitearch}/%{pypi_name} %{python3_sitearch}/%{pypi_name}-%{version}.dist-info +%exclude %{python3_sitearch}/rust/* %files help %defattr(-,root,root) %doc README.rst docs %changelog +* Thu Jul 24 2025 shixuantong - 45.0.5-2 +- disable RSA PKCS#1v1.5 padding to fix CVE-2023-50782 + +* Wed Jul 16 2025 Dongxing Wang - 45.0.5-1 +- Upgrade package to 45.0.5 + +* Thu Jan 16 2025 Ge Wang - 44.0.0-1 +- update to version 44.0.0 + +* Fri Jul 26 2024 shixuantong - 42.0.7-2 +- enable check + +* Fri Jul 19 2024 liweigang - 42.0.7-1 +- update to version 42.0.7 +- license compliance rectification + +* Thu Apr 18 2024 shixuantong - 42.0.2-3 +- set debug is true for build debug package +- add rust to BuildRequires + * Tue Feb 27 2024 shixuantong - 42.0.2-2 - fix CVE-2024-26130