summaryrefslogtreecommitdiff
path: root/src/cryptography/hazmat/primitives
Commit message (Collapse)AuthorAgeFilesLines
* Convert KDFs to Rust (#8787)Alex Gaynor2023-04-252-9/+13
|
* Migrate DH to Rust (#8768)Alex Gaynor2023-04-241-4/+7
|
* Convert HMAC to Rust (#8781)Alex Gaynor2023-04-221-62/+4
|
* Convert hashes to Rust (#8775)Alex Gaynor2023-04-211-47/+29
|
* add support for aes256-gcm@openssh.com decryption for SSH keys (#8738)Paul Kehrer2023-04-151-23/+85
| | | | | | | * add support for aes256-gcm@openssh.com decryption for SSH keys * review feedback * skip when bcrypt isn't present
* Remove unused consts (#8713)Alex Gaynor2023-04-121-3/+0
|
* Convert ed448 to Rust (#8705)Alex Gaynor2023-04-111-8/+11
|
* Convert ed25519 to Rust (#8697)Alex Gaynor2023-04-101-8/+11
|
* support equality checks on all public asymmetric key types (#8700)Paul Kehrer2023-04-108-0/+48
| | | | | * support equality checks on all public asymmetric key types * review feedback
* Migrate x448 to Rust (#8691)Alex Gaynor2023-04-101-8/+11
|
* Use from __future__ import annotations everywhere (#8643)Alex Gaynor2023-03-3141-72/+124
|
* Migrate x25519 to use rust-openssl (#7933)Alex Gaynor2023-03-241-8/+13
|
* Added support for handling python buffers in Rust code (#8556)Alex Gaynor2023-03-211-1/+1
| | | This is extra mega cursed, and strictly speaking unsound. It does, however, match the status quo ante, where someone mutating a buffer while its being used in cffi code will basically always be UB.
* Make Union type aliases a documented public API (#8168)Marti Raudsepp2023-03-078-48/+98
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Rename Union type aliases to CamelCase Many `typing.Union` type aliases were previously using `UPPER_SNAKE_CASE`, but Python's convention is `CamelCase` for these (e.g. https://docs.python.org/3/library/typing.html#type-aliases) * Add utils.deprecated for the old non-underscore type aliases * Added documentation for new type aliases & minor tweaks * Use 'versionadded:: 40.0.0' * Fix CertificatePublicKeyTypes vs CertificateIssuerPublicKeyTypes. Rename CertificatePrivateKeyTypes to CertificateIssuerPrivateKeyTypes * Fix imports (ruff) * Fix one more versionadded * Tweak docs & Reorder: CertificateIssuerPublicKeyTypes before CertificateIssuerPrivateKeyTypes * Fix test mypy errors using cast() * Fix black, oops * Revert "Fix black, oops" This reverts commit 85344e231d697bdc0940e105f7aed729445f9743. * Revert "Fix test mypy errors using cast()" This reverts commit b272d8ca95fbbbc62060663f9e8930a139a7a43e. * Revert type of SubjectKeyIdentifier.from_public_key arg * Changelog tweak
* fixes #8298 -- correctly generate content-type header in PKCS#7 SMIME (#8389)Alex Gaynor2023-02-261-4/+19
|
* Enforce max number of SSH certificate principals (#8376)Jake2023-02-231-0/+10
| | | | | | | | | | | | | | | | | | | | * Enforce max number of SSH certificate principals There is an undocumented limit for the maximum number of valid principals accepted by the openssh tooling, as seen at: * https://github.com/openssh/openssh-portable/blob/27267642699342412964aa785b98afd69d952c88/sshkey.h#L108 * https://github.com/openssh/openssh-portable/blob/25c8a2bbcc10c493d27faea57c42a6bf13fa51f2/sshkey.c#L1801 * https://github.com/openssh/openssh-portable/blob/6180b0fa4f7996687678702806257e661fd5931e/ssh-keygen.c#L1833 This change enforces that same restriction as currently a SSH certificate can be generated that is invalid against the default sshd server. Consideration might be given for any non openssh servers that accept openssh certificates, if they exist and want to allow a greater number of principals. Of note, the 256 limit is not found in the spec for SSH certificates as defined at https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys. It instead seems to be arbitrarily chosen by the project as some limit was needed. * Address formatting error. * Comment on valid_prinicpals size limit plus test added. --------- Co-authored-by: Jake <jake@vaultish.com>
* Add shortcut methods for exporting EC keys as raw bytes (#8357)David Buchanan2023-02-224-0/+80
| | | | | | | | | | | | | | | | | * WIP: Add raw export alias method for x25519 keys * Ditto for x448, ed448, ed25519 * Document new private_bytes_raw public_bytes_raw methods * docs: Populate versionadded to be 40 * docs: Fix PublicFormat -> PrivateFormat where applicable * formatting * Update tests for test_pub_priv_bytes_raw in x25519, x448, ed448 (TODO: ed25519) * Add test_pub_priv_bytes_raw test for Ed25519
* fixes #8316 -- correct docstring (#8319)Alex Gaynor2023-02-171-1/+1
| | | | | | | | | | | * fixes #8316 -- correct docstring * Update src/cryptography/hazmat/primitives/asymmetric/x448.py Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com> --------- Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
* fixes #8316 -- correct docstring (#8318)Alex Gaynor2023-02-171-1/+1
|
* Added type annotations for more things in backend (#8265)Alex Gaynor2023-02-112-11/+11
|
* add support for bytes-like objects in data and associated_data in aead ↵Mat2023-02-021-13/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | algorithms (#8187) * add support for bytes-like objects in data and associated_data in aead algorithms * flake * flake again * rework AESSIV _check_params * flake and 80char columns * associated_data cannot be None in _check_params, set to [] in calling function * Update src/cryptography/hazmat/primitives/ciphers/aead.py Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * flake fix --------- Co-authored-by: mat gas <none@none.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Update style for new black (#8185)Alex Gaynor2023-01-312-3/+0
|
* Use the ruff 'pyupgrade' checks (#8104)Alex Gaynor2023-01-207-16/+8
|
* remove the last vestiges of sha1 out of pkcs7 (#8032)Paul Kehrer2023-01-091-2/+1
| | | we already didn't support signing (released in 39.0)
* deprecate the rest of DSA support for SSH (#8013)Paul Kehrer2023-01-091-0/+22
| | | | | * deprecate the rest of DSA support for SSH * review comments
* deprecate support for DSA in load_ssh_public_key (#8009)Paul Kehrer2023-01-081-43/+26
| | | | | * deprecate support for DSA in load_ssh_public_key * try to prevent bad things a bit more
* switch to using integers for valid_after/valid_before in SSH certs (#8007)Paul Kehrer2023-01-081-33/+21
| | | | | | | * switch to using integers for valid_after/valid_before in SSH certs * i know this, it's a unix timestamp * one more review nit
* SSHCertificateBuilder (#8004)Paul Kehrer2023-01-082-0/+413
| | | | | | | | | | | * SSHCertificateBuilder This adds support for generating SSH certificates * add deterministic signing tests and valid_for_all_principals * test another edge * one of these two fixes makes no sense
* support SSH certificate parsing (#7960)Paul Kehrer2023-01-072-1/+279
| | | | | | | | | | | | | * support SSH certificate parsing DSA (deliberately) not supported * make a unified API * Update src/cryptography/hazmat/primitives/serialization/ssh.py Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* small refactor in ssh for key type (#7983)Paul Kehrer2023-01-051-20/+23
| | | this prevents duplicating this logic more times for ssh certs
* Replace more deprecated `abstractproperty` (#7944)Viicos2022-12-284-11/+22
|
* Typo fixes (#7942)Alex Gaynor2022-12-281-1/+1
|
* Replace deprecated `abstractproperty` (#7943)Viicos2022-12-275-17/+34
| | | | Deprecated since version 3.3, see https://docs.python.org/3/library/abc.html#abc.abstractproperty
* Update formatting for new ruff (#7937)Alex Gaynor2022-12-262-3/+3
|
* Switch from flake8 to ruff (#7920)Alex Gaynor2022-12-2123-47/+12
| | | It's more than 60x faster.
* Annotate a few more functions (#7876)Alex Gaynor2022-12-045-5/+5
|
* Rewrite PKCS7 signature generation in Rust (#7729)Alex Gaynor2022-11-251-6/+48
| | | | | * Rewrite PKCS7 signature generation in Rust * Update src/rust/src/pkcs7.rs
* update for new mypy (with more accurate typing) (#7785)Alex Gaynor2022-11-081-1/+3
|
* Remove SHA1 signatures support from PKCS7 (#7734)Alex Gaynor2022-10-221-1/+0
|
* Convert basic PKCS7 generation to Rust (#7700)Alex Gaynor2022-10-121-3/+2
|
* add unsafe_skip_rsa_key_validation (#7667)Paul Kehrer2022-10-032-4/+19
| | | | | | | | | | | | | | | | | | | * add unsafe_skip_rsa_key_validation This allows users to skip RSA key validation when calling load_pem_private_key, load_der_private_key, and RSAPrivateNumbers.private_key. This is a significant performance improvement but is **only safe if you know the key is valid**. If you use this when the key is invalid OpenSSL makes no guarantees about what might happen. Infinite loops, crashes, and all manner of terrible things become possible if that occurs. Beware, beware, beware. * Apply suggestions from code review Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * remove unneeded variable Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* handle AESSIV empty byte strings on encrypt/decrypt (#7644)Paul Kehrer2022-09-241-0/+2
|
* use fixed pool to improve perf of aead ChaCha20Poly1305 (#7601)Paul Kehrer2022-09-121-2/+13
| | | | | | | | * use fixed pool to improve perf of aead ChaCha20Poly1305 ~35-45% speedup on benchmarks when reusing the same key for multiple operations * remove unneeded call
* fixes #7179 -- remove deprecated from_encoded_point (#7572)Alex Gaynor2022-09-071-45/+0
|
* support setting more PKCS12 serialization encryption options (#7560)Paul Kehrer2022-09-052-3/+76
| | | | | | | | | | | | | | | | | | * support setting more PKCS12 serialization encryption options This is limited support, but makes it possible to set two different PBES choices as well as set KDF rounds and MAC algorithm * Apply suggestions from code review Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * review feedback redux * Update docs/hazmat/primitives/asymmetric/serialization.rst Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* add AES128/AES256 classes (#7542)Paul Kehrer2022-08-262-0/+27
| | | | | | | | | | | These let developers be more explicit about the allowable key lengths for an AES key and make auditing the codebase a bit easier. But that's not really why we're adding them. In some upcoming serialization features we need to be able to specify AES 128 vs AES 256 and the current class doesn't work for that since it computes key length from the key you provide it when instantiating the class. That's incompatible with serialization where the key is derived later in the process. C'est la vie.
* PoC for making key serialization more configurable (#7520)Alex Gaynor2022-08-223-4/+62
|
* KBKDF: add CounterLocation.MiddleFixed (#7489)Jean Paul Galea2022-08-151-6/+45
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * KBKDF: add CounterLocation.MiddleFixed * tests_kbkdf: add new tests - Test CounterLocation.MiddleFixed and blocation= * test_kbkdf_vectors: make use of MIDDLE_FIXED * docs: document KBKDF CounterLocation.MiddleFixed * s/blocation/break_location/g * CHANGELOG: document KBKDF{HMAC,CMAC} CounterLocation.MiddleFixed #7489 * kbkdf: fixed is static across n iterations, only the counter changes * kbkdf: check break_location is 0..len(fixed) - Update tests to assert exception is raised when break_location < 0 or > len(fixed) - When asserting for "break_location is ignored when MiddleFixed", use break_location=0 instead of =10, to ensure we don't raise because of break_location > len(fixed) - Assert that the right error messages are returned to the user. * kbkdf: keyword-only break_location * docs: document kw-only KBKDF{HMAC,CMAC}
* remove bizzare dead code (#7444)Alex Gaynor2022-07-221-3/+1
|
* feat: drop max password length of 72 characters from ↵Andrew Pantuso2022-07-201-6/+0
| | | | 'serialize_ssh_private_key' (#7439)
View Lorry Controller Status