import python-cryptography-3.2.1-5.el8

.gitignore

@@ -0,0 +1 @@
+SOURCES/cryptography-3.2.1.tar.gz

.python-cryptography.metadata

@@ -0,0 +1 @@
+20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz

SOURCES/0001-Re-add-deprecated-and-removed-features.patch

@@ -0,0 +1,254 @@
+From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 27 Oct 2020 16:42:15 +0100
+Subject: [PATCH 1] Re-add deprecated and removed features
+
+* encode_rfc6979_signature()
+* decode_rfc6979_signature()
+* Certificate.serial property
+* MACContext
+* osrandom engine is disabled
+
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ .../hazmat/backends/openssl/cmac.py           |  3 +-
+ .../hazmat/backends/openssl/hmac.py           |  3 +-
+ .../hazmat/backends/openssl/x509.py           |  4 ++
+ .../hazmat/primitives/asymmetric/utils.py     |  8 ++++
+ src/cryptography/hazmat/primitives/cmac.py    |  3 +-
+ src/cryptography/hazmat/primitives/hmac.py    |  3 +-
+ src/cryptography/hazmat/primitives/mac.py     | 37 +++++++++++++++++++
+ src/cryptography/x509/extensions.py           |  6 ++-
+ tests/hazmat/backends/test_openssl.py         |  3 ++
+ tests/hazmat/primitives/test_asym_utils.py    |  9 +++++
+ tests/x509/test_x509.py                       |  1 +
+ tests/x509/test_x509_ext.py                   |  5 +++
+ 12 files changed, 80 insertions(+), 5 deletions(-)
+ create mode 100644 src/cryptography/hazmat/primitives/mac.py
+
+diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
+index 195fc230f..5281f634d 100644
+--- a/src/cryptography/hazmat/backends/openssl/cmac.py
++++ b/src/cryptography/hazmat/backends/openssl/cmac.py
+@@ -11,10 +11,11 @@ from cryptography.exceptions import (
+     UnsupportedAlgorithm,
+     _Reasons,
+ )
+-from cryptography.hazmat.primitives import constant_time
++from cryptography.hazmat.primitives import constant_time, mac
+ from cryptography.hazmat.primitives.ciphers.modes import CBC
+ 
+ 
++@utils.register_interface(mac.MACContext)
+ class _CMACContext(object):
+     def __init__(self, backend, algorithm, ctx=None):
+         if not backend.cmac_algorithm_supported(algorithm):
+diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
+index 5024223b2..11c850e10 100644
+--- a/src/cryptography/hazmat/backends/openssl/hmac.py
++++ b/src/cryptography/hazmat/backends/openssl/hmac.py
+@@ -11,9 +11,10 @@ from cryptography.exceptions import (
+     UnsupportedAlgorithm,
+     _Reasons,
+ )
+-from cryptography.hazmat.primitives import constant_time, hashes
++from cryptography.hazmat.primitives import constant_time, hashes, mac
+ 
+ 
++@utils.register_interface(mac.MACContext)
+ @utils.register_interface(hashes.HashContext)
+ class _HMACContext(object):
+     def __init__(self, backend, key, algorithm, ctx=None):
+diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
+index 4d0dac764..c9074f59e 100644
+--- a/src/cryptography/hazmat/backends/openssl/x509.py
++++ b/src/cryptography/hazmat/backends/openssl/x509.py
+@@ -73,6 +73,10 @@ class _Certificate(object):
+         self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
+         return _asn1_integer_to_int(self._backend, asn1_int)
+ 
++    @property
++    def serial(self):
++        return self.serial_number
++
+     def public_key(self):
+         pkey = self._backend._lib.X509_get_pubkey(self._x509)
+         if pkey == self._backend._ffi.NULL:
+diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
+index 5f9b67786..886d7565b 100644
+--- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
++++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
+@@ -39,3 +39,11 @@ class Prehashed(object):
+         self._digest_size = algorithm.digest_size
+ 
+     digest_size = utils.read_only_property("_digest_size")
++
++
++def decode_rfc6979_signature(signature):
++    return decode_dss_signature(signature)
++
++
++def encode_rfc6979_signature(r, s):
++    return encode_dss_signature(r, s)
+diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py
+index bf962c906..7f37f13cc 100644
+--- a/src/cryptography/hazmat/primitives/cmac.py
++++ b/src/cryptography/hazmat/primitives/cmac.py
+@@ -12,9 +12,10 @@ from cryptography.exceptions import (
+ )
+ from cryptography.hazmat.backends import _get_backend
+ from cryptography.hazmat.backends.interfaces import CMACBackend
+-from cryptography.hazmat.primitives import ciphers
++from cryptography.hazmat.primitives import ciphers, mac
+ 
+ 
++@utils.register_interface(mac.MACContext)
+ class CMAC(object):
+     def __init__(self, algorithm, backend=None, ctx=None):
+         backend = _get_backend(backend)
+diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py
+index 8c421dc68..6f03a1071 100644
+--- a/src/cryptography/hazmat/primitives/hmac.py
++++ b/src/cryptography/hazmat/primitives/hmac.py
+@@ -12,9 +12,10 @@ from cryptography.exceptions import (
+ )
+ from cryptography.hazmat.backends import _get_backend
+ from cryptography.hazmat.backends.interfaces import HMACBackend
+-from cryptography.hazmat.primitives import hashes
++from cryptography.hazmat.primitives import hashes, mac
+ 
+ 
++@utils.register_interface(mac.MACContext)
+ @utils.register_interface(hashes.HashContext)
+ class HMAC(object):
+     def __init__(self, key, algorithm, backend=None, ctx=None):
+diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py
+new file mode 100644
+index 000000000..4c95190ba
+--- /dev/null
++++ b/src/cryptography/hazmat/primitives/mac.py
+@@ -0,0 +1,37 @@
++# This file is dual licensed under the terms of the Apache License, Version
++# 2.0, and the BSD License. See the LICENSE file in the root of this repository
++# for complete details.
++
++from __future__ import absolute_import, division, print_function
++
++import abc
++
++import six
++
++
++@six.add_metaclass(abc.ABCMeta)
++class MACContext(object):
++    @abc.abstractmethod
++    def update(self, data):
++        """
++        Processes the provided bytes.
++        """
++
++    @abc.abstractmethod
++    def finalize(self):
++        """
++        Returns the message authentication code as bytes.
++        """
++
++    @abc.abstractmethod
++    def copy(self):
++        """
++        Return a MACContext that is a copy of the current context.
++        """
++
++    @abc.abstractmethod
++    def verify(self, signature):
++        """
++        Checks if the generated message authentication code matches the
++        signature.
++        """
+diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
+index 130ba69b8..ddbccdf3b 100644
+--- a/src/cryptography/x509/extensions.py
++++ b/src/cryptography/x509/extensions.py
+@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object):
+ 
+     @classmethod
+     def from_issuer_subject_key_identifier(cls, ski):
++        if isinstance(ski, SubjectKeyIdentifier):
++            digest = ski.digest
++        else:
++            digest = ski.value.digest
+         return cls(
+-            key_identifier=ski.digest,
++            key_identifier=digest,
+             authority_cert_issuer=None,
+             authority_cert_serial_number=None,
+         )
+diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
+index 2f7e7bebf..73c17d84f 100644
+--- a/tests/hazmat/backends/test_openssl.py
++++ b/tests/hazmat/backends/test_openssl.py
+@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object):
+         res = backend._lib.ENGINE_free(e)
+         assert res == 1
+ 
++    def test_rhel8_no_osrandom(self):
++        pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667")
++
+ 
+ @pytest.mark.skipif(
+     backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE,
+diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
+index 70bff012f..334b459b5 100644
+--- a/tests/hazmat/primitives/test_asym_utils.py
++++ b/tests/hazmat/primitives/test_asym_utils.py
+@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
+     Prehashed,
+     decode_dss_signature,
+     encode_dss_signature,
++    encode_rfc6979_signature,
++    decode_rfc6979_signature
+ )
+ 
+ 
+@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1():
+ def test_pass_invalid_prehashed_arg():
+     with pytest.raises(TypeError):
+         Prehashed(object())
++
++
++def test_deprecated_rfc6979_signature():
++    sig = encode_rfc6979_signature(1, 1)
++    assert sig == b"0\x06\x02\x01\x01\x02\x01\x01"
++    decoded = decode_rfc6979_signature(sig)
++    assert decoded == (1, 1)
+diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
+index 11c80816c..e5bdf17d4 100644
+--- a/tests/x509/test_x509.py
++++ b/tests/x509/test_x509.py
+@@ -685,6 +685,7 @@ class TestRSACertificate(object):
+         )
+         assert isinstance(cert, x509.Certificate)
+         assert cert.serial_number == 11559813051657483483
++        assert cert.serial == cert.serial_number
+         fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
+         assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
+         assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
+diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
+index 2cd216fb6..ac2b2c03d 100644
+--- a/tests/x509/test_x509_ext.py
++++ b/tests/x509/test_x509_ext.py
+@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object):
+         )
+         assert ext.value == aki
+ 
++        aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
++            ski_ext
++        )
++        assert ext.value == aki
++
+ 
+ class TestNameConstraints(object):
+     def test_ipaddress_wrong_type(self):
+-- 
+2.26.2
+

SOURCES/0002-Support-pytest-3.4.2.patch

@@ -0,0 +1,86 @@
+From c1c1b14d359b1360e7d14a7c0687bef9ed6fc17c Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Wed, 28 Oct 2020 14:27:55 +0100
+Subject: [PATCH 2] Support pytest 3.4.2
+
+---
+ setup.py            | 3 ++-
+ tests/conftest.py   | 4 ++--
+ tests/test_utils.py | 4 ++--
+ tests/utils.py      | 2 +-
+ 4 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index 82800a96e..5678db004 100644
+--- a/setup.py
++++ b/setup.py
+@@ -93,7 +93,8 @@ setup(
+     extras_require={
+         ":python_version < '3'": ["enum34", "ipaddress"],
+         "test": [
+-            "pytest>=3.6.0,!=3.9.0,!=3.9.1,!=3.9.2",
++            "pytest>=3.4.2,<3.6",
++            "attrs>=17.4.0,<18.0",
+             "pretend",
+             "iso8601",
+             "pytz",
+diff --git a/tests/conftest.py b/tests/conftest.py
+index 4e3124fa7..53c194830 100644
+--- a/tests/conftest.py
++++ b/tests/conftest.py
+@@ -42,7 +42,7 @@ def pytest_generate_tests(metafunc):
+ 
+ def pytest_runtest_setup(item):
+     if openssl_backend._fips_enabled:
+-        for marker in item.iter_markers(name="skip_fips"):
++        for marker in item.get_marker(name="skip_fips") or []:
+             pytest.skip(marker.kwargs["reason"])
+ 
+ 
+@@ -50,7 +50,7 @@ def pytest_runtest_setup(item):
+ def backend(request):
+     required_interfaces = [
+         mark.kwargs["interface"]
+-        for mark in request.node.iter_markers("requires_backend_interface")
++        for mark in request.node.get_marker("requires_backend_interface") or []
+     ]
+     if not all(
+         isinstance(openssl_backend, iface) for iface in required_interfaces
+diff --git a/tests/test_utils.py b/tests/test_utils.py
+index d6afa3b34..e0a1be4f5 100644
+--- a/tests/test_utils.py
++++ b/tests/test_utils.py
+@@ -43,7 +43,7 @@ def test_check_backend_support_skip():
+     supported = pretend.stub(
+         kwargs={"only_if": lambda backend: False, "skip_message": "Nope"}
+     )
+-    node = pretend.stub(iter_markers=lambda x: [supported])
++    node = pretend.stub(get_marker=lambda x: [supported])
+     item = pretend.stub(node=node)
+     with pytest.raises(pytest.skip.Exception) as exc_info:
+         check_backend_support(True, item)
+@@ -54,7 +54,7 @@ def test_check_backend_support_no_skip():
+     supported = pretend.stub(
+         kwargs={"only_if": lambda backend: True, "skip_message": "Nope"}
+     )
+-    node = pretend.stub(iter_markers=lambda x: [supported])
++    node = pretend.stub(get_marker=lambda x: [supported])
+     item = pretend.stub(node=node)
+     assert check_backend_support(None, item) is None
+ 
+diff --git a/tests/utils.py b/tests/utils.py
+index 5d98af00e..a08f79c34 100644
+--- a/tests/utils.py
++++ b/tests/utils.py
+@@ -27,7 +27,7 @@ KeyedHashVector = collections.namedtuple(
+ 
+ 
+ def check_backend_support(backend, item):
+-    for mark in item.node.iter_markers("supported"):
++    for mark in item.node.get_marker("supported") or []:
+         if not mark.kwargs["only_if"](backend):
+             pytest.skip("{} ({})".format(mark.kwargs["skip_message"], backend))
+ 
+-- 
+2.26.2
+

SOURCES/0003-Skip-iso8601-test-cases.patch

@@ -0,0 +1,73 @@
+From bea141d25bd2bc4eea7527e2d6ec1d85b2b3806d Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Thu, 29 Oct 2020 09:21:06 +0100
+Subject: [PATCH 3] Skip iso8601 test cases
+
+---
+ tests/test_fernet.py | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/tests/test_fernet.py b/tests/test_fernet.py
+index 38409b03e..343f3e4ec 100644
+--- a/tests/test_fernet.py
++++ b/tests/test_fernet.py
+@@ -10,7 +10,10 @@ import json
+ import os
+ import time
+ 
+-import iso8601
++try:
++    import iso8601
++except ImportError:
++    iso8601 = None
+ 
+ import pytest
+ 
+@@ -24,6 +27,12 @@ from cryptography.hazmat.primitives.ciphers import algorithms, modes
+ import cryptography_vectors
+ 
+ 
++skip_iso8601 = pytest.mark.skipif(
++    iso8601 is None,
++    reason="is8601 is not available"
++)
++
++
+ def json_parametrize(keys, filename):
+     vector_file = cryptography_vectors.open_vector_file(
+         os.path.join("fernet", filename), "r"
+@@ -49,6 +58,7 @@ def test_default_backend():
+     skip_message="Does not support AES CBC",
+ )
+ class TestFernet(object):
++    @skip_iso8601
+     @json_parametrize(
+         ("secret", "now", "iv", "src", "token"),
+         "generate.json",
+@@ -62,6 +72,7 @@ class TestFernet(object):
+         )
+         assert actual_token == token.encode("ascii")
+ 
++    @skip_iso8601
+     @json_parametrize(
+         ("secret", "now", "src", "ttl_sec", "token"),
+         "verify.json",
+@@ -81,6 +92,7 @@ class TestFernet(object):
+         payload = f.decrypt(token.encode("ascii"), ttl=ttl_sec)
+         assert payload == src.encode("ascii")
+ 
++    @skip_iso8601
+     @json_parametrize(("secret", "token", "now", "ttl_sec"), "invalid.json")
+     def test_invalid(self, secret, token, now, ttl_sec, backend, monkeypatch):
+         f = Fernet(secret.encode("ascii"), backend=backend)
+@@ -117,6 +129,7 @@ class TestFernet(object):
+         with pytest.raises(TypeError):
+             f.decrypt(u"")
+ 
++    @skip_iso8601
+     def test_timestamp_ignored_no_ttl(self, monkeypatch, backend):
+         f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
+         pt = b"encrypt me"
+-- 
+2.26.2
+

SOURCES/0004-Revert-remove-NPN-bindings.patch

@@ -0,0 +1,75 @@
+From e8ed37e0d24a1cc7482ab816ed5f25243395b2ef Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Mon, 14 Dec 2020 14:13:53 +0100
+Subject: [PATCH] Revert "remove NPN bindings -- you should be using ALPN!
+ (#4765)"
+
+This reverts commit 99bf4e4605cbe54bad597da1ebe4cc323909083c.
+---
+ src/_cffi_src/openssl/ssl.py          | 20 +++++++++++++++++++-
+ tests/hazmat/bindings/test_openssl.py |  4 ++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
+index c38e309a1..fa854f5dd 100644
+--- a/src/_cffi_src/openssl/ssl.py
++++ b/src/_cffi_src/openssl/ssl.py
+@@ -138,6 +138,8 @@ static const long SSL3_RANDOM_SIZE;
+ static const long TLS_ST_BEFORE;
+ static const long TLS_ST_OK;
+ 
++static const long OPENSSL_NPN_NEGOTIATED;
++
+ typedef ... SSL_METHOD;
+ typedef ... SSL_CTX;
+ 
+@@ -401,9 +403,25 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *);
+ 
+ long SSL_session_reused(SSL *);
+ 
++void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *,
++                                           int (*)(SSL *,
++                                                   const unsigned char **,
++                                                   unsigned int *,
++                                                   void *),
++                                           void *);
++void SSL_CTX_set_next_proto_select_cb(SSL_CTX *,
++                                      int (*)(SSL *,
++                                              unsigned char **,
++                                              unsigned char *,
++                                              const unsigned char *,
++                                              unsigned int,
++                                              void *),
++                                      void *);
+ int SSL_select_next_proto(unsigned char **, unsigned char *,
+                           const unsigned char *, unsigned int,
+                           const unsigned char *, unsigned int);
++void SSL_get0_next_proto_negotiated(const SSL *,
++                                    const unsigned char **, unsigned *);
+ 
+ int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
+ const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
+@@ -601,7 +619,7 @@ static const long Cryptography_HAS_TLSv1_2 = 1;
+ static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
+ static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
+ static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
+-static const long Cryptography_HAS_NEXTPROTONEG = 0;
++static const long Cryptography_HAS_NEXTPROTONEG = 1;
+ static const long Cryptography_HAS_ALPN = 1;
+ 
+ #if CRYPTOGRAPHY_IS_LIBRESSL
+diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
+index ecee34091..aeb12a0dc 100644
+--- a/tests/hazmat/bindings/test_openssl.py
++++ b/tests/hazmat/bindings/test_openssl.py
+@@ -137,3 +137,7 @@ class TestOpenSSL(object):
+         )
+         with pytest.raises(RuntimeError):
+             _verify_openssl_version(lib)
++
++    def test_npn_binding(self):
++        b = Binding()
++        assert b.lib.Cryptography_HAS_NEXTPROTONEG
+-- 
+2.29.2
+

SOURCES/0005-CVE-2020-36242.patch

@@ -0,0 +1,18 @@
+From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Sun, 7 Feb 2021 11:04:43 -0600
+Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 2b10681b31..0f96795fdc 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -16,7 +16,7 @@
+ class _CipherContext(object):
+     _ENCRYPT = 1
+     _DECRYPT = 0
+-    _MAX_CHUNK_SIZE = 2 ** 31 - 1
++    _MAX_CHUNK_SIZE = 2 ** 30 - 1
+ 
+     def __init__(self, backend, cipher, mode, operation):
+         self._backend = backend

SPECS/python-cryptography.spec

@@ -0,0 +1,265 @@
+%{!?python3_pkgversion:%global python3_pkgversion 3}
+
+%global srcname cryptography
+
+Name:           python-%{srcname}
+Version:        3.2.1
+Release:        5%{?dist}
+Summary:        PyCA's cryptography library
+
+Group:          Development/Libraries
+License:        ASL 2.0 or BSD
+URL:            https://cryptography.io/en/latest/
+Source0:        https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
+
+Patch0001:      0001-Re-add-deprecated-and-removed-features.patch
+Patch0002:      0002-Support-pytest-3.4.2.patch
+Patch0003:	0003-Skip-iso8601-test-cases.patch
+Patch0004:	0004-Revert-remove-NPN-bindings.patch
+Patch0005:	0005-CVE-2020-36242.patch
+
+BuildRequires:  openssl-devel
+BuildRequires:  gcc
+
+BuildRequires:  python%{python3_pkgversion}-devel
+BuildRequires:  python%{python3_pkgversion}-pytest >= 3.4.2
+BuildRequires:  python%{python3_pkgversion}-setuptools
+BuildRequires:  python%{python3_pkgversion}-pretend
+# BuildRequires:  python{python3_pkgversion}-iso8601
+BuildRequires:  python%{python3_pkgversion}-cryptography-vectors = %{version}
+BuildRequires:  python%{python3_pkgversion}-pytz
+BuildRequires:  python%{python3_pkgversion}-six >= 1.4.1
+BuildRequires:  python%{python3_pkgversion}-cffi >= 1.7
+
+%description
+cryptography is a package designed to expose cryptographic primitives and
+recipes to Python developers.
+
+%package -n  python%{python3_pkgversion}-%{srcname}
+Group:          Development/Libraries
+Summary:        PyCA's cryptography library
+%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
+
+Requires:       openssl-libs
+Requires:       python%{python3_pkgversion}-six >= 1.4.1
+Requires:       python%{python3_pkgversion}-cffi >= 1.7
+Conflicts:      python%{python3_pkgversion}-cryptography-vectors < %{version}
+Conflicts:      python%{python3_pkgversion}-cryptography-vectors > %{version}
+
+%description -n python%{python3_pkgversion}-%{srcname}
+cryptography is a package designed to expose cryptographic primitives and
+recipes to Python developers.
+
+
+%prep
+%autosetup -p1 -n %{srcname}-%{version}
+
+
+%build
+%py3_build
+
+
+%install
+# Actually other *.c and *.h are appropriate
+# see https://github.com/pyca/cryptography/issues/1463
+find . -name .keep -print -delete
+%py3_install
+
+
+%check
+# workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644
+rm -f tests/hazmat/primitives/test_padding.py
+# don't run hypothesis tests
+rm -rf tests/hypothesis
+PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest
+
+
+%files -n python%{python3_pkgversion}-%{srcname}
+%doc README.rst docs
+%license LICENSE LICENSE.APACHE LICENSE.BSD
+%{python3_sitearch}/%{srcname}
+%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
+
+
+%changelog
+* Tue Jun 08 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-5
+- Rebuild for RHEL 8.5
+- Resolves: rhbz#1933071
+
+* Tue Feb 09 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-4
+- CVE-2020-36242: Fixed a bug where certain sequences of update() calls
+  when symmetrically encrypting very large payloads (>2GB) could result
+  in an integer overflow, leading to buffer overflows.
+- Resolves: rhbz#1926528
+
+* Mon Dec 14 17:24:01 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-3
+- Conflict with non-matching vector package
+
+* Mon Dec 14 14:19:42 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-2
+- Re-add remove NPN bindings, required for pyOpenSSL
+- Resolves: rhbz#1907429
+
+* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
+- Rebase to upstream release 3.2.1
+- Resolves: rhbz#1873581
+- Resolves: rhbz#1778939
+- Removed dependencies on python-asn1crypto, python-idna
+
+* Tue Nov 12 2019 Christian Heimes <cheimes@redhat.com> - 2.3-3
+- Don't activate custom osrandom engine for FIPS compliance
+- Resolves: rhbz#1762667
+
+* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
+- Use TLSv1.2 in test as workaround for RHBZ#1615099
+- Resolves: RHBZ#1611738
+
+* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
+- New upstream release 2.3
+- Fix AEAD tag truncation bug, CVE-2018-10903, RHBZ#1602755, RHBZ#1602932
+
+* Tue Jun 19 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-2
+- Drop Python 2 subpackages from RHEL 8, fixes RHBZ#1589754
+- Remove unnecessary copy and shebang mangling
+
+* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
+- New upstream release 2.2.1
+
+* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
+- New upstream release 2.1.4
+
+* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
+- Build requires gcc
+
+* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Nov 23 2017 Haïkel Guémar <hguemar@fedoraproject.org> - 2.1.3-1
+- Upstream 2.1.3
+
+* Tue Oct 24 2017 Christian Heimes <cheimes@redhat.com> - 2.1-2
+- Change Requires to openssl-libs
+
+* Thu Oct 12 2017 Christian Heimes <cheimes@redhat.com> - 2.1-1
+- New upstream release 2.1
+
+* Wed Sep 27 2017 Troy Dawson <tdawson@redhat.com> - 2.0.2-3
+- Cleanup spec file conditionals
+
+* Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-2
+- Add workaround for pytest bug
+
+* Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-1
+- New upstream release 2.0.2
+- Modernize spec
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jun 27 2017 Christian Heimes <cheimes@redhat.com> - 1.9-1
+- Upstream release 1.9
+
+* Wed Feb 15 2017 Christian Heimes <cheimes@redhat.com> - 1.7.2-1
+- Update to latest upstream
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Jan 05 2017 Matěj Cepl <mcepl@redhat.com> - 1.7.1-1
+- Update to the latest upstream.
+- Add a patch from https://github.com/pyca/cryptography/pull/3328
+
+* Tue Dec 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-5
+- Enable tests
+
+* Mon Dec 12 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-4
+- Rebuild for Python 3.6
+- Disable python3 tests for now
+
+* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-3
+- Revert previous change
+
+* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-2
+- Disable tests on releases earlier than 24
+
+* Mon Nov 07 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-1
+- Update to v1.5.3
+- Update source URL
+- Add BR for pytz
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-4
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-3
+- Remove versioned setuptools dependency
+
+* Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-2
+- Make it easier to build on EL7
+
+* Tue May 03 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-1
+- Update to v1.3.1
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Jan 11 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-2
+- Move python-cryptograph => python2-cryptography
+
+* Sat Jan 09 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-1
+- Update to v1.2.1
+
+* Wed Nov 11 2015 Robert Kuska <rkuska@redhat.com> - 1.1-1
+- Update to v1.1
+
+* Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 1.0.2-2
+- Rebuilt for Python3.5 rebuild
+
+* Wed Sep 30 2015 Matěj Cepl <mcepl@redhat.com> - 1.0.2-1
+- New upstream release (fix #1267548)
+
+* Wed Aug 12 2015 Nathaniel McCallum <npmccallum@redhat.com> - 1.0-1
+- New upstream release
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Thu May 14 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.9-1
+- New upstream release
+- Run tests on RHEL
+- New deps: python-idna, python-ipaddress
+
+* Fri Apr 17 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8.2-1
+- New upstream release
+- Add python3-pyasn1 Requires (#1211073)
+
+* Tue Apr 14 2015 Matej Cepl <mcepl@redhat.com> - 0.8-2
+- Add python-pyasn1 Requires (#1211073)
+
+* Fri Mar 13 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8-1
+- New upstream release
+- Remove upstreamed patch
+
+* Wed Mar 04 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-2
+- Add python3-cryptography-vectors build requires
+- Add python-enum34 requires
+
+* Tue Feb 03 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-1
+- New upstream release. BSD is now an optional license.
+- Fix test running on python3
+- Add upstream patch to fix test paths
+
+* Fri Nov 07 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-2
+- Fix requires, for reasons why other development files were not
+  eliminated see https://github.com/pyca/cryptography/issues/1463.
+
+* Wed Nov 05 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-1
+- New upstream release.
+
+* Sun Jun 29 2014 Terry Chia <terrycwk1994@gmail.com> 0.4-1
+- initial version