summaryrefslogtreecommitdiff
path: root/src/cryptography/hazmat
Commit message (Collapse)AuthorAgeFilesLines
...
* Use Rust for CSR::is_signature_valid (#8161)Alex Gaynor2023-01-291-23/+0
|
* Use the ruff 'pyupgrade' checks (#8104)Alex Gaynor2023-01-2012-29/+23
|
* rename variable to make sense (#8080)Alex Gaynor2023-01-171-3/+3
|
* remove the last vestiges of sha1 out of pkcs7 (#8032)Paul Kehrer2023-01-091-2/+1
| | | we already didn't support signing (released in 39.0)
* deprecate the rest of DSA support for SSH (#8013)Paul Kehrer2023-01-091-0/+22
| | | | | * deprecate the rest of DSA support for SSH * review comments
* deprecate support for DSA in load_ssh_public_key (#8009)Paul Kehrer2023-01-081-43/+26
| | | | | * deprecate support for DSA in load_ssh_public_key * try to prevent bad things a bit more
* switch to using integers for valid_after/valid_before in SSH certs (#8007)Paul Kehrer2023-01-081-33/+21
| | | | | | | * switch to using integers for valid_after/valid_before in SSH certs * i know this, it's a unix timestamp * one more review nit
* SSHCertificateBuilder (#8004)Paul Kehrer2023-01-082-0/+413
| | | | | | | | | | | * SSHCertificateBuilder This adds support for generating SSH certificates * add deterministic signing tests and valid_for_all_principals * test another edge * one of these two fixes makes no sense
* support SSH certificate parsing (#7960)Paul Kehrer2023-01-072-1/+279
| | | | | | | | | | | | | * support SSH certificate parsing DSA (deliberately) not supported * make a unified API * Update src/cryptography/hazmat/primitives/serialization/ssh.py Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* small refactor in ssh for key type (#7983)Paul Kehrer2023-01-051-20/+23
| | | this prevents duplicating this logic more times for ssh certs
* Replace more deprecated `abstractproperty` (#7944)Viicos2022-12-284-11/+22
|
* src/_cffi_src/openssl/evp.py: export EVP_PKEY_set_alias_type in FUNCTIONS ↵hustliyilin2022-12-281-0/+9
| | | | | | | | | | | | | | | (#7935) In openssl 1.1.1 docs/man3/EVP_PKEY_set1_RSA.pod (https://github.com/openssl/openssl/blob/OpenSSL_1_1_1/doc/man3/EVP_PKEY_set1_RSA.pod) The EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2) API is possible to convert it to using SM2 algorithms After loading an ECC key. So the EVP_PKEY_set_alias_type API is important for people who want to use cryptography with using SM2 algorithms. Therefore, we need to export EVP_PKEY_set_alias_type in FUNCTIONS. Signed-off-by: YiLin.Li <YiLin.Li@linux.alibaba.com> Signed-off-by: YiLin.Li <YiLin.Li@linux.alibaba.com>
* Typo fixes (#7942)Alex Gaynor2022-12-281-1/+1
|
* Replace deprecated `abstractproperty` (#7943)Viicos2022-12-275-17/+34
| | | | Deprecated since version 3.3, see https://docs.python.org/3/library/abc.html#abc.abstractproperty
* Update formatting for new ruff (#7937)Alex Gaynor2022-12-263-13/+13
|
* Switch from flake8 to ruff (#7920)Alex Gaynor2022-12-2139-84/+31
| | | It's more than 60x faster.
* Remove binding for X509_STORE_get_get_issuer (#7918)David Benjamin2022-12-201-1/+0
| | | | | | | | | This was added alongside X509_STORE_set_get_issuer in 21ef4080ec7666299f1268f3bbfb136582744359. It makes sense to want to override issuer lookup, but I've never seen a valid use case for querying the callbacks. If you're trying to get at the function that was already configured, you presumably already know it. (And if you don't, it's not safe to call because an arbitrary callback may have been written to only be usable in particular contexts.)
* x509: add `load_pem_x509_certificates` (#7878)William Woodruff2022-12-051-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * x509: add `load_pem_x509_certificates` This behaves similarly to `load_pem_x509_certificate`, except that it returns a list of loaded certificates instead of just the first X.509 certificate. It raises if the input contains no PEM-encoded certificates, or if PEM or certificate parsing fail. Signed-off-by: William Woodruff <william@trailofbits.com> * tests/x509: blacken Signed-off-by: William Woodruff <william@trailofbits.com> * Update docs/x509/reference.rst Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * tests/x509: assert each item in the list is actually a certificate Signed-off-by: William Woodruff <william@trailofbits.com> * bindings: expose `load_pem_x509_certificates` in `x509.pyi` Signed-off-by: William Woodruff <william@trailofbits.com> * tests/x509: test the structure of each cert a bit This has the transitive effect of establishing a fixed order. Signed-off-by: William Woodruff <william@trailofbits.com> * CHANGELOG: record changes Signed-off-by: William Woodruff <william@trailofbits.com> * docs: add PEM to spellcheck allowlist Signed-off-by: William Woodruff <william@trailofbits.com> * docs/x509: document expected param Signed-off-by: William Woodruff <william@trailofbits.com> Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* a few more mypy flags and fixes (#7877)Paul Kehrer2022-12-044-4/+4
|
* Annotate a few more functions (#7876)Alex Gaynor2022-12-046-6/+12
|
* Rewrite PKCS7 signature generation in Rust (#7729)Alex Gaynor2022-11-253-105/+55
| | | | | * Rewrite PKCS7 signature generation in Rust * Update src/rust/src/pkcs7.rs
* LibreSSL 3.7 adds support for Ed25519 (#7803)Theo Buehler2022-11-221-1/+1
| | | | | | | | | * LibreSSL 3.7 adds support for Ed25519 This brings support for the raw public key API. * Use feature variable to enable Ed25519 Ed25519 support is available since OpenSSL 1.1.1b and LibreSSL 3.7.0.
* Add *_SHA3 signature algorithms to OID <-> hash map (#7819)jeanluc2022-11-171-0/+8
| | | | | | | * Add test for issue 7818 * Add *_SHA3 signature algorithms to OID <-> hash map * Use type instead of __class__
* update for new mypy (with more accurate typing) (#7785)Alex Gaynor2022-11-081-1/+3
|
* Update minimum LibreSSL to 3.5 (#7780)Alex Gaynor2022-11-072-11/+3
| | | This is the version of LibreSSL in OpenBSD 7.1, which is the oldest currently supported.
* Revert workaround for yanked OpenSSL (#7765)Alex Gaynor2022-11-031-4/+1
| | | Partial revert of 6578d86ec557e0b4af2ba9d0c0a821fe939044ee
* Remove SHA1 signatures support from PKCS7 (#7734)Alex Gaynor2022-10-221-1/+0
|
* Convert basic PKCS7 generation to Rust (#7700)Alex Gaynor2022-10-123-50/+11
|
* fixes #7454 -- added SSL_get_extms_support (#7697)Alex Gaynor2022-10-121-0/+5
|
* upgrade some openssls in CI (#7690)Paul Kehrer2022-10-111-2/+4
| | | | | | | | | | | * bump tests to 3.0.6 * qs become rs * fix openssl 3.0.6 error stack bug in pkcs12 * flake * more comment
* add unsafe_skip_rsa_key_validation (#7667)Paul Kehrer2022-10-034-21/+69
| | | | | | | | | | | | | | | | | | | * add unsafe_skip_rsa_key_validation This allows users to skip RSA key validation when calling load_pem_private_key, load_der_private_key, and RSAPrivateNumbers.private_key. This is a significant performance improvement but is **only safe if you know the key is valid**. If you use this when the key is invalid OpenSSL makes no guarantees about what might happen. Infinite loops, crashes, and all manner of terrible things become possible if that occurs. Beware, beware, beware. * Apply suggestions from code review Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * remove unneeded variable Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Handle error generating DH params with very very large key size (#7666)Alex Gaynor2022-10-011-1/+3
| | | Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52024
* support compilation against openssl 3 with no legacy provider (#7650)Paul Kehrer2022-09-262-30/+63
| | | | | You must pass CRYPTOGRAPHY_OPENSSL_NO_LEGACY for this to be allowed. Downstreams can easily patch this check out if they want to default to this behavior.
* handle AESSIV empty byte strings on encrypt/decrypt (#7644)Paul Kehrer2022-09-241-0/+2
|
* Warn users on 32-bit Pythons on 64-bit windows. (#7641)Alex Gaynor2022-09-241-1/+15
| | | They're leaving a ton of performance on the table.
* A handful of small internal typing improvements (#7625)Alex Gaynor2022-09-181-6/+9
|
* remove consume_errors that are no longer required (#7620)Alex Gaynor2022-09-181-10/+0
|
* Remove reimplementation of OpenSSL function in DHX (#7611)Alex Gaynor2022-09-143-4/+4
|
* Move to a libressl policy (#7605)Alex Gaynor2022-09-132-23/+0
| | | This policy is to support things that are in supported versions of openbsd. the current oldest supported openbsd is 7.0, which included libressl 3.4
* use fixed pool to improve perf of aead ChaCha20Poly1305 (#7601)Paul Kehrer2022-09-122-16/+83
| | | | | | | | * use fixed pool to improve perf of aead ChaCha20Poly1305 ~35-45% speedup on benchmarks when reusing the same key for multiple operations * remove unneeded call
* Remove destroy from FixedPool (#7602)Alex Gaynor2022-09-111-1/+0
| | | turns out we don't need it
* Final set of cleanups to comments and bindings for dropping OpenSSL 1.1.0 ↵Alex Gaynor2022-09-111-6/+6
| | | | (#7598)
* simplify code now that we're >=1.1.1 only (#7595)Alex Gaynor2022-09-111-3/+1
|
* remove outdated comments and simplify code (#7594)Alex Gaynor2022-09-111-5/+3
|
* Remove pyOpenSSL fallback. (#7590)Alex Gaynor2022-09-112-61/+0
| | | We already require pyOpenSSL>=22.0, but pyOpenSSL has not required this fallback since 21.0.
* fixes #7109 -- update final comments for having dropped 1.1.0 (#7591)Alex Gaynor2022-09-112-6/+6
|
* fixes #7179 -- remove deprecated from_encoded_point (#7572)Alex Gaynor2022-09-071-45/+0
|
* Increase our minimum LibreSSL. (#7571)Alex Gaynor2022-09-071-7/+0
| | | OpenBSD 7.0 ships 3.4, and Alpine 3.14 ships 3.3.6
* Drop OpenSSL 1.1.0 (#7570)Alex Gaynor2022-09-073-29/+1
| | | | | There's still a few TODOs for cleanup. Refs #7109
* support setting more PKCS12 serialization encryption options (#7560)Paul Kehrer2022-09-053-6/+149
| | | | | | | | | | | | | | | | | | * support setting more PKCS12 serialization encryption options This is limited support, but makes it possible to set two different PBES choices as well as set KDF rounds and MAC algorithm * Apply suggestions from code review Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * review feedback redux * Update docs/hazmat/primitives/asymmetric/serialization.rst Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
View Lorry Controller Status