Co-authored-by: Michael Lazar <mlazar@doctorondemand.com>
* Drop CI for OpenSSL 1.0.2
* Delete code for coverage reasons
* Bump minimum cryptography version
* Fixing issue #798, thanks to @reaperhulk; removing undocumented '%s' option and getting the date in a more robust way
Co-authored-by: Joseba Alberdi <j.alberdi@simuneatomistics.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* fixed tests for twisted change
* crypto._PassphraseHelper: pass non-callable passphrase using callback
Fixes #945
Before this commit, we would pass a bytes passphrase as a null-terminated string.
This causes an issue when a randomly generated key's first byte is null because
OpenSSL rightly determines the key length is 0.
This commit modifies the passphrase helper to pass the passphrase via the callback.
* Update changelog to document bug fix
X509StoreContext (#948)
The additional certificates provided in the new `chain` parameter will be
untrusted but may be used to build the chain.
This makes it easier to validate a certificate against a store which
contains only root CA certificates, and the intermediates come from e.g.
the same untrusted source as the certificate to be verified.
Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
Add X509Store.load_locations() to set a CA bundle file and/or an
OpenSSL-style hashed CA/CRL lookup directory, similar to the already existing
SSL.Context.load_verify_locations().
Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* Context.set_verify: allow omission of callback
* squeeze to 80 chars
* make it clear that default callback is used
* Allow accessing a connection's verified certificate chain
Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain.
Add Connection.get_verified_chain using SSL_get0_verified_chain if
available (i.e. OpenSSL 1.1+) and X509StoreContext.get_verified_chain
otherwise.
Fixes #740.
* TLSv1_METHOD -> SSLv23_METHOD
* Use X509_up_ref instead of X509_dup
* Add _openssl_assert where appropriate
* SSL_get_peer_cert_chain should not be null
* Reformat with black
* Fix <OpenSSL.crypto.X509 object at 0x7fdbb59e8050> != <OpenSSL.crypto.X509 object at 0x7fdbb59daad0>
* Add Changelog entry
* Remove _add_chain
* focal time
* larger dh params, assert on something
* urllib3 fix
* actually check an error
* remove npn support entirely. you should be using alpn
* flake8
* newer pypy
* missed one
* we don't support ancient cffi any more
* simplify
* generate new certs and keys with 3072-bit RSA
* black
* add a test to avoid losing coverage
* make our CI less frustrating
* sigh, even less sensitive
* can we stop doing this on macos now?
* _only_ update the image
* Update .travis.yml
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
* Remove RPM build script that we have no idea if it works
* MANIFEST.in as well
* add SSL.Context.set_keylog_callback
* don't fail on missing attribute
* lint!
* make it black
* `sudo` key is deprecated
* `os` key is missing
* `matrix` is an alias for `jobs`
From RFC 5280, section 4.1.2.9:
[Extensions] MUST only appear if the version is 3 (Section 4.1.2.1).
If present, this field is a SEQUENCE of one or more certificate
extensions. The format and content of certificate extensions in the
Internet PKI are defined in Section 4.2.
X509 objects default to v1, so the test certs need a set_version(2) call. (Note
v3 is encoded as 2.)
* Uhhh, fix twisted tests to actually run twisted (wat)
* Update tox.ini
* fix PKey.check for some broken keys
RSA_check_key is documented to return 1 for valid keys.
It (currently) returns 0 or -1 for invalid ones.
The previous code accepted invalid keys if RSA_check_key returns -1!
* add test
* ALPN: complete handshake without accepting a client's protocols.
The callback passed to `SSL_CTX_set_alpn_select_cb` can return
`SSL_TLSEXT_ERR_NOACK` to allow the handshake to continue without
accepting any of the client's offered protocols.
This commit introduces `NO_OVERLAPPING_PROTOCOLS`, which the Python
callback passed to `Context.set_alpn_select_callback` can return to
achieve the same thing.
It does not change the previous meaning of an empty string, which
still terminates the handshake.
* Update src/OpenSSL/SSL.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Address @alex's review.
* Use recorded value in test, fix lint error.
* Cover TypeError branch in _ALPNHelper.callback
* use _ffi.from_buffer(buf) in send, to support bytearray
* add bytearray test
* update CHANGELOG.rst
* move from_buffer before 'buffer too long' check
* context-managed from_buffer + black
* don't shadow buf in send()
* test return count for sendall
* test sending an array
* fix test
* also use from_buffer in bio_write
* de-format _util.py
* formatting
* add simple bio_write tests
* wrap line
Users with older cryptography (and hence potentially older asn1crypto, a
transitive dependency) are seeing a serious bug on macOS Catalina due to
the way older asn1crypto loads a shared library. While this isn't a
pyOpenSSL bug, bumping this dep might prevent the bug from impacting
some users.