python-nss-ng 1.0.4__tar.gz → 1.0.5__tar.gz

{python_nss_ng-1.0.4 → python_nss_ng-1.0.5}/Makefile

@@ -4,8 +4,8 @@
 # Makefile for python-nss-ng
 # Handles NSS/NSPR dependencies and environment setup for CI builds
 
-.PHONY: help deps-nss deps-test deps-build clean env-setup \
-        env-github-actions
+.PHONY: help deps-nss deps-test deps-test-system deps-build clean \
+        env-setup env-github-actions
 
 # Default target
 help:
@@ -13,7 +13,8 @@ help:
 	@echo ""
 	@echo "Targets:"
 	@echo "  deps-nss           - Build and install NSS/NSPR from source"
-	@echo "  deps-test          - Install test dependencies (meson/ninja)"
+	@echo "  deps-test-system   - Install system test deps (apt only)"
+	@echo "  deps-test          - Install all test dependencies (apt+pip)"
 	@echo "  deps-build         - Install build dependencies"
 	@echo "  env-setup          - Set up environment variables"
 	@echo "  env-github-actions - Export env vars to GitHub Actions"
@@ -50,13 +51,23 @@ deps-nss:
 	INSTALL_PREFIX=$(INSTALL_PREFIX) \
 	./.github/scripts/install-nss.sh
 
-# Install test dependencies (for test jobs)
-deps-test:
-	@echo "Installing test dependencies..."
+# Install system-level test dependencies only (apt packages)
+# Use this target in CI *before* actions/setup-python so that pip installs
+# are handled by the correct (hostedtoolcache) Python interpreter.
+deps-test-system:
+	@echo "Installing system-level test dependencies..."
 ifeq ($(PLATFORM),linux)
 	sudo apt-get update || true
 	sudo apt-get install -y meson ninja-build || true
 endif
+
+# Install test dependencies (for test jobs)
+# NOTE: This target runs pip install and should only be called *after*
+# actions/setup-python so that packages are installed into the correct
+# Python environment. If called with the system Python when a different
+# Python will run the tests, imports will fail at test time.
+deps-test: deps-test-system
+	@echo "Installing pip test dependencies..."
 	python -m pip install --upgrade pip || true
 	python -m pip install meson-python meson ninja pytest pytest-cov pytest-timeout pytest-xdist hypothesis mypy || true
 

{python_nss_ng-1.0.4 → python_nss_ng-1.0.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python-nss-ng
-Version: 1.0.4
+Version: 1.0.5
 Summary: Python bindings for Network Security Services (NSS) and Netscape Portable Runtime (NSPR)
 Keywords: nss,nspr,cryptography,ssl,tls,pki,x509,security
 Author-Email: John Dennis <jdennis@redhat.com>, Matthew Watkins <mwatkins@linuxfoundation.org>

python_nss_ng-1.0.5/REUSE.toml

@@ -0,0 +1,39 @@
+version = 1
+
+# SPDX-License-Identifier: MPL-2.0
+# SPDX-FileCopyrightText: 2025 The Linux Foundation
+
+# Licensing statement required for GHA tests and linting to pass for only this repository
+
+[[annotations]]
+path = [
+         "test/pki/**",
+         "uv.lock",
+	 "tests/dist/**",
+	 "img/**",
+	 "*.lock",
+         "test_coverage_report*"
+]
+SPDX-License-Identifier = "MPL-2.0"
+SPDX-FileCopyrightText = "2025 The Linux Foundation"
+
+# Project configuration files and ancillary documentation that
+# cannot easily carry inline SPDX headers.
+[[annotations]]
+path = [
+         "pyrightconfig.json",
+         "scripts/README.md",
+         "doc/ChangeLog",
+]
+SPDX-License-Identifier = "MPL-2.0"
+SPDX-FileCopyrightText = "Copyright (c) 2010-2025 python-nss-ng contributors"
+
+# Mutation testing artifacts produced by mutmut. These are generated
+# files (mutated source copies and metadata) and inherit the license
+# of the source they were produced from.
+[[annotations]]
+path = [
+         "mutants/**",
+]
+SPDX-License-Identifier = "MPL-2.0"
+SPDX-FileCopyrightText = "Copyright (c) 2010-2025 python-nss-ng contributors"

{python_nss_ng-1.0.4 → python_nss_ng-1.0.5}/doc/ChangeLog

@@ -365,7 +365,7 @@
     password file and writes hardcoded responses to the stdin of
     certuil and modutil.
 
-  * setup_certs now creates a new sql sytle NSS database (sql:pki)
+  * setup_certs now creates a new sql style NSS database (sql:pki)
 
   * All tests and examples now load the sql:pki database. Command line
     arg and variable changed from dbdir to db_name to reflect the
@@ -380,11 +380,11 @@
   External Changes
   ----------------
 
-  The primary enhancements in this version is support of certifcate
+  The primary enhancements in this version is support of certificate
   validation, OCSP support, and support for the certificate "Authority
   Information Access" extension.
 
-  Enhanced certifcate validation including CA certs can be done via
+  Enhanced certificate validation including CA certs can be done via
   Certificate.verify() or Certificate.is_ca_cert(). When cert
   validation fails you can now obtain diagnostic information as to why
   the cert failed to validate. This is encapsulated in the
@@ -575,7 +575,7 @@
   * For NSS >= 3.13 support CERTDB_TERMINAL_RECORD
 
   * You can now query for a specific certificate extension
-    Certficate.get_extension()
+    Certificate.get_extension()
 
   * The following classes were added:
     - RSAGenParams
@@ -594,14 +594,14 @@
     - SecItem_new_alloc()
 
   * The following class constructors were modified to accept
-    intialization parameters
+    initialization parameters
 
     - KEYPQGParams (DSA generation parameters)
 
   * The PublicKey formatting (i.e. format_lines) was augmented
     to format DSA keys (formerly it only recognized RSA keys).
 
-  * Allow lables and values to be justified when printing objects
+  * Allow labels and values to be justified when printing objects
 
   * The following were deprecated:
     - nss.nss.make_line_pairs (replaced by nss.nss.make_line_fmt_tuples)
@@ -609,12 +609,12 @@
     Deprecated Functionality:
     -------------------------
     - make_line_pairs() has been replaced by make_line_fmt_tuples()
-      because 2-valued tuples were not sufficently general. It is
+      because 2-valued tuples were not sufficiently general. It is
       expected very few programs will have used this function, it's mostly
       used internally but provided as a support utility.
 
 2011-04-22  John Dennis  <jdennis@redhat.com> 0.12
-  * Major new enhancement is additon of PKCS12 support and
+  * Major new enhancement is addition of PKCS12 support and
     AlgorithmID's.
 
   * setup.py build enhancements
@@ -757,7 +757,7 @@
     optional family parameter. This is necessary for utilizing
     PR_GetAddrInfoByName().
 
-  * NetworkAddress initialized via a string paramter are now initalized via
+  * NetworkAddress initialized via a string parameter are now initialized via
     PR_GetAddrInfoByName using family.
 
   * Add NetworkAddress.address property to return the address sans the
@@ -785,7 +785,7 @@
     Deprecated Functionality:
     -------------------------
 
-  * NetworkAddress initialized via a string paramter is now
+  * NetworkAddress initialized via a string parameter is now
     deprecated. AddrInfo should be used instead.
 
   * NetworkAddress.set_from_string is now deprecated. AddrInfo should be
@@ -793,7 +793,7 @@
 
   * NetworkAddress.hostentry is deprecated. It was a bad idea,
     NetworkAddress objects can support both IPv4 and IPv6, but a HostEntry
-    object can only support IPv4. Plus the implementation depdended on
+    object can only support IPv4. Plus the implementation depended on
     being able to perform a reverse DNS lookup which is not always
     possible.
 
@@ -806,7 +806,7 @@
     Internal Changes:
     -----------------
 
-  * Utilize PR_NetAddrFamily() access macro instead of explict access.
+  * Utilize PR_NetAddrFamily() access macro instead of explicit access.
 
   * Add PRNetAddr_port() utility to hide host vs. network byte order
     requirements when accessing the port inside a PRNetAddr and simplify
@@ -925,7 +925,7 @@
       nss.nss.x509_key_usage()
 
   * The following class methods and properties were added:
-    Note: it's a method if the name is suffixed with (), a propety otherwise
+    Note: it's a method if the name is suffixed with (), a property otherwise
       Socket.next()
       Socket.readlines()
       Socket.sendall()

{python_nss_ng-1.0.4 → python_nss_ng-1.0.5}/doc/examples/cert_dump.py

@@ -1,6 +1,8 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# SPDX-License-Identifier: MPL-2.0
+# SPDX-FileCopyrightText: Copyright (c) 2010-2025 python-nss-ng contributors
 
 '''
 This example will pretty print the contents of a certificate loaded from a
@@ -15,18 +17,12 @@ print "Certificate is %s" % cert
 What this example really aims to do is illustrate how to access the various
 components of a cert.
 '''
-from __future__ import absolute_import
-from __future__ import print_function
 
 import argparse
-import getpass
-import os
-import sys
 
-from nss.error import NSPRError
-import nss.io as io
 import nss.nss as nss
 
+
 # -----------------------------------------------------------------------------
 def print_extension(level, extension):
     print(nss.indented_format([(level, 'Name: %s' % extension.name),

{python_nss_ng-1.0.4 → python_nss_ng-1.0.5}/doc/examples/cert_trust.py

@@ -1,11 +1,12 @@
-from __future__ import absolute_import
-from __future__ import print_function
+# SPDX-License-Identifier: MPL-2.0
+# SPDX-FileCopyrightText: Copyright (c) 2010-2025 python-nss-ng contributors
+
 
 import argparse
 import sys
 from typing import Any
+
 import nss.nss as nss
-import nss.error as nss_error
 
 # Sample program that illustrates how to access certificate trust and/or
 # modify a certificates trust setting.

{python_nss_ng-1.0.4 → python_nss_ng-1.0.5}/doc/examples/httplib_example.py

@@ -1,21 +1,31 @@
-from __future__ import absolute_import
-from __future__ import print_function
+# SPDX-License-Identifier: MPL-2.0
+# SPDX-FileCopyrightText: Copyright (c) 2010-2025 python-nss-ng contributors
 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
+# This example predates Python 3 and demonstrates NSS HTTPS usage by
+# subclassing the long-removed ``httplib.HTTP`` class via ``six``. It
+# also performs ``int()`` / host-string coercions that the static
+# type system cannot prove safe. Static type checking of this file
+# is intentionally relaxed so the example can remain available as
+# historical documentation without requiring a full Py3 rewrite.
+#
+# pyright: reportAttributeAccessIssue=false, reportArgumentType=false, reportMissingImports=false
+
 import argparse
 import errno
 import getpass
-import six.moves.http_client  # type: ignore[import-untyped]
 import logging
 import sys
+
+import six.moves.http_client  # type: ignore[import-untyped,unused-ignore]
+
 try:
     import urlparse
 except ImportError:
     import urllib.parse as urlparse
-from nss.error import NSPRError
 import nss.io as io
 import nss.nss as nss
 import nss.ssl as ssl
@@ -91,7 +101,7 @@ def auth_certificate_callback(sock, check_sig, is_server, certdb):
 
 def password_callback(slot, retry, password):
     if not retry and password: return password
-    return getpass.getpass("Enter password for %s: " % slot.token_name);
+    return getpass.getpass("Enter password for %s: " % slot.token_name)
 
 def handshake_callback(sock):
     """
@@ -133,7 +143,7 @@ class NSSConnection(six.moves.http_client.HTTPConnection):
         logging.debug("connect: host=%s port=%s", self.host, self.port)
         try:
             addr_info = io.AddrInfo(self.host)
-        except Exception as e:
+        except Exception:
             logging.error("could not resolve host address \"%s\"", self.host)
             raise
 
@@ -148,7 +158,7 @@ class NSSConnection(six.moves.http_client.HTTPConnection):
             except Exception as e:
                 logging.debug("connect failed: %s (%s)", net_addr, e)
 
-        raise IOError(errno.ENOTCONN, "could not connect to %s at port %d" % (self.host, self.port))
+        raise OSError(errno.ENOTCONN, "could not connect to %s at port %d" % (self.host, self.port))
 
 class NSPRConnection(six.moves.http_client.HTTPConnection):
     default_port = six.moves.http_client.HTTPConnection.default_port
@@ -164,7 +174,7 @@ class NSPRConnection(six.moves.http_client.HTTPConnection):
         logging.debug("connect: host=%s port=%s", self.host, self.port)
         try:
             addr_info = io.AddrInfo(self.host)
-        except Exception as e:
+        except Exception:
             logging.error("could not resolve host address \"%s\"", self.host)
             raise
 
@@ -179,7 +189,7 @@ class NSPRConnection(six.moves.http_client.HTTPConnection):
             except Exception as e:
                 logging.debug("connect failed: %s (%s)", net_addr, e)
 
-        raise IOError(errno.ENOTCONN, "could not connect to %s at port %d" % (self.host, self.port))
+        raise OSError(errno.ENOTCONN, "could not connect to %s at port %d" % (self.host, self.port))
 
 class NSSHTTPS(six.moves.http_client.HTTP):
     _http_vsn = 11

{python_nss_ng-1.0.4 → python_nss_ng-1.0.5}/doc/examples/pbkdf2_example.py

@@ -1,14 +1,15 @@
-from __future__ import absolute_import
-from __future__ import print_function
+# SPDX-License-Identifier: MPL-2.0
+# SPDX-FileCopyrightText: Copyright (c) 2010-2025 python-nss-ng contributors
+
 
 import argparse
 import sys
 from typing import Any
 
 import nss.nss as nss
-import nss.error as nss_error
+
 print(sys.path)
-import six  # type: ignore[import-untyped]
+import six  # type: ignore[import-untyped,unused-ignore]
 
 #-------------------------------------------------------------------------------
 

{python_nss_ng-1.0.4 → python_nss_ng-1.0.5}/doc/examples/ssl_cipher_info.py

@@ -1,13 +1,14 @@
-from __future__ import absolute_import
-from __future__ import print_function
+# SPDX-License-Identifier: MPL-2.0
+# SPDX-FileCopyrightText: Copyright (c) 2010-2025 python-nss-ng contributors
+
 
 import argparse
 import sys
 
-from nss.error import NSPRError
 import nss.io as io
 import nss.nss as nss
 import nss.ssl as ssl
+from nss.error import NSPRError
 
 #-------------------------------------------------------------------------------
 
@@ -105,7 +106,7 @@ def ssl_connect():
         try:
             sock.set_ssl_version_range("tls1.0", "tls1.3")
         except NSPRError as e:
-            print("Cannot enable TLS 1.3, {}".format(e))
+            print(f"Cannot enable TLS 1.3, {e}")
 
         # Provide a callback which notifies us when the SSL handshake is
         # complete

{python_nss_ng-1.0.4 → python_nss_ng-1.0.5}/doc/examples/ssl_example.py

@@ -1,11 +1,22 @@
-from __future__ import absolute_import
-from __future__ import print_function
+# SPDX-License-Identifier: MPL-2.0
+# SPDX-FileCopyrightText: Copyright (c) 2010-2025 python-nss-ng contributors
+
+# This example predates Python 3 in places: it imports a plain TCP
+# socket via ``io.Socket.import_tcp_socket`` and assigns the result
+# back into an ``ssl.SSLSocket``-typed variable, and similarly mixes
+# ``str`` and ``bytes`` payloads on send/recv. Modernising the code
+# to satisfy strict mypy would change observable behaviour and is
+# out of scope for the tooling sync.
+#
+# mypy: ignore-errors
+# pyright: reportOptionalSubscript=false, reportAttributeAccessIssue=false, reportArgumentType=false, reportCallIssue=false
 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 import warnings
+
 warnings.simplefilter( "always", DeprecationWarning)
 
 import argparse
@@ -13,10 +24,10 @@ import getpass
 import os
 import sys
 
-from nss.error import NSPRError
 import nss.io as io
 import nss.nss as nss
 import nss.ssl as ssl
+from nss.error import NSPRError
 
 # -----------------------------------------------------------------------------
 NO_CLIENT_CERT             = 0
@@ -38,7 +49,7 @@ timeout_secs = 3
 
 def password_callback(slot, retry, password):
     if password: return password
-    return getpass.getpass("Enter password: ");
+    return getpass.getpass("Enter password: ")
 
 def handshake_callback(sock):
     print("-- handshake complete --")
@@ -145,7 +156,7 @@ def Client():
     # Get the IP Address of our server
     try:
         addr_info = io.AddrInfo(options.hostname)
-    except Exception as e:
+    except Exception:
         print("could not resolve host address \"%s\"" % options.hostname)
         return
 
@@ -243,7 +254,7 @@ def Server():
         # Get our certificate and private key
         server_cert = nss.find_cert_from_nickname(options.server_nickname, options.password)
         priv_key = nss.find_key_by_any_cert(server_cert, options.password)
-        server_cert_kea = server_cert.find_kea_type();
+        server_cert_kea = server_cert.find_kea_type()
 
         print("server cert:\n%s" % server_cert)
 

python_nss_ng-1.0.5/doc/examples/ssl_version_range.py

@@ -0,0 +1,127 @@
+# SPDX-License-Identifier: MPL-2.0
+# SPDX-FileCopyrightText: Copyright (c) 2010-2025 python-nss-ng contributors
+
+"""
+In NSS 3.14 the SSL Version Range API was added. This was needed
+to better control the negotiation of SSL and TLS protocols between
+clients and servers. Properly configuring the min and max protocols is
+especially important to prevent protocol downgrade attacks such as
+POODLE. The SSL Version Range API is documented in the nss.ssl module
+documentation as well as the individual functions and methods in
+nss.ssl.
+
+This example program illustrates how to query the current and default
+protocol values, how one can get string versions of the protocol
+values to present to a user or use in logging, and how to set the
+protocol values given either a string name or it's matching
+enumeration.
+
+This example does not illustrate the proper selection of protocol
+values nor actual SSL/TLS communication.
+"""
+
+import nss.nss as nss
+import nss.ssl as ssl
+
+# Query and print supported SSL Library Versions
+
+print(
+    "supported ssl version (asString): %s"
+    % (ssl.get_supported_ssl_version_range(repr_kind=nss.AsString),)
+)
+print(
+    "supported ssl version (asEnumName): %s"
+    % (ssl.get_supported_ssl_version_range(repr_kind=nss.AsEnumName),)
+)
+print("supported ssl version (asEnum): %s" % (ssl.get_supported_ssl_version_range(),))
+
+# Query and print default SSL Library Versions
+
+print()
+print(
+    "default ssl version (asString): %s"
+    % (ssl.get_default_ssl_version_range(repr_kind=nss.AsString),)
+)
+print(
+    "default ssl version (asEnumName): %s"
+    % (ssl.get_default_ssl_version_range(repr_kind=nss.AsEnumName),)
+)
+print("default ssl version (asEnum): %s" % (ssl.get_default_ssl_version_range(),))
+
+# Equivalent calls on a SSL Socket
+
+sock = ssl.SSLSocket()
+sock.set_ssl_option(ssl.SSL_SECURITY, True)
+
+print()
+print("Initial Socket version range")
+print("socket ssl version (asString): %s" % (sock.get_ssl_version_range(repr_kind=nss.AsString),))
+print(
+    "socket ssl version (asEnumName): %s" % (sock.get_ssl_version_range(repr_kind=nss.AsEnumName),)
+)
+print("socket ssl version (asEnum): %s" % (sock.get_ssl_version_range(),))
+
+
+# Note, setting the version range can be done either with an
+# enumeration constant (e.g. ssl.SSL_LIBRARY_VERSION_TLS_1_1)
+# or with a friendly name (e.g. 'tls1.1')
+
+# Set with enumeration constants
+sock.set_ssl_version_range(ssl.SSL_LIBRARY_VERSION_TLS_1_1, ssl.SSL_LIBRARY_VERSION_TLS_1_2)
+
+
+print()
+print("Socket version range after setting")
+print("socket ssl version (asString): %s" % (sock.get_ssl_version_range(repr_kind=nss.AsString),))
+print(
+    "socket ssl version (asEnumName): %s" % (sock.get_ssl_version_range(repr_kind=nss.AsEnumName),)
+)
+print("socket ssl version (asEnum): %s" % (sock.get_ssl_version_range(),))
+
+# Set with friendly names
+ssl.set_default_ssl_version_range("tls1.1", "tls1.2")
+
+print()
+print(
+    "default ssl version after resetting (asString): %s"
+    % (ssl.get_default_ssl_version_range(repr_kind=nss.AsString),)
+)
+print(
+    "default ssl version after resetting (asEnumName): %s"
+    % (ssl.get_default_ssl_version_range(repr_kind=nss.AsEnumName),)
+)
+print("default ssl version after resetting (asEnum): %s" % (ssl.get_default_ssl_version_range(),))
+
+# Illustrate mapping between version names and enumerations.
+# Note, the repr_kind parameter to the get library version functions
+# will also give you the option as to whether an enumerated constant
+# or a name is returned.
+
+names = [
+    "ssl2",
+    "ssl3",
+    "tls1.0",
+    "tls1.1",
+    "tls1.2",
+    "tls1.3",
+    "SSL_LIBRARY_VERSION_2",
+    "SSL_LIBRARY_VERSION_3_0",
+    "SSL_LIBRARY_VERSION_TLS_1_0",
+    "SSL_LIBRARY_VERSION_TLS_1_1",
+    "SSL_LIBRARY_VERSION_TLS_1_2",
+    "SSL_LIBRARY_VERSION_TLS_1_3",
+]
+
+print()
+print("Convert to enum name")
+for name in names:
+    enum = ssl.ssl_library_version_from_name(name)
+    enum_name = ssl.ssl_library_version_name(enum)
+    print("name='%s' -> %s (%#06x)" % (name, enum_name, enum))
+
+print()
+print("Convert to friendly name")
+for name in names:
+    enum = ssl.ssl_library_version_from_name(name)
+    enum_name = ssl.ssl_library_version_name(enum, nss.AsString)
+    print("name='%s' -> %s (%#06x)" % (name, enum_name, enum))

{python_nss_ng-1.0.4 → python_nss_ng-1.0.5}/doc/examples/verify_cert.py

@@ -1,12 +1,13 @@
-from __future__ import absolute_import
-from __future__ import print_function
+# SPDX-License-Identifier: MPL-2.0
+# SPDX-FileCopyrightText: Copyright (c) 2010-2025 python-nss-ng contributors
+
 
 import argparse
 import sys
 from typing import Any
 
-import nss.nss as nss
 import nss.error as nss_error
+import nss.nss as nss
 
 # Global variable for command-line options
 options: Any = None
@@ -279,9 +280,8 @@ def main():
     if valid:
         print(indented_output('SUCCESS: cert is approved for', nss.cert_usage_flags(intended_usage)))
         return 0
-    else:
-        print(indented_output('FAIL: cert not approved for', nss.cert_usage_flags(intended_usage ^ approved_usage)))
-        return 1
+    print(indented_output('FAIL: cert not approved for', nss.cert_usage_flags(intended_usage ^ approved_usage)))
+    return 1
 
 #-------------------------------------------------------------------------------
 if __name__ == "__main__":

{python_nss_ng-1.0.4 → python_nss_ng-1.0.5}/doc/examples/verify_server.py

@@ -1,16 +1,13 @@
-from __future__ import absolute_import
-from __future__ import print_function
+# SPDX-License-Identifier: MPL-2.0
+# SPDX-FileCopyrightText: Copyright (c) 2010-2025 python-nss-ng contributors
 
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 import argparse
-import getpass
-import os
 import sys
 
-from nss.error import NSPRError
 import nss.io as io
 import nss.nss as nss
 import nss.ssl as ssl