| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
- Use common implementation
- OCSP signing was using different validation
- Check if private key is usable for signing
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add a way to pass current time to Fernet
The motivation behind this is to be able to unit test code using Fernet
easily without having to monkey patch global state.
* Reformat to satisfy flake8
* Trigger a Fernet.encrypt() branch missing from coverage
* Revert specifying explicit current time in MultiFernet.rotate()
Message's timestamp is not verified anyway since ttl is None.
* Change the Fernet's explicit current time API slightly
This's been suggested in code review.
* Fix a typo
* Fix a typo
* Restore full MultiFernet test coverage and fix a typo
* Restore more coverage
time.time() is not called by MultiFernet.rotate() anymore so the monkey
patching and lambda need to go, because the patched function is not used
and coverage calculation will rightfully notice it.
* Remove an unused import
* Document when the *_at_time Fernet methods were added
|
|
|
|
| |
There happens to be global var named 'backend'
so backend._lib works, but is confusing.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Additional tests for public/private_bytes
They expose few places that raise TypeError and AssertionError!
before, and ValueError later.
* Cleanup of private_bytes() backend
Also pass key itself down to backend.
* Cleanup of public_bytes() backend
* Test handling of unsupported key type
|
| |
|
| |
|
| |
|
|
|
|
| |
supported) (#5231)
|
|
|
|
|
|
|
| |
* add SSL_CTX_(get|set)_keylog_callback
* For travis
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
reason more accurately. (#5157)
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Allow NameAttribute.value to be an empty string
RFC 4514 https://tools.ietf.org/html/rfc4514 does not mention that
"AttributeValue" can not be an empty (zero-length) string.
Fixes #5106
* reverse order to match fix from another PR
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
|
|
|
|
| |
RFC4514 requires in section 2.1 that RDNs are converted to string
representation in reversed order.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
have RC2 (#5072)
* Refs #5065 -- have a CI job with OpenSSL built with no-rc2
* Fixes #5065 -- skip serialization tests which use RC2 if OpenSSL doesn't have RC2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add single_extensions to OCSPResponse (#4753)
* new vector, updateed docs, more stringent parser, changelog, etc
* simplify PR (no SCT for now)
* add a comment
* finish pulling out the sct stuff so tests might actually run
|
|
|
|
|
|
| |
Failing that would lead to an OpenSSL error when calling OBJ_txt2obj at
serialization.
Adds basic tests for oids.
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Deal with the 2.5 deprecations
* pep8 + test fixes
* docs typo
* Why did I do this?
* typo
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Fixes #5018 -- break users on OpenSSL 1.0.1
* Grammar
* Syntax error
* Missing import
* Missing import
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* update openssls
* missed one
* what will this do
* only do this check for 1.1.0+
|
|
|
|
|
|
| |
* Simplify implementing sequence methods
* flake8
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Support ed25519 in csr/crl creation
* Tests for ed25519/x509
* Support ed448 in crt/csr/crl creation
* Tests for ed448/x509
* Support ed25519/ed448 in OCSPResponseBuilder
* Tests for eddsa in OCSPResponseBuilder
* Builder check missing in create_x509_csr
* Documentation update for ed25519+ed448 in x509
|
| |
|
|
|
| |
Per RFC5280 it is allowed in both certificates and CRL-s.
|
|
|
|
|
|
|
|
| |
* Add SSL_get0_verified_chain to cffi lib
OpenSSL 1.1.0 supports SSL_get0_verified_chain. This gives the full chain from the peer cert including your trusted CA cert.
* Work around no support for #if in cdef in old cffi
|
|
|
|
|
|
|
|
| |
* Make DER reader into a context manager
* Added another test case
* flake8
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove non-test dependencies on asn1crypto.
cryptography.io actually contains two OpenSSL bindings right now, the
expected cffi one, and an optional one hidden in asn1crypto. asn1crypto
contains a lot of things that cryptography.io doesn't use, including a
BER parser and a hand-rolled and not constant-time EC implementation.
Instead, check in a much small DER-only parser in cryptography/hazmat. A
quick benchmark suggests this parser is also faster than asn1crypto:
from __future__ import absolute_import, division, print_function
import timeit
print(timeit.timeit(
"decode_dss_signature(sig)",
setup=r"""
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
sig=b"\x30\x2d\x02\x15\x00\xb5\xaf\x30\x78\x67\xfb\x8b\x54\x39\x00\x13\xcc\x67\x02\x0d\xdf\x1f\x2c\x0b\x81\x02\x14\x62\x0d\x3b\x22\xab\x50\x31\x44\x0c\x3e\x35\xea\xb6\xf4\x81\x29\x8f\x9e\x9f\x08"
""",
number=10000))
Python 2.7:
asn1crypto: 0.25
_der.py: 0.098
Python 3.5:
asn1crypto: 0.17
_der.py: 0.10
* Remove test dependencies on asn1crypto.
The remaining use of asn1crypto was some sanity-checking of
Certificates. Add a minimal X.509 parser to extract the relevant fields.
* Add a read_single_element helper function.
The outermost read is a little tedious.
* Address flake8 warnings
* Fix test for long-form vs short-form lengths.
Testing a zero length trips both this check and the non-minimal long
form check. Use a one-byte length to cover the missing branch.
* Remove support for negative integers.
These never come up in valid signatures. Note, however, this does
change public API.
* Update src/cryptography/hazmat/primitives/asymmetric/utils.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Review comments
* Avoid hardcoding the serialization of NULL in decode_asn1.py too.
|
|
|
|
|
|
|
|
|
|
| |
* fix osrandom/builtin switching methods for 1.1.0+
In 1.1.0 RAND_cleanup became a no-op. This broke changing to the builtin
random engine via activate_builtin_random(). Fixed by directly calling
RAND_set_rand_method. This works on 1.0.x and 1.1.x
* missed an assert
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* ed25519 support in x509 certificate builder
This adds minimal ed25519 support. More to come.
* Apply suggestions from code review
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
|
|
|
|
|
|
| |
* Refs #4923; deprecate OpenSSL 1.0.1
* changelog
|
|
|
| |
Introduced in OpenSSL 1.1. Added compatibility for older versions.
|
| |
|
|
|
|
|
|
|
|
| |
* reopen master for 2.8
also add the missing changelog
* sigh, empty commit to trigger azure pipelines
|
| |
|
|
|
|
|
|
|
|
| |
* test: ensure all public members of ExtensionOID have names defined
* add name for ExtensionOID.PRECERT_POISON
ref: https://github.com/google/certificate-transparency/blob/5fce65cb60cfe7808afc98de23c7dd5ddbfa1509/python/ct/crypto/asn1/oid.py#L338
|
|
|
|
|
|
| |
* fix aia encoding memory leak
* don't return anything from the prealloc func
|
|
|
|
|
|
|
|
|
|
| |
* fix from_issuer_subject_key_identifier to take the right type
deprecate passing the old Extension wrapper object
* don't use a try:except:
* hilarious contortions to satisfy doc8
|