| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* support X.509 certificate PSS signing
no CSR, CRL, etc
* handle PSS.(MAX_LENGTH, DIGEST_LENGTH), review feedback
* name the kwarg
* test improvements
* skip if sha3 isn't supported
|
| |
|
|
| |
this allows easier verification of cert signatures, but more
specifically allows PSS signature verification
|
| |
|
|
|
|
|
| |
* support ms certificate template
* contortions for rust coverage
* review feedback
|
| | |
|
| |
|
| |
fixes #8589
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Rename Union type aliases to CamelCase
Many `typing.Union` type aliases were previously using `UPPER_SNAKE_CASE`, but Python's convention is `CamelCase` for these (e.g. https://docs.python.org/3/library/typing.html#type-aliases)
* Add utils.deprecated for the old non-underscore type aliases
* Added documentation for new type aliases & minor tweaks
* Use 'versionadded:: 40.0.0'
* Fix CertificatePublicKeyTypes vs CertificateIssuerPublicKeyTypes. Rename CertificatePrivateKeyTypes to CertificateIssuerPrivateKeyTypes
* Fix imports (ruff)
* Fix one more versionadded
* Tweak docs & Reorder: CertificateIssuerPublicKeyTypes before CertificateIssuerPrivateKeyTypes
* Fix test mypy errors using cast()
* Fix black, oops
* Revert "Fix black, oops"
This reverts commit 85344e231d697bdc0940e105f7aed729445f9743.
* Revert "Fix test mypy errors using cast()"
This reverts commit b272d8ca95fbbbc62060663f9e8930a139a7a43e.
* Revert type of SubjectKeyIdentifier.from_public_key arg
* Changelog tweak
|
| |
|
| |
Also change the typing to be an explicit union
|
| |
|
|
|
|
|
| |
* Disallow wildcards in DNSName for name constraints
As discussed in #8253, wildcards are unnecessary according to RFC 5280, and cause issues with at least Firefox.
* update changelog
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add Certificate.verify_signed_by
Verify that the signature on a certificate was created by the
private key belonging to another certificate's public key.
This code does not validate anything else! It is not a path builder,
general x509 validator, etc.
* switch to issued_by
validate issuer subject matches certificate issuer and refactor
* two fixes
* signed_by isn't the right target now
* coverage
* skip test on some *ssls
* extensive refactoring
* lol
* does any of this work
* final commit i swear
|
| |
|
|
| |
Deprecated since version 3.3, see
https://docs.python.org/3/library/abc.html#abc.abstractproperty
|
| | |
|
| |
|
| |
It's more than 60x faster.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* x509: add `load_pem_x509_certificates`
This behaves similarly to `load_pem_x509_certificate`, except that it
returns a list of loaded certificates instead of just the first X.509
certificate.
It raises if the input contains no PEM-encoded certificates, or if PEM
or certificate parsing fail.
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests/x509: blacken
Signed-off-by: William Woodruff <william@trailofbits.com>
* Update docs/x509/reference.rst
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* tests/x509: assert each item in the list is actually a certificate
Signed-off-by: William Woodruff <william@trailofbits.com>
* bindings: expose `load_pem_x509_certificates` in `x509.pyi`
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests/x509: test the structure of each cert a bit
This has the transitive effect of establishing a fixed order.
Signed-off-by: William Woodruff <william@trailofbits.com>
* CHANGELOG: record changes
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: add PEM to spellcheck allowlist
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs/x509: document expected param
Signed-off-by: William Woodruff <william@trailofbits.com>
Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
| |
|
|
| |
distribution points (#7710)
|
| |
|
|
|
|
|
|
|
|
|
| |
* add support for creating OCSP requests with precomputed hashes
* mypy and clippy fixes
* flake, fix MSRV
* MSRV this time
* feedback
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RDNs (#7514)
* Fix issue #7513 - parsing of RFC4514 strings should reverse the order of RDNs
* Solving code formating issues
* Adding comment justifing the reversal of rdns on the RFC4514 parser
* Comment changes on CHANGELOG.rst
* fixing a typo on method link at CHANGELOG.rst
* Removing reference to protected class _RFC4514NameParser from CHANGELOG.rst
Co-authored-by: Alexandre Machado <alexandre@softnex.com.br>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add `tbs_precertificate_bytes` property
* docs/x509: document `tbs_precertificate_bytes`
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests/x509: add two trivial tests
Signed-off-by: William Woodruff <william@trailofbits.com>
* x509/base: fix lint
Signed-off-by: William Woodruff <william@trailofbits.com>
* oid: add CERTIFICATE_TRANSPARENCY (1.3.6.1.4.1.11129.2.4.4)
Signed-off-by: William Woodruff <william@trailofbits.com>
* hazmat/oid: rehome CERTIFICATE_TRANSPARENCY under ExtendedKeyUsageOID
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs/x509: fix link, help the spellchecker
Signed-off-by: William Woodruff <william@trailofbits.com>
* x509: Raise ValueError when we can't filter SCT list extension
* tests: Expect a `ValueError` when accessing `tbs_precertificate_bytes`
in default example
* tests, vectors: Add TBS precert vector for test comparison
* docs/x509: document the `CERTIFICATE_TRANSPARENCY` OID
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs/x509: elaborate `tbs_precertificate_bytes`
Signed-off-by: William Woodruff <william@trailofbits.com>
* rust/x509: remove unused OID
Signed-off-by: William Woodruff <william@trailofbits.com>
* x509/certificate: tweak error
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests/x509: reorganize
Signed-off-by: William Woodruff <william@trailofbits.com>
* Update src/rust/src/x509/certificate.rs
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* tests/x509: more reorg, rename
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: document new testvector
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: coax the spellchecker
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests/x509: use a cert that doesn't require SHA-1
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests/x509: test for no extensions at all
Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Alex Cameron <asc@tetsuo.sh>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
| |
|
| |
Signed-off-by: William Woodruff <william@trailofbits.com>
|
| |
|
| |
Signed-off-by: William Woodruff <william@trailofbits.com>
|
| |
|
|
|
| |
This didn't get renamed correctly in the last PR.
Signed-off-by: William Woodruff <william@yossarian.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* WIP
* x509: remove TBS work for now
Signed-off-by: William Woodruff <william@yossarian.net>
* CT: flake8
Signed-off-by: William Woodruff <william@yossarian.net>
* CT: remove TODO, add links
Signed-off-by: William Woodruff <william@yossarian.net>
* CT/SCT: strong enums for HashAlgorithm and SignatureAlgorithm
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: add SCT hash/signature algorithm tests
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: fix SignatureAlgorithm test, add signature contents test
Signed-off-by: William Woodruff <william@yossarian.net>
* rust: unit tests for {Hash,Signature}Algorithm
Signed-off-by: William Woodruff <william@yossarian.net>
* x509/sct: code coverage shenanigans
Signed-off-by: William Woodruff <william@yossarian.net>
* asn1, sct: pesky coverage
Signed-off-by: William Woodruff <william@yossarian.net>
* x509/sct: simplify parsing
Signed-off-by: William Woodruff <william@yossarian.net>
* docs: document new SCT APIs
Signed-off-by: William Woodruff <william@yossarian.net>
* docs: add refs to RFC 5246
Signed-off-by: William Woodruff <william@yossarian.net>
* SCT: forbid nonsense hash and signature algos
No tests, yet.
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: add invalid hash/sig algo tests
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: remove ToAttr trait
Inline impl into each struct's impl.
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: remove invalid hash/sig variants
These should never appear in the context of SCTs.
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: collapse matches
Handle invalid/unknown variants together.
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: update SCT tests
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: add a TODO
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: return a primitives.hashes object instead of a custom enum
Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: Alex Cameron <asc@tetsuo.sh>
|
| | |
|
| | |
|
| |
|
| |
fixes #7104
|
| |
|
|
|
| |
* fixes #7081 -- correctly handle escape sequences in RFC4514 strings
* Fix multi-digit OID arc parsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Initial tests
* Implement.
Required updating many many tests based on my read of the RFC. Should be reviewed closely.
* Fix for py36
* flake8
* Improve coverage on hypothesis test
* Remove bad assertion in hypothesis test
* Update docs
* fix docs
* Fixed unicode support
* review
* docs review
|
| |
|
| |
fixes #6973
|
| | |
|
| |
|
|
| |
(#6983)
|
| | |
|
| |
|
| |
At some point it gained a default that was the same as what we were implementing.
|
| |
|
| |
As someone who first with Python in 2.4 or so, this habit is going to be hard to break.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(#6410)
* OCSP responses can contain multiple SINGLERESPs
Instead of throwing an exception when encountering a OCSP
response with multiple SINGLERESPs, throw the exception when
attempting to pull a single structure if multiple are present.
Add a response_iter property to the OCSP Response object, which
allows for iteration through all the SINGLERESPs, and properties
to be individually accessed for each.
* Small fixes to OCSP multiple response handling. Squash eventually
* Docs updates. Should be squashed
* Get rid of mutating iterator, replace with separate return object
* Fix versionadded strings in docs
* Cleanup docs & python bindings.
|
| |
|
|
| |
this appears to be best practice and also makes the mypy type-coverage
analysis happier
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
* support bitstring values in DNs
parsing is limited to x500UniqueIdentifier only
* Update src/cryptography/x509/name.py
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
| |
|
|
|
|
| |
The spec requires both of these to be exactly two characters to
correspond with ISO country codes. Reality is sometimes messier, so this
allows parsing (but not encoding) of this invalid data. Parsing will
raise a UserWarning if incorrect lengths are detected.
|
| | |
|
| | |
|
| |
|
|
|
| |
* Allow to serialize extension values as DER bytes string.
* Prepare test for SignedCertificateTimestamps.
|
| |
|
|
| |
also document that we can return these key types in a certificate,
although they can't be self-signed of course
|
| |
|
|
| |
* Move around some code to kill the need for a backend method
* Type the backend arg to typing.Any since we just don't care now
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
`rfc4514_string()` and related methods now have an optional
`attr_name_overrides` parameter to supply custom OID to name mappings,
which can be used to match vendor-specific extensions.
**BACKWARDS INCOMPATIBLE:** Reverted the nonstandard formatting of email
address fields as `E` in `rfc4514_string()` methods from version 35.0.
The previous behavior can be restored with:
`name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})`
Expanded documentation of `Name.rfc4514_string`.
|
| |
|
|
|
|
|
|
|
|
|
| |
* Convert CRL creation to Rust
* fixes
* small reflows
* Delete all teh code
* flake8
|
| |
|
|
|
|
|
|
|
| |
* Convert CSR creation to Rust
* put this back
* unused
* coverage
|
| |
|
|
|
|
|
|
|
|
|
| |
* Convert x.509 certificate generation to Rust
* flake8
* Coverage shenangins
* moar hashes
* moar hashes
|
