| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* support X.509 certificate PSS signing
no CSR, CRL, etc
* handle PSS.(MAX_LENGTH, DIGEST_LENGTH), review feedback
* name the kwarg
* test improvements
* skip if sha3 isn't supported
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Fix for #8854
Fix for issue #8854
* Fix for issue #8854
Fix for issue #8854
* versionadded
---------
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
|
| |
|
| |
Also replace one DH function with a simpler implementation
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
| |
OpenBSD 7.1 is no longer supported so neither is LibreSSL 3.5.x
|
| |
|
|
|
|
|
| |
* add support for aes256-gcm@openssh.com decryption for SSH keys
* review feedback
* skip when bcrypt isn't present
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
* support equality checks on all public asymmetric key types
* review feedback
|
| |
|
|
|
|
|
| |
* support ms certificate template
* contortions for rust coverage
* review feedback
|
| | |
|
| | |
|
| |
|
| |
fixes #8589
|
| | |
|
| |
|
|
|
| |
This removes the OS random engine, which contained the only CPython PSF
licensed code in the repository. Accordingly, that license has now been
removed.
|
| | |
|
| |
|
| |
This is extra mega cursed, and strictly speaking unsound. It does, however, match the status quo ante, where someone mutating a buffer while its being used in cffi code will basically always be UB.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
The theory here is that we're already doing sufficient validation key loading, and this is purely duplicative.
Note that there's at least _some_ validationg that was previously occurring only ECDH, the LowOrderPublic check that can be seen in wycheproof.
|
| |
|
|
| |
- Avoid typing.cast
- Consolidate bn_ctx allocations
|
| |
|
|
|
|
|
|
|
|
|
|
| |
EC_KEY_set_public_key_affine_coordinates calls EC_KEY_check_key, which
checks the point isn't at infinity, that it is on the curve (which has
already been done by EC_POINT_set_affine_coordinates), and that the
private scalar matches the public point.
We don't want to do expensive checks twice, so instead we swap to calling
EC_POINT_set_affine_coordinates directly and implement a private scalar
matches public point check of our own.
Also we no longer call deprecated functions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Rename Union type aliases to CamelCase
Many `typing.Union` type aliases were previously using `UPPER_SNAKE_CASE`, but Python's convention is `CamelCase` for these (e.g. https://docs.python.org/3/library/typing.html#type-aliases)
* Add utils.deprecated for the old non-underscore type aliases
* Added documentation for new type aliases & minor tweaks
* Use 'versionadded:: 40.0.0'
* Fix CertificatePublicKeyTypes vs CertificateIssuerPublicKeyTypes. Rename CertificatePrivateKeyTypes to CertificateIssuerPrivateKeyTypes
* Fix imports (ruff)
* Fix one more versionadded
* Tweak docs & Reorder: CertificateIssuerPublicKeyTypes before CertificateIssuerPrivateKeyTypes
* Fix test mypy errors using cast()
* Fix black, oops
* Revert "Fix black, oops"
This reverts commit 85344e231d697bdc0940e105f7aed729445f9743.
* Revert "Fix test mypy errors using cast()"
This reverts commit b272d8ca95fbbbc62060663f9e8930a139a7a43e.
* Revert type of SubjectKeyIdentifier.from_public_key arg
* Changelog tweak
|
| | |
|
| |
|
|
|
| |
* deprecate support for OpenSSL <1.1.1d
* use an actually exported constant
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add an ignore for the newest ruff
Clearly document why we have each of our ignores
* Bump ruff from 0.0.253 to 0.0.254
Bumps [ruff](https://github.com/charliermarsh/ruff) from 0.0.253 to 0.0.254.
- [Release notes](https://github.com/charliermarsh/ruff/releases)
- [Changelog](https://github.com/charliermarsh/ruff/blob/main/BREAKING_CHANGES.md)
- [Commits](https://github.com/charliermarsh/ruff/compare/v0.0.253...v0.0.254)
---
updated-dependencies:
- dependency-name: ruff
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Enforce max number of SSH certificate principals
There is an undocumented limit for the maximum number of valid principals accepted by the openssh tooling, as seen at:
* https://github.com/openssh/openssh-portable/blob/27267642699342412964aa785b98afd69d952c88/sshkey.h#L108
* https://github.com/openssh/openssh-portable/blob/25c8a2bbcc10c493d27faea57c42a6bf13fa51f2/sshkey.c#L1801
* https://github.com/openssh/openssh-portable/blob/6180b0fa4f7996687678702806257e661fd5931e/ssh-keygen.c#L1833
This change enforces that same restriction as currently a SSH certificate can be generated that is invalid against the default sshd server. Consideration might be given for any non openssh servers that accept openssh certificates, if they exist and want to allow a greater number of principals.
Of note, the 256 limit is not found in the spec for SSH certificates as defined at https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys. It instead seems to be arbitrarily chosen by the project as some limit was needed.
* Address formatting error.
* Comment on valid_prinicpals size limit plus test added.
---------
Co-authored-by: Jake <jake@vaultish.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* WIP: Add raw export alias method for x25519 keys
* Ditto for x448, ed448, ed25519
* Document new private_bytes_raw public_bytes_raw methods
* docs: Populate versionadded to be 40
* docs: Fix PublicFormat -> PrivateFormat where applicable
* formatting
* Update tests for test_pub_priv_bytes_raw in x25519, x448, ed448 (TODO: ed25519)
* Add test_pub_priv_bytes_raw test for Ed25519
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
* fixes #8316 -- correct docstring
* Update src/cryptography/hazmat/primitives/asymmetric/x448.py
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
---------
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
* add support for centos9-fips
Requires a variety of new FIPS constraints on our tests, including the
addition of rsa_encryption_supported
* review comments
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
algorithms (#8187)
* add support for bytes-like objects in data and associated_data in aead algorithms
* flake
* flake again
* rework AESSIV _check_params
* flake and 80char columns
* associated_data cannot be None in _check_params, set to [] in calling function
* Update src/cryptography/hazmat/primitives/ciphers/aead.py
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* flake fix
---------
Co-authored-by: mat gas <none@none.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
| | |
|
| |
|
|
|
| |
1. use public API for loading DER cert
2. use length-API for PKCS12 friendly name, not NUL-terminated
3. don't upref and GC and X509* that doesn't need to live longer
|
| | |
|
