| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add single_extensions to OCSPResponse (#4753)
* new vector, updateed docs, more stringent parser, changelog, etc
* simplify PR (no SCT for now)
* add a comment
* finish pulling out the sct stuff so tests might actually run
|
|
|
| |
Per RFC5280 it is allowed in both certificates and CRL-s.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove non-test dependencies on asn1crypto.
cryptography.io actually contains two OpenSSL bindings right now, the
expected cffi one, and an optional one hidden in asn1crypto. asn1crypto
contains a lot of things that cryptography.io doesn't use, including a
BER parser and a hand-rolled and not constant-time EC implementation.
Instead, check in a much small DER-only parser in cryptography/hazmat. A
quick benchmark suggests this parser is also faster than asn1crypto:
from __future__ import absolute_import, division, print_function
import timeit
print(timeit.timeit(
"decode_dss_signature(sig)",
setup=r"""
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
sig=b"\x30\x2d\x02\x15\x00\xb5\xaf\x30\x78\x67\xfb\x8b\x54\x39\x00\x13\xcc\x67\x02\x0d\xdf\x1f\x2c\x0b\x81\x02\x14\x62\x0d\x3b\x22\xab\x50\x31\x44\x0c\x3e\x35\xea\xb6\xf4\x81\x29\x8f\x9e\x9f\x08"
""",
number=10000))
Python 2.7:
asn1crypto: 0.25
_der.py: 0.098
Python 3.5:
asn1crypto: 0.17
_der.py: 0.10
* Remove test dependencies on asn1crypto.
The remaining use of asn1crypto was some sanity-checking of
Certificates. Add a minimal X.509 parser to extract the relevant fields.
* Add a read_single_element helper function.
The outermost read is a little tedious.
* Address flake8 warnings
* Fix test for long-form vs short-form lengths.
Testing a zero length trips both this check and the non-minimal long
form check. Use a one-byte length to cover the missing branch.
* Remove support for negative integers.
These never come up in valid signatures. Note, however, this does
change public API.
* Update src/cryptography/hazmat/primitives/asymmetric/utils.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Review comments
* Avoid hardcoding the serialization of NULL in decode_asn1.py too.
|
|
|
|
|
|
| |
* fix a memory leak in AIA parsing
* oops can't remove that
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* IssuingDistributionPoint support
h/t to Irina Renteria for the initial work here
* python 2 unfortunately still exists
* py2 repr
* typo caught by flake8
* add docs
* review feedback
* reorder args, other fixes
* use the alex name
* add changelog
|
|
|
|
|
|
|
|
|
|
|
| |
* separate refactor _decode_dist_points
We need to be able to parse reasons and distpoint for the
CRL extension IssuingDistributionPoint
* move comment, rename a variable
* review feedback
|
|
|
|
|
|
|
|
|
|
| |
* add OCSP basic response extension parsing
Just nonce for now. This does not support SINGLERESP extension parsing.
* also raises on extensions for non-successful
* empty commit
|
|
|
|
|
|
|
|
|
|
| |
* add OCSP request parsing support with OCSPNonce
* add docs
* reprs man
* make extensions a cached property
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Fixes #4333 -- added support for precert poison extension
* Make work on all OpenSSL versions
* fixed flake8 + docs
* fix for older OpenSSLs
* document this
* spell
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Raise a ValueError when conversion to generalizedtime fails
* added test for badasn1time value error
* pep8 compliance
* Addressing code review
+ VE now raises with ```{!r}``` formatting
+ Test now checks that the bad string made it into the VE message
* using ValueError.match
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* backwards incompatible change to UniformResourceIdentifier
During this release cycle we decided to officially deprecate passing
U-labels to our GeneralName constructors. At first we tried changing
this in a purely backwards compatible way but get_values_for_type made
that untenable. This PR modifies URI to accept two types:
U-label strings (which raises a deprecation warning) and A-label strings
(the new preferred type). There is also a constructor for URI
that bypasses validation so we can parse garbage out of certificates
(and round trip it if necessary)
* nonsense empty commit 2.6 and codecov are the worst
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* backwards incompatible change to RFC822Name
During this release cycle we decided to officially deprecate passing
U-labels to our GeneralName constructors. At first we tried changing
this in a purely backwards compatible way but get_values_for_type made
that untenable. This PR modifies RFC822Name to accept two types:
U-label strings (which raises a deprecation warning) and A-label strings
(the new preferred type). There is also a constructor for RFC822Name
that bypasses validation so we can parse garbage out of certificates
(and round trip it if necessary)
* whoops
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Backwards incompatible change to DNSName
During this release cycle we decided to officially deprecate passing
U-labels to our GeneralName constructors. At first we tried changing
this in a purely backwards compatible way but get_values_for_type made
that untenable. This PR modifies DNSName to take three different types.
U-label strings (which raises a deprecation warning), A-label strings
(the new preferred type), and bytes (which are assumed to be decodable
to unicode strings). The latter, while supported, is primarily intended
for use by our parser and allows us to return the actual encoded data in
a certificate even if it has not been properly encoded to A-label before
the certificate is created. (Of course, if the certificate contains
invalid utf8 sequences this will still fail, but let's handle one
catastrophic failure at a time).
* coverage
* don't delete that asterisk from a test. it does things.
* no bytes in DNSName. Private constructor for bypassing validation
* test unicode in dnsname (yuck)
* fix docs
* empty commit, you disappoint me codecov
* CI is the worst
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* both parse and encode the ASN1 string type for Name attributes
Previously cryptography encoded everything (except country names) as
UTF8String. This caused problems with chain building in libraries like
NSS where the subject and issuer are expected to match byte-for-byte.
With this change we now parse and store the ASN1 string type as a
private _type in NameAttribute. We then use this to encode when issuing
a new certificate. This allows the CertificateBuilder to properly
construct an identical issuer and fixes the issue with NSS.
* make the sentinel private too
|
|
|
|
|
|
|
|
|
|
| |
* add freshest CRL support
* add tests
* add changelog
* add tests for FreshestCRL generation
|
|
|
| |
This is an extension for CRLs
|
|
|
|
| |
We support directly passing bytes now and these code paths are
duplicated in the deprecated value attributes.
|
|
|
|
|
| |
strings of the form "scheme:///anything" would incorrectly have two
slashes dropped. This is fixed in two code paths in this PR but one of
those code paths will be entirely removed in a followup PR.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add support for the TLSFeature extension in x509
This extension is used for OCSP Must-Staple.
* fix changelog link
* pep8
* refactor to support the sequence properly and add status_request_v2
* update some language
* add test vector, implement eq/ne/hash on TLSFeature
* address review comments
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Begin the deprecation of auto-idna for x509.DNSName
Refs #3357
* fix warning
* py3k fixes
* fix docs
* sigh
* flake8
* these are words
* words
* tests for coverage
* another test
* do idna things
* more idna things
|
|
|
|
|
|
|
|
| |
* don't parse SCTs on older openssl
* use two diff extension parsers because why not
* review feedback
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Stub API for SCTs, feedback wanted
* grr, flake8
* finish up the __init__
* Initial implementation and tests
* write a test. it fails because computer
* get the tests passing and fix some TODOs
* changelog entry
* This can go now
* Put a skip in this test
* grump
* Removed unreachable code
* moved changelog to the correct section
* Use the deocrator for expressing requirements
* This needs f for the right entry_type
* coverage
* syntax error
* tests for coverage
* better sct eq tests
* docs
* technically correct, the most useless kind of correct
* typo and more details
* bug
* drop __eq__
|
|
|
|
|
|
|
|
|
| |
The OpenSSL manual recommends a buffer size of 80 for OBJ_oid2txt:
https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values.
But OIDs longer than this occur in real life (e.g. Active Directory
makes some very long OIDs). If the length of the stringified OID
exceeds the buffer size, allocate a new buffer that is big enough to
hold the stringified OID, and re-do the conversion into the new
buffer.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Don't raise an UnsupportedExtension for critical extensions.
Fixes #2903
Fixes #2901
Fixes #3325
* Don't link
* Revert "Don't link"
This reverts commit 4fe847f91d9dd45cdc28a4984c4e44aad62a5de6.
* fix
* Revert "Revert "Don't link""
This reverts commit 856031b5a1fbad04ac218fa94ebf37dcd402f3ed.
* fix
* Deprecate this
* Better changelog entry
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Fixed #3492 -- use a better API
* More correct types
* Revert "More correct types"
This reverts commit e7412927eccf2b983bbcab2d2864ae1e4e83b56f.
|
|
|
|
|
|
|
|
|
|
| |
* Refs #3430 -- fixed a memory leak in extension parsing for CRL dp
* same fix for policy info
* make this private
* consistency cleanup
|
|
|
|
|
|
|
|
| |
Update the Name class to accept and internally store a list of
RelativeDistinguishedName objects. Add the 'rdns' attribute to give
access to the RDNs. Update ASN.1 routines to correctly decode and
encode multi-value RDNs.
Fixes: https://github.com/pyca/cryptography/issues/3199
|
|
|
|
|
|
|
|
|
|
|
| |
* Add RelativeDistinguishedName class
* Make relative_name a RelativeDistinguishedName
DistributionPoint relative_name is currently a Name but RFC 5280
defines it as RelativeDistinguishedName, i.e. a non-empty SET OF
name attributes. Change the DistributionPoint relative_name
attribute to be a RelativeDistinguishedName.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|