Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): Bump signxml from 3.2.2 to 4.0.3 #736

Merged
merged 2 commits into from
Dec 12, 2024
Merged

chore(deps): Bump signxml from 3.2.2 to 4.0.3 #736

merged 2 commits into from
Dec 12, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 1, 2024
edited by svillegas-cdd
Loading

Bumps signxml from 3.2.2 to 4.0.3.

Release notes

Sourced from signxml's releases.

v4.0.0

  • Replace PyOpenSSL with Cryptography (#260)

    - This is a major infrastructure change that replaces core
  certificate parsing, key processing, signature validation, and
  certificate chain validation functions previously provided by
  PyOpenSSL with those provided by Cryptography. Care was taken to
  preserve the exisitng API, including exception types, but many
  error messages raised in various error conditions have changed. If
  you see unexpected behavior and you have reason to believe it is
  incorrect, please file an issue.

      

    • Breaking change: the ca_path parameter, previously used to specify
      
CA certificate stores, is no longer supported. Use the ca_pem_file
      
parameter instead.

  • Raise error when invalid certificate string is passed as input to signer

  • Fix public key matching for ECDSA (#245)

Changelog

Sourced from signxml's changelog.

Changes for v4.0.0 (2024-08-21)

  • Replace PyOpenSSL with Cryptography (#260)

    • This is a major infrastructure change that replaces core certificate parsing, key processing, signature validation, and certificate chain validation functions previously provided by PyOpenSSL with those provided by Cryptography. Care was taken to preserve the exisitng API, including exception types, but many error messages raised in various error conditions have changed. If you see unexpected behavior and you have reason to believe it is incorrect, please file an issue.

    • Breaking change: the ca_path parameter, previously used to specify CA certificate stores, is no longer supported. Use the ca_pem_file parameter instead.

  • Raise error when invalid certificate string is passed as input to signer

  • Fix public key matching for ECDSA (#245)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Dec 1, 2024
@dependabot dependabot bot mentioned this pull request Dec 1, 2024
Closed
@dependabot dependabot bot force-pushed the dependabot/pip/signxml-4.0.3 branch from cdde969 to 8603c25 Compare December 5, 2024 19:13
@svillegas-cdd svillegas-cdd force-pushed the dependabot/pip/signxml-4.0.3 branch from 8603c25 to b137217 Compare December 6, 2024 18:43
@svillegas-cdd svillegas-cdd requested a review from a team as a code owner December 6, 2024 18:43
@svillegas-cdd svillegas-cdd self-assigned this Dec 6, 2024
@svillegas-cdd svillegas-cdd force-pushed the dependabot/pip/signxml-4.0.3 branch from b137217 to 1ef3a0a Compare December 9, 2024 13:30
@codecov Codecov
Copy link

codecov bot commented Dec 9, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 87.72%. Comparing base (7ed6b21) to head (3b8f2c9).
Report is 3 commits behind head on develop.

Additional details and impacted files 
@@             Coverage Diff             @@
##           develop     #736      +/-   ##
===========================================
+ Coverage    87.67%   87.72%   +0.04%     
===========================================
  Files           38       38              
  Lines         3149     3145       -4     
  Branches       386      385       -1     
===========================================
- Hits          2761     2759       -2     
+ Misses         246      245       -1     
+ Partials       142      141       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@jtrobles-cdd
Copy link
Member

@svillegas-cdd The changelog of signxml warns of major changes in version 4.0.0. Pay special attention to that, please.

@svillegas-cdd
Copy link
Contributor

svillegas-cdd commented Dec 9, 2024
edited
Loading

The changelog of signxml warns of major changes in version 4.0.0. Pay special attention to that, please.

@jtrobles-cdd Yes, one of he changes was the removal of PyOpenSsl

So I replacced the use of certs crypto_utils._X509CertOpenSsl to crypto_utils.X509Cert and convert them to this type if needed.

Most of the test changes involved exception messages, except for the test_fail_replaced_cert, which now triggers a different exception type. The new error is:

  ValueError(
                'Invalid input.',
                'DER encoded key value does not match specified signature algorithm',
            )

instead of the previous XmlSignatureInvalid

I’m unsure if this new error is the expected behavior for the use case being tested.

@svillegas-cdd svillegas-cdd force-pushed the dependabot/pip/signxml-4.0.3 branch 2 times, most recently from ae5155c to 33d27e7 Compare December 9, 2024 17:17
@svillegas-cdd svillegas-cdd mentioned this pull request Dec 9, 2024
Merged
jtrobles-cdd
jtrobles-cdd requested changes Dec 10, 2024
View reviewed changes
Copy link
Member

@jtrobles-cdd jtrobles-cdd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Partial review

@jtrobles-cdd
Copy link
Member

The changelog of signxml warns of major changes in version 4.0.0. Pay special attention to that, please.

@jtrobles-cdd Yes, one of he changes was the removal of PyOpenSsl

So I replacced the use of certs crypto_utils._X509CertOpenSsl to crypto_utils.X509Cert and convert them to this type if needed.

Most of the test changes involved exception messages, except for the test_fail_replaced_cert, which now triggers a different exception type. The new error is:

  ValueError(
                'Invalid input.',
                'DER encoded key value does not match specified signature algorithm',
            )

instead of the previous XmlSignatureInvalid

I’m unsure if this new error is the expected behavior for the use case being tested.

We need to take a closer look at that test and also at test_fail_included_cert_not_from_a_known_ca.

@svillegas-cdd svillegas-cdd force-pushed the dependabot/pip/signxml-4.0.3 branch from 33d27e7 to 2ffc789 Compare December 10, 2024 16:01
@svillegas-cdd svillegas-cdd changed the title chore(deps): Bump signxml from 3.2.2 to 4.0.3 chore(deps): Bump signxml from 3.2.2 to 4.0.0 Dec 10, 2024
@svillegas-cdd svillegas-cdd force-pushed the dependabot/pip/signxml-4.0.3 branch from 2ffc789 to 04a58d1 Compare December 11, 2024 12:22
@svillegas-cdd
Copy link
Contributor

@jtrobles-cdd I updated the xml file for the test test_fail_replaced_cert now it raises the expected error

jtrobles-cdd
jtrobles-cdd requested changes Dec 11, 2024
View reviewed changes
@svillegas-cdd svillegas-cdd force-pushed the dependabot/pip/signxml-4.0.3 branch from 04a58d1 to 5229bf2 Compare December 11, 2024 18:18
jtrobles-cdd
jtrobles-cdd requested changes Dec 11, 2024
View reviewed changes
dependabot bot and others added 2 commits December 12, 2024 11:26
@dependabot @svillegas-cdd
chore(deps): Bump signxml from 3.2.2 to 4.0.3
3e07095 
Bumps [signxml](https://github.com/kislyuk/signxml) from 3.2.2 to 4.0.3.
- [Release notes](https://github.com/kislyuk/signxml/releases)
- [Changelog](https://github.com/XML-Security/signxml/blob/develop/Changes.rst)
- [Commits](XML-Security/signxml@v3.2.2...v4.0.3)

---
updated-dependencies:
- dependency-name: signxml
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@svillegas-cdd
chore: Update to SignXML 4.0.3 version
3b8f2c9 
- Updated error messages and expected exception in tests.
- Updated `add_pem_cert_header_footer` and now `signxml.util.add_pem_header` returns a byte object.
- Removed use of `crypto_utils._X509CertOpenSsl` in `verify_xml_signature` as SignXML has deprecated PyOpenSSL.

Ref: https://app.shortcut.com/cordada/story/11838/ [sc-11838]
@svillegas-cdd svillegas-cdd force-pushed the dependabot/pip/signxml-4.0.3 branch from 5229bf2 to 3b8f2c9 Compare December 12, 2024 14:36
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@svillegas-cdd svillegas-cdd changed the title chore(deps): Bump signxml from 3.2.2 to 4.0.0 chore(deps): Bump signxml from 3.2.2 to 4.0.3 Dec 12, 2024
@svillegas-cdd svillegas-cdd merged commit 87be259 into develop Dec 12, 2024
21 checks passed
@svillegas-cdd svillegas-cdd deleted the dependabot/pip/signxml-4.0.3 branch December 12, 2024 14:59
@svillegas-cdd svillegas-cdd mentioned this pull request Dec 12, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@svillegas-cdd svillegas-cdd svillegas-cdd left review comments

@jtrobles-cdd jtrobles-cdd jtrobles-cdd approved these changes

Assignees

@svillegas-cdd svillegas-cdd

Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jtrobles-cdd @svillegas-cdd