packages/python-cryptography
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

upgrade version to 42.0.2

Browse Source
This commit is contained in:
shixuantong 2024-02-01 10:44:07 +08:00
parent 1bd830829e
commit 6dfdfdcf53
8 changed files with 32 additions and 435 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

284
backport-CVE-2023-38325.patch
View File

@ -1,284 +0,0 @@
From e190ef190525999d1f599cf8c3aef5cb7f3a8bc4 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Mon, 10 Jul 2023 19:46:49 -0500
Subject: [PATCH] Backport ssh cert fix (#9211)
* Fix encoding of SSH certs with critical options (#9208)
* Add tests for issue #9207
* Fix encoding of SSH certs with critical options
* Test unexpected additional values for crit opts/exts
* temporarily allow invalid ssh cert encoding
---
docs/development/test-vectors.rst | 4 +
.../hazmat/primitives/serialization/ssh.py | 28 ++++-
tests/hazmat/primitives/test_ssh.py | 111 +++++++++++++-----
...p256-ed25519-non-singular-crit-opt-val.pub | 1 +
.../p256-ed25519-non-singular-ext-val.pub | 1 +
5 files changed, 111 insertions(+), 34 deletions(-)
create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub
create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 72fdf7f..b379a54 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -842,6 +842,10 @@ Custom OpenSSH Certificate Test Vectors
critical option.
* ``p256-p256-non-lexical-crit-opts.pub`` - A certificate with critical
options in non-lexical order.
+* ``p256-ed25519-non-singular-crit-opt-val.pub`` - A certificate with
+ a critical option that contains more than one value.
+* ``p256-ed25519-non-singular-ext-val.pub`` - A certificate with
+ an extension that contains more than one value.
* ``dsa-p256.pub`` - A certificate with a DSA public key signed by a P256
CA.
* ``p256-dsa.pub`` - A certificate with a P256 public key signed by a DSA
diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py
index fa278d9..225e6fb 100644
--- a/src/cryptography/hazmat/primitives/serialization/ssh.py
+++ b/src/cryptography/hazmat/primitives/serialization/ssh.py
@@ -1000,6 +1000,20 @@ def _parse_exts_opts(exts_opts: memoryview) -> typing.Dict[bytes, bytes]:
if last_name is not None and bname < last_name:
raise ValueError("Fields not lexically sorted")
value, exts_opts = _get_sshstr(exts_opts)
+ if len(value) > 0:
+ try:
+ value, extra = _get_sshstr(value)
+ except ValueError:
+ warnings.warn(
+ "This certificate has an incorrect encoding for critical "
+ "options or extensions. This will be an exception in "
+ "cryptography 42",
+ utils.DeprecatedIn41,
+ stacklevel=4,
+ )
+ else:
+ if len(extra) > 0:
+ raise ValueError("Unexpected extra data after value")
result[bname] = bytes(value)
last_name = bname
return result
@@ -1387,12 +1401,22 @@ class SSHCertificateBuilder:
fcrit = _FragList()
for name, value in self._critical_options:
fcrit.put_sshstr(name)
- fcrit.put_sshstr(value)
+ if len(value) > 0:
+ foptval = _FragList()
+ foptval.put_sshstr(value)
+ fcrit.put_sshstr(foptval.tobytes())
+ else:
+ fcrit.put_sshstr(value)
f.put_sshstr(fcrit.tobytes())
fext = _FragList()
for name, value in self._extensions:
fext.put_sshstr(name)
- fext.put_sshstr(value)
+ if len(value) > 0:
+ fextval = _FragList()
+ fextval.put_sshstr(value)
+ fext.put_sshstr(fextval.tobytes())
+ else:
+ fext.put_sshstr(value)
f.put_sshstr(fext.tobytes())
f.put_sshstr(b"") # RESERVED FIELD
# encode CA public key
diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py
index c9f995b..9b2f0ea 100644
--- a/tests/hazmat/primitives/test_ssh.py
+++ b/tests/hazmat/primitives/test_ssh.py
@@ -1072,26 +1072,28 @@ class TestSSHCertificate:
# secp256r1 public key, ed25519 signing key
cert = load_ssh_public_identity(
b"ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbm"
- b"lzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgtdU+dl9vD4xPi8afxERYo"
- b"s0c0d9/3m7XGY6fGeSkqn0AAAAIbmlzdHAyNTYAAABBBAsuVFNNj/mMyFm2xB99"
- b"G4xiaUJE1lZNjcp+S2tXYW5KorcHpusSlSqOkUPZ2l0644dgiNPDKR/R+BtYENC"
- b"8aq8AAAAAAAAAAAAAAAEAAAAUdGVzdEBjcnlwdG9ncmFwaHkuaW8AAAAaAAAACm"
- b"NyeXB0b3VzZXIAAAAIdGVzdHVzZXIAAAAAY7KyZAAAAAB2frXAAAAAAAAAAIIAA"
- b"AAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9y"
- b"d2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGV"
- b"ybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3"
- b"NoLWVkMjU1MTkAAAAg3P0eyGf2crKGwSlnChbLzTVOFKwQELE1Ve+EZ6rXF18AA"
- b"ABTAAAAC3NzaC1lZDI1NTE5AAAAQKoij8BsPj/XLb45+wHmRWKNqXeZYXyDIj8J"
- b"IE6dIymjEqq0TP6ntu5t59hTmWlDO85GnMXAVGBjFbeikBMfAQc= reaperhulk"
- b"@despoina.local"
+ b"lzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLfsFv9Gbc6LZSiJFWdYQl"
+ b"IMNI50GExXW0fBpgGVf+Y4AAAAIbmlzdHAyNTYAAABBBIzVyRgVLR4F38bIOLBN"
+ b"8CNm8Nf+eBHCVkKDKb9WDyLLD61CEmzjK/ORwFuSE4N60eIGbFidBf0D0xh7G6o"
+ b"TNxsAAAAAAAAAAAAAAAEAAAAUdGVzdEBjcnlwdG9ncmFwaHkuaW8AAAAaAAAACm"
+ b"NyeXB0b3VzZXIAAAAIdGVzdHVzZXIAAAAAY7KyZAAAAAB2frXAAAAAWAAAAA1mb"
+ b"3JjZS1jb21tYW5kAAAALAAAAChlY2hvIGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh"
+ b"YWFhYWFhYWFhYWFhAAAAD3ZlcmlmeS1yZXF1aXJlZAAAAAAAAACCAAAAFXBlcm1"
+ b"pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbm"
+ b"cAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wd"
+ b"HkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1"
+ b"NTE5AAAAICH6csEOmGbOfT2B/S/FJg3uyPsaPSZUZk2SVYlfs0KLAAAAUwAAAAt"
+ b"zc2gtZWQyNTUxOQAAAEDz2u7X5/TFbN7Ms7DP4yArhz1oWWYKkdAk7FGFkHfjtY"
+ b"/YfNQ8Oky3dCZRi7PnSzScEEjos7723dhF8/y99WwH reaperhulk@despoina."
+ b"local"
)
assert isinstance(cert, SSHCertificate)
cert.verify_cert_signature()
signature_key = cert.signature_key()
assert isinstance(signature_key, ed25519.Ed25519PublicKey)
assert cert.nonce == (
- b"\xb5\xd5>v_o\x0f\x8cO\x8b\xc6\x9f\xc4DX\xa2\xcd\x1c\xd1\xdf"
- b"\x7f\xden\xd7\x19\x8e\x9f\x19\xe4\xa4\xaa}"
+ b'-\xfb\x05\xbf\xd1\x9bs\xa2\xd9J"EY\xd6\x10\x94\x83\r#\x9d'
+ b"\x06\x13\x15\xd6\xd1\xf0i\x80e_\xf9\x8e"
)
public_key = cert.public_key()
assert isinstance(public_key, ec.EllipticCurvePublicKey)
@@ -1102,7 +1104,10 @@ class TestSSHCertificate:
assert cert.valid_principals == [b"cryptouser", b"testuser"]
assert cert.valid_before == 1988015552
assert cert.valid_after == 1672655460
- assert cert.critical_options == {}
+ assert cert.critical_options == {
+ b"force-command": b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+ b"verify-required": b"",
+ }
assert cert.extensions == {
b"permit-X11-forwarding": b"",
b"permit-agent-forwarding": b"",
@@ -1111,6 +1116,31 @@ class TestSSHCertificate:
b"permit-user-rc": b"",
}
+ def test_loads_deprecated_invalid_encoding_cert(self, backend):
+ with pytest.warns(utils.DeprecatedIn41):
+ cert = load_ssh_public_identity(
+ b"ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYT"
+ b"ItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgXE7sJ+xDVVNCO"
+ b"cEvpZS+SXIbc0nJdny/KqVbnwHslMIAAAAIbmlzdHAyNTYAAABBBI/qcLq8"
+ b"iiErpAhOWRqdMkpFSCNv7TVUcXCIfAl01JXbe2MvS4V7lFtiyrBjLSV7Iyw"
+ b"3TrulrWLibjPzZvLwmQcAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAA//"
+ b"////////8AAABUAAAADWZvcmNlLWNvbW1hbmQAAAAoZWNobyBhYWFhYWFhY"
+ b"WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYQAAAA92ZXJpZnktcmVxdWly"
+ b"ZWQAAAAAAAAAEgAAAApwZXJtaXQtcHR5AAAAAAAAAAAAAABoAAAAE2VjZHN"
+ b"hLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI/qcLq8iiErpAhOWR"
+ b"qdMkpFSCNv7TVUcXCIfAl01JXbe2MvS4V7lFtiyrBjLSV7Iyw3TrulrWLib"
+ b"jPzZvLwmQcAAABlAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABKAAAAIQCi"
+ b"eCsIhGKrZdkE1+zY5EBucrLzxFpwnm/onIT/6rapvQAAACEAuVQ1yQjlPKr"
+ b"kfsGfjeG+2umZrOS5Ycx85BQhYf0RgsA="
+ )
+ assert isinstance(cert, SSHCertificate)
+ cert.verify_cert_signature()
+ assert cert.extensions == {b"permit-pty": b""}
+ assert cert.critical_options == {
+ b"force-command": b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+ b"verify-required": b"",
+ }
+
@pytest.mark.parametrize(
"filename",
[
@@ -1224,6 +1254,8 @@ class TestSSHCertificate:
"p256-p256-non-lexical-extensions.pub",
"p256-p256-duplicate-crit-opts.pub",
"p256-p256-non-lexical-crit-opts.pub",
+ "p256-ed25519-non-singular-crit-opt-val.pub",
+ "p256-ed25519-non-singular-ext-val.pub",
],
)
def test_invalid_encodings(self, filename):
@@ -1650,6 +1682,11 @@ class TestSSHCertificateBuilder:
.valid_after(1672531200)
.valid_before(1672617600)
.type(SSHCertificateType.USER)
+ .add_extension(b"permit-pty", b"")
+ .add_critical_option(
+ b"force-command", b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ )
+ .add_critical_option(b"verify-required", b"")
)
cert = builder.sign(private_key)
sig_key = cert.signature_key()
@@ -1664,19 +1701,21 @@ class TestSSHCertificateBuilder:
b"4kyHpbLEIVloBjzetoqXK6u8Hjz/APuagONypNDCySDR6M7jM85HDcLoFFrbBb8"
b"pruHSTxQejMeEmJxYf8b7rNl58/IWPB1ymbNlvHL/4oSOlnrtHkjcxRWzpQ7U3g"
b"T9BThGyhCiI7EMyEHMgP3r7kTzEUwT6IavWDAAAAAAAAAAAAAAABAAAAAAAAAAA"
- b"AAAAAY7DNAAAAAABjsh6AAAAAAAAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAw"
- b"EAAQAAAQEAwXr8fndHTKpaqDA2FYo/+/e1IWhRuiIw5dar/MHGz+9Z6SPqEzC8W"
- b"TtzgCq2CKbkozBlI6MRa6WqOWYUUXThO2xJ6beAYuRJ1y77EP1J6R+gi5bQUeeC"
- b"6fWrxbWm95hIJ6245z2gDyKy79zbduq0btrZjtZWYnQ/3GwOM2pdDNuqfcKeU2N"
- b"eJMh6WyxCFZaAY83raKlyurvB48/wD7moDjcqTQwskg0ejO4zPORw3C6BRa2wW/"
- b"Ka7h0k8UHozHhJicWH/G+6zZefPyFjwdcpmzZbxy/+KEjpZ67R5I3MUVs6UO1N4"
- b"E/QU4RsoQoiOxDMhBzID96+5E8xFME+iGr1gwAAARQAAAAMcnNhLXNoYTItNTEy"
- b"AAABAKCRnfhn6MZs3jRgIDICUpUyWrDCbpStEbdzhmoxF8w2m8klR7owRH/rxOf"
- b"nWhKMGnXnoERS+az3Zh9ckiQPujkuEToORKpzu6CEWlzHSzyK1o2X548KkW76HJ"
- b"gqzwMas94HY7UOJUgKSFUI0S3jAgqXAKSa1DxvJBu5/n57aUqPq+BmAtoI8uNBo"
- b"x4F1pNEop38+oD7rUt8bZ8K0VcrubJZz806K8UNiK0mOahaEIkvZXBfzPGvSNRj"
- b"0OjDl1dLUZaP8C1o5lVRomEm7pLcgE9i+ZDq5iz+mvQrSBStlpQ5hPGuUOrZ/oY"
- b"ZLZ1G30R5tWj212MHoNZjxFxM8+f2OT4="
+ b"AAAAAY7DNAAAAAABjsh6AAAAAWAAAAA1mb3JjZS1jb21tYW5kAAAALAAAAChlY2"
+ b"hvIGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhAAAAD3Zlcmlme"
+ b"S1yZXF1aXJlZAAAAAAAAAASAAAACnBlcm1pdC1wdHkAAAAAAAAAAAAAARcAAAAH"
+ b"c3NoLXJzYQAAAAMBAAEAAAEBAMF6/H53R0yqWqgwNhWKP/v3tSFoUboiMOXWq/z"
+ b"Bxs/vWekj6hMwvFk7c4Aqtgim5KMwZSOjEWulqjlmFFF04TtsSem3gGLkSdcu+x"
+ b"D9SekfoIuW0FHngun1q8W1pveYSCetuOc9oA8isu/c23bqtG7a2Y7WVmJ0P9xsD"
+ b"jNqXQzbqn3CnlNjXiTIelssQhWWgGPN62ipcrq7wePP8A+5qA43Kk0MLJINHozu"
+ b"MzzkcNwugUWtsFvymu4dJPFB6Mx4SYnFh/xvus2Xnz8hY8HXKZs2W8cv/ihI6We"
+ b"u0eSNzFFbOlDtTeBP0FOEbKEKIjsQzIQcyA/evuRPMRTBPohq9YMAAAEUAAAADH"
+ b"JzYS1zaGEyLTUxMgAAAQCYbbNzhflDqZAxyBpdLIX0nLAdnTeFNBudMqgo3KGND"
+ b"WlU9N17hqBEmcvIOrtNi+JKuKZW89zZrbORHvdjv6NjGSKzJD/XA25YrX1KgMEO"
+ b"wt5pzMZX+100drwrjQo+vZqeIN3FJNmT3wssge73v+JsxQrdIAz7YM2OZrFr5HM"
+ b"qZEZ5tMvAf/s5YEMDttEU4zMtmjubQyDM5KyYnZdoDT4sKi2rB8gfaigc4IdI/K"
+ b"8oXL/3Y7rHuOtejl3lUK4v6DxeRl4aqGYWmhUJc++Rh0cbDgC2S6Cq7gAfG2tND"
+ b"zbwL217Q93R08bJn1hDWuiTiaHGauSy2gPUI+cnkvlEocHM"
)
@pytest.mark.supported(
@@ -1702,6 +1741,11 @@ class TestSSHCertificateBuilder:
.valid_after(1672531200)
.valid_before(1672617600)
.type(SSHCertificateType.USER)
+ .add_extension(b"permit-pty", b"")
+ .add_critical_option(
+ b"force-command", b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+ )
+ .add_critical_option(b"verify-required", b"")
)
cert = builder.sign(private_key)
sig_key = cert.signature_key()
@@ -1711,8 +1755,11 @@ class TestSSHCertificateBuilder:
b"ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdj"
b"AxQG9wZW5zc2guY29tAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
b"AAAAAAAINdamAGCsQq31Uv+08lkBzoO4XLz2qYjJa8CGmj3B1EaAAAAAAAAAAAA"
- b"AAABAAAAAAAAAAAAAAAAY7DNAAAAAABjsh6AAAAAAAAAAAAAAAAAAAAAMwAAAAt"
- b"zc2gtZWQyNTUxOQAAACDXWpgBgrEKt9VL/tPJZAc6DuFy89qmIyWvAhpo9wdRGg"
- b"AAAFMAAAALc3NoLWVkMjU1MTkAAABAAlF6Lxabxs+8fkOr7KjKYei9konIG13cQ"
- b"gJ2tWf3yFcg3OuV5s/AkRmKdwHlQfTUrhRdOmDnGxeLEB0mvkVFCw=="
+ b"AAABAAAAAAAAAAAAAAAAY7DNAAAAAABjsh6AAAAAWAAAAA1mb3JjZS1jb21tYW5"
+ b"kAAAALAAAAChlY2hvIGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYW"
+ b"FhAAAAD3ZlcmlmeS1yZXF1aXJlZAAAAAAAAAASAAAACnBlcm1pdC1wdHkAAAAAA"
+ b"AAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAg11qYAYKxCrfVS/7TyWQHOg7hcvPa"
+ b"piMlrwIaaPcHURoAAABTAAAAC3NzaC1lZDI1NTE5AAAAQL2aUjeD60C2FrbgHcN"
+ b"t8yRa8IRbxvOyA9TZYDGG1dRE3DiR0fuudU20v6vqfTd1gx0S5QyEdECXLl9ZI3"
+ b"AwZgc="
)
diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub
new file mode 100644
index 0000000..5510bd5
--- /dev/null
+++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIbmlzdHAyNTYAAABBBCZWRs4GYIHGJpyXuqvfFGWN49dnJRkZJLDkFrHf6mNHhIMI3vtrLfCZwxPSfnCYWK6YofssZ1FYA6TkVJq8Xi8AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAABjsM0AAAAAAGOyHoAAAABtAAAADWZvcmNlLWNvbW1hbmQAAABBAAAAKGVjaG8gYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWEAAAARaW52YWxpZF9taXNjX2RhdGEAAAAPdmVyaWZ5LXJlcXVpcmVkAAAAAAAAABIAAAAKcGVybWl0LXB0eQAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACDdZgztgAFFC7T5PifrUy/kMu0Pnwq1au3vStKHe7FFMAAAAFMAAAALc3NoLWVkMjU1MTkAAABAt/0pBSDBFy1crBPHOBoKFoxRjKd1tKVdOrD3QVgbBfpaHfxi4vrgYe6JfQ54+vu5P+8yrMyACekT8H6hhvxHDw==
\ No newline at end of file
diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub
new file mode 100644
index 0000000..c44b49f
--- /dev/null
+++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIbmlzdHAyNTYAAABBBCZWRs4GYIHGJpyXuqvfFGWN49dnJRkZJLDkFrHf6mNHhIMI3vtrLfCZwxPSfnCYWK6YofssZ1FYA6TkVJq8Xi8AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAABjsM0AAAAAAGOyHoAAAAAXAAAAD3ZlcmlmeS1yZXF1aXJlZAAAAAAAAAAvAAAAFGNvbnRhaW5zLWV4dHJhLXZhbHVlAAAAEwAAAAVoZWxsbwAAAAYgd29ybGQAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACDdZgztgAFFC7T5PifrUy/kMu0Pnwq1au3vStKHe7FFMAAAAFMAAAALc3NoLWVkMjU1MTkAAABAY80oIEvooz/k3x9a+yVkjSNRfi4y/q87wVYiT7keTpP4n9JV/Vlc0u7O2QYOHfb4DUkcrvbsksKVsiqoQu5qDg==
\ No newline at end of file
--
2.27.0

49
backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch
View File

@ -1,49 +0,0 @@
From 6d71ead8d1910857e8cd778bc34c46c06e870a69 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Wed, 29 Nov 2023 11:37:52 +0800
Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
(#9926)
---
src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
tests/hazmat/primitives/test_pkcs7.py | 6 ++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index a3fe1bc..58e7207 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -2383,9 +2383,12 @@ class Backend:
_Reasons.UNSUPPORTED_SERIALIZATION,
)
+ certs: list[x509.Certificate] = []
+ if p7.d.sign == self._ffi.NULL:
+ return certs
+
sk_x509 = p7.d.sign.cert
num = self._lib.sk_X509_num(sk_x509)
- certs = []
for i in range(num):
x509 = self._lib.sk_X509_value(sk_x509, i)
self.openssl_assert(x509 != self._ffi.NULL)
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
index 4e61c5e..d8170bf 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
@@ -89,6 +89,12 @@ class TestPKCS7Loading:
mode="rb",
)
+ def test_load_pkcs7_empty_certificates(self, backend):
+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+
+ certificates = pkcs7.load_der_pkcs7_certificates(der)
+ assert certificates == []
+
# We have no public verification API and won't be adding one until we get
# some requirements from users so this function exists to give us basic
--
2.33.0

28
backport-provide-openssl-apis-related-to-SM-for-python.patch
View File

@ -9,37 +9,37 @@ Signed-off-by: hanxinke <hanxinke@huawei.com>
1 file changed, 7 insertions(+)
diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py
index b8a3899..0797d59 100644
index 54f5388..c304684 100644
--- a/src/_cffi_src/openssl/evp.py
+++ b/src/_cffi_src/openssl/evp.py
@@ -35,6 +35,7 @@ static const int Cryptography_HAS_SCRYPT;
@@ -32,6 +32,7 @@ static const int EVP_CTRL_AEAD_SET_TAG;
static const int Cryptography_HAS_SCRYPT;
static const int Cryptography_HAS_EVP_PKEY_DHX;
static const long Cryptography_HAS_RAW_KEY;
static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF;
+static const int EVP_PKEY_SM2;
static const long Cryptography_HAS_300_FIPS;
static const long Cryptography_HAS_300_EVP_CIPHER;
static const long Cryptography_HAS_EVP_PKEY_DH;
@@ -93,6 +94,9 @@ int EVP_DigestSignFinal(EVP_MD_CTX *, unsigned char *, size_t *);
int EVP_DigestVerifyInit(EVP_MD_CTX *, EVP_PKEY_CTX **, const EVP_MD *,
ENGINE *, EVP_PKEY *);
"""
@@ -69,6 +70,9 @@ int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t);
int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int,
EVP_PKEY *);
+int EVP_DigestVerifyUpdate(EVP_MD_CTX *, const void *, size_t);
+int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
+ size_t siglen);
int EVP_PKEY_set1_RSA(EVP_PKEY *, RSA *);
int EVP_PKEY_set1_DSA(EVP_PKEY *, DSA *);
@@ -84,6 +88,9 @@ int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *);
EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *, ENGINE *);
@@ -158,6 +162,9 @@ EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *,
int EVP_PKEY_get_raw_private_key(const EVP_PKEY *, unsigned char *, size_t *);
int EVP_PKEY_get_raw_public_key(const EVP_PKEY *, unsigned char *, size_t *);
int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *);
+void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx);
+const EVP_MD *EVP_sm3(void);
+
int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *);
int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int);
"""
--
2.33.0
2.27.0

70
backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch
View File

@ -1,70 +0,0 @@
From 6e9dc67ed5d8151d5b7604ad1a97b57cd367e028 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 5 Nov 2023 19:36:55 +0800
Subject: [PATCH] raise an exception instead of returning an empty list for
pkcs7 cert loading (#9947)
* raise an exception instead of returning an empty list
as davidben points out in #9926 we are calling a specific load
certificates function and an empty value doesn't necessarily mean empty
because PKCS7 contains multitudes. erroring is more correct.
* changelog
* Update CHANGELOG.rst
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---------
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---
src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
tests/hazmat/primitives/test_pkcs7.py | 6 +++---
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 58e7207..d42220f 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -2383,12 +2383,15 @@ class Backend:
_Reasons.UNSUPPORTED_SERIALIZATION,
)
- certs: list[x509.Certificate] = []
if p7.d.sign == self._ffi.NULL:
- return certs
+ raise ValueError(
+ "The provided PKCS7 has no certificate data, but a cert "
+ "loading method was called."
+ )
sk_x509 = p7.d.sign.cert
num = self._lib.sk_X509_num(sk_x509)
+ certs: list[x509.Certificate] = []
for i in range(num):
x509 = self._lib.sk_X509_value(sk_x509, i)
self.openssl_assert(x509 != self._ffi.NULL)
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
index d8170bf..44c1d8d 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
@@ -89,11 +89,11 @@ class TestPKCS7Loading:
mode="rb",
)
- def test_load_pkcs7_empty_certificates(self, backend):
+ def test_load_pkcs7_empty_certificates(self):
der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
- certificates = pkcs7.load_der_pkcs7_certificates(der)
- assert certificates == []
+ with pytest.raises(ValueError):
+ pkcs7.load_der_pkcs7_certificates(der)
# We have no public verification API and won't be adding one until we get
--
2.33.0

BIN
cargo-vendor-cache.tar.gz
View File

Binary file not shown.

BIN
cryptography-40.0.2.tar.gz
View File

Binary file not shown.

BIN
cryptography-42.0.2.tar.gz Normal file
View File

Binary file not shown.

36
python-cryptography.spec
View File

@ -1,18 +1,19 @@
%global pypi_name cryptography
Name: python-%{pypi_name}
Version: 40.0.2
Release: 5
Version: 42.0.2
Release: 1
Summary: PyCA's cryptography library
License: ASL 2.0 or BSD
URL: https://cryptography.io/en/latest/
Source0: %{pypi_source %{pypi_name}}
# For Rust offline compile
# Decompress the source code of cryptography, then enter ./src/rust directory,
# execute "cargo vendor" to obtain "vendor" directory (Internet connection required),
# finally, tar -czvf cargo-vendor-cache.tar.gz vendor
# Note: Cargo needs to be consistent with the cargo version in the compile environment.
Source1: cargo-vendor-cache.tar.gz
Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch
Patch6003: backport-CVE-2023-38325.patch
# CVE-2023-49083
Patch6004: backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch
Patch6005: backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch
BuildRequires: openssl-devel cargo
BuildRequires: gcc
@ -24,15 +25,14 @@ BuildRequires: python%{python3_pkgversion}-setuptools
BuildRequires: python%{python3_pkgversion}-pretend
BuildRequires: python%{python3_pkgversion}-iso8601
BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version}
BuildRequires: python%{python3_pkgversion}-asn1crypto >= 0.21
BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4
BuildRequires: python%{python3_pkgversion}-pytz
BuildRequires: python%{python3_pkgversion}-idna >= 2.1
BuildRequires: python%{python3_pkgversion}-six >= 1.4.1
BuildRequires: python%{python3_pkgversion}-cffi >= 1.7
BuildRequires: python%{python3_pkgversion}-setuptools-rust
BuildRequires: python%{python3_pkgversion}-cffi >= 1.12
BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 1.7.0
BuildRequires: python%{python3_pkgversion}-wheel
BuildRequires: python3-pip
BuildRequires: python3-pytest-subtests
%description
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
@ -42,10 +42,7 @@ recipes to Python developers.
Summary: PyCA's cryptography library
Requires: openssl-libs
Requires: python%{python3_pkgversion}-idna >= 2.1
Requires: python%{python3_pkgversion}-asn1crypto >= 0.21
Requires: python%{python3_pkgversion}-six >= 1.4.1
Requires: python%{python3_pkgversion}-cffi >= 1.7
Requires: python%{python3_pkgversion}-cffi >= 1.12
%{?python_provide:%python_provide python%{python3_pkgversion}-%{pypi_name}}
@ -69,10 +66,10 @@ EOF
%build
%py3_build
%pyproject_build
%install
%py3_install
%pyproject_install
%check
#PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest --ignore vendor
@ -82,13 +79,16 @@ EOF
#%doc AUTHORS.rst
%license LICENSE LICENSE.APACHE LICENSE.BSD
%{python3_sitearch}/%{pypi_name}
%{python3_sitearch}/%{pypi_name}-%{version}-py*.egg-info
%{python3_sitearch}/%{pypi_name}-%{version}.dist-info
%files help
%defattr(-,root,root)
%doc README.rst docs
%changelog
* Thu Feb 01 2024 shixuantong <shixuantong1@huawei.com> - 42.0.2-1
- upgrade version to 42.0.2
* Sat Dec 23 2023 shixuanttong <shixuantong1@huawei.com> - 40.0.2-5
- update author info for Patch6002