| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
| |
Also replace one DH function with a simpler implementation
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
* support equality checks on all public asymmetric key types
* review feedback
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This removes the OS random engine, which contained the only CPython PSF
licensed code in the repository. Accordingly, that license has now been
removed.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
- Avoid typing.cast
- Consolidate bn_ctx allocations
|
| |
|
|
|
|
|
|
|
|
|
|
| |
EC_KEY_set_public_key_affine_coordinates calls EC_KEY_check_key, which
checks the point isn't at infinity, that it is on the curve (which has
already been done by EC_POINT_set_affine_coordinates), and that the
private scalar matches the public point.
We don't want to do expensive checks twice, so instead we swap to calling
EC_POINT_set_affine_coordinates directly and implement a private scalar
matches public point check of our own.
Also we no longer call deprecated functions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Rename Union type aliases to CamelCase
Many `typing.Union` type aliases were previously using `UPPER_SNAKE_CASE`, but Python's convention is `CamelCase` for these (e.g. https://docs.python.org/3/library/typing.html#type-aliases)
* Add utils.deprecated for the old non-underscore type aliases
* Added documentation for new type aliases & minor tweaks
* Use 'versionadded:: 40.0.0'
* Fix CertificatePublicKeyTypes vs CertificateIssuerPublicKeyTypes. Rename CertificatePrivateKeyTypes to CertificateIssuerPrivateKeyTypes
* Fix imports (ruff)
* Fix one more versionadded
* Tweak docs & Reorder: CertificateIssuerPublicKeyTypes before CertificateIssuerPrivateKeyTypes
* Fix test mypy errors using cast()
* Fix black, oops
* Revert "Fix black, oops"
This reverts commit 85344e231d697bdc0940e105f7aed729445f9743.
* Revert "Fix test mypy errors using cast()"
This reverts commit b272d8ca95fbbbc62060663f9e8930a139a7a43e.
* Revert type of SubjectKeyIdentifier.from_public_key arg
* Changelog tweak
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
* add support for centos9-fips
Requires a variety of new FIPS constraints on our tests, including the
addition of rsa_encryption_supported
* review comments
|
| |
|
|
|
| |
1. use public API for loading DER cert
2. use length-API for PKCS12 friendly name, not NUL-terminated
3. don't upref and GC and X509* that doesn't need to live longer
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
| |
It's more than 60x faster.
|
| |
|
|
|
| |
* Rewrite PKCS7 signature generation in Rust
* Update src/rust/src/pkcs7.rs
|
| |
|
|
|
|
|
|
|
| |
* LibreSSL 3.7 adds support for Ed25519
This brings support for the raw public key API.
* Use feature variable to enable Ed25519
Ed25519 support is available since OpenSSL 1.1.1b and LibreSSL 3.7.0.
|
| |
|
| |
This is the version of LibreSSL in OpenBSD 7.1, which is the oldest currently supported.
|
| |
|
| |
Partial revert of 6578d86ec557e0b4af2ba9d0c0a821fe939044ee
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
* bump tests to 3.0.6
* qs become rs
* fix openssl 3.0.6 error stack bug in pkcs12
* flake
* more comment
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add unsafe_skip_rsa_key_validation
This allows users to skip RSA key validation when calling
load_pem_private_key, load_der_private_key, and
RSAPrivateNumbers.private_key. This is a significant performance
improvement but is **only safe if you know the key is valid**. If you
use this when the key is invalid OpenSSL makes no guarantees about what
might happen. Infinite loops, crashes, and all manner of terrible things
become possible if that occurs. Beware, beware, beware.
* Apply suggestions from code review
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* remove unneeded variable
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
| |
|
| |
Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52024
|
| |
|
|
|
| |
You must pass CRYPTOGRAPHY_OPENSSL_NO_LEGACY for this to be allowed.
Downstreams can easily patch this check out if they want to default to
this behavior.
|
| | |
|
| | |
|
| |
|
| |
This policy is to support things that are in supported versions of openbsd. the current oldest supported openbsd is 7.0, which included libressl 3.4
|
| |
|
|
| |
(#7598)
|
| | |
|
| | |
|
| |
|
| |
We already require pyOpenSSL>=22.0, but pyOpenSSL has not required this fallback since 21.0.
|
| | |
|
| |
|
|
|
| |
There's still a few TODOs for cleanup.
Refs #7109
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* support setting more PKCS12 serialization encryption options
This is limited support, but makes it possible to set two different PBES
choices as well as set KDF rounds and MAC algorithm
* Apply suggestions from code review
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* review feedback redux
* Update docs/hazmat/primitives/asymmetric/serialization.rst
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
