|  | Commit message (Collapse) | Author | Age | Files | Lines | 
|---|
| | * Refs #5075 -- use x448_test.json from wycheproof
* Fixed test
* crypto libraries from people who can't math, it's fine
* Skip the weirdo 57 byte public keys | 
| | * Get tests passing with latest wycheproof clone
* Fix x25519 wycheproof tests
* Fix for acme repo changes | 
| | have RC2 (#5072)
* Refs #5065 -- have a CI job with OpenSSL built with no-rc2
* Fixes #5065 -- skip serialization tests which use RC2 if OpenSSL doesn't have RC2 | 
| | * add single_extensions to OCSPResponse (#4753)
* new vector, updated docs, more stringent parser, changelog, etc
* simplify PR (no SCT for now)
* add a comment
* finish pulling out the sct stuff so tests might actually run | 
| | Failing that would lead to an OpenSSL error when calling OBJ_txt2obj at
serialization.
Adds basic tests for oids. | 
| | * Deal with the 2.5 deprecations
* pep8 + test fixes
* docs typo
* Why did I do this?
* typo | 
| | * Fixes #5018 -- break users on OpenSSL 1.0.1
* Grammar
* Syntax error
* Missing import
* Missing import | 
| | * Support ed25519 in csr/crl creation
* Tests for ed25519/x509
* Support ed448 in crt/csr/crl creation
* Tests for ed448/x509
* Support ed25519/ed448 in OCSPResponseBuilder
* Tests for eddsa in OCSPResponseBuilder
* Builder check missing in create_x509_csr
* Documentation update for ed25519+ed448 in x509 | 
| | Per RFC5280 it is allowed in both certificates and CRL-s. | 
| | * fix coverage by adding two artificial DSA public keys
One key removes the optional parameters from the structure to cover a
branch conditional, and the other key has its BITSTRING padding value
set to a non-zero value.
* lexicographic? never heard of it | 
| | * Make DER reader into a context manager
* Added another test case
* flake8 | 
| | * Remove non-test dependencies on asn1crypto.
cryptography.io actually contains two OpenSSL bindings right now, the
expected cffi one, and an optional one hidden in asn1crypto. asn1crypto
contains a lot of things that cryptography.io doesn't use, including a
BER parser and a hand-rolled and not constant-time EC implementation.
Instead, check in a much smaller DER-only parser in cryptography/hazmat. A
quick benchmark suggests this parser is also faster than asn1crypto:
  from __future__ import absolute_import, division, print_function
  import timeit
  print(timeit.timeit(
      "decode_dss_signature(sig)",
      setup=r"""
  from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
  sig=b"\x30\x2d\x02\x15\x00\xb5\xaf\x30\x78\x67\xfb\x8b\x54\x39\x00\x13\xcc\x67\x02\x0d\xdf\x1f\x2c\x0b\x81\x02\x14\x62\x0d\x3b\x22\xab\x50\x31\x44\x0c\x3e\x35\xea\xb6\xf4\x81\x29\x8f\x9e\x9f\x08"
  """,
      number=10000))
Python 2.7:
  asn1crypto: 0.25
  _der.py: 0.098
Python 3.5:
  asn1crypto: 0.17
  _der.py: 0.10
* Remove test dependencies on asn1crypto.
The remaining use of asn1crypto was some sanity-checking of
Certificates. Add a minimal X.509 parser to extract the relevant fields.
* Add a read_single_element helper function.
The outermost read is a little tedious.
* Address flake8 warnings
* Fix test for long-form vs short-form lengths.
Testing a zero length trips both this check and the non-minimal long
form check. Use a one-byte length to cover the missing branch.
* Remove support for negative integers.
These never come up in valid signatures. Note, however, this does
change public API.
* Update src/cryptography/hazmat/primitives/asymmetric/utils.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Review comments
* Avoid hardcoding the serialization of NULL in decode_asn1.py too. | 
| | detect md5 and don't generate short RSA keys
these changes will help if we actually try to run FIPS enabled | 
| | * Remove irrelevant DHBackend test conditions
DHBackend provides functions for plain finite-field Diffie-Hellman.
X25519 and X448 are their own algorithms, and Ed25519 and Ed448 aren't
even Diffie-Hellman primitives.
* Add missing backend support checks.
Some new AES and EC tests did not check for whether the corresponding
mode or curve was supported by the backend.
* Add a DummyMode for coverage | 
| | * ed25519 support in x509 certificate builder
This adds minimal ed25519 support. More to come.
* Apply suggestions from code review
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com> | 
| | * we don't have these mac builders any more
let's see if we get coverage from azure like we should!
* remove a branch we can't cover in tests
* remove unused import | 
| | * test: ensure all public members of ExtensionOID have names defined
* add name for ExtensionOID.PRECERT_POISON
ref: https://github.com/google/certificate-transparency/blob/5fce65cb60cfe7808afc98de23c7dd5ddbfa1509/python/ct/crypto/asn1/oid.py#L338 | 
| | * fix aia encoding memory leak
* don't return anything from the prealloc func | 
| | Using an all 0 key causes failures in OpenSSL master (and Fedora has
cherry-picked the commit that causes it). The change requires that the
key/tweak for XTS mode not be the same value, so let's just use a random
key. | 
| | * fix from_issuer_subject_key_identifier to take the right type
deprecate passing the old Extension wrapper object
* don't use a try:except:
* hilarious contortions to satisfy doc8 | 
| | * test: regression test for UnicodeEncodeError in x509 name in #4810
added utf8 encoding at the top of the file due to PEP 263
* bugfix: #4810 resolve UnicodeEncodeError in x509 name | 
| | * fix a memory leak in AIA parsing
* oops can't remove that | 
| | * fix != comparison in py2 (fixes #4821)
* remove blank line b/c pep8
* move __ne__ next to __eq__ as per review request | 
| | we don't support ed448 openssh keys so we'll use that to test this
branch. if we ever do support ed448 keys we can always just call this
private method directly to keep coverage. | 
| | * add OpenSSH serialization for ed25519 keys (#4808)
* address review comments | 
| | * poly1305 support
* some more tests
* have I mentioned how bad the spellchecker is?
* doc improvements
* EVP_PKEY_new_raw_private_key copies the key but that's not documented
Let's assume that might change and be very defensive
* review feedback
* add a test that fails on a tag of the correct length but wrong value
* docs improvements | 
| | * support ed25519 openssh public keys
* don't need this check | 
| | * ed448 support
* move the changelog entry
* flake8 | 
| | * ed25519 support
* review feedback | 
| | * support OPENSSL_NO_ENGINE
* support some new openssl config args
* sigh | 
| | * add an EC OID to curve dictionary mapping
* oid_to_curve function
* changelog and docs fix
* rename to get_curve_for_oid | 
| | * encode the package version in the shared object
* review feedback
* move into build_ffi so the symbol is in all shared objects
* review feedback | 
| | * Run wycheproof RSA tests on LibreSSL>=2.8
* Define it this way
* These are errors on libressl | 
| | * Fixes #4734 -- Deal with deprecated things
- Make year based aliases of PersistentlyDeprecated so we can easily assess age
- Removed encode/decode rfc6979 signature
- Removed Certificate.serial
* Unused import | 
| | * allow asn1 times of 1950-01-01 and later.
* add a test
* pretty up the test | 
| | Previously we used unix timestamps, but now we are switching to using
ASN1_TIME_set_string and automatically formatting the string based on
the year. The rule is as follows:
Per RFC 5280 (section 4.1.2.5.), the valid input time
strings should be encoded with the following rules:
1. UTC: YYMMDDHHMMSSZ, if YY < 50 (20YY) --> UTC: YYMMDDHHMMSSZ
2. UTC: YYMMDDHHMMSSZ, if YY >= 50 (19YY) --> UTC: YYMMDDHHMMSSZ
3. G'd: YYYYMMDDHHMMSSZ, if YYYY >= 2050 --> G'd: YYYYMMDDHHMMSSZ
4. G'd: YYYYMMDDHHMMSSZ, if YYYY < 2050 --> UTC: YYMMDDHHMMSSZ
Notably, Dates < 1950 are not valid UTCTime. At the moment we still
reject dates < Jan 1, 1970 in all cases but a followup PR can fix
that. |