Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-PyKMIP for openSUSE:Factory checked in at 2024-03-28 13:55:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-PyKMIP (Old) and /work/SRC/openSUSE:Factory/.python-PyKMIP.new.1905 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-PyKMIP" Thu Mar 28 13:55:00 2024 rev:11 rq:1163171 version:0.10.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-PyKMIP/python-PyKMIP.changes 2023-09-08 21:16:58.825557180 +0200 +++ /work/SRC/openSUSE:Factory/.python-PyKMIP.new.1905/python-PyKMIP.changes 2024-03-28 14:28:21.612424581 +0100 @@ -1,0 +2,10 @@ +Thu Mar 28 03:58:37 UTC 2024 - Steve Kowalik <steven.kowalik@suse.com> + +- Clean up Python 2 leftovers. +- Add patch crypto-42.patch: + * Use cryptography.hazmat.primitives.serialization to load private keys. +- Add patch no-ssl-wrap-socket.patch: + * Do not use removed in Python 3.12 function, ssl.wrap_socket. +- Switch to pyproject macros. + +------------------------------------------------------------------- New: ---- crypto-42.patch no-ssl-wrap-socket.patch BETA DEBUG BEGIN: New:- Clean up Python 2 leftovers. - Add patch crypto-42.patch: * Use cryptography.hazmat.primitives.serialization to load private keys. New: * Use cryptography.hazmat.primitives.serialization to load private keys. - Add patch no-ssl-wrap-socket.patch: * Do not use removed in Python 3.12 function, ssl.wrap_socket. BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-PyKMIP.spec ++++++ --- /var/tmp/diff_new_pack.uPc5y2/_old 2024-03-28 14:28:34.784905679 +0100 +++ /var/tmp/diff_new_pack.uPc5y2/_new 2024-03-28 14:28:34.812906702 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-PyKMIP # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,13 +16,11 @@ # -%bcond_without python2 Name: python-PyKMIP Version: 0.10.0 Release: 0 Summary: KMIP v11 library License: Apache-2.0 -Group: Development/Languages/Python URL: https://github.com/OpenKMIP/PyKMIP Source: https://files.pythonhosted.org/packages/source/P/PyKMIP/PyKMIP-%{version}.tar.gz # PATCH-FIX-UPSTREAM fix-tests-SQLAlchemy-140.patch gh#OpenKMIP/PyKMIP#656 mcepl@suse.com @@ -30,18 +28,24 @@ Patch0: fix-tests-SQLAlchemy-140.patch # https://github.com/OpenKMIP/PyKMIP/issues/668 Patch1: python-PyKMIP-no-mock.patch -# PATCH-FIX-OPENSUSE crypto-39.patch gh#OpenKMIP/PyKMIP#689 +# PATCH-FIX-UPSTREAM crypto-39.patch gh#OpenKMIP/PyKMIP#689 Patch2: crypto-39.patch # PATCH-FIX-UPSTREAM fix_test_mac_with_cryptographic_failure.patch gh#OpenKMIP/PyKMIP#702 Patch3: fix_test_mac_with_cryptographic_failure.patch +# PATCH-FIX-OPENSUSE Use cryptography.hazmat.primitives.serialization for loading private keys. +Patch4: crypto-42.patch +# PATCH-FIX-UPSTREAM Based on gh#OpenKMIP/PyKMIP#707, including some changes suggested +Patch5: no-ssl-wrap-socket.patch BuildRequires: %{python_module SQLAlchemy} BuildRequires: %{python_module cryptography} BuildRequires: %{python_module devel} +BuildRequires: %{python_module pip} BuildRequires: %{python_module pytest} BuildRequires: %{python_module requests} BuildRequires: %{python_module setuptools} BuildRequires: %{python_module six} BuildRequires: %{python_module testtools} +BuildRequires: %{python_module wheel} BuildRequires: fdupes BuildRequires: python-rpm-macros Requires: python-SQLAlchemy @@ -49,14 +53,8 @@ Requires: python-requests Requires: python-six Requires(post): update-alternatives -Requires(postun):update-alternatives +Requires(postun): update-alternatives BuildArch: noarch -%if %{with python2} -BuildRequires: python-enum34 -%endif -%ifpython2 -Requires: python-enum34 -%endif %python_subpackages %description @@ -69,12 +67,14 @@ %prep %autosetup -p1 -n PyKMIP-%{version} +# Not needed, we use Python 3.4+ only +sed -i '/"enum-compat",/d' setup.py %build -%python_build +%pyproject_wheel %install -%python_install +%pyproject_install %python_clone -a %{buildroot}%{_bindir}/pykmip-server %python_expand %fdupes %{buildroot}%{$python_sitelib} @@ -91,6 +91,6 @@ %license LICENSE.txt %doc README.rst %{python_sitelib}/kmip -%{python_sitelib}/PyKMIP-%{version}*-info +%{python_sitelib}/PyKMIP-%{version}.dist-info %python_alternative %{_bindir}/pykmip-server ++++++ crypto-42.patch ++++++ Index: PyKMIP-0.10.0/kmip/services/server/crypto/engine.py =================================================================== --- PyKMIP-0.10.0.orig/kmip/services/server/crypto/engine.py +++ PyKMIP-0.10.0/kmip/services/server/crypto/engine.py @@ -588,10 +588,10 @@ class CryptographyEngine(api.Cryptograph backend = default_backend() try: - public_key = backend.load_der_public_key(encryption_key) + public_key = serialization.load_der_public_key(encryption_key) except Exception: try: - public_key = backend.load_pem_public_key(encryption_key) + public_key = serialization.load_pem_public_key(encryption_key) except Exception: raise exceptions.CryptographicFailure( "The public key bytes could not be loaded." @@ -935,14 +935,14 @@ class CryptographyEngine(api.Cryptograph params["unsafe_skip_rsa_key_validation"] = False try: - private_key = backend.load_der_private_key( + private_key = serialization.load_der_private_key( decryption_key, None, **params, ) except Exception: try: - private_key = backend.load_pem_private_key( + private_key = serialization.load_pem_private_key( decryption_key, None, **params, @@ -1500,10 +1500,10 @@ class CryptographyEngine(api.Cryptograph ) try: - public_key = backend.load_der_public_key(signing_key) + public_key = serialization.load_der_public_key(signing_key) except Exception: try: - public_key = backend.load_pem_public_key(signing_key) + public_key = serialization.load_pem_public_key(signing_key) except Exception: raise exceptions.CryptographicFailure( "The signing key bytes could not be loaded." ++++++ no-ssl-wrap-socket.patch ++++++ From 433ab3ef43241155ee64196574daae2f41feac4e Mon Sep 17 00:00:00 2001 From: Steven Silvester <steven.silvester@ieee.org> Date: Wed, 4 Oct 2023 09:59:43 -0500 Subject: [PATCH 01/11] Add python 3.12 support --- .github/workflows/tox.yml | 3 ++- kmip/services/kmip_client.py | 19 +++++++------- kmip/services/server/server.py | 25 ++++++++++--------- .../tests/unit/services/server/test_server.py | 4 +-- 4 files changed, 27 insertions(+), 24 deletions(-) Index: PyKMIP-0.10.0/kmip/services/kmip_client.py =================================================================== --- PyKMIP-0.10.0.orig/kmip/services/kmip_client.py +++ PyKMIP-0.10.0/kmip/services/kmip_client.py @@ -285,13 +285,15 @@ class KMIPProxy(object): six.reraise(*last_error) def _create_socket(self, sock): - self.socket = ssl.wrap_socket( + context = ssl.SSLContext(protocol=self.ssl_version) + context.load_verify_locations(capath=self.ca_certs) + context.check_hostname = False + context.verify_mode = self.cert_reqs + if self.certfile: + context.load_cert_chain(self.certfile, self.keyfile) + self.socket = context.wrap_socket( sock, - keyfile=self.keyfile, - certfile=self.certfile, - cert_reqs=self.cert_reqs, - ssl_version=self.ssl_version, - ca_certs=self.ca_certs, + server_side=False, do_handshake_on_connect=self.do_handshake_on_connect, suppress_ragged_eofs=self.suppress_ragged_eofs) self.socket.settimeout(self.timeout) Index: PyKMIP-0.10.0/kmip/services/server/server.py =================================================================== --- PyKMIP-0.10.0.orig/kmip/services/server/server.py +++ PyKMIP-0.10.0/kmip/services/server/server.py @@ -287,17 +287,22 @@ class KmipServer(object): for cipher in auth_suite_ciphers: self._logger.debug(cipher) - self._socket = ssl.wrap_socket( + capath = self.config.settings.get('ca_path') + context = ssl.SSLContext(protocol=self.auth_suite.protocol) + if capath is not None: + context.load_verify_locations(capath=capath) + context.verify_mode = ssl.CERT_REQUIRED + context.set_ciphers(self.auth_suite.ciphers) + certfile = self.config.settings.get('certificate_path') + if certfile: + keyfile = self.config.settings.get('key_path') + context.load_cert_chain(certfile, keyfile=keyfile) + + self._socket = context.wrap_socket( self._socket, - keyfile=self.config.settings.get('key_path'), - certfile=self.config.settings.get('certificate_path'), server_side=True, - cert_reqs=ssl.CERT_REQUIRED, - ssl_version=self.auth_suite.protocol, - ca_certs=self.config.settings.get('ca_path'), do_handshake_on_connect=False, - suppress_ragged_eofs=True, - ciphers=self.auth_suite.ciphers + suppress_ragged_eofs=True ) try: Index: PyKMIP-0.10.0/kmip/tests/unit/services/server/test_server.py =================================================================== --- PyKMIP-0.10.0.orig/kmip/tests/unit/services/server/test_server.py +++ PyKMIP-0.10.0/kmip/tests/unit/services/server/test_server.py @@ -210,9 +210,9 @@ class TestKmipServer(testtools.TestCase) # Test that in ideal cases no errors are generated and the right # log messages are. with mock.patch('socket.socket') as socket_mock: - with mock.patch('ssl.wrap_socket') as ssl_mock: + with mock.patch('ssl.SSLContext') as ssl_mock: socket_mock.return_value = a_mock - ssl_mock.return_value = b_mock + ssl_mock.return_value.wrap_socket.return_value = b_mock manager_mock.assert_not_called() monitor_mock.assert_not_called() @@ -271,9 +271,9 @@ class TestKmipServer(testtools.TestCase) # Test that a NetworkingError is generated if the socket bind fails. with mock.patch('socket.socket') as socket_mock: - with mock.patch('ssl.wrap_socket') as ssl_mock: + with mock.patch('ssl.SSLContext') as ssl_mock: socket_mock.return_value = a_mock - ssl_mock.return_value = b_mock + ssl_mock.return_value.wrap_socket.return_value = b_mock test_exception = Exception() b_mock.bind.side_effect = test_exception