path: root/src/cryptography
Commit message | Author | Date | Files | Lines
...
* Handle error generating DH params with very very large key size (#7666) | Alex Gaynor | 2022-10-01 | 1 file | -1/+3
  Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52024
* support compilation against openssl 3 with no legacy provider (#7650) | Paul Kehrer | 2022-09-26 | 2 files | -30/+63
  You must pass CRYPTOGRAPHY_OPENSSL_NO_LEGACY for this to be allowed. Downstreams can easily patch this check out if they want to default to this behavior.
* mark verify_interface with a deprecation comment (#7649) | Paul Kehrer | 2022-09-25 | 1 file | -0/+3
  This will help us revisit it in the future.
* Make verify_interface a no-op (#7648) | Alex Gaynor | 2022-09-25 | 1 file | -29/+3
  This should be sufficient to keep aws-encryption-sdk working, but lets us delete the code.
* handle AESSIV empty byte strings on encrypt/decrypt (#7644) | Paul Kehrer | 2022-09-24 | 1 file | -0/+2
* Warn users on 32-bit Pythons on 64-bit windows. (#7641) | Alex Gaynor | 2022-09-24 | 1 file | -1/+15
  They're leaving a ton of performance on the table.
* A handful of small internal typing improvements (#7625) | Alex Gaynor | 2022-09-18 | 1 file | -6/+9
* remove consume_errors that are no longer required (#7620) | Alex Gaynor | 2022-09-18 | 1 file | -10/+0
* Remove reimplementation of OpenSSL function in DHX (#7611) | Alex Gaynor | 2022-09-14 | 3 files | -4/+4
* Move to a libressl policy (#7605) | Alex Gaynor | 2022-09-13 | 2 files | -23/+0
  This policy is to support things that are in supported versions of OpenBSD. The current oldest supported OpenBSD is 7.0, which included LibreSSL 3.4.
* use fixed pool to improve perf of aead ChaCha20Poly1305 (#7601) | Paul Kehrer | 2022-09-12 | 2 files | -16/+83
  * use fixed pool to improve perf of aead ChaCha20Poly1305
    ~35-45% speedup on benchmarks when reusing the same key for multiple operations
  * remove unneeded call
* Remove destroy from FixedPool (#7602) | Alex Gaynor | 2022-09-11 | 1 file | -1/+0
  Turns out we don't need it.
* Final set of cleanups to comments and bindings for dropping OpenSSL 1.1.0 (#7598) | Alex Gaynor | 2022-09-11 | 1 file | -6/+6
* simplify code now that we're >=1.1.1 only (#7595) | Alex Gaynor | 2022-09-11 | 1 file | -3/+1
* remove outdated comments and simplify code (#7594) | Alex Gaynor | 2022-09-11 | 1 file | -5/+3
* Remove pyOpenSSL fallback. (#7590) | Alex Gaynor | 2022-09-11 | 3 files | -62/+0
  We already require pyOpenSSL>=22.0, but pyOpenSSL has not required this fallback since 21.0.
* fixes #7109 -- update final comments for having dropped 1.1.0 (#7591) | Alex Gaynor | 2022-09-11 | 2 files | -6/+6
* Remove deprecated support for x.509 signing with SHA1 and MD5 (#7573) | Alex Gaynor | 2022-09-07 | 1 file | -1/+0
* fixes #7179 -- remove deprecated from_encoded_point (#7572) | Alex Gaynor | 2022-09-07 | 2 files | -46/+0
* Increase our minimum LibreSSL. (#7571) | Alex Gaynor | 2022-09-07 | 1 file | -7/+0
  OpenBSD 7.0 ships 3.4, and Alpine 3.14 ships 3.3.6.
* Drop OpenSSL 1.1.0 (#7570) | Alex Gaynor | 2022-09-07 | 3 files | -29/+1
  There are still a few TODOs for cleanup. Refs #7109
* reopen main for 39 dev (#7568) | Paul Kehrer | 2022-09-07 | 1 file | -1/+1
* version bump for 38 release (#7567) [tag: 38.0.0] | Paul Kehrer | 2022-09-06 | 1 file | -1/+1
* support setting more PKCS12 serialization encryption options (#7560) | Paul Kehrer | 2022-09-05 | 3 files | -6/+149
  * support setting more PKCS12 serialization encryption options
    This is limited support, but makes it possible to set two different PBES choices as well as set KDF rounds and MAC algorithm
  * Apply suggestions from code review
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
  * review feedback redux
  * Update docs/hazmat/primitives/asymmetric/serialization.rst
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
  Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* add AES128/AES256 classes (#7542) | Paul Kehrer | 2022-08-26 | 3 files | -6/+38
  These let developers be more explicit about the allowable key lengths for an AES key and make auditing the codebase a bit easier. But that's not really why we're adding them. In some upcoming serialization features we need to be able to specify AES 128 vs AES 256 and the current class doesn't work for that since it computes key length from the key you provide it when instantiating the class. That's incompatible with serialization where the key is derived later in the process. C'est la vie.
* PoC for making key serialization more configurable (#7520) | Alex Gaynor | 2022-08-22 | 4 files | -5/+74
* Fix issue #7513 - parsing of RFC4514 strings should reverse the order of RDNs (#7514) | Alexandre Machado | 2022-08-16 | 1 file | -1/+9
  * Fix issue #7513 - parsing of RFC4514 strings should reverse the order of RDNs
  * Solving code formatting issues
  * Adding comment justifying the reversal of rdns on the RFC4514 parser
  * Comment changes on CHANGELOG.rst
  * fixing a typo on method link at CHANGELOG.rst
  * Removing reference to protected class _RFC4514NameParser from CHANGELOG.rst
  Co-authored-by: Alexandre Machado <alexandre@softnex.com.br>
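The reversal the commit above refers to comes from RFC 4514 §2.1: the string form lists RDNs starting from the most specific one (`CN=leaf,OU=ops,O=Example`), while the ASN.1 `Name` SEQUENCE that actually appears in a certificate is ordered root-first (`O=Example`, `OU=ops`, `CN=leaf`). A parser that forgets to reverse produces a `Name` that compares unequal to the issuer it is meant to match. The following is an added example written for this page, not pyca/cryptography's `_RFC4514NameParser`; the function names and the tuple-based RDN representation are this example's own.

```python
"""RFC 4514 string <-> ASN.1-ordered RDN list, with the RDN order reversal made explicit.

Added example; not code from pyca/cryptography. An RDN is modelled as a tuple of
(attribute type, value) pairs so that multi-valued RDNs (joined with '+') round-trip.
"""
import string
from typing import List, Tuple

RDN = Tuple[Tuple[str, str], ...]

# Characters that may follow a backslash as a literal escape (RFC 4514 section 3).
_ESCAPABLE = set(' "#+,;<=>\\')


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep` but never on a separator protected by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair for _unescape
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Decode '\\<special>' and '\\XX' hex-pair escapes; hex pairs are UTF-8 bytes."""
    buf = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "\\":
            buf += ch.encode("utf-8")
            i += 1
            continue
        nxt = value[i + 1:i + 2]
        if nxt in _ESCAPABLE:
            buf += nxt.encode("utf-8")
            i += 2
            continue
        pair = value[i + 1:i + 3]
        if len(pair) == 2 and all(c in string.hexdigits for c in pair):
            buf.append(int(pair, 16))
            i += 3
            continue
        raise ValueError(f"invalid escape sequence at offset {i} in {value!r}")
    return buf.decode("utf-8")


def parse_rfc4514(name: str) -> List[RDN]:
    """Return the RDNs in ASN.1 SEQUENCE order, i.e. reversed relative to the string."""
    rdns: List[RDN] = []
    for rdn_text in _split_unescaped(name, ","):
        if not rdn_text:
            raise ValueError("empty RDN in distinguished name")
        attrs = []
        for atv in _split_unescaped(rdn_text, "+"):
            typ, eq, raw = atv.partition("=")
            if not eq or not typ.strip():
                raise ValueError(f"malformed attribute type and value: {atv!r}")
            attrs.append((typ.strip(), _unescape(raw)))
        rdns.append(tuple(attrs))
    rdns.reverse()  # RFC 4514 section 2.1: string order is the reverse of the SEQUENCE
    return rdns


def _escape(value: str) -> str:
    """Escape a value for output (RFC 4514 section 2.4)."""
    out = []
    for idx, ch in enumerate(value):
        leading = idx == 0
        trailing = idx == len(value) - 1
        if ch in '"+,;<>\\' or (ch == "#" and leading) or (ch == " " and (leading or trailing)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:  # control characters go out as hex pairs
            out.append("".join(f"\\{b:02X}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def to_rfc4514(rdns: List[RDN]) -> str:
    """Inverse of parse_rfc4514: emit the most specific RDN first."""
    return ",".join(
        "+".join(f"{typ}={_escape(val)}" for typ, val in rdn) for rdn in reversed(rdns)
    )
```

`parse_rfc4514("CN=leaf,OU=ops,O=Example")` yields `[(("O", "Example"),), (("OU", "ops"),), (("CN", "leaf"),)]`, which is the order you would compare against a certificate's `issuer`; `to_rfc4514` reverses again so the round trip is stable.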
* use the correct way of detecting backend feature (#7509) | Alex Gaynor | 2022-08-15 | 1 file | -2/+3
* try `EVP_CIPHER_fetch` since `EVP_get_cipherbyname` is deprecated in GetCipherByName (#7503) | Weizheng Xu | 2022-08-15 | 1 file | -1/+16
* KBKDF: add CounterLocation.MiddleFixed (#7489) | Jean Paul Galea | 2022-08-15 | 1 file | -6/+45
  * KBKDF: add CounterLocation.MiddleFixed
  * tests_kbkdf: add new tests
    - Test CounterLocation.MiddleFixed and blocation=
  * test_kbkdf_vectors: make use of MIDDLE_FIXED
  * docs: document KBKDF CounterLocation.MiddleFixed
  * s/blocation/break_location/g
  * CHANGELOG: document KBKDF{HMAC,CMAC} CounterLocation.MiddleFixed #7489
  * kbkdf: fixed is static across n iterations, only the counter changes
  * kbkdf: check break_location is 0..len(fixed)
    - Update tests to assert exception is raised when break_location < 0 or > len(fixed)
    - When asserting for "break_location is ignored when MiddleFixed", use break_location=0 instead of =10, to ensure we don't raise because of break_location > len(fixed)
    - Assert that the right error messages are returned to the user.
  * kbkdf: keyword-only break_location
  * docs: document kw-only KBKDF{HMAC,CMAC}
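In SP 800-108 counter mode the PRF input is a counter plus a block of fixed data (conventionally `Label || 0x00 || Context || [L]_2`) that, as the commit notes, does not change across iterations; only the counter moves. "Before", "after" and "middle" therefore just describe where the counter is spliced into that fixed block, and `break_location` is the byte offset for the middle case, which is why it must lie in `0..len(fixed)`. The following is an added example on top of Python's stdlib `hmac`, not pyca/cryptography's `KBKDFHMAC`; the `CounterLocation` names and the `break_location` keyword come from the commit, everything else (function names, the `fixed` argument, the `rlen` counter width) is this example's own.

```python
"""SP 800-108 KDF in counter mode with a configurable counter position.

Added example using only the standard library; it is not pyca/cryptography's KBKDFHMAC.
"""
import enum
import hashlib
import hmac
from typing import Optional


class CounterLocation(enum.Enum):
    BeforeFixed = "before"
    AfterFixed = "after"
    MiddleFixed = "middle"


def sp800_108_fixed(label: bytes, context: bytes, length: int) -> bytes:
    """Conventional fixed input: Label || 0x00 || Context || [L]_2, with L in bits."""
    return label + b"\x00" + context + (length * 8).to_bytes(4, "big")


def kbkdf_hmac_counter(
    key: bytes,
    length: int,
    fixed: bytes,
    *,
    hash_name: str = "sha256",
    rlen: int = 4,
    location: CounterLocation = CounterLocation.BeforeFixed,
    break_location: Optional[int] = None,
) -> bytes:
    """Derive `length` bytes: K(i) = HMAC(key, fixed with [i]_2 spliced in at `location`)."""
    if location is CounterLocation.MiddleFixed:
        if break_location is None:
            raise ValueError("break_location is required for MiddleFixed")
        if not 0 <= break_location <= len(fixed):
            raise ValueError("break_location must be between 0 and len(fixed) inclusive")
    # For BeforeFixed/AfterFixed break_location is simply ignored.
    if not 1 <= rlen <= 4:
        raise ValueError("rlen (counter width in bytes) must be 1..4")
    prf_len = hashlib.new(hash_name).digest_size
    n = -(-length // prf_len)  # ceil(length / h), number of PRF invocations
    if n > 2 ** (8 * rlen) - 1:
        raise ValueError("requested length exceeds the counter range")
    out = bytearray()
    for i in range(1, n + 1):
        counter = i.to_bytes(rlen, "big")
        if location is CounterLocation.BeforeFixed:
            data = counter + fixed
        elif location is CounterLocation.AfterFixed:
            data = fixed + counter
        else:
            data = fixed[:break_location] + counter + fixed[break_location:]
        out += hmac.new(key, data, hash_name).digest()
    return bytes(out[:length])
```

Two consequences worth checking when you integrate the middle position: `break_location=0` must produce exactly the BeforeFixed output and `break_location=len(fixed)` exactly the AfterFixed output, and any other offset produces a different key stream, so both sides of a protocol have to agree on the offset as well as on the fixed data.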
* remove bizarre dead code (#7444) | Alex Gaynor | 2022-07-22 | 1 file | -3/+1
* feat: drop max password length of 72 characters from 'serialize_ssh_private_key' (#7439) | Andrew Pantuso | 2022-07-20 | 1 file | -6/+0
* Added FixedPool abstraction for use in optimizing various types (#7303) | Alex Gaynor | 2022-07-16 | 1 file | -0/+16
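The FixedPool commits (this one, and the ChaCha20Poly1305 speedup and `destroy` removal above) describe an object pool with a single fixed creator: expensive per-key setup is done once, a ready object is handed to each caller, a fresh one is built only when the pool is empty so concurrent callers never share state, and objects are simply dropped rather than explicitly destroyed. The following is an added example of that pattern written for this page; it is not pyca/cryptography's `FixedPool`, and it uses a keyed `hmac` template (copied per message, so the key schedule is reused) as the stand-in for the library's cipher contexts. The `create` callable, `acquire()` context manager, `max_idle` bound and `created` counter are this example's own.

```python
"""Fixed-creator object pool with a pooled keyed-HMAC template as the worked use case.

Added example; not pyca/cryptography's FixedPool.
"""
import collections
import contextlib
import hashlib
import hmac
import threading
from typing import Callable, Deque, Generic, Iterator, TypeVar

T = TypeVar("T")


class FixedPool(Generic[T]):
    """Lend out objects built by one fixed `create` callable; build more only on demand."""

    def __init__(self, create: Callable[[], T], max_idle: int = 8) -> None:
        self._create = create
        self._max_idle = max_idle
        self._idle: Deque[T] = collections.deque()
        self._lock = threading.Lock()
        self.created = 0  # how many objects were actually constructed

    @contextlib.contextmanager
    def acquire(self) -> Iterator[T]:
        with self._lock:
            if self._idle:
                obj = self._idle.pop()
            else:
                obj = self._create()
                self.created += 1
        try:
            yield obj  # exclusively owned by the caller until the with-block exits
        finally:
            with self._lock:
                if len(self._idle) < self._max_idle:
                    self._idle.append(obj)
                # else: let it be garbage collected; no explicit destroy step


def make_hmac_pool(key: bytes) -> "FixedPool[hmac.HMAC]":
    """The keyed template is the per-key setup we want to pay for once."""
    return FixedPool(lambda: hmac.new(key, digestmod=hashlib.sha256))


def mac_with_pool(pool: "FixedPool[hmac.HMAC]", message: bytes) -> bytes:
    """MAC one message using a pooled template; the template itself is never mutated."""
    with pool.acquire() as template:
        h = template.copy()
        h.update(message)
        return h.digest()


def reference_mac(key: bytes, message: bytes) -> bytes:
    """Plain one-shot HMAC for comparison."""
    return hmac.new(key, message, hashlib.sha256).digest()
```

Sequential callers keep reusing the single pooled object (`created` stays at 1), while a nested or concurrent `acquire()` forces a second object rather than handing the same one out twice; that exclusivity is what makes pooling safe for stateful cipher or MAC contexts.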
* fix copyright year (#7366) | Alex Gaynor | 2022-06-22 | 1 file | -1/+1
* Bind functions for dealing with sigalgs (#7349) | Jean-Daniel | 2022-06-19 | 1 file | -0/+7
  Fixes https://github.com/pyca/cryptography/issues/7336
* Expose SSL_OP_IGNORE_UNEXPECTED_EOF (#7321) | dreid | 2022-06-08 | 1 file | -0/+9
  * Expose SSL_OP_IGNORE_UNEXPECTED_EOF
    Expose SSL_OP_IGNORE_UNEXPECTED_EOF. https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html#:~:text=this%20by%20default.-,SSL_OP_IGNORE_UNEXPECTED_EOF,-Some%20TLS%20implementations
  * Make this conditional.
  * Add to _conditionals.py
* X.509/Certificate: Add `tbs_precertificate_bytes` property (#7279) | William Woodruff | 2022-05-31 | 2 files | -0/+8
  * Add `tbs_precertificate_bytes` property
  * docs/x509: document `tbs_precertificate_bytes`
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * tests/x509: add two trivial tests
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * x509/base: fix lint
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * oid: add CERTIFICATE_TRANSPARENCY (1.3.6.1.4.1.11129.2.4.4)
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * hazmat/oid: rehome CERTIFICATE_TRANSPARENCY under ExtendedKeyUsageOID
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * docs/x509: fix link, help the spellchecker
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * x509: Raise ValueError when we can't filter SCT list extension
  * tests: Expect a `ValueError` when accessing `tbs_precertificate_bytes` in default example
  * tests, vectors: Add TBS precert vector for test comparison
  * docs/x509: document the `CERTIFICATE_TRANSPARENCY` OID
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * docs/x509: elaborate `tbs_precertificate_bytes`
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * rust/x509: remove unused OID
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * x509/certificate: tweak error
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * tests/x509: reorganize
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * Update src/rust/src/x509/certificate.rs
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
  * tests/x509: more reorg, rename
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * docs: document new testvector
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * docs: coax the spellchecker
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * tests/x509: use a cert that doesn't require SHA-1
    Signed-off-by: William Woodruff <william@trailofbits.com>
  * tests/x509: test for no extensions at all
    Signed-off-by: William Woodruff <william@trailofbits.com>
  Co-authored-by: Alex Cameron <asc@tetsuo.sh>
  Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* lazily initialize blinding (#7292) | Paul Kehrer | 2022-05-31 | 1 file | -6/+25
* Deprecate support for MD5 and SHA1 signatures in X.509 (#7283) | Alex Gaynor | 2022-05-28 | 1 file | -0/+1
* new alpine new python (#7280) | Alex Gaynor | 2022-05-28 | 1 file | -1/+3
  * new alpine new python
  * Update ci.yml
  * Fix for fedora
* Remove register_interface, which was basically unused (#7234) | Alex Gaynor | 2022-05-27 | 1 file | -23/+0
  * Remove register_interface, which was basically unused
  * Remove now unused verify_interface
* CT: `extensions` -> `extension_bytes` (#7238) | William Woodruff | 2022-05-19 | 1 file | -1/+1
  Signed-off-by: William Woodruff <william@trailofbits.com>
* CT: add `SignedCertificateTimestamp.extensions` (#7237) | William Woodruff | 2022-05-20 | 1 file | -0/+6
  Signed-off-by: William Woodruff <william@trailofbits.com>
* x509: fix SignedCertificateTimestamp interface (#7235) | William Woodruff | 2022-05-18 | 1 file | -1/+1
  This didn't get renamed correctly in the last PR.
  Signed-off-by: William Woodruff <william@yossarian.net>
* x509/CT: expose more SCT internals (#7207) | William Woodruff | 2022-05-13 | 1 file | -0/+34
  * WIP
  * x509: remove TBS work for now
    Signed-off-by: William Woodruff <william@yossarian.net>
  * CT: flake8
    Signed-off-by: William Woodruff <william@yossarian.net>
  * CT: remove TODO, add links
    Signed-off-by: William Woodruff <william@yossarian.net>
  * CT/SCT: strong enums for HashAlgorithm and SignatureAlgorithm
    Signed-off-by: William Woodruff <william@yossarian.net>
  * tests: add SCT hash/signature algorithm tests
    Signed-off-by: William Woodruff <william@yossarian.net>
  * tests: fix SignatureAlgorithm test, add signature contents test
    Signed-off-by: William Woodruff <william@yossarian.net>
  * rust: unit tests for {Hash,Signature}Algorithm
    Signed-off-by: William Woodruff <william@yossarian.net>
  * x509/sct: code coverage shenanigans
    Signed-off-by: William Woodruff <william@yossarian.net>
  * asn1, sct: pesky coverage
    Signed-off-by: William Woodruff <william@yossarian.net>
  * x509/sct: simplify parsing
    Signed-off-by: William Woodruff <william@yossarian.net>
  * docs: document new SCT APIs
    Signed-off-by: William Woodruff <william@yossarian.net>
  * docs: add refs to RFC 5246
    Signed-off-by: William Woodruff <william@yossarian.net>
  * SCT: forbid nonsense hash and signature algos
    No tests, yet.
    Signed-off-by: William Woodruff <william@yossarian.net>
  * tests: add invalid hash/sig algo tests
    Signed-off-by: William Woodruff <william@yossarian.net>
  * sct: remove ToAttr trait
    Inline impl into each struct's impl.
    Signed-off-by: William Woodruff <william@yossarian.net>
  * sct: remove invalid hash/sig variants
    These should never appear in the context of SCTs.
    Signed-off-by: William Woodruff <william@yossarian.net>
  * sct: collapse matches
    Handle invalid/unknown variants together.
    Signed-off-by: William Woodruff <william@yossarian.net>
  * tests: update SCT tests
    Signed-off-by: William Woodruff <william@yossarian.net>
  * sct: add a TODO
    Signed-off-by: William Woodruff <william@yossarian.net>
  * sct: return a primitives.hashes object instead of a custom enum
    Signed-off-by: William Woodruff <william@yossarian.net>
  Co-authored-by: Alex Cameron <asc@tetsuo.sh>
* add binding for PKCS12_set_mac (#7217) | Paul Kehrer | 2022-05-12 | 1 file | -0/+5
  OpenSSL 3 changed the default MAC to sha256, which is fine and good except Windows Server 2016 can't handle that so we need to build some APIs allowing worse things and name them scary legacy names.
* Instead of ignoring _openssl with mypy, use a pyi (#7177) | Alex Gaynor | 2022-05-02 | 1 file | -0/+8
* Add license headers to files that need them (#7170) | Alex Gaynor | 2022-05-01 | 4 files | -0/+16
* Move _CRLREASONFLAGS to be in a sensible place (#7167) | Alex Gaynor | 2022-05-01 | 2 files | -18/+11
* Allow loading of RSA-PSS public keys (#7162) | Paul Kehrer | 2022-04-30 | 1 file | -0/+13
  This does not enforce PSS constraints and instead loads them as normal RSA public keys, similar to the support we added for private keys.
  fixes #4858