diff options
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | dev-requirements.txt | 1 | ||||
| -rw-r--r-- | docs/development/test-vectors.rst | 6 | ||||
| -rw-r--r-- | docs/hazmat/primitives/asymmetric/rsa.rst | 2 | ||||
| -rw-r--r-- | docs/hazmat/primitives/mac/index.rst | 2 | ||||
| -rw-r--r-- | docs/installation.rst | 2 | ||||
| -rw-r--r-- | docs/x509/reference.rst | 9 | ||||
| -rw-r--r-- | setup.py | 1 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 2 | ||||
| -rw-r--r-- | src/cryptography/utils.py | 14 | ||||
| -rw-r--r-- | tests/hypothesis/__init__.py | 5 | ||||
| -rw-r--r-- | tests/hypothesis/test_fernet.py | 11 | ||||
| -rw-r--r-- | tests/test_x509.py | 24 | ||||
| -rw-r--r-- | tox.ini | 3 |
14 files changed, 66 insertions, 17 deletions
@@ -11,3 +11,4 @@ htmlcov/ *.egg .eggs/ *.py[co] +.hypothesis/ diff --git a/dev-requirements.txt b/dev-requirements.txt index 440d3b0f..6130eb37 100644 --- a/dev-requirements.txt +++ b/dev-requirements.txt @@ -12,5 +12,6 @@ sphinx_rtd_theme sphinxcontrib-spelling tox twine +hypothesis -e . -e vectors diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst index 0495cc77..25871d5c 100644 --- a/docs/development/test-vectors.rst +++ b/docs/development/test-vectors.rst @@ -396,14 +396,14 @@ header format (substituting the correct information): .. _`IETF`: https://www.ietf.org/ .. _`NIST CAVP`: http://csrc.nist.gov/groups/STM/cavp/ .. _`Bruce Schneier's vectors`: https://www.schneier.com/code/vectors.txt -.. _`Camellia page`: http://info.isl.ntt.co.jp/crypt/eng/camellia/ -.. _`CRYPTREC`: http://www.cryptrec.go.jp +.. _`Camellia page`: https://info.isl.ntt.co.jp/crypt/eng/camellia/ +.. _`CRYPTREC`: https://www.cryptrec.go.jp .. _`OpenSSL's test vectors`: https://github.com/openssl/openssl/blob/97cf1f6c2854a3a955fd7dd3a1f113deba00c9ef/crypto/evp/evptests.txt#L232 .. _`RIPEMD website`: http://homes.esat.kuleuven.be/~bosselae/ripemd160.html .. _`Whirlpool website`: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html .. _`draft RFC`: https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01 .. _`Specification repository`: https://github.com/fernet/spec -.. _`errata`: http://www.rfc-editor.org/errata_search.php?rfc=6238 +.. _`errata`: https://www.rfc-editor.org/errata_search.php?rfc=6238 .. _`OpenSSL example key`: https://github.com/openssl/openssl/blob/d02b48c63a58ea4367a0e905979f140b7d090f86/test/testrsa.pem .. _`GnuTLS key parsing tests`: https://gitlab.com/gnutls/gnutls/commit/f16ef39ef0303b02d7fa590a37820440c466ce8d .. _`enc-rsa-pkcs8.pem`: https://gitlab.com/gnutls/gnutls/blob/f8d943b38bf74eaaa11d396112daf43cb8aa82ae/tests/pkcs8-decode/encpkcs8.pem diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst index a67ea47f..f88750cf 100644 --- a/docs/hazmat/primitives/asymmetric/rsa.rst +++ b/docs/hazmat/primitives/asymmetric/rsa.rst @@ -652,4 +652,4 @@ Key interfaces .. _`Chinese Remainder Theorem`: https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29#Using_the_Chinese_remainder_algorithm .. _`security proof`: http://eprint.iacr.org/2001/062.pdf .. _`recommended padding algorithm`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html -.. _`proven secure`: http://cseweb.ucsd.edu/~mihir/papers/oae.pdf +.. _`proven secure`: https://cseweb.ucsd.edu/~mihir/papers/oae.pdf diff --git a/docs/hazmat/primitives/mac/index.rst b/docs/hazmat/primitives/mac/index.rst index bc54bae4..05db708c 100644 --- a/docs/hazmat/primitives/mac/index.rst +++ b/docs/hazmat/primitives/mac/index.rst @@ -9,7 +9,7 @@ recommend that HMAC should be used unless you have a good reason otherwise. For more information on why HMAC is preferred, see `Use cases for CMAC vs. HMAC?`_ -.. _`Use cases for CMAC vs. HMAC?`: http://crypto.stackexchange.com/questions/15721/use-cases-for-cmac-vs-hmac +.. _`Use cases for CMAC vs. HMAC?`: https://crypto.stackexchange.com/questions/15721/use-cases-for-cmac-vs-hmac .. toctree:: :maxdepth: 1 diff --git a/docs/installation.rst b/docs/installation.rst index fd9a2d77..1456b724 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -196,7 +196,7 @@ information, consult `Greg Wilson's blog post`_ on the subject. .. _`Homebrew`: http://brew.sh -.. _`MacPorts`: http://www.macports.org +.. _`MacPorts`: https://www.macports.org .. _`32-bit`: https://jenkins.cryptography.io/job/openssl-win32-release/ .. _`64-bit`: https://jenkins.cryptography.io/job/openssl-win64-release/ .. _`bug in conda`: https://github.com/conda/conda-recipes/issues/110 diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst index 62bdb3a9..87383db1 100644 --- a/docs/x509/reference.rst +++ b/docs/x509/reference.rst @@ -496,9 +496,8 @@ X.509 Certificate Builder Adds an X.509 extension to the certificate. - :param extension: The extension to add to the certificate. Can be one - of :class:`~cryptography.x509.BasicConstraints` or - :class:`~cryptography.x509.SubjectAlternativeName`. + :param extension: An extension conforming to the + :class:`~cryptography.x509.ExtensionType` interface. :param critical: Set to ``True`` if the extension must be understood and handled by whoever reads the certificate. @@ -663,8 +662,8 @@ X.509 CSR (Certificate Signing Request) Builder Object .. method:: add_extension(extension, critical) - :param extension: The :class:`~cryptography.x509.Extension` to add to - the request. + :param extension: An extension conforming to the + :class:`~cryptography.x509.ExtensionType` interface. :param critical: Set to `True` if the extension must be understood and handled by whoever reads the certificate. :returns: A new @@ -60,6 +60,7 @@ test_requirements = [ "pytest<2.8", "pretend", "iso8601", + "hypothesis", ] # If there's no vectors locally that probably means we are in a tarball and diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index d30bfc29..ac025e95 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -235,7 +235,7 @@ def _encode_basic_constraints(backend, basic_constraints): constraints, backend._lib.BASIC_CONSTRAINTS_free ) constraints.ca = 255 if basic_constraints.ca else 0 - if basic_constraints.ca: + if basic_constraints.ca and basic_constraints.path_length is not None: constraints.pathlen = _encode_asn1_int( backend, basic_constraints.path_length ) diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index 237d5968..dac4046d 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -58,6 +58,12 @@ class InterfaceNotImplemented(Exception): pass +if hasattr(inspect, "signature"): + signature = inspect.signature +else: + signature = inspect.getargspec + + def verify_interface(iface, klass): for method in iface.__abstractmethods__: if not hasattr(klass, method): @@ -67,13 +73,13 @@ def verify_interface(iface, klass): if isinstance(getattr(iface, method), abc.abstractproperty): # Can't properly verify these yet. continue - spec = inspect.getargspec(getattr(iface, method)) - actual = inspect.getargspec(getattr(klass, method)) - if spec != actual: + sig = signature(getattr(iface, method)) + actual = signature(getattr(klass, method)) + if sig != actual: raise InterfaceNotImplemented( "{0}.{1}'s signature differs from the expected. Expected: " "{2!r}. Received: {3!r}".format( - klass, method, spec, actual + klass, method, sig, actual ) ) diff --git a/tests/hypothesis/__init__.py b/tests/hypothesis/__init__.py new file mode 100644 index 00000000..4b540884 --- /dev/null +++ b/tests/hypothesis/__init__.py @@ -0,0 +1,5 @@ +# This file is dual licensed under the terms of the Apache License, Version +# 2.0, and the BSD License. See the LICENSE file in the root of this repository +# for complete details. + +from __future__ import absolute_import, division, print_function diff --git a/tests/hypothesis/test_fernet.py b/tests/hypothesis/test_fernet.py new file mode 100644 index 00000000..fd243803 --- /dev/null +++ b/tests/hypothesis/test_fernet.py @@ -0,0 +1,11 @@ +from hypothesis import given +from hypothesis.strategies import binary + +from cryptography.fernet import Fernet + + +@given(binary()) +def test_fernet(data): + f = Fernet(Fernet.generate_key()) + ct = f.encrypt(data) + assert f.decrypt(ct) == data diff --git a/tests/test_x509.py b/tests/test_x509.py index 220e71a5..0c022df1 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -1601,6 +1601,30 @@ class TestCertificateBuilder(object): decipher_only=False ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_build_ca_request_with_path_length_none(self, backend): + private_key = RSA_KEY_2048.private_key(backend) + + request = x509.CertificateSigningRequestBuilder().subject_name( + x509.Name([ + x509.NameAttribute(NameOID.ORGANIZATION_NAME, + u'PyCA'), + ]) + ).add_extension( + x509.BasicConstraints(ca=True, path_length=None), critical=True + ).sign(private_key, hashes.SHA1(), backend) + + loaded_request = x509.load_pem_x509_csr( + request.public_bytes(encoding=serialization.Encoding.PEM), backend + ) + subject = loaded_request.subject + assert isinstance(subject, x509.Name) + basic_constraints = request.extensions.get_extension_for_oid( + ExtensionOID.BASIC_CONSTRAINTS + ) + assert basic_constraints.value.path_length is None + @pytest.mark.requires_backend_interface(interface=X509Backend) class TestCertificateSigningRequestBuilder(object): @@ -8,6 +8,7 @@ deps = iso8601 pretend pytest<2.8 + hypothesis>=1.11.4 ./vectors passenv = ARCHFLAGS LDFLAGS CFLAGS INCLUDE LIB LD_LIBRARY_PATH USERNAME commands = @@ -85,7 +86,7 @@ commands = py.test --capture=no --strict --random {posargs} [flake8] -exclude = .tox,*.egg,.git,_build +exclude = .tox,*.egg,.git,_build,.hypothesis select = E,W,F,N,I application-import-names = cryptography,cryptography_vectors,tests |