| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
- Use common implementation
- OCSP signing was using different validation
- Check if private key is usable for signing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Allow NameAttribute.value to be an empty string
RFC 4514 https://tools.ietf.org/html/rfc4514 does not mention that
"AttributeValue" can not be an empty (zero-length) string.
Fixes #5106
* reverse order to match fix from another PR
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
|
| |
|
|
| |
RFC4514 requires in section 2.1 that RDNs are converted to string
representation in reversed order.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Support ed25519 in csr/crl creation
* Tests for ed25519/x509
* Support ed448 in crt/csr/crl creation
* Tests for ed448/x509
* Support ed25519/ed448 in OCSPResponseBuilder
* Tests for eddsa in OCSPResponseBuilder
* Builder check missing in create_x509_csr
* Documentation update for ed25519+ed448 in x509
|
| |
|
|
|
|
|
|
| |
* Make DER reader into a context manager
* Added another test case
* flake8
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove non-test dependencies on asn1crypto.
cryptography.io actually contains two OpenSSL bindings right now, the
expected cffi one, and an optional one hidden in asn1crypto. asn1crypto
contains a lot of things that cryptography.io doesn't use, including a
BER parser and a hand-rolled and not constant-time EC implementation.
Instead, check in a much small DER-only parser in cryptography/hazmat. A
quick benchmark suggests this parser is also faster than asn1crypto:
from __future__ import absolute_import, division, print_function
import timeit
print(timeit.timeit(
"decode_dss_signature(sig)",
setup=r"""
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
sig=b"\x30\x2d\x02\x15\x00\xb5\xaf\x30\x78\x67\xfb\x8b\x54\x39\x00\x13\xcc\x67\x02\x0d\xdf\x1f\x2c\x0b\x81\x02\x14\x62\x0d\x3b\x22\xab\x50\x31\x44\x0c\x3e\x35\xea\xb6\xf4\x81\x29\x8f\x9e\x9f\x08"
""",
number=10000))
Python 2.7:
asn1crypto: 0.25
_der.py: 0.098
Python 3.5:
asn1crypto: 0.17
_der.py: 0.10
* Remove test dependencies on asn1crypto.
The remaining use of asn1crypto was some sanity-checking of
Certificates. Add a minimal X.509 parser to extract the relevant fields.
* Add a read_single_element helper function.
The outermost read is a little tedious.
* Address flake8 warnings
* Fix test for long-form vs short-form lengths.
Testing a zero length trips both this check and the non-minimal long
form check. Use a one-byte length to cover the missing branch.
* Remove support for negative integers.
These never come up in valid signatures. Note, however, this does
change public API.
* Update src/cryptography/hazmat/primitives/asymmetric/utils.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Review comments
* Avoid hardcoding the serialization of NULL in decode_asn1.py too.
|
| |
|
|
| |
detect md5 and don't generate short RSA keys
these changes will help if we actually try to run FIPS enabled
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* ed25519 support in x509 certificate builder
This adds minimal ed25519 support. More to come.
* Apply suggestions from code review
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
|
| |
|
|
|
|
|
|
| |
* test: regression test for UnicodeEncodeError in x509 name in #4810
added utf8 encoding at the top of the file due to PEP 263
* bugfix: #4810 resolve UnicodeEncodeError in x509 name
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* Fixes #4734 -- Deal with deprecated things
- Make year based aliases of PersistentlyDeprecated so we can easily assess age
- Removed encode/decode rfc6979 signature
- Removed Certificate.serial
* Unused import
|
| |
|
|
|
|
|
|
| |
* allow asn1 times of 1950-01-01 and later.
* add a test
* pretty up the test
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we used unix timestamps, but now we are switching to using
ASN1_TIME_set_string and automatically formatting the string based on
the year. The rule is as follows:
Per RFC 5280 (section 4.1.2.5.), the valid input time
strings should be encoded with the following rules:
1. UTC: YYMMDDHHMMSSZ, if YY < 50 (20YY) --> UTC: YYMMDDHHMMSSZ
2. UTC: YYMMDDHHMMSSZ, if YY >= 50 (19YY) --> UTC: YYMMDDHHMMSSZ
3. G'd: YYYYMMDDHHMMSSZ, if YYYY >= 2050 --> G'd: YYYYMMDDHHMMSSZ
4. G'd: YYYYMMDDHHMMSSZ, if YYYY < 2050 --> UTC: YYMMDDHHMMSSZ
Notably, Dates < 1950 are not valid UTCTime. At the moment we still
reject dates < Jan 1, 1970 in all cases but a followup PR can fix
that.
|
| |
|
|
|
|
| |
RFC 4514 does not explicitly allow whitespace between separators:
https://tools.ietf.org/html/rfc4514
Reported-by: David Arnold <dar@xoe.solutions>
|
| |
|
|
| |
(#4304)
|
| |
|
|
| |
RDNs can have multiple values. This allows them in FreshestCRL and
upcoming IssuingDistributionPoint encoding support.
|
| |
|
|
|
|
|
|
|
|
|
| |
* don't sort the serial numbers in a parsed CRL
OpenSSL sorts them in place and this breaks the signature and more.
fixes #4456
* cache the sorted CRL (but create it lazily)
* use the cache decorator
|
| |
|
|
|
| |
We already have coverage of the U-label deprecation warnings in
test_x509_ext.py; see TestRFC822Name.test_idna and
TestUniformResourceIdentifier.test_idna_no_port
|
| |
|
|
|
|
|
|
| |
* add crl.get_revoked_certificate method
* lexicographic is the best ographic
* rename
|
| |
|
|
|
|
|
|
|
|
| |
Previously we encoded them as UTF-8, but as best I can tell in reality a
BMPString is fixed-width basic multilingual plane big endian encoding.
This is basically UCS-2 (aka original Unicode). However, Python doesn't
support UCS-2 encoding so we need to use utf_16_be. This means you can encode
surrogate code points that are invalid in the context of what a
BMPString is supposed to be, but in reality I strongly suspect the sane
encoding ship has sailed and dozens if not hundreds of implementations
both do this and expect other systems to handle their nonsense.
|
| |
|
|
| |
Duplicate attributes now raise an error instead of silently discarding
duplicates.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Future proofing use of the six python version constants
After reading [1], noticed that cryptography uses a lot of if six.PY3
blocks. The issue with this is that whenever Python 4 is released,
this code in the else block will be executed even though it was
only intended for Python 2.
[1] http://astrofrog.github.io/blog/2016/01/12/stop-writing-python-4-incompatible-code/
Signed-off-by: Eric Brown <browne@vmware.com>
* Use not PY2 instead
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Raise a ValueError when conversion to generalizedtime fails
* added test for badasn1time value error
* pep8 compliance
* Addressing code review
+ VE now raises with ```{!r}``` formatting
+ Test now checks that the bad string made it into the VE message
* using ValueError.match
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Fix ASN1 string type encoding for several Name OIDs
When we changed over to the new type encoding system we didn't verify
that the new code exactly matched the ASN1 string types that OpenSSL was
previously choosing. This caused serialNumber, dnQualifier,
emailAddress, and domainComponent to change from their proper encodings
to UTF8String as of version 2.1.
Now we check to see if there's a sentinel value (indicating no custom
type has been passed) and then check if the OID has a different default
than UTF8. If it does, we set it.
This PR also adds tests for the ASN1 string type of ever supported
NameOID.
* review feedback
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Use a different warning class so users get warnings
* fixed tests
* do our own warning class
* typo
* flake8
|
| |
|
|
|
|
|
|
| |
* Inline calls to bit_length now that it's trivial
* unused imports
* An comment
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* backwards incompatible change to UniformResourceIdentifier
During this release cycle we decided to officially deprecate passing
U-labels to our GeneralName constructors. At first we tried changing
this in a purely backwards compatible way but get_values_for_type made
that untenable. This PR modifies URI to accept two types:
U-label strings (which raises a deprecation warning) and A-label strings
(the new preferred type). There is also a constructor for URI
that bypasses validation so we can parse garbage out of certificates
(and round trip it if necessary)
* nonsense empty commit 2.6 and codecov are the worst
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* backwards incompatible change to RFC822Name
During this release cycle we decided to officially deprecate passing
U-labels to our GeneralName constructors. At first we tried changing
this in a purely backwards compatible way but get_values_for_type made
that untenable. This PR modifies RFC822Name to accept two types:
U-label strings (which raises a deprecation warning) and A-label strings
(the new preferred type). There is also a constructor for RFC822Name
that bypasses validation so we can parse garbage out of certificates
(and round trip it if necessary)
* whoops
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Backwards incompatible change to DNSName
During this release cycle we decided to officially deprecate passing
U-labels to our GeneralName constructors. At first we tried changing
this in a purely backwards compatible way but get_values_for_type made
that untenable. This PR modifies DNSName to take three different types.
U-label strings (which raises a deprecation warning), A-label strings
(the new preferred type), and bytes (which are assumed to be decodable
to unicode strings). The latter, while supported, is primarily intended
for use by our parser and allows us to return the actual encoded data in
a certificate even if it has not been properly encoded to A-label before
the certificate is created. (Of course, if the certificate contains
invalid utf8 sequences this will still fail, but let's handle one
catastrophic failure at a time).
* coverage
* don't delete that asterisk from a test. it does things.
* no bytes in DNSName. Private constructor for bypassing validation
* test unicode in dnsname (yuck)
* fix docs
* empty commit, you disappoint me codecov
* CI is the worst
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* both parse and encode the ASN1 string type for Name attributes
Previously cryptography encoded everything (except country names) as
UTF8String. This caused problems with chain building in libraries like
NSS where the subject and issuer are expected to match byte-for-byte.
With this change we now parse and store the ASN1 string type as a
private _type in NameAttribute. We then use this to encode when issuing
a new certificate. This allows the CertificateBuilder to properly
construct an identical issuer and fixes the issue with NSS.
* make the sentinel private too
|
| |
|
|
|
|
|
|
|
|
| |
* add freshest CRL support
* add tests
* add changelog
* add tests for FreshestCRL generation
|
| |
|
| |
This is an extension for CRLs
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add support for the TLSFeature extension in x509
This extension is used for OCSP Must-Staple.
* fix changelog link
* pep8
* refactor to support the sequence properly and add status_request_v2
* update some language
* add test vector, implement eq/ne/hash on TLSFeature
* address review comments
|
|
|
* move x509 tests into a module
This is just to make grouping things like test_ocsp, etc a bit simpler
in the future
* fix path
* pep8
|
