Update to cryptography 42.0.8 (requires rust)

Cryptography 42.0.8 can now be built provided that the Rust
compiler and toolchains are installed into the build machine.

Note: legacy ciphers are disabled to prevent load-time crash
as if the CRYPTOGRAPHY_OPENSSL_NO_LEGACY environment variable
was set.
https://cryptography.io/en/latest/openssl/#legacy-provider-in-openssl-3-x

Closes #657

server/pypi/build-wheel.py

@@ -616,6 +616,9 @@ def env_vars(self):
             "PKG_VERSION": self.version,
             "RECIPE_DIR": self.package_dir,
             "SRC_DIR": self.src_dir,
+
+            # allows packages to locate openssl, openssl must be in the meta.yml requirements.host
+            "OPENSSL_DIR": f"{self.host_env}/chaquopy",
         })
 
         if self.needs_rust:

server/pypi/packages/cryptography/meta.yaml

@@ -1,37 +1,10 @@
 package:
   name: cryptography
-  version: "3.4.8"
-
-build:
-  number: 2
-  script_env:
-    - CRYPTOGRAPHY_DONT_BUILD_RUST=1
+  version: "42.0.8"
 
 requirements:
   build:
     - cffi 1.15.1
-    - setuptools-rust 0.11.6
+    - setuptools-rust 1.7.0
   host:
-    # This version of cryptography isn't compatible with OpenSSL 3. So to build it for
-    # Python 3.9 and 3.10, we link it against OpenSSL 1.1.
-    #
-    # We don't do this by supplying an OpenSSL 1.1 wheel with a shared library, because
-    # the Chaquopy runtime (perhaps unnecessarily) loads non-Python libraries using
-    # RTLD_GLOBAL, which could cause conflicts with the OpenSSL 3 library which Chaquopy
-    # loads on startup.
-    #
-    # Instead, we link against OpenSSL 1.1 statically, as follows:
-    #  * Run the OpenSSL 1.1 build command from target/build-all.sh.
-    #  * For each combination of Python version and ABI, run build-with-static-openssl.sh
-    #    in this directory.
-    #
-    # Although this may cause some of OpenSSL's symbols to be exported by crytography's
-    # Python modules, that's safe because Python modules are loaded using RTLD_LOCAL. And
-    # although the GLOBAL/LOCAL distinction is only respected from API level 23, older
-    # versions wouldn't include earlier libraries in the symbol search order for later
-    # libraries anyway, unless they were listed in DT_NEEDED.
-    #
-    # More information:
-    #   * https://github.com/aosp-mirror/platform_bionic/blob/master/android-changes-for-ndk-developers.md
-    #   * https://github.com/android/ndk/issues/1244
     - openssl

server/pypi/packages/cryptography/patches/openssl_no_legacy.patch

@@ -0,0 +1,13 @@
+--- src-original/src/rust/src/lib.rs
++++ src/src/rust/src/lib.rs
+@@ -45,9 +45,7 @@
+     // serialization), RC4, Blowfish, IDEA, SEED, etc. These things
+     // are ugly legacy, but we aren't going to get rid of them
+     // any time soon.
+-    let load_legacy = env::var("CRYPTOGRAPHY_OPENSSL_NO_LEGACY")
+-        .map(|v| v.is_empty() || v == "0")
+-        .unwrap_or(true);
++    let load_legacy = false;
+     let legacy = if load_legacy {
+         let legacy_result = provider::Provider::load(None, "legacy");
+         _legacy_provider_error(legacy_result.is_ok())?;

server/pypi/packages/cryptography/patches/pyo3_no_interpreter.patch

@@ -0,0 +1,11 @@
+--- src-original/src/rust/Cargo.toml
++++ src/src/rust/Cargo.toml
+@@ -10,7 +10,7 @@
+ [dependencies]
+ once_cell = "1"
+ cfg-if = "1"
+-pyo3 = { version = "0.20", features = ["abi3"] }
++pyo3 = { version = "0.20", features = ["abi3", "abi3-py310"] }
+ asn1 = { version = "0.15.5", default-features = false }
+ cryptography-cffi = { path = "cryptography-cffi" }
+ cryptography-key-parsing = { path = "cryptography-key-parsing" }