| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
- Use common implementation
- OCSP signing was using different validation
- Check if private key is usable for signing
|
|
|
|
| |
There happens to be global var named 'backend'
so backend._lib works, but is confusing.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Additional tests for public/private_bytes
They expose few places that raise TypeError and AssertionError!
before, and ValueError later.
* Cleanup of private_bytes() backend
Also pass key itself down to backend.
* Cleanup of public_bytes() backend
* Test handling of unsupported key type
|
| |
|
|
|
|
|
|
|
|
| |
have RC2 (#5072)
* Refs #5065 -- have a CI job with OpenSSL built with no-rc2
* Fixes #5065 -- skip serialization tests which use RC2 if OpenSSL doesn't have RC2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Support ed25519 in csr/crl creation
* Tests for ed25519/x509
* Support ed448 in crt/csr/crl creation
* Tests for ed448/x509
* Support ed25519/ed448 in OCSPResponseBuilder
* Tests for eddsa in OCSPResponseBuilder
* Builder check missing in create_x509_csr
* Documentation update for ed25519+ed448 in x509
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove non-test dependencies on asn1crypto.
cryptography.io actually contains two OpenSSL bindings right now, the
expected cffi one, and an optional one hidden in asn1crypto. asn1crypto
contains a lot of things that cryptography.io doesn't use, including a
BER parser and a hand-rolled and not constant-time EC implementation.
Instead, check in a much small DER-only parser in cryptography/hazmat. A
quick benchmark suggests this parser is also faster than asn1crypto:
from __future__ import absolute_import, division, print_function
import timeit
print(timeit.timeit(
"decode_dss_signature(sig)",
setup=r"""
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
sig=b"\x30\x2d\x02\x15\x00\xb5\xaf\x30\x78\x67\xfb\x8b\x54\x39\x00\x13\xcc\x67\x02\x0d\xdf\x1f\x2c\x0b\x81\x02\x14\x62\x0d\x3b\x22\xab\x50\x31\x44\x0c\x3e\x35\xea\xb6\xf4\x81\x29\x8f\x9e\x9f\x08"
""",
number=10000))
Python 2.7:
asn1crypto: 0.25
_der.py: 0.098
Python 3.5:
asn1crypto: 0.17
_der.py: 0.10
* Remove test dependencies on asn1crypto.
The remaining use of asn1crypto was some sanity-checking of
Certificates. Add a minimal X.509 parser to extract the relevant fields.
* Add a read_single_element helper function.
The outermost read is a little tedious.
* Address flake8 warnings
* Fix test for long-form vs short-form lengths.
Testing a zero length trips both this check and the non-minimal long
form check. Use a one-byte length to cover the missing branch.
* Remove support for negative integers.
These never come up in valid signatures. Note, however, this does
change public API.
* Update src/cryptography/hazmat/primitives/asymmetric/utils.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Review comments
* Avoid hardcoding the serialization of NULL in decode_asn1.py too.
|
|
|
|
|
|
|
|
|
|
| |
* fix osrandom/builtin switching methods for 1.1.0+
In 1.1.0 RAND_cleanup became a no-op. This broke changing to the builtin
random engine via activate_builtin_random(). Fixed by directly calling
RAND_set_rand_method. This works on 1.0.x and 1.1.x
* missed an assert
|
|
|
|
|
|
|
|
|
|
| |
* ed25519 support in x509 certificate builder
This adds minimal ed25519 support. More to come.
* Apply suggestions from code review
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
|
|
|
| |
Introduced in OpenSSL 1.1. Added compatibility for older versions.
|
| |
|
|
|
|
|
| |
we don't support ed448 openssh keys so we'll use that to test this
branch. if we ever do support ed448 keys we can always just call this
private method directly to keep coverage.
|
|
|
|
|
|
| |
* add OpenSSH serialization for ed25519 keys (#4808)
* address review comments
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* poly1305 support
* some more tests
* have I mentioned how bad the spellchecker is?
* doc improvements
* EVP_PKEY_new_raw_private_key copies the key but that's not documented
Let's assume that might change and be very defensive
* review feedback
* add a test that fails on a tag of the correct length but wrong value
* docs improvements
|
|
|
|
|
|
| |
* support ed25519 openssh public keys
* don't need this check
|
|
|
|
|
|
|
|
| |
* ed448 support
* move the changelog entry
* flake8
|
|
|
|
|
|
| |
* ed25519 support
* review feedback
|
| |
|
|
|
|
|
|
|
|
| |
* support OPENSSL_NO_ENGINE
* support some new openssl config args
* sigh
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we used unix timestamps, but now we are switching to using
ASN1_TIME_set_string and automatically formatting the string based on
the year. The rule is as follows:
Per RFC 5280 (section 4.1.2.5.), the valid input time
strings should be encoded with the following rules:
1. UTC: YYMMDDHHMMSSZ, if YY < 50 (20YY) --> UTC: YYMMDDHHMMSSZ
2. UTC: YYMMDDHHMMSSZ, if YY >= 50 (19YY) --> UTC: YYMMDDHHMMSSZ
3. G'd: YYYYMMDDHHMMSSZ, if YYYY >= 2050 --> G'd: YYYYMMDDHHMMSSZ
4. G'd: YYYYMMDDHHMMSSZ, if YYYY < 2050 --> UTC: YYMMDDHHMMSSZ
Notably, Dates < 1950 are not valid UTCTime. At the moment we still
reject dates < Jan 1, 1970 in all cases but a followup PR can fix
that.
|
|
|
|
|
|
|
|
|
|
|
| |
* bind EVP_R_MEMORY_LIMIT_EXCEEDED and update a test
This will allow OpenSSL 1.1.1 on 32-bit (including our Windows 32-bit
builders) to fail as expected. Technically this isn't a malloc error,
but rather failing because the allocation requested is larger than
32-bits, but raising a MemoryError still seems appropriate
* what you want an endif too?
|
| |
|
|
|
|
|
|
| |
* add support for encoding compressed points
* review feedback
|
|
|
|
|
|
|
|
| |
* byteslike concatkdf
* byteslike scrypt
* byteslike x963kdf
|
|
|
|
|
|
|
|
| |
* support byteslike in HKDF
* support byteslike in PBKDF2HMAC
* add missing docs
|
|
|
| |
yuck.
|
|
|
|
|
|
|
|
|
|
|
| |
* x448 and x25519 should enforce key lengths in from_private_bytes
they should also check if the algorithm is supported like the public
bytes class methods do
* oops
* move the checks
|
|
|
|
|
|
| |
* add support for byteslike password/data to load_{pem,der}_private_key
* pypy 5.4 can't do memoryview from_buffer
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add support for byteslike on password and data for pkcs12 loading
* use a contextmanager to yield a null terminated buffer we can zero
* review feedback
* updated text
* one last change
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modify x25519 serialization to match x448
supports raw and pkcs8 encoding on private_bytes
supports raw and subjectpublickeyinfo on public_bytes
deprecates zero argument call to public_bytes
* add docs
* this is public now
* don't need that
* review feedback
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* support x448 public/private serialization both raw and pkcs8
* add tests for all other asym key types to prevent Raw
* more tests
* better tests
* fix a test
* funny story, I'm actually illiterate.
* pep8
* require PrivateFormat.Raw or PublicFormat.Raw with Encoding.Raw
* missing docs
* parametrize
* docs fixes
* remove dupe line
* assert something
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* compressed point support
* refactor to use oct2point directly
* small docs change
* remove deprecation for the moment and a bit of review feedback
* no backend arg, implicitly import it
* missed a spot
* double oops
* remove superfluous call
* use refactored method
* use vector file
* one last item
|
|
|
|
|
|
| |
* ec key creation by curve name refactored into a method
* typo
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* PoC code for check PEM wrap
* Remove PoC check wrap code
* Add PEM file info to FAQ
* Add FAQ/PEM link in exception message
* Fix flake8 style issues
* refactor, update language
* it's really amazing how bad the spell checker is
* review feedback
* change to etc
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Raise MemoryError when backend.derive_scrypt can't malloc enough
* Expose ERR_R_MALLOC_FAILURE and use the reason_match pattern to catch it
* Add test_scrypt_malloc_failure in test_scrypt
* let's see if this passes
* add comment to filippo's blog post about scrypt's params
|
|
|
| |
this will make life a bit easier when we support bytearrays
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* PKCS12 parsing support
* running all the tests is so gauche
* rename func
* various significant fixes
* dangerous idiot here
* move pkcs12
* docs updates
* a bit more prose
|
|
|
|
|
|
| |
* Move SSH serialization to it's own file
* flake8
|
|
|
|
|
|
| |
* refactor serialization into a package so we can add a pkcs12 module
* oops
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* x448 support
This work was originally authored by derwolfe
* update docs to have a more useful derived key length
* error if key is not a valid length in from_public_bytes
* one more
* switch to using evp_pkey_keygen_gc for x448 keygen
* review feedback
* switch to using evp_pkey_derive
* nit fix
|
|
|
| |
this allows us to use the same code for ed25519, x448, and ed448
|
|
|
|
|
|
| |
* create & use _evp_md_from_algorithm and _evp_md_non_null_from_algorithm
* remove unused import
|
|
|
|
|
|
|
|
| |
* ocsp response builder
* better prose
* review changes
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* support extensions in the OCSP request builder
* cover a missed branch
* refactor to use new func
* review feedback
|