[rpms/python-tpm2-pytss] rawhide: Fix build with latest python-cryptography

[rpms/python-tpm2-pytss] rawhide: Fix build with latest python-cryptography

[Yaakov Selkowitz]

A new commit has been pushed.

Repo   : rpms/python-tpm2-pytss
Branch : rawhide
Commit : add5be174a88840331607cea86c5176807c5c83e
Author : Yaakov Selkowitz <yselkowi@redhat.com>
Date   : 2026-06-08T17:23:48-04:00
Stats  : +94/-1 in 3 file(s)
URL    : https://src.fedoraproject.org/rpms/python-tpm2-pytss/c/add5be174a88840331607cea86c5176807c5c83e?branch=rawhide

Log:
Fix build with latest python-cryptography

---
diff --git a/python-tpm2-pytss-cryptography-decrepit.patch b/python-tpm2-pytss-cryptography-decrepit.patch
new file mode 100644
index 0000000..80ee11c
--- /dev/null
+++ b/python-tpm2-pytss-cryptography-decrepit.patch
@@ -0,0 +1,42 @@
+Backport of "crypto: fix deprection warnings"
+
+https://github.com/tpm2-software/tpm2-pytss/commit/f792d122ffe00e6264b0cc16458e1ba72d632cd9
+
+diff --git a/src/tpm2_pytss/internal/crypto.py b/src/tpm2_pytss/internal/crypto.py
+index c1b731e..952f118 100644
+--- a/src/tpm2_pytss/internal/crypto.py
++++ b/src/tpm2_pytss/internal/crypto.py
+@@ -19,8 +19,10 @@ from cryptography.hazmat.primitives.serialization import (
+ from cryptography.x509 import load_pem_x509_certificate, load_der_x509_certificate
+ from cryptography.hazmat.primitives.kdf.kbkdf import CounterLocation, KBKDFHMAC, Mode
+ from cryptography.hazmat.primitives.kdf.concatkdf import ConcatKDFHash
+-from cryptography.hazmat.primitives.ciphers.algorithms import AES, Camellia
++from cryptography.hazmat.primitives.ciphers.algorithms import AES
++from cryptography.hazmat.decrepit.ciphers.algorithms import Camellia
+ from cryptography.hazmat.primitives.ciphers import modes, Cipher, CipherAlgorithm
++import cryptography.hazmat.decrepit.ciphers.modes as decrepit_modes
+ from cryptography.hazmat.backends import default_backend
+ from cryptography.exceptions import UnsupportedAlgorithm, InvalidSignature
+ from typing import Tuple, Type, Any
+@@ -52,7 +54,7 @@ if hasattr(hashes, "SM3"):
+ _algtable = (
+     (TPM2_ALG.AES, AES),
+     (TPM2_ALG.CAMELLIA, Camellia),
+-    (TPM2_ALG.CFB, modes.CFB),
++    (TPM2_ALG.CFB, decrepit_modes.CFB),
+ )
+ 
+ try:
+diff --git a/test/test_crypto.py b/test/test_crypto.py
+index 7abbecb..05e5f4f 100644
+--- a/test/test_crypto.py
++++ b/test/test_crypto.py
+@@ -537,7 +537,7 @@ class CryptoTest(TSS2_EsapiTest):
+ 
+         (alg, mode, bits) = crypto._symdef_to_crypt(symdef)
+         self.assertEqual(alg, crypto.AES)
+-        self.assertEqual(mode, crypto.modes.CFB)
++        self.assertEqual(mode, crypto.decrepit_modes.CFB)
+         self.assertEqual(bits, 128)
+ 
+         symdef.mode.sym = TPM2_ALG.LAST + 1

diff --git a/python-tpm2-pytss-cryptography47.patch b/python-tpm2-pytss-cryptography47.patch
new file mode 100644
index 0000000..92491ed
--- /dev/null
+++ b/python-tpm2-pytss-cryptography47.patch
@@ -0,0 +1,43 @@
+From 5d15cad4bde28902a4becb8e2a8e915aba8abbd0 Mon Sep 17 00:00:00 2001
+From: Erik Larsson <who+github@cnackers.org>
+Date: Sun, 26 Apr 2026 11:50:55 +0200
+Subject: [PATCH] cryptography: fix support for cryptography 47.
+
+The abstract classes now require deepcopy support, so add that.
+
+Signed-off-by: Erik Larsson <who+github@cnackers.org>
+---
+ src/tpm2_pytss/cryptography.py | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/tpm2_pytss/cryptography.py b/src/tpm2_pytss/cryptography.py
+index 5b8432cc..20dc34b2 100644
+--- a/src/tpm2_pytss/cryptography.py
++++ b/src/tpm2_pytss/cryptography.py
+@@ -263,6 +263,14 @@ def __copy__(self) -> "tpm_rsa_private_key":
+             ectx=self._ectx, handle=self._handle, session=self._session
+         )
+ 
++    def __deepcopy__(self, memo: dict) -> "tpm_rsa_private_key":
++        """Retuns a copy of the private key.
++
++        Notes:
++            This behaves as a shallow copy as we don't copy the ESAPI context.
++        """
++        return self.__copy__()
++
+ 
+ class tpm_ecc_private_key(ec.EllipticCurvePrivateKey):
+     """Interface to a TPM ECC key for use with the cryptography module.
+@@ -440,3 +448,11 @@ def __copy__(self) -> "tpm_ecc_private_key":
+         return tpm_ecc_private_key(
+             ectx=self._ectx, handle=self._handle, session=self._session
+         )
++
++    def __deepcopy__(self, memo: dict) -> "tpm_ecc_private_key":
++        """Retuns a copy of the private key.
++
++        Notes:
++            This behaves as a shallow copy as we don't copy the ESAPI context.
++        """
++        return self.__copy__()

diff --git a/python-tpm2-pytss.spec b/python-tpm2-pytss.spec
index cc0c3e4..67e18c7 100644
--- a/python-tpm2-pytss.spec
+++ b/python-tpm2-pytss.spec
@@ -3,7 +3,7 @@
 
 Name:           python-%{pypi_name}
 Version:        2.3.0
-Release:        11%{?dist}
+Release:        12%{?dist}
 Summary:        TPM 2.0 TSS Bindings for Python
 
 License:        BSD-2-Clause
@@ -19,6 +19,10 @@ Patch3:         %{name}-gcc15.patch
 # cryptography >= 45.0.0 requires the copy dunder for private key implementations.
 # https://github.com/tpm2-software/tpm2-pytss/commit/6ab4c74e6fb3da7cd38e97c1f8e92532312f8439
 Patch4:         %{name}-copy-dunder.patch
+# cryptography: fix support for cryptography 47.
+Patch5:         %{name}-cryptography47.patch
+# crypto: fix deprection warnings (backport)
+Patch6:         %{name}-cryptography-decrepit.patch
 
 BuildRequires:  python3-devel
 BuildRequires:  python3-pytest
@@ -66,6 +70,7 @@ Summary:        %{summary}
 
 
 %check
+export OPENSSL_ENABLE_SHA1_SIGNATURES=1
 %pyproject_check_import
 # The test test_tools_decode_tpml_tagged_tpm_property checks TPM2 revision which is not stable
 # In upstream this test as well as the tools are removed so I do not have any good way to fix it
@@ -83,6 +88,9 @@ Summary:        %{summary}
 
 
 %changelog
+* Mon Jun 08 2026 Yaakov Selkowitz <yselkowi@redhat.com> - 2.3.0-12
+- Fix build with latest python-cryptography
+
 * Thu Jun 04 2026 Python Maint <python-maint@redhat.com> - 2.3.0-11
 - Rebuilt for Python 3.15