summaryrefslogtreecommitdiff
path: root/src/cryptography/hazmat/primitives/serialization
Commit message (Collapse)AuthorAgeFilesLines
* add support for aes256-gcm@openssh.com decryption for SSH keys (#8738)Paul Kehrer2023-04-151-23/+85
| | | | | | | * add support for aes256-gcm@openssh.com decryption for SSH keys * review feedback * skip when bcrypt isn't present
* Use from __future__ import annotations everywhere (#8643)Alex Gaynor2023-03-315-16/+23
|
* Added support for handling python buffers in Rust code (#8556)Alex Gaynor2023-03-211-1/+1
| | | This is extra mega cursed, and strictly speaking unsound. It does, however, match the status quo ante, where someone mutating a buffer while its being used in cffi code will basically always be UB.
* Make Union type aliases a documented public API (#8168)Marti Raudsepp2023-03-075-39/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Rename Union type aliases to CamelCase Many `typing.Union` type aliases were previously using `UPPER_SNAKE_CASE`, but Python's convention is `CamelCase` for these (e.g. https://docs.python.org/3/library/typing.html#type-aliases) * Add utils.deprecated for the old non-underscore type aliases * Added documentation for new type aliases & minor tweaks * Use 'versionadded:: 40.0.0' * Fix CertificatePublicKeyTypes vs CertificateIssuerPublicKeyTypes. Rename CertificatePrivateKeyTypes to CertificateIssuerPrivateKeyTypes * Fix imports (ruff) * Fix one more versionadded * Tweak docs & Reorder: CertificateIssuerPublicKeyTypes before CertificateIssuerPrivateKeyTypes * Fix test mypy errors using cast() * Fix black, oops * Revert "Fix black, oops" This reverts commit 85344e231d697bdc0940e105f7aed729445f9743. * Revert "Fix test mypy errors using cast()" This reverts commit b272d8ca95fbbbc62060663f9e8930a139a7a43e. * Revert type of SubjectKeyIdentifier.from_public_key arg * Changelog tweak
* fixes #8298 -- correctly generate content-type header in PKCS#7 SMIME (#8389)Alex Gaynor2023-02-261-4/+19
|
* Enforce max number of SSH certificate principals (#8376)Jake2023-02-231-0/+10
| | | | | | | | | | | | | | | | | | | | * Enforce max number of SSH certificate principals There is an undocumented limit for the maximum number of valid principals accepted by the openssh tooling, as seen at: * https://github.com/openssh/openssh-portable/blob/27267642699342412964aa785b98afd69d952c88/sshkey.h#L108 * https://github.com/openssh/openssh-portable/blob/25c8a2bbcc10c493d27faea57c42a6bf13fa51f2/sshkey.c#L1801 * https://github.com/openssh/openssh-portable/blob/6180b0fa4f7996687678702806257e661fd5931e/ssh-keygen.c#L1833 This change enforces that same restriction as currently a SSH certificate can be generated that is invalid against the default sshd server. Consideration might be given for any non openssh servers that accept openssh certificates, if they exist and want to allow a greater number of principals. Of note, the 256 limit is not found in the spec for SSH certificates as defined at https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys. It instead seems to be arbitrarily chosen by the project as some limit was needed. * Address formatting error. * Comment on valid_prinicpals size limit plus test added. --------- Co-authored-by: Jake <jake@vaultish.com>
* remove the last vestiges of sha1 out of pkcs7 (#8032)Paul Kehrer2023-01-091-2/+1
| | | we already didn't support signing (released in 39.0)
* deprecate the rest of DSA support for SSH (#8013)Paul Kehrer2023-01-091-0/+22
| | | | | * deprecate the rest of DSA support for SSH * review comments
* deprecate support for DSA in load_ssh_public_key (#8009)Paul Kehrer2023-01-081-43/+26
| | | | | * deprecate support for DSA in load_ssh_public_key * try to prevent bad things a bit more
* switch to using integers for valid_after/valid_before in SSH certs (#8007)Paul Kehrer2023-01-081-33/+21
| | | | | | | * switch to using integers for valid_after/valid_before in SSH certs * i know this, it's a unix timestamp * one more review nit
* SSHCertificateBuilder (#8004)Paul Kehrer2023-01-082-0/+413
| | | | | | | | | | | * SSHCertificateBuilder This adds support for generating SSH certificates * add deterministic signing tests and valid_for_all_principals * test another edge * one of these two fixes makes no sense
* support SSH certificate parsing (#7960)Paul Kehrer2023-01-072-1/+279
| | | | | | | | | | | | | * support SSH certificate parsing DSA (deliberately) not supported * make a unified API * Update src/cryptography/hazmat/primitives/serialization/ssh.py Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* small refactor in ssh for key type (#7983)Paul Kehrer2023-01-051-20/+23
| | | this prevents duplicating this logic more times for ssh certs
* Update formatting for new ruff (#7937)Alex Gaynor2022-12-261-1/+1
|
* Switch from flake8 to ruff (#7920)Alex Gaynor2022-12-213-6/+2
| | | It's more than 60x faster.
* Annotate a few more functions (#7876)Alex Gaynor2022-12-041-1/+1
|
* Rewrite PKCS7 signature generation in Rust (#7729)Alex Gaynor2022-11-251-6/+48
| | | | | * Rewrite PKCS7 signature generation in Rust * Update src/rust/src/pkcs7.rs
* update for new mypy (with more accurate typing) (#7785)Alex Gaynor2022-11-081-1/+3
|
* Remove SHA1 signatures support from PKCS7 (#7734)Alex Gaynor2022-10-221-1/+0
|
* Convert basic PKCS7 generation to Rust (#7700)Alex Gaynor2022-10-121-3/+2
|
* add unsafe_skip_rsa_key_validation (#7667)Paul Kehrer2022-10-031-2/+10
| | | | | | | | | | | | | | | | | | | * add unsafe_skip_rsa_key_validation This allows users to skip RSA key validation when calling load_pem_private_key, load_der_private_key, and RSAPrivateNumbers.private_key. This is a significant performance improvement but is **only safe if you know the key is valid**. If you use this when the key is invalid OpenSSL makes no guarantees about what might happen. Infinite loops, crashes, and all manner of terrible things become possible if that occurs. Beware, beware, beware. * Apply suggestions from code review Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * remove unneeded variable Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* support setting more PKCS12 serialization encryption options (#7560)Paul Kehrer2022-09-051-0/+9
| | | | | | | | | | | | | | | | | | * support setting more PKCS12 serialization encryption options This is limited support, but makes it possible to set two different PBES choices as well as set KDF rounds and MAC algorithm * Apply suggestions from code review Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * review feedback redux * Update docs/hazmat/primitives/asymmetric/serialization.rst Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* PoC for making key serialization more configurable (#7520)Alex Gaynor2022-08-222-4/+13
|
* remove bizzare dead code (#7444)Alex Gaynor2022-07-221-3/+1
|
* feat: drop max password length of 72 characters from ↵Andrew Pantuso2022-07-201-6/+0
| | | | 'serialize_ssh_private_key' (#7439)
* serialize certs to pkcs7 (#7034)Paul Kehrer2022-04-041-0/+9
| | | | | * serialize certs to pkcs7 * missed assert
* Serialize PKCS12 CA alias/friendlyName (#6910)ajoino2022-03-291-2/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | * PKCS12 serialization wrapper supports PKCS12Certificate cas * Added code from Felix's gist to serialize_key_and_certificate_to_pkcs12. Doesn't break current behaviour/tests, need to write validate new behaviour, write tests, and format code. * Simplified instance check * Tried to write tests, but I cannot figure out how to read the friendlyName from parsed_more_certs. * Fixed test function and renamed it. * Fixed formatting. * Commiting before trying black * Formatted updates to make flake8 and black happy. * Fixed first review comments. * remove forgotten print statement * use backend.openssl_assert instead of if ... * Documented changes. * Updated documentation.
* Convert some old-style formatting to f strings (#6945)Alex Gaynor2022-03-131-4/+4
|
* allow ed pk12, better tests (#6865)whiteowl32022-02-271-1/+6
| | | | | * dont block pk12 serialization of ed pairs * mimic test_ec curve skipping to satisfy alpine ci
* Don't explicitly define __ne__ any longer (#6908)Alex Gaynor2022-02-271-6/+0
| | | At some point it gained a default that was the same as what we were implementing.
* Remove explicit subclassing of object now that all classes are new-style (#6830)Alex Gaynor2022-01-302-6/+6
| | | As someone who first with Python in 2.4 or so, this habit is going to be hard to break.
* Format for new black (#6828)Alex Gaynor2022-01-291-1/+1
|
* more internal typing for ssh (#6779)Paul Kehrer2022-01-031-25/+63
|
* Swap out the struct module for int methods (#6774)Alex Gaynor2021-12-301-7/+3
| | | If nothing else these are mypy friendly
* More typing of the ssh module internals (#6772)Alex Gaynor2021-12-291-33/+37
| | | | | * More typing of the ssh module internals * old python
* Start typing the internals of the ssh module (#6761)Alex Gaynor2021-12-271-6/+23
|
* consistently use object for other in eq/ne types (#6756)Paul Kehrer2021-12-261-4/+4
| | | | this appears to be best practice and also makes the mypy type-coverage analysis happier
* add some more mypy flags (#6751)Paul Kehrer2021-12-231-4/+1
| | | | remove some unneeded type ignores. This work found a missing type and added it as well.
* improvements to public/private key types and misc backend typing (#6734)Paul Kehrer2021-12-231-1/+1
|
* type the pkcs7signaturebuilder init (#6724)Paul Kehrer2021-12-221-1/+12
|
* deprecate backend part 10 of n (#6529)Paul Kehrer2021-11-034-64/+65
|
* PKCS12: return 'friendly name' with PKCS12KeyAndCertificates API (#6348)Felix Fontein2021-10-061-3/+135
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Propose a new load_key_and_certificates_with_name API to return the PKCS12 'friendly name' as well. * Extend load_key_and_certificates_with_name to return friendly names for all certificates; add serialize_key_and_certificates_with_names; add X509_alias_set1 to cffi; add basic tests for all these. * Add changelog entry and documentation. * Revert "Extend load_key_and_certificates_with_name to return friendly names for all certificates; add serialize_key_and_certificates_with_names; add X509_alias_set1 to cffi; add basic tests for all these." This reverts commit 125935e8cf1d27028c5b593bb058e2716311fd72. * Create new interface. * Rename load_key_and_certificates_object -> load_pkcs12. * Add constructor validation, improve repr tests. * Mention '... or None'. * Allow all private key types. * Fix/improve tests. * Ignore type errors when intentionally passing wrong types. * Fix type; linting. * Use correct ignore.
* Use well-defined enum representation (#6042)Christian Heimes2021-05-121-2/+2
| | | | | | | | | Python 3.10 changed enum's object and string representation. PyCA cryptography now uses a custom subclass of enum.Enum() will well-defined __repr__ and __str__ from Python 3.9. Related: https://bugs.python.org/issue40066 Fixes: https://github.com/pyca/cryptography/issues/5995 Signed-off-by: Christian Heimes <cheimes@redhat.com>
* make PRIVATE/PUBLIC_KEY_TYPES a public API (#6001)Mathias Ertl2021-04-241-8/+8
|
* more typing (#5887)Paul Kehrer2021-03-024-12/+34
| | | | | | | | | | | * backend typing for twofactor package and more otp work * even more typing * style fixes * no generic typing for _get_backend * remove unneeded typing
* fixed a circular import error (due to type hints) (#5800)Alex Gaynor2021-02-091-2/+2
| | | | fixes #5794 closes #5795
* Added typing for a bunch of random stuff (#5743)Alex Gaynor2021-02-041-8/+12
|
* dsa type hinting (#5726)Paul Kehrer2021-01-311-47/+0
|
* reorg some types to prevent an import cycle (#5727)Paul Kehrer2021-01-311-1/+3
|
* type updates from turning on unchecked-defs on tests (#5720)Paul Kehrer2021-01-312-2/+5
| | | test changes themselves will be in a separate PR
View Lorry Controller Status