3.4.5 backports and changelog/version bump (#5827)

* Bump pyo3 and lower MSRV (#5823) * fix signature of EllipticCurvePublicKey.verify() (#5808) The signature change was introduced in #5729 but is inconsistent with respect to related methods, breaks backward compatibility and compatibility with the OpenSSL backend (and maybe other backends) when named arguments are used. * Name: update get_attributes_for_oid return type (#5809) `List` gives more power to the caller. Note that `RelativeDistinguishedName`, the same function returns a `List`. Is there a reason this was `Iterable` only for `Name`? If we don't want to promise `List`, `Sequence` is another alternative. * Start typing a bunch of stuff from x509 extensions (#5812) * part 2 of typing x509 extensions (#5815) * 3.4.5 changelog and version bump * spelling * fix a false positive from the latest clippy (#5813) Co-authored-by: Alex Gaynor <[email protected]> Co-authored-by: Markus Wamser <[email protected]> Co-authored-by: Dan Halperin <[email protected]>
pyca · Feb 13, 2021 · 4d77fb9 · 4d77fb9
1 parent 4a3018e
commit 4d77fb9
Show file tree

Hide file tree

Showing 17 changed files with 414 additions and 158 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -143,7 +143,8 @@ jobs:
         PYTHON:
           - {VERSION: "3.9", TOXENV: "py39"}
         RUST:
-          # Cover MSRV and in-dev versions
+          # Cover MSRV (and likely next MSRV) and in-dev versions
+          - 1.41.0
           - 1.45.0
           - beta
           - nightly

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,19 @@
 Changelog
 =========
 
+.. _v3-4-5:
+
+3.4.5 - 2021-02-13
+~~~~~~~~~~~~~~~~~~
+
+* Various improvements to type hints.
+* Lower the minimum supported Rust version (MSRV) to >=1.41.0. This change
+  improves compatibility with system-provided Rust on several Linux
+  distributions.
+* ``cryptography`` will be switching to a new versioning scheme with its next
+  feature release. More information is available in our
+  :doc:`/api-stability` documentation.
+
 .. _v3-4-4:
 
 3.4.4 - 2021-02-09

diff --git a/docs/installation.rst b/docs/installation.rst
@@ -7,6 +7,9 @@ You can install ``cryptography`` with ``pip``:
 
     $ pip install cryptography
 
+If this does not work please **upgrade your pip** first, as that is the
+single most common cause of installation problems.
+
 Supported platforms
 -------------------
 
@@ -72,18 +75,26 @@ local `wheel cache`_.
 Building cryptography on Linux
 ------------------------------
 
+.. note::
+
+    If you are on RHEL/CentOS/Fedora/Debian/Ubuntu or another distribution
+    derived from the preceding list, then you should **upgrade pip** and
+    attempt to install ``cryptography`` again before following the instructions
+    to compile it below. These platforms will receive a binary wheel and
+    require no compiler if you have an updated ``pip``!
+
 ``cryptography`` ships ``manylinux`` wheels (as of 2.0) so all dependencies
-are included. For users on pip 19.0 or above running on a ``manylinux2010`` (or
-greater) compatible distribution (almost everything except Alpine) all you
-should need to do is:
+are included. For users on **pip 19.0** or above running on a ``manylinux2010``
+(or greater) compatible distribution (almost everything **except Alpine**) all
+you should need to do is:
 
 .. code-block:: console
 
     $ pip install cryptography
 
 If you are on Alpine or just want to compile it yourself then
-``cryptography`` requires a compiler, headers for Python (if you're not
-using ``pypy``), and headers for the OpenSSL and ``libffi`` libraries
+``cryptography`` requires a C compiler, a Rust compiler, headers for Python (if
+you're not using ``pypy``), and headers for the OpenSSL and ``libffi`` libraries
 available on your system.
 
 On all Linux distributions you will need to have :ref:`Rust installed and
@@ -92,21 +103,57 @@ available<installation:Rust>`.
 Alpine
 ~~~~~~
 
+.. warning::
+
+    The Rust available by default in Alpine < 3.12 is older than the minimum
+    supported version. See the :ref:`Rust installation instructions
+    <installation:Rust>` for information about installing a newer Rust.
+
 .. code-block:: console
 
-    $ sudo apk add gcc musl-dev python3-dev libffi-dev openssl-dev
+    $ sudo apk add gcc musl-dev python3-dev libffi-dev openssl-dev cargo
 
 If you get an error with ``openssl-dev`` you may have to use ``libressl-dev``.
 
 Debian/Ubuntu
 ~~~~~~~~~~~~~
 
+.. warning::
+
+    The Rust available in current Debian stable and some Ubuntu versions is
+    older than the minimum supported version. Ubuntu 18.04 and 20.04 are
+    sufficiently new, but otherwise please see the
+    :ref:`Rust installation instructions <installation:Rust>` for information
+    about installing a newer Rust.
+
 .. code-block:: console
 
-    $ sudo apt-get install build-essential libssl-dev libffi-dev python3-dev
+    $ sudo apt-get install build-essential libssl-dev libffi-dev \
+        python3-dev cargo
+
+Fedora/RHEL 8/CentOS 8
+~~~~~~~~~~~~~~~~~~~~~~
 
-RHEL/CentOS
-~~~~~~~~~~~
+.. warning::
+
+    For RHEL and CentOS you must be on version 8.3 or newer for the command
+    below to install a sufficiently new Rust. If your Rust is less than 1.41.0
+    please see the :ref:`Rust installation instructions <installation:Rust>`
+    for information about installing a newer Rust.
+
+.. code-block:: console
+
+    $ sudo dnf install redhat-rpm-config gcc libffi-devel python3-devel \
+        openssl-devel cargo
+
+RHEL 7/CentOS 7
+~~~~~~~~~~~~~~~
+
+.. warning::
+
+    You must install Rust using the :ref:`Rust installation instructions
+    <installation:Rust>`. ``cryptography`` requires a Rust version newer than
+    what is provided in the distribution packages.
 
 .. code-block:: console
 
@@ -226,25 +273,27 @@ This will install a compiler (clang) along with (most of) the required
 development headers.
 
 You will also need to have :ref:`Rust installed and
-available<installation:Rust>`.
+available<installation:Rust>`, which can be obtained from `Homebrew`_,
+`MacPorts`_, or directly from the Rust website.
 
-You'll also need OpenSSL, which you can obtain from `Homebrew`_ or `MacPorts`_.
-Cryptography does **not** support Apple's deprecated OpenSSL distribution.
+Finally you need OpenSSL, which you can obtain from `Homebrew`_ or `MacPorts`_.
+Cryptography does **not** support the OpenSSL/LibreSSL libraries Apple ships
+in its base operating system.
 
 To build cryptography and dynamically link it:
 
 `Homebrew`_
 
 .. code-block:: console
 
-    $ brew install [email protected]
+    $ brew install [email protected] rust
     $ env LDFLAGS="-L$(brew --prefix [email protected])/lib" CFLAGS="-I$(brew --prefix [email protected])/include" pip install cryptography
 
 `MacPorts`_:
 
 .. code-block:: console
 
-    $ sudo port install openssl
+    $ sudo port install openssl rust
     $ env LDFLAGS="-L/opt/local/lib" CFLAGS="-I/opt/local/include" pip install cryptography
 
 You can also build cryptography statically:
@@ -253,14 +302,14 @@ You can also build cryptography statically:
 
 .. code-block:: console
 
-    $ brew install [email protected]
+    $ brew install [email protected] rust
     $ env CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1 LDFLAGS="$(brew --prefix [email protected])/lib/libssl.a $(brew --prefix [email protected])/lib/libcrypto.a" CFLAGS="-I$(brew --prefix [email protected])/include" pip install cryptography
 
 `MacPorts`_:
 
 .. code-block:: console
 
-    $ sudo port install openssl
+    $ sudo port install openssl rust
     $ env CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1 LDFLAGS="/opt/local/lib/libssl.a /opt/local/lib/libcrypto.a" CFLAGS="-I/opt/local/include" pip install cryptography
 
 If you need to rebuild ``cryptography`` for any reason be sure to clear the
@@ -269,13 +318,31 @@ local `wheel cache`_.
 Rust
 ----
 
+.. note::
+
+    If you are on RHEL/CentOS/Fedora/Debian/Ubuntu or another distribution
+    derived from the preceding list, then you should **upgrade pip** (in
+    a virtual environment!) and attempt to install ``cryptography`` again
+    before trying to install the Rust toolchain. These platforms will receive
+    a binary wheel and require no compiler if you have an updated ``pip``!
+
 Building ``cryptography`` requires having a working Rust toolchain. The current
-minimum supported Rust version is 1.45.0.
+minimum supported Rust version is 1.41.0. **This is newer than the Rust most
+package managers ship**, so users will likely need to install with the
+instructions below.
 
 Instructions for installing Rust can be found on `the Rust Project's website`_.
 We recommend installing Rust with ``rustup`` (as documented by the Rust
 Project) in order to ensure you have a recent version.
 
+Rust is only required when building ``cryptography``, meaning that you may
+install it for the duration of your ``pip install`` command and then remove it
+from a system. A Rust toolchain is not required to **use** ``cryptography``. In
+deployments such as ``docker``, you may use a multi-stage ``Dockerfile`` where
+you install Rust during the build phase but do not install it in the runtime
+image. This is the same as the C compiler toolchain which is also required to
+build ``cryptography``, but not afterwards.
+
 .. _`Homebrew`: https://brew.sh
 .. _`MacPorts`: https://www.macports.org
 .. _`a binary distribution`: https://wiki.openssl.org/index.php/Binaries

diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
@@ -14,6 +14,7 @@ Botan
 Brainpool
 Bullseye
 Capitan
+CentOS
 changelog
 Changelog
 ciphertext
@@ -80,6 +81,7 @@ online
 paddings
 Parallelization
 personalization
+RHEL
 pickleable
 plaintext
 Poly

diff --git a/setup.py b/setup.py
@@ -59,7 +59,7 @@
                 if platform.python_implementation() == "PyPy"
                 else ["pyo3/abi3-py36"]
             ),
-            rust_version=">=1.45.0",
+            rust_version=">=1.41.0",
         )
     ]
 

diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
@@ -21,7 +21,7 @@
 )
 __uri__ = "https://github.com/pyca/cryptography"
 
-__version__ = "3.4.4"
+__version__ = "3.4.5"
 
 __author__ = "The Python Cryptographic Authority and individual contributors"
 __email__ = "[email protected]"

diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
@@ -768,7 +768,7 @@ def _asn1_string_to_ascii(backend, asn1_string):
     return _asn1_string_to_bytes(backend, asn1_string).decode("ascii")
 
 
-def _asn1_string_to_utf8(backend, asn1_string):
+def _asn1_string_to_utf8(backend, asn1_string) -> str:
     buf = backend._ffi.new("unsigned char **")
     res = backend._lib.ASN1_STRING_to_UTF8(buf, asn1_string)
     if res == -1:

diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py
@@ -176,7 +176,7 @@ def verify(
         self,
         signature: bytes,
         data: bytes,
-        algorithm: EllipticCurveSignatureAlgorithm,
+        signature_algorithm: EllipticCurveSignatureAlgorithm,
     ) -> None:
         """
         Verifies the signature of the data.
-Original file line number
+Diff line change
@@ Expand Up / @@ -143,7 +143,8 @@ jobs: @@
             PYTHON:
               - {VERSION: "3.9", TOXENV: "py39"}
             RUST:
-              # Cover MSRV and in-dev versions
+              # Cover MSRV (and likely next MSRV) and in-dev versions
+              - 1.41.0
               - 1.45.0
               - beta
               - nightly
@@ Expand Down @@