chore(deps): bump pycryptodomex from 3.17 to 3.21.0 in /demos/jans-tent

[dependabot]

Bumps pycryptodomex from 3.17 to 3.21.0.

Release notes

Sourced from pycryptodomex's releases.

v3.20.0 - Amiens

New features

• Added support for TurboSHAKE128 and TurboSHAKE256.
• Added method Crypto.Hash.new() to generate a hash object given a hash name.
• Added support for AES-GCM encryption of PBES2 and PKCS#8 containers.
• Added support for SHA-2 and SHA-3 algorithms in PBKDF2 when creating PBES2 and PKCS#8 containers.
• Export of RSA keys accepts the prot_params dictionary as parameter to control the number of iterations for PBKDF2 and scrypt.
• C unit tests also run on non-x86 architectures.

Resolved issues

• GH#787: Fixed autodetect logic for GCC 14 in combination with LTO.

v3.20.0 - Amiens (pycryptodomex)

New features

• Added support for TurboSHAKE128 and TurboSHAKE256.
• Added method Crypto.Hash.new() to generate a hash object given a hash name.
• Added support for AES-GCM encryption of PBES2 and PKCS#8 containers.
• Added support for SHA-2 and SHA-3 algorithms in PBKDF2 when creating PBES2 and PKCS#8 containers.
• Export of RSA keys accepts the prot_params dictionary as parameter to control the number of iterations for PBKDF2 and scrypt.
• C unit tests also run on non-x86 architectures.

Resolved issues

• GH#787: Fixed autodetect logic for GCC 14 in combination with LTO.

v3.19.1 - Zeil

Resolved issues

• Fixed a side-channel leakage with OAEP decryption that could be exploited to carry out a Manger attack. Thanks to Hubert Kario.

v3.19.1 - Zeil (pycryptodomex)

Resolved issues

• Fixed a side-channel leakage with OAEP decryption that could be exploited to carry out a Manger attack. Thanks to Hubert Kario.

... (truncated)

Changelog

Sourced from pycryptodomex's changelog.

3.21.0 (30 September 2024) ++++++++++++++++++++++++++

New features

• By setting the PYCRYPTODOME_DISABLE_GMP environment variable, the GMP library will not be used even if detected.
• Add support for Curve25519 / X25519.
• Add support for Curve448 / X448.
• Add attribute curve to EccPoint and EccXPoint classes, with the canonical name of the curve.
• GH#781: the label for the SP800_108_Counter KDF may now contain zero bytes. Thanks to Julien Rische.
• GH#814: RSA keys for PSS can be imported.

Resolved issues

• GH#810: fixed negation of Ed25519 points.
• GH#819: accept an RFC5916 ECPrivateKey even if it doesn't contain any of the optional elements (parameters [0] and publicKey[1]).

Other changes

• Remove support for Python 3.5.

3.20.0 (9 January 2024) ++++++++++++++++++++++++++

New features

• Added support for TurboSHAKE128 and TurboSHAKE256.
• Added method Crypto.Hash.new() to generate a hash object given a hash name.
• Added support for AES-GCM encryption of PBES2 and PKCS#8 containers.
• Added support for SHA-2 and SHA-3 algorithms in PBKDF2 when creating PBES2 and PKCS#8 containers.
• Export of RSA keys accepts the prot_params dictionary as parameter to control the number of iterations for PBKDF2 and scrypt.
• C unit tests also run on non-x86 architectures.

Resolved issues

• GH#787: Fixed autodetect logic for GCC 14 in combination with LTO.

3.19.1 (28 December 2023) ++++++++++++++++++++++++++

... (truncated)

Commits

• 5e40a18 Bump version
• cd4cb45 Fix docs and changelog
• d499d27 Decrypt PKCS#8 key even if the password is empty
• 0c86527 Build wheel on Windows 2019
• fdd7892 Bump required version of pycryptodome-test-vectors
• 5040405 Build wheel for Python 3.13
• 19494e0 Bump version for test vectors package
• 66420a7 Fix tests for x448/x25519
• 05bcdff Add tag for Python 3.13
• 2ddda6a Fixed typo in documentation
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[dryrunsecurity]

DryRun Security Summary

The provided text summarizes the GitHub Actions workflows for the Janssen Project, focusing on automating tasks like building documentation, Docker images, and Java packages, while emphasizing security best practices such as hardening runners, managing dependencies, code signing, security analysis, and secure secrets management.

Expand for full summary

Summary:

The provided code changes cover a wide range of GitHub Actions workflows for the Janssen Project, a set of open-source identity and access management (IAM) tools. These workflows are designed to automate various tasks, such as building and publishing documentation, Docker images, and Java packages, as well as running code quality checks and security analysis.

The key security-related aspects of these changes include:

1. Hardening the GitHub Actions Runner: Many of the workflows use the step-security/harden-runner action to enforce secure configurations for the GitHub Actions runner environment, such as setting the egress policy to "audit" mode.
2. Secure Dependency Management: The workflows ensure that dependencies are kept up-to-date and free of known vulnerabilities, which is a crucial security practice.
3. Code Signing and Integrity: Several workflows use GPG signing to ensure the integrity of the code changes and the published artifacts, such as Docker images and binary packages.
4. Security Analysis and Monitoring: The workflows include steps for running security-focused analyses, such as the OSSF Scorecard tool, to assess the overall security posture of the project.
5. Secure Secrets Management: The workflows use GitHub Secrets to store sensitive information, such as authentication tokens and signing keys, which helps to prevent the exposure of these credentials.

Overall, the provided code changes demonstrate a strong emphasis on security best practices and the implementation of various measures to ensure the security and integrity of the Janssen Project's codebase and artifacts.

Files Changed:

1. .github/workflows/backport.yml: This workflow automates the process of creating backport pull requests for the Janssen Project repository.
2. .github/workflows/activate-nightly-build.yml: This workflow is responsible for activating a nightly build process for the project.
3. .github/dependabot.yml: This file configures Dependabot to automatically update dependencies across various components of the Janssen platform.
4. .github/CODEOWNERS: This file specifies the individuals or teams responsible for reviewing and approving changes to specific files or directories within the repository.
5. .github/pull_request_template.md: This file is a pull request template that provides a structured format for contributors to follow when submitting pull requests.
6. .github/workflows/build-docs.yml: This workflow is responsible for publishing the documentation for the Janssen Project to GitHub Pages.
7. .github/workflows/clean_github_cache.yml: This workflow is responsible for cleaning up the GitHub cache for a specific pull request.
8. .github/workflows/delete_workflow_runs.yml: This workflow automatically deletes old workflow runs from the repository.
9. .github/workflows/central_code_quality_check.yml: This workflow runs code quality checks on the project's codebase using SonarCloud.
10. .github/workflows/dependency-review.yml: This workflow scans dependency manifest files for known-vulnerable versions of packages.
11. .github/workflows/build-wars.yml: This workflow builds and publishes Java packages for the Janssen Project.
12. .github/workflows/build-packages.yml: This workflow builds and publishes binary packages for the Janssen Project.
13. .github/workflows/docker_build_image.yml: This workflow builds and publishes Docker images for the Janssen Project.
14. .github/workflows/scorecard.yml: This workflow runs the OSSF Scorecard tool to analyze the security posture of the Janssen Project repository.
15. .github/workflows/sync.yml: This workflow synchronizes changes from the JanssenProject/jans repository to the JanssenProject/terraform-provider-jans repository.
16. .github/workflows/pr-ref-issue.yml: This workflow enforces that each Pull Request references an open issue in the repository.
17. .github/workflows/jans_pycloud_build_package.yml: This workflow updates the jans-pycloudlib dependency in various Docker images used in the Janssen Project.
18. .github/workflows/testcases.yml: This workflow runs test cases for the Janssen Project.
19. .github/workflows/test_docker_linux_installer.yml: This workflow tests the Jans Linux installer, including the Terraform provider.

Code Analysis

We ran 9 analyzers against 30 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.