| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
- Use common implementation
- OCSP signing was using different validation
- Check if private key is usable for signing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add a way to pass current time to Fernet
The motivation behind this is to be able to unit test code using Fernet
easily without having to monkey patch global state.
* Reformat to satisfy flake8
* Trigger a Fernet.encrypt() branch missing from coverage
* Revert specifying explicit current time in MultiFernet.rotate()
Message's timestamp is not verified anyway since ttl is None.
* Change the Fernet's explicit current time API slightly
This's been suggested in code review.
* Fix a typo
* Fix a typo
* Restore full MultiFernet test coverage and fix a typo
* Restore more coverage
time.time() is not called by MultiFernet.rotate() anymore so the monkey
patching and lambda need to go, because the patched function is not used
and coverage calculation will rightfully notice it.
* Remove an unused import
* Document when the *_at_time Fernet methods were added
|
| |
|
|
| |
There happens to be global var named 'backend'
so backend._lib works, but is confusing.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Additional tests for public/private_bytes
They expose few places that raise TypeError and AssertionError!
before, and ValueError later.
* Cleanup of private_bytes() backend
Also pass key itself down to backend.
* Cleanup of public_bytes() backend
* Test handling of unsupported key type
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
supported) (#5231)
|
| |
|
|
|
|
|
| |
* add SSL_CTX_(get|set)_keylog_callback
* For travis
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
reason more accurately. (#5157)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Allow NameAttribute.value to be an empty string
RFC 4514 https://tools.ietf.org/html/rfc4514 does not mention that
"AttributeValue" can not be an empty (zero-length) string.
Fixes #5106
* reverse order to match fix from another PR
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
|
| |
|
|
| |
RFC4514 requires in section 2.1 that RDNs are converted to string
representation in reversed order.
|
| | |
|
| |
|
|
| |
Required to link in static part of pthread, e.g. pthread_atfork
Fixes https://github.com/pyca/cryptography/issues/5084
|
| | |
|
| |
|
|
|
|
|
|
| |
have RC2 (#5072)
* Refs #5065 -- have a CI job with OpenSSL built with no-rc2
* Fixes #5065 -- skip serialization tests which use RC2 if OpenSSL doesn't have RC2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
support them (#5042)
* check for suitable compiler (platform) before adding special flags
* pep8 corrections
* later pep8 messages
* add clang to auto accepted compilers
* modify syntax so multi-line is accepted
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* add single_extensions to OCSPResponse (#4753)
* new vector, updateed docs, more stringent parser, changelog, etc
* simplify PR (no SCT for now)
* add a comment
* finish pulling out the sct stuff so tests might actually run
|
| |
|
|
|
|
| |
* Fixed #5050 -- dropped support for an old LibresSSL release
* Changelog
|
| |
|
|
|
|
| |
Failing that would lead to an OpenSSL error when calling OBJ_txt2obj at
serialization.
Adds basic tests for oids.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Deal with the 2.5 deprecations
* pep8 + test fixes
* docs typo
* Why did I do this?
* typo
|
| |
|
|
|
|
| |
* Add a comment so we can easily find a place to update later
* flake8
|
| | |
|
| |
|
|
|
|
|
|
| |
macOS 10.12 (#5019)
* silence `Wunguarded-availability` when building with a `MACOSX_DEPLOYMENT_TARGET < 10.12`
* use `__builtin_available` rather than a `NULL` echo upon init on mac
|
| |
|
|
|
|
| |
* Test against libressl 3.0
* Correctly type these ints
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Fixes #5018 -- break users on OpenSSL 1.0.1
* Grammar
* Syntax error
* Missing import
* Missing import
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* update openssls
* missed one
* what will this do
* only do this check for 1.1.0+
|
| |
|
|
|
|
| |
* Simplify implementing sequence methods
* flake8
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Support ed25519 in csr/crl creation
* Tests for ed25519/x509
* Support ed448 in crt/csr/crl creation
* Tests for ed448/x509
* Support ed25519/ed448 in OCSPResponseBuilder
* Tests for eddsa in OCSPResponseBuilder
* Builder check missing in create_x509_csr
* Documentation update for ed25519+ed448 in x509
|
| | |
|
| |
|
| |
Per RFC5280 it is allowed in both certificates and CRL-s.
|
| |
|
|
|
|
|
|
| |
* Add SSL_get0_verified_chain to cffi lib
OpenSSL 1.1.0 supports SSL_get0_verified_chain. This gives the full chain from the peer cert including your trusted CA cert.
* Work around no support for #if in cdef in old cffi
|
| |
|
|
|
|
|
|
| |
* Make DER reader into a context manager
* Added another test case
* flake8
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove non-test dependencies on asn1crypto.
cryptography.io actually contains two OpenSSL bindings right now, the
expected cffi one, and an optional one hidden in asn1crypto. asn1crypto
contains a lot of things that cryptography.io doesn't use, including a
BER parser and a hand-rolled and not constant-time EC implementation.
Instead, check in a much small DER-only parser in cryptography/hazmat. A
quick benchmark suggests this parser is also faster than asn1crypto:
from __future__ import absolute_import, division, print_function
import timeit
print(timeit.timeit(
"decode_dss_signature(sig)",
setup=r"""
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
sig=b"\x30\x2d\x02\x15\x00\xb5\xaf\x30\x78\x67\xfb\x8b\x54\x39\x00\x13\xcc\x67\x02\x0d\xdf\x1f\x2c\x0b\x81\x02\x14\x62\x0d\x3b\x22\xab\x50\x31\x44\x0c\x3e\x35\xea\xb6\xf4\x81\x29\x8f\x9e\x9f\x08"
""",
number=10000))
Python 2.7:
asn1crypto: 0.25
_der.py: 0.098
Python 3.5:
asn1crypto: 0.17
_der.py: 0.10
* Remove test dependencies on asn1crypto.
The remaining use of asn1crypto was some sanity-checking of
Certificates. Add a minimal X.509 parser to extract the relevant fields.
* Add a read_single_element helper function.
The outermost read is a little tedious.
* Address flake8 warnings
* Fix test for long-form vs short-form lengths.
Testing a zero length trips both this check and the non-minimal long
form check. Use a one-byte length to cover the missing branch.
* Remove support for negative integers.
These never come up in valid signatures. Note, however, this does
change public API.
* Update src/cryptography/hazmat/primitives/asymmetric/utils.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Review comments
* Avoid hardcoding the serialization of NULL in decode_asn1.py too.
|
| |
|
|
|
|
|
|
|
|
| |
* fix osrandom/builtin switching methods for 1.1.0+
In 1.1.0 RAND_cleanup became a no-op. This broke changing to the builtin
random engine via activate_builtin_random(). Fixed by directly calling
RAND_set_rand_method. This works on 1.0.x and 1.1.x
* missed an assert
|
| |
|
|
|
|
| |
* add bindings to parse and create challenge passwords in X509 CSRs
* moved away from the 1.1.0 section
|
