| Commit message | Author | Age | Files | Lines |
| |
* add support for aes256-gcm@openssh.com decryption for SSH keys
* review feedback
* skip when bcrypt isn't present
| |
| |
* Rename Union type aliases to CamelCase
Many `typing.Union` type aliases were previously using `UPPER_SNAKE_CASE`, but Python's convention is `CamelCase` for these (e.g. https://docs.python.org/3/library/typing.html#type-aliases)
* Add utils.deprecated for the old non-underscore type aliases
* Added documentation for new type aliases & minor tweaks
* Use 'versionadded:: 40.0.0'
* Fix CertificatePublicKeyTypes vs CertificateIssuerPublicKeyTypes. Rename CertificatePrivateKeyTypes to CertificateIssuerPrivateKeyTypes
* Fix imports (ruff)
* Fix one more versionadded
* Tweak docs & Reorder: CertificateIssuerPublicKeyTypes before CertificateIssuerPrivateKeyTypes
* Fix test mypy errors using cast()
* Fix black, oops
* Revert "Fix black, oops"
This reverts commit 85344e231d697bdc0940e105f7aed729445f9743.
* Revert "Fix test mypy errors using cast()"
This reverts commit b272d8ca95fbbbc62060663f9e8930a139a7a43e.
* Revert type of SubjectKeyIdentifier.from_public_key arg
* Changelog tweak
| |
* Enforce max number of SSH certificate principals
There is an undocumented limit for the maximum number of valid principals accepted by the openssh tooling, as seen at:
* https://github.com/openssh/openssh-portable/blob/27267642699342412964aa785b98afd69d952c88/sshkey.h#L108
* https://github.com/openssh/openssh-portable/blob/25c8a2bbcc10c493d27faea57c42a6bf13fa51f2/sshkey.c#L1801
* https://github.com/openssh/openssh-portable/blob/6180b0fa4f7996687678702806257e661fd5931e/ssh-keygen.c#L1833
This change enforces that same restriction, as currently an SSH certificate can be generated that is invalid against the default sshd server. Consideration might be given for any non-openssh servers that accept openssh certificates, if they exist and want to allow a greater number of principals.
Of note, the 256 limit is not found in the spec for SSH certificates as defined at https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys. It instead seems to be arbitrarily chosen by the project as some limit was needed.
* Address formatting error.
* Comment on valid_principals size limit plus test added.
---------
Co-authored-by: Jake <jake@vaultish.com>
| |
* deprecate the rest of DSA support for SSH
* review comments
| |
* deprecate support for DSA in load_ssh_public_key
* try to prevent bad things a bit more
| |
* switch to using integers for valid_after/valid_before in SSH certs
* i know this, it's a unix timestamp
* one more review nit
| |
* SSHCertificateBuilder
This adds support for generating SSH certificates
* add deterministic signing tests and valid_for_all_principals
* test another edge
* one of these two fixes makes no sense
| |
* support SSH certificate parsing
DSA (deliberately) not supported
* make a unified API
* Update src/cryptography/hazmat/primitives/serialization/ssh.py
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
| |
this prevents duplicating this logic more times for ssh certs
| |
| |
| |
| |
'serialize_ssh_private_key' (#7439)
| |
| |
As someone who first with Python in 2.4 or so, this habit is going to be hard to break.
| |
| |
| |
If nothing else these are mypy friendly
| |
* More typing of the ssh module internals
* old python
| |
| |
remove some unneeded type ignores. This work found a missing type and
added it as well.
| |
| |
* backend typing for twofactor package and more otp work
* even more typing
* style fixes
* no generic typing for _get_backend
* remove unneeded typing
| |
* add serialization type hinting
* reorganize to prevent circular dependency
* review feedback
* damn you black
| |
Nothing is really annotated, just getting to clean.
| |
* Drop Python 2
* Black everything
| |
| |
| |
* Remove Python2 from CI and code that branched on it
* Update setup.py
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
* remove
* review feedback
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
| |
| |
* use _get_backend everywhere
* black
| |
| |
| |
* ssh.py contains load/serialize code.
* Add PrivateFormat.OpenSSH to .private_bytes() format.
* Add load_ssh_private_key().
* Use new code for PublicFormat.OpenSSH too.
* load_ssh_public_key() now supports reading signed public keys.
* Supported algorithms: rsa, dsa, ec, ed25519.
* Optional dependency on 'bcrypt' package via [ssh] extra
| |
* support ed25519 openssh public keys
* don't need this check
| |
* compressed point support
* refactor to use oct2point directly
* small docs change
* remove deprecation for the moment and a bit of review feedback
* no backend arg, implicitly import it
* missed a spot
* double oops
* remove superfluous call
* use refactored method
* use vector file
* one last item
|
* Move SSH serialization to its own file
* flake8