path: root/src
Commit message | Author | Age | Files | Lines
* add _create_asn1_time (#4524) | Paul Kehrer | 2018-10-24 | 1 | -12/+10
* refactor set_asn1_time to take a datetime (#4516) | Paul Kehrer | 2018-10-23 | 1 | -14/+7
* bind a constant for an error check (#4514) | Paul Kehrer | 2018-10-23 | 1 | -0/+1
    I hate it when we have to do this.
* next_update is not a required field on OCSP responses (#4513) | Paul Kehrer | 2018-10-23 | 1 | -2/+4
* Fixes #4500 -- use O_CLOEXEC when opening the /dev/urandom file descriptor (#4507) | Alex Gaynor | 2018-10-23 | 1 | -9/+2
    * Fixes #4500 -- use O_CLOEXEC when opening the /dev/urandom file descriptor
    * Unused variable
* Remove branch for old libressl versions that we don't support any more (#4505) | Alex Gaynor | 2018-10-20 | 1 | -2/+1
* Add definitions that help with hostname checking (#4492) | Kai Engert | 2018-10-10 | 3 | -0/+56
    * Add definitions for SSL_get0_param and X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
    * remove unnecessary parameter name
    * Add version conditionals and more flags
    * extend cryptography_has_102_verification_params
    * X509_CHECK_FLAG_NEVER_CHECK_SUBJECT only available with openssl 1.1.0+
    * add missing declaration
* Use our cryptography-specific warning class (#4493) | Alex Gaynor | 2018-10-10 | 1 | -1/+1
* OCSP response serialization (#4482) | Paul Kehrer | 2018-10-06 | 1 | -0/+13
    * support OCSP response serialization
    * empty commit, good times
* support extensions in the OCSP request builder (#4481) | Paul Kehrer | 2018-10-06 | 3 | -6/+37
    * support extensions in the OCSP request builder
    * cover a missed branch
    * refactor to use new func
    * review feedback
* Cleanup _encode_asn1_str_gc: don't require the length as an argument (#4484) | Alex Gaynor | 2018-10-07 | 2 | -15/+11
    * Cleanup _encode_asn1_str_gc: don't require the length as an argument
    * Apply the same cleanup to _encode_asn1_str
* add OCSP basic response extension parsing (#4479) | Paul Kehrer | 2018-10-06 | 3 | -1/+23
    * add OCSP basic response extension parsing
      Just nonce for now. This does not support SINGLERESP extension parsing.
    * also raises on extensions for non-successful
    * empty commit
* consolidate the duplicate extension check (#4483) | Paul Kehrer | 2018-10-06 | 1 | -19/+11
* additional OCSP bindings for the response builder (#4480) | Paul Kehrer | 2018-10-06 | 1 | -3/+5
    * additional OCSP bindings for the response builder
    * use the OCSP extension funcs that match the rest of x509
* support OCSP response parsing (#4452) | Paul Kehrer | 2018-10-01 | 3 | -4/+262
    * support OCSP response parsing
    * move the decorator to make pep8 happy
    * add some missing docs
    * review feedback
    * more review feedback
* add ed25519 bindings (#4476) | Paul Kehrer | 2018-09-26 | 4 | -0/+50
    * add ed25519 bindings
    * var name
* Remove conditionals for OpenSSL 1.1.1 pre-releases (#4467) | Alex Gaynor | 2018-09-15 | 2 | -8/+3
* OCSP request extension parsing (#4464) | Paul Kehrer | 2018-09-09 | 7 | -5/+68
    * add OCSP request parsing support with OCSPNonce
    * add docs
    * reprs man
    * make extensions a cached property
* refactor asn1_time_set to be useful in a future PR (#4465) | Paul Kehrer | 2018-09-09 | 1 | -27/+27
* Add flags to error on compile with incompatible pointer type (#4455) | Paul Kehrer | 2018-09-05 | 4 | -21/+26
    * try something a bit different.
    * newer compiler plz
    * permute
    * fix some warnings
    * fix getters on OpenSSL < 1.1.0
    * this is getting involved
    * given our compiler flags we can't have SSL_CTX_set_cookie_verify_cb
* don't sort the serial numbers in a parsed CRL (#4457) | Paul Kehrer | 2018-09-04 | 1 | -2/+12
    * don't sort the serial numbers in a parsed CRL
      OpenSSL sorts them in place and this breaks the signature and more.
      fixes #4456
    * cache the sorted CRL (but create it lazily)
    * use the cache decorator
* OCSP bindings (#4449) | Paul Kehrer | 2018-09-01 | 2 | -0/+97
    * add many OCSP bindings
      Much of OCSP was opaqued in 1.1.0 so this also adds a bunch of getters for older OpenSSL. However, 1.1.0 itself made it impossible to access certain fields in the opaque struct, so we're forced to de-opaque them for 1.1.0 through 1.1.0i as well as 1.1.1-pre1 through 1.1.1-pre9. There is a patch (openssl/openssl#7082) that fixes this and should be in 1.1.0j and 1.1.1-pre10 (or 1.1.1 final, whichever they choose to issue)
    * backslashes are sometimes useful
    * comments
* small refactor of OCSP request parsing (#4447) | Paul Kehrer | 2018-09-01 | 1 | -38/+54
    This allows us to reuse these functions in the OCSPResponse object in the future
* Fixes #4333 -- added support for precert poison extension (#4442) | Alex Gaynor | 2018-08-31 | 5 | -6/+33
    * Fixes #4333 -- added support for precert poison extension
    * Make work on all OpenSSL versions
    * fixed flake8 + docs
    * fix for older OpenSSLs
    * document this
    * spell
* Simplify OCSP no check serialization (#4444) | Alex Gaynor | 2018-08-31 | 2 | -5/+5
* OCSP response abstract base classes (#4431) | Paul Kehrer | 2018-08-31 | 1 | -0/+130
    * ocsp response abc
    * collapse SingleResponse into OCSPResponse now that we only support one
    * split responder_id into two properties, add tbs_response_bytes
    * typo
    * rename one method and add a mapping we'll need shortly
* refactor ocsp request parsing and generation to support only one cert (#4439) | Paul Kehrer | 2018-08-31 | 3 | -83/+36
    * refactor ocsp request parsing and generation to support only one cert
    * small doc change
    * notimplementederror
* Fixes #3460 -- deprecate OpenSSL 1.0.1 (#4427) | Alex Gaynor | 2018-08-31 | 1 | -0/+16
    * Fixes #3460 -- deprecate OpenSSL 1.0.1
    * We need to import warnings
    * flake8
    * words are hard
    * rephrase
* Fixed two memory leaks in x509 csr extensions (#4434) | Alex Gaynor | 2018-08-31 | 3 | -3/+19
    * Fixed a memory leak in x.509 OCSP no check
    * Fix the _actual_ leak
    * Speed up symbolizations
    * Disable backtrace by default, because it doesn't work on Windows
    * line length
* make an ocsp request (#4402) | Paul Kehrer | 2018-08-30 | 3 | -0/+48
    * make an ocsp request
    * update test, add docs
    * make it an OCSPRequestBuilder
    * review feedback and more tests
    * make it a class
    * empty commit to retrigger
    * type check
* 1.1.0 locks (#4420) | Paul Kehrer | 2018-08-29 | 3 | -2/+7
    * Do conditional compiling of Cryptography_setup_ssl_threads
    * Check Cryptography_HAS_LOCKING_CALLBACKS before initing static locks
      Check if compiling and initing locking callbacks is necessary
      PEP8 fix
    * Make test_crypto_lock_init more complete
* add bindings for SCT creation (#4407) | Paul Kehrer | 2018-08-20 | 2 | -0/+22
* OCSP request parsing (#4393) | Paul Kehrer | 2018-08-15 | 3 | -0/+209
    * add public_bytes to OCSPRequest
    * review feedback
    * OCSP request parsing
    * change some prose
    * add __len__ as a required method
* Added missing methods from CRL Interface (#4400) | Alex Gaynor | 2018-08-15 | 1 | -0/+18
* Refs #4375 -- integrate wycheproof AES CCM tests (#4379) | Alex Gaynor | 2018-08-02 | 1 | -1/+1
    * Refs #4375 -- integrate wycheproof AES CCM tests
    * Skip these tests if we don't have CCM support
* Add more SSL_CIPHER_* functions, necessary to implement ctx.get_ciphers() in PyPy (#4364) | Amaury Forgeot d'Arc | 2018-07-23 | 2 | -0/+30
    * Add more SSL_CIPHER_* functions, necessary to implement ctx.get_ciphers() added by Python 3.6.1.
    * Add placeholders for other versions
    * Remove parameter names
    * LibreSSL 2.7 has the new functions
    * Add entries in _conditional.py
    * SSL_CIPHER_get_id returns int, not char*
* sign is a method (#4362) | Paul Kehrer | 2018-07-20 | 1 | -1/+1
* reopen master (#4359) | Paul Kehrer | 2018-07-18 | 1 | -1/+1
* bump version and changelog for 2.3 release (#4356) | Paul Kehrer | 2018-07-18 | 1 | -1/+1
* also check iv length for GCM nonce in AEAD (#4350) | Paul Kehrer | 2018-07-17 | 1 | -0/+2
    * also check iv length for GCM nonce in AEAD
    * ugh
* raise ValueError on zero length GCM IV (#4348) | Paul Kehrer | 2018-07-17 | 1 | -0/+2
* disallow implicit tag truncation with finalize_with_tag (#4342) | Paul Kehrer | 2018-07-17 | 2 | -0/+6
* add crl.get_revoked_certificate method (#4331) | Paul Kehrer | 2018-07-16 | 3 | -0/+28
    * add crl.get_revoked_certificate method
    * lexicographic is the best ographic
    * rename
* Change the exception we raise in keywrap unwrapping on invalid length (#4337) | Alex Gaynor | 2018-07-16 | 1 | -3/+3
    I believe this can reasonably be considered backwards compatible since other invalid inputs already lead to InvalidUnwrap, and clients shouldn't be distinguishing between these two conditions, and ValueError wasn't documented anyways.
* document one shot AEAD length restrictions (#4322) | Paul Kehrer | 2018-07-14 | 1 | -0/+24
    * document one shot AEAD length restrictions
    * write a test that won't consume infinity ram
      continue to raise OverflowError since that's what cffi did.
    * this applies to associated_data too
    * remove unneeded arg
    * review feedback on docs
* raise valueerror for null x25519 derived keys (#4332) | Paul Kehrer | 2018-07-12 | 1 | -1/+5
    * raise valueerror for null x25519 derived keys
      OpenSSL errors when it hits this edge case and a null shared key is bad anyway so let's raise an error
    * empty commit
* we don't actually care about the errstack here, it's an invalid signature (#4325) | Paul Kehrer | 2018-07-10 | 1 | -2/+1
    * we don't actually care about the errstack here, it's an invalid signature
      We previously had no cases where we could error without getting errors on the error stack, but wycheproof contains test cases that can error without adding anything to the stack. Accordingly, we should clear the stack but raise InvalidSignature no matter what (rather than InternalError if we have no error msgs)
    * add a test
* fix a memory leak when calling X25519PrivateKey.public_key() (#4326) | Paul Kehrer | 2018-07-10 | 1 | -0/+4
* fix encoding BMPString in x509 name entries (#4321) | Paul Kehrer | 2018-07-09 | 1 | -2/+7
    Previously we encoded them as UTF-8, but as best I can tell in reality a BMPString is fixed-width basic multilingual plane big endian encoding. This is basically UCS-2 (aka original Unicode). However, Python doesn't support UCS-2 encoding so we need to use utf_16_be. This means you can encode surrogate code points that are invalid in the context of what a BMPString is supposed to be, but in reality I strongly suspect the sane encoding ship has sailed and dozens if not hundreds of implementations both do this and expect other systems to handle their nonsense.
* Make RelativeDistinguishedName preserve attribute order (#4306) | Marti Raudsepp | 2018-07-09 | 1 | -3/+8
    Duplicate attributes now raise an error instead of silently discarding duplicates.