mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-09 18:45:54 +02:00
f689a70b7ebb963f9a1fe645a43623940fbeee37
6 Commits

87d0d07bbc
core176: Re-ship lots of stuff that is still linked against OpenSSL 1.1.1

There are no functional changes in these files, but they are however linked against OpenSSL 1.1.1 and need to be re-shipped before we remove the legacy library.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

97119282dd
python3-cryptography: Update to version 38.0.1 and to work with python-3.10.8

- Updated from version 36.0.2 to 38.0.1
- Update of rootfile
- Changelog
38.0.1 - 2022-09-07
Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically seen in large CRLs).
38.0.0 - 2022-09-06
Final deprecation of OpenSSL 1.1.0. The next release of cryptography will drop support.
We no longer ship manylinux2010 wheels. Users should upgrade to the latest pip to ensure this doesn't cause issues downloading wheels on their platform. We now ship manylinux_2_28 wheels for users on new enough platforms.
Updated the minimum supported Rust version (MSRV) to 1.48.0, from 1.41.0. Users with the latest pip will typically get a wheel and not need Rust installed, but check Installation for documentation on installing a newer rustc if required.
decrypt() and related methods now accept both str and bytes tokens.
Parsing CertificateSigningRequest restores the behavior of enforcing that the Extension critical field must be correctly encoded DER. See the issue for complete details.
Added two new OpenSSL functions to the bindings to support an upcoming pyOpenSSL release.
When parsing CertificateRevocationList and CertificateSigningRequest values, it is now enforced that the version value in the input must be valid according to the rules of RFC 2986 and RFC 5280.
Using MD5 or SHA1 in CertificateBuilder and other X.509 builders is deprecated and support will be removed in the next version.
Added additional APIs to SignedCertificateTimestamp, including signature_hash_algorithm, signature_algorithm, signature, and extension_bytes.
Added tbs_precertificate_bytes, allowing users to access the to-be-signed pre-certificate data needed for signed certificate timestamp verification.
KBKDFHMAC and KBKDFCMAC now support MiddleFixed counter location.
Fixed RFC 4514 name parsing to reverse the order of the RDNs according to the section 2.1 of the RFC, affecting method from_rfc4514_string().
It is now possible to customize some aspects of encryption when serializing private keys, using encryption_builder().
Removed several legacy symbols from our OpenSSL bindings. Users of pyOpenSSL versions older than 22.0 will need to upgrade.
Added AES128 and AES256 classes. These classes do not replace AES (which allows all AES key lengths), but are intended for applications where developers want to be explicit about key length.
37.0.4 - 2022-07-05
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.5.
37.0.3 - 2022-06-21 (YANKED)
Attention: This release was subsequently yanked from PyPI due to a regression in OpenSSL.
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.4.
37.0.2 - 2022-05-03
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3.
Added a constant needed for an upcoming pyOpenSSL release.
37.0.1 - 2022-04-27
Fixed an issue where parsing an encrypted private key with the public loader functions would hang waiting for console input on OpenSSL 3.0.x rather than raising an error.
Restored some legacy symbols for older pyOpenSSL users. These will be removed again in the future, so pyOpenSSL users should still upgrade to the latest version of that package when they upgrade cryptography.
37.0.0 - 2022-04-26
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.2.
BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL 2.9.x and 3.0.x. The new minimum LibreSSL version is 3.1+.
BACKWARDS INCOMPATIBLE: Removed signer and verifier methods from the public key and private key classes. These methods were originally deprecated in version 2.0, but had an extended deprecation timeline due to usage. Any remaining users should transition to sign and verify.
Deprecated OpenSSL 1.1.0 support. OpenSSL 1.1.0 is no longer supported by the OpenSSL project. The next release of cryptography will be the last to support compiling with OpenSSL 1.1.0.
Deprecated Python 3.6 support. Python 3.6 is no longer supported by the Python core team. Support for Python 3.6 will be removed in a future cryptography release.
Deprecated the current minimum supported Rust version (MSRV) of 1.41.0. In the next release we will raise MSRV to 1.48.0. Users with the latest pip will typically get a wheel and not need Rust installed, but check Installation for documentation on installing a newer rustc if required.
Deprecated CAST5, SEED, IDEA, and Blowfish because they are legacy algorithms with extremely low usage. These will be removed in a future version of cryptography.
Added limited support for distinguished names containing a bit string.
We now ship universal2 wheels on macOS, which contain both arm64 and x86_64 architectures. Users on macOS should upgrade to the latest pip to ensure they can use this wheel, although we will continue to ship x86_64 specific wheels for now to ease the transition.
This will be the final release for which we ship manylinux2010 wheels. Going forward the minimum supported manylinux ABI for our wheels will be manylinux2014. The vast majority of users will continue to receive manylinux wheels provided they have an up to date pip. For PyPy wheels this release already requires manylinux2014 for compatibility with binaries distributed by upstream.
Added support for multiple OCSPSingleResponse in a OCSPResponse.
Restored support for signing certificates and other structures in X.509 with SHA3 hash algorithms.
TripleDES is disabled in FIPS mode.
Added support for serialization of PKCS#12 CA friendly names/aliases in serialize_key_and_certificates()
Added support for 12-15 byte (96 to 120 bit) nonces to AESOCB3. This class previously supported only 12 byte (96 bit).
Added support for AESSIV when using OpenSSL 3.0.0+.
Added support for serializing PKCS7 structures from a list of certificates with serialize_certificates.
Added support for parsing RFC 4514 strings with from_rfc4514_string().
Added AUTO to PSS. This can be used to verify a signature where the salt length is not already known.
Added DIGEST_LENGTH to PSS. This constant will set the salt length to the same length as the PSS hash algorithm.
Added support for loading RSA-PSS key types with load_pem_private_key() and load_der_private_key(). This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a normal RSA private key, discarding the PSS constraint information.

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>

643871d4a7 |
python3-cryptography: Update to version 36.0.2
- Update from version 3.4.7 to 36.0.2
After version 3.4.8 the numbering scheme changed to 35.0.0 in Sept 2021
See Changelog section 35.0.0 below
- New release requires a lot of rust packages - see Changelog sections 35.0.0 & 36.0.0
below. The required rust packages are installed in separate patches in this series
- Update of rootfile
- Changelog
36.0.2 - 2022-03-15
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.
36.0.1 - 2021-12-14
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.
36.0.0 - 2021-11-21
FINAL DEPRECATION Support for verifier and signer on our asymmetric key
classes was deprecated in version 2.0. These functions had an extended
deprecation due to usage, however the next version of cryptography will drop
support. Users should migrate to sign and verify.
The entire X.509 layer is now written in Rust. This allows alternate
asymmetric key implementations that can support cloud key management
services or hardware security modules provided they implement the necessary
interface (for example: EllipticCurvePrivateKey).
Deprecated the backend argument for all functions.
Added support for AESOCB3.
Added support for iterating over arbitrary request attributes.
Deprecated the get_attribute_for_oid method on CertificateSigningRequest in
favor of get_attribute_for_oid() on the new Attributes object.
Fixed handling of PEM files to allow loading when certificate and key are in
the same file.
Fixed parsing of CertificatePolicies extensions containing legacy BMPString
values in their explicitText.
Allow parsing of negative serial numbers in certificates. Negative serial
numbers are prohibited by RFC 5280 so a deprecation warning will be raised
whenever they are encountered. A future version of cryptography will drop
support for parsing them.
Added support for parsing PKCS12 files with friendly names for all
certificates with load_pkcs12(), which will return an object of type
PKCS12KeyAndCertificates.
rfc4514_string() and related methods now have an optional attr_name_overrides
parameter to supply custom OID to name mappings, which can be used to match
vendor-specific extensions.
BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email address
fields as E in rfc4514_string() methods from version 35.0.
The previous behavior can be restored with:
name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})
Allow X25519PublicKey and X448PublicKey to be used as public keys when
parsing certificates or creating them with CertificateBuilder. These key
types must be signed with a different signing algorithm as X25519 and X448
do not support signing.
Extension values can now be serialized to a DER byte string by calling
public_bytes().
Added experimental support for compiling against BoringSSL. As BoringSSL
does not commit to a stable API, cryptography tests against the latest
commit only. Please note that several features are not available when
building against BoringSSL.
Parsing CertificateSigningRequest from DER and PEM now, for a limited time
period, allows the Extension critical field to be incorrectly encoded. See
the issue for complete details. This will be reverted in a future
cryptography release.
When OCSPNonce are parsed and generated their value is now correctly wrapped
in an ASN.1 OCTET STRING. This conforms to RFC 6960 but conflicts with the
original behavior specified in RFC 2560. For a temporary period for
backwards compatibility, we will also parse values that are encoded as
specified in RFC 2560 but this behavior will be removed in a future release.
35.0.0 - 2021-09-29
Changed the version scheme. This will result in us incrementing the major
version more frequently, but does not change our existing backwards
compatibility policy.
BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM
string passed have PEM delimiters of the correct type. For example, parsing
a private key PEM concatenated with a certificate PEM will no longer be
accepted by the PEM certificate parser.
BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows
negative serial numbers. RFC 5280 has always prohibited these.
BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during X.509
parsing will raise an error on initial parse rather than when the malformed
field is accessed.
Rust is now required for building cryptography, the
CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.
Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust.
This should be backwards compatible (modulo the items listed above) and
improve both security and performance.
Added support for OpenSSL 3.0.0 as a compilation target.
Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms
are provided for compatibility in regions where they may be required, and
are not generally recommended.
We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our
manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine
Linux should ensure they upgrade to the latest pip to correctly receive
wheels.
Added rfc4514_attribute_name attribute to x509.NameAttribute.
Added KBKDFCMAC.
3.4.8 - 2021-08-24
Updated Windows, macOS, and manylinux wheels to be compiled with
OpenSSL 1.1.1l.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>

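Three of the parser behaviours listed in the two python3-cryptography changelogs above (the 38.0.1 fix for ASN.1 TLVs with lengths above 65535 bytes, the 35.0.0 rejection of negative serial numbers, and the 35.0.0/36.0.0 handling of PEM files that mix a private key and a certificate) come down to a few bytes of DER and a delimiter label. The following is an added example written for this page, not code from python3-cryptography or from IPFire; it uses only the Python standard library, and the PEM bundle, the 70000-byte TLV and the "certificate" and "key" DER it operates on are constructed stand-ins, not real X.509 objects.

```python
"""DER length/INTEGER and PEM delimiter checks, as an added example.

Not code from python3-cryptography or IPFire; Python standard library only.
It mirrors three behaviours named in the changelogs above: long-form ASN.1
lengths above 65535 bytes (38.0.1), rejection of negative X.509 serial
numbers (35.0.0), and picking the correctly delimited PEM block out of a
file that also holds a private key (35.0.0/36.0.0).  Sample inputs are
constructed here and are not real certificates.
"""
import base64
import re


class DERError(ValueError):
    """Raised for truncated, indefinite-length or non-minimal DER."""


def der_tlv(buf: bytes, offset: int = 0):
    """Parse one DER TLV at `offset`; return (tag, content, next_offset).

    Long-form lengths (first length byte 0x81..0x84) are decoded, so a
    70000-byte CRL body is accepted.  Indefinite length (0x80) is BER, and
    a long form used for a value that fits the short form, or a length
    field with a leading zero byte, is non-minimal; both are rejected.
    """
    if offset + 2 > len(buf):
        raise DERError("truncated TLV header")
    tag, first = buf[offset], buf[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise DERError("indefinite length is not DER")
    else:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise DERError("bad length field")
        if buf[pos] == 0:
            raise DERError("non-minimal length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80:
            raise DERError("non-minimal length encoding")
        pos += n
    end = pos + length
    if end > len(buf):
        raise DERError("content runs past end of input")
    return tag, buf[pos:end], end


def der_integer(buf: bytes, offset: int = 0):
    """Decode a DER INTEGER; return (value, next_offset).

    The sign comes from the high bit of the first content byte, which is
    exactly what makes a serial number "negative" in the RFC 5280 sense.
    """
    tag, content, end = der_tlv(buf, offset)
    if tag != 0x02:
        raise DERError(f"expected INTEGER (0x02), got tag 0x{tag:02x}")
    if not content:
        raise DERError("INTEGER needs at least one content byte")
    if len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        raise DERError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True), end


def serial_is_rfc5280_valid(buf: bytes) -> bool:
    """RFC 5280 4.1.2.2: serialNumber is a positive INTEGER of at most 20 octets."""
    _, content, _ = der_tlv(buf)
    value, _ = der_integer(buf)
    return value > 0 and len(content) <= 20


PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_blocks(text: str):
    """Yield (label, der) for each PEM block whose BEGIN/END labels match."""
    for m in PEM_BLOCK.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)


def load_pem(text: str, want: str) -> bytes:
    """Return the DER of the first block labelled exactly `want`.

    Other block types in the same file (a PRIVATE KEY ahead of a
    CERTIFICATE, say) are skipped rather than handed to the wrong parser,
    and a file with no block of the wanted type is an error, not a guess.
    """
    for label, der in pem_blocks(text):
        if label == want:
            return der
    raise ValueError(f"no {want} block found")


def make_pem(label: str, der: bytes) -> str:
    """Wrap DER in PEM armour (used only to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed stand-ins: SEQUENCE { INTEGER } rather than real key/cert DER.
FAKE_KEY_DER = b"\x30\x03\x02\x01\x01"
FAKE_CERT_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_BUNDLE = make_pem("PRIVATE KEY", FAKE_KEY_DER) + make_pem("CERTIFICATE", FAKE_CERT_DER)
# An OCTET STRING with a 70000-byte body: the length needs the 3-byte long form.
LARGE_TLV = b"\x04\x83\x01\x11\x70" + b"\x00" * 70000
```

The checks are deliberately strict in the DER direction only: non-minimal lengths and integers raise, because accepting them is how two parsers end up disagreeing about the same certificate, while `load_pem` tolerates unrelated blocks in the file so that a combined key-and-certificate PEM still yields its certificate.
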
9a7e4d8506
Switch checksums from MD5 to BLAKE2

Historically, the MD5 checksums in our LFS files serve as a protection against broken downloads, or accidentally corrupted source files. While the sources are nowadays downloaded via HTTPS, it makes sense to beef up integrity protection for them, since transparently intercepting TLS is believed to be feasible for more powerful actors, and the state of the public PKI ecosystem is clearly not helping.

Therefore, this patch switches from MD5 to BLAKE2, updating all LFS files as well as make.sh to deal with this checksum algorithm.

BLAKE2 is notably faster (and more secure) than SHA2, so the performance penalty introduced by this patch is negligible, if noticeable at all.

In preparation of this patch, the toolchain files currently used have been supplied with BLAKE2 checksums as well on https://source.ipfire.org/.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>

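The check that the commit above moves from MD5 to BLAKE2, as an added example written for this page rather than IPFire's own make.sh or LFS code. It assumes the LFS files record the digest on a line of the form `$(DL_FILE)_BLAKE2 = <hex>` (an assumption about the file format, not something the commit message states) and works on constructed tarball bytes so it runs offline; `hashlib.blake2b` with its default 64-byte digest produces the same hex that `b2sum` prints.

```python
"""Check a downloaded source file against the BLAKE2 checksum recorded for it.

Added example, not IPFire's make.sh or LFS tooling; standard library only.
The "$(DL_FILE)_BLAKE2 = <hex>" line format is an assumption about how the
LFS files record the digest, and the "tarball" is constructed bytes.
"""
import hashlib
import hmac
import re

# hashlib.blake2b() defaults to BLAKE2b-512, the same digest b2sum prints.
BLAKE2B_HEX_LEN = hashlib.blake2b().digest_size * 2  # 128 hex characters

LFS_CHECKSUM_LINE = re.compile(
    r"^\$\(DL_FILE\)_BLAKE2\s*=\s*([0-9A-Fa-f]+)\s*$", re.M
)


def expected_checksum(lfs_text: str) -> str:
    """Pull the recorded BLAKE2 hex digest out of an LFS file's text."""
    m = LFS_CHECKSUM_LINE.search(lfs_text)
    if m is None:
        raise ValueError("LFS file has no $(DL_FILE)_BLAKE2 line")
    return m.group(1).lower()


def blake2_hex(data: bytes) -> str:
    """BLAKE2b-512 of in-memory bytes, as lowercase hex."""
    return hashlib.blake2b(data).hexdigest()


def blake2_hex_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Streaming variant for real tarballs, so a large archive is not read at once."""
    h = hashlib.blake2b()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(data: bytes, expected: str) -> bool:
    """True only if `expected` is a full-length BLAKE2b-512 digest of `data`.

    The length check is the point of the switch: a stale 32-character MD5
    value left behind in an LFS file can never match, so it fails closed
    instead of being compared against the wrong algorithm.  compare_digest
    is used out of habit; the digest is public, so timing is not a secret.
    """
    if len(expected) != BLAKE2B_HEX_LEN:
        return False
    return hmac.compare_digest(blake2_hex(data), expected.lower())


# Constructed sample: stand-in tarball bytes and an LFS excerpt recording them.
SAMPLE_TARBALL = b"constructed stand-in for a source tarball\n" * 1000
SAMPLE_LFS = (
    "# hypothetical LFS excerpt\n"
    "$(DL_FILE)_BLAKE2 = " + blake2_hex(SAMPLE_TARBALL) + "\n"
)
```

Rejecting a digest of the wrong length before comparing is what keeps the migration honest: an LFS file that still carries an MD5 line fails the build rather than silently passing a different algorithm, which is the failure mode a checksum swap across many files is most likely to produce.
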
c54ce71713 |
python3-cryptography: Fix build against Rust

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

7c49b08794 |
python3-cryptography: New package required by oci-python-sdk

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>