path: root/src/cryptography
Commit message | Author | Age | Files | Lines
...
* Fixes #7127 -- added attr_name_overrides on from_rfc4514_string (#7160) | Alex Gaynor | 2022-04-30 | 1 | -4/+13
|
* add a constant for pyOpenSSL with OpenSSL 3 (#7156) | Paul Kehrer | 2022-04-30 | 1 | -0/+7
|
* Migrate ObjectIdentifier to Rust (#7153) | Alex Gaynor | 2022-04-30 | 2 | -64/+10
|
* Allow Fernet decryption to accept string tokens (#7116) | Robert Coup | 2022-04-29 | 1 | -8/+16
|   * tests: better testid generation for fernet vectors
|     Use the vector filename and array index for the pytest id rather than a concatenation of the vector content.
|     eg: `tests/test_fernet.py::TestFernet::test_invalid[invalid.json:2]`
|   * (Multi)Fernet: allow str tokens for decryption
|     Remove some developer friction by allowing string tokens to be passed to Fernet decryption methods.
|     Because a valid token as generated by `Fernet.encrypt()` is url-safe base64-encoded, a non-ASCII token is definitely invalid. The stdlib base64 function already accepts and checks ASCII str values so delegate to that.
|   * Kick CI
* Fix parsing of priv keys via pub key APIs to error properly in ossl3 (#7132) | Paul Kehrer | 2022-04-27 | 1 | -2/+19
|   In OpenSSL 3.0.x the PEM_read_bio_PUBKEY function will invoke the default password callback if you pass an encrypted private key. This is very, very, very bad as the default callback can trigger an interactive console prompt, which will hang the Python process. We therefore provide our own callback to catch this and error out properly.
* Add typings to default_backend() (#7131) | Nicolas Haller | 2022-04-27 | 1 | -1/+2
|   This commit adds back a return type for default_backend, so mypy would consider this function typed.
* final deprecation warnings for 1.1.0 (#7123) | Paul Kehrer | 2022-04-26 | 1 | -1/+1
|
* reopen for 38 development (#7118) | Paul Kehrer | 2022-04-26 | 1 | -1/+1
|
* version bump for 37 release (#7085) (tag: 37.0.0) | Paul Kehrer | 2022-04-26 | 1 | -1/+1
|
* Load RSA PSS keys as regular RSA keys (#7112) | Paul Kehrer | 2022-04-26 | 1 | -0/+19
|   * RSA PSS openssl constant
|   * load PSS keys (OpenSSL only) but strip the constraints
|   * empty commit for CI, sigh
|   * review feedback
|   * nit
* Be clear that OpenSSL 1.1.0 is going bye bye (#7108) | Alex Gaynor | 2022-04-22 | 1 | -2/+2
|
* added octet string tag (#7106) | Alex Gaynor | 2022-04-22 | 1 | -0/+1
|   fixes #7104
* fixes #7081 -- correctly handle escape sequences in RFC4514 strings (#7083) | Alex Gaynor | 2022-04-16 | 1 | -18/+12
|   * fixes #7081 -- correctly handle escape sequences in RFC4514 strings
|   * Fix multi-digit OID arc parsing
* Add support for PSS.AUTO and PSS.DIGEST_LENGTH (#7082) | Paul Kehrer | 2022-04-16 | 2 | -7/+36
|   * add PSS auto support for verification
|   * add support for PSS.DIGEST_LENGTH
|   * review comments
* check for invalid keys that RSA_check_key misses (#7080) | Paul Kehrer | 2022-04-16 | 1 | -0/+12
|   * check for invalid keys that RSA_check_key misses
|     RSA_check_key checks for primality but that fails to catch this case since 2 is prime. Instead we fetch p and q and verify that they are odd and if not reject the key as invalid.
|   * circleci sucks
* Implement a parser for RFC4514 strings (#7055) | Alex Gaynor | 2022-04-16 | 1 | -0/+123
|   * Initial tests
|   * Implement. Required updating many many tests based on my read of the RFC. Should be reviewed closely.
|   * Fix for py36
|   * flake8
|   * Improve coverage on hypothesis test
|   * Remove bad assertion in hypothesis test
|   * Update docs
|   * fix docs
|   * Fixed unicode support
|   * review
|   * docs review
* Added a non-public API for setting the tag on an attribute (#7038) | Alex Gaynor | 2022-04-05 | 1 | -5/+21
|   fixes #6973
* serialize certs to pkcs7 (#7034) | Paul Kehrer | 2022-04-04 | 2 | -0/+56
|   * serialize certs to pkcs7
|   * missed assert
* make ExtensionTypeVar covariant (#7033) | Mathias Ertl | 2022-04-03 | 1 | -1/+3
|
* add TLSv1.3 PSKs function bindings (#7002) | 可可熊 | 2022-04-03 | 1 | -0/+13
|   * TLSv1.3 PSKs function bindings
|   * add PSK related functions to be conditional
|   * add Cryptography_SSL_SESSION_new to avoid namespace collision
|   Co-authored-by: d00624431 <dongpu1@huawei.com>
* SIV support (#7029) | Paul Kehrer | 2022-04-02 | 3 | -10/+127
|   * SIV support
|   * empty commit to see if codecov sees the 3.0 coverage this time
* small refactors for upcoming SIV support (#7028) | Paul Kehrer | 2022-04-02 | 2 | -15/+17
|   use f strings (why not) and internally use lists for processing AD
* add new bindings for OpenSSL 3.0.0 cipher fetching/freeing (#7027) | Paul Kehrer | 2022-04-03 | 1 | -0/+5
|
* we documented this as 2**31 - 1, enforce it at the right spot (#7025) | Paul Kehrer | 2022-04-02 | 1 | -8/+8
|   it was previously enforced by cffi since the underlying CipherUpdate calls use a 32-bit signed integer. We added our own checks in #4322 so that we could test it without using crazy amounts of RAM, but set the wrong limits. Whoops.
* fixes #7005 -- check if public keys are at infinity earlier (#7020) | Alex Gaynor | 2022-04-02 | 1 | -0/+13
|   to infinity, and beyond!
* support 12-15 byte nonce sizes in OCB3 (#7011) | Paul Kehrer | 2022-03-29 | 1 | -2/+2
|   * support 12-15 byte nonce sizes in OCB3
|   * Update tests/hazmat/primitives/test_aead.py
|     Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|   Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Serialize PKCS12 CA alias/friendlyName (#6910) | ajoino | 2022-03-29 | 2 | -4/+31
|   * PKCS12 serialization wrapper supports PKCS12Certificate cas
|   * Added code from Felix's gist to serialize_key_and_certificate_to_pkcs12. Doesn't break current behaviour/tests, need to write validate new behaviour, write tests, and format code.
|   * Simplified instance check
|   * Tried to write tests, but I cannot figure out how to read the friendlyName from parsed_more_certs.
|   * Fixed test function and renamed it.
|   * Fixed formatting.
|   * Committing before trying black
|   * Formatted updates to make flake8 and black happy.
|   * Fixed first review comments.
|   * remove forgotten print statement
|   * use backend.openssl_assert instead of if ...
|   * Documented changes.
|   * Updated documentation.
* Try removing the SSL_library_init call in initialization (#6986) | Alex Gaynor | 2022-03-21 | 1 | -2/+0
|   I'm reasonably certain it's not required in recent OpenSSL's
* enforce that GeneralSubtrees for NameConstraints must be None or non-empty (#6983) | Alex Gaynor | 2022-03-20 | 1 | -0/+8
* Dedicated check for signature hash algorithms (#6931) | Christian Heimes | 2022-03-18 | 1 | -2/+12
|   * Dedicated check for signature hash algorithms
|     Move the check for FIPS mode and blocked SHA1 signature algorithm into the backend code. Some distros will block SHA1 for RSA signatures in the near future. The new ``signature_hash_supported()`` method will allow us to flip the switch in one place.
|     Note: The ban of SHA1 signatures does not affect MGF1's inner hash algorithm.
|     Signed-off-by: Christian Heimes <christian@python.org>
|   * Address flake issues
|   * Update src/cryptography/hazmat/backends/openssl/backend.py
* Remove initialization call that's not required in 1.1.0+ (#6952) | Alex Gaynor | 2022-03-13 | 1 | -2/+0
|
* Convert some old-style formatting to f strings (#6945) | Alex Gaynor | 2022-03-13 | 4 | -16/+14
|
* fixes #6927 -- handle negative return values from openssl (#6928) | Alex Gaynor | 2022-03-04 | 1 | -1/+1
|
* Added OID for #6920 (#6925) | sanchayanghosh | 2022-03-03 | 1 | -0/+1
|   * Added OID
|   * Added to documentation for IPSec SAs
|   * Update docs/x509/reference.rst to correct the version change.
|     Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
|   Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
* fixes #6809 -- deprecate 4 legacy ciphers (#6922) | Alex Gaynor | 2022-03-02 | 2 | -7/+47
|
* Disable DSA tests in FIPS mode (#6916) | Christian Heimes | 2022-03-03 | 1 | -0/+5
|   * Disable DSA tests in FIPS mode
|     See: #6880
|   * ignore coverage for nested FIPS check
|   * Remove if branch
|   * Remove skip modulus branch
|   * Keep tests that don't use the backend
* refactor utils.deprecated to be more mypy friendly (#6923) | Alex Gaynor | 2022-03-03 | 1 | -2/+7
|   * refactor utils.deprecated to be more mypy friendly
|   * Poke for CI
* Begin deprecation process for Python 3.6 (#6913) | Alex Gaynor | 2022-03-01 | 1 | -0/+12
|
* allow ed pk12, better tests (#6865) | whiteowl3 | 2022-02-27 | 1 | -1/+6
|   * don't block pk12 serialization of ed pairs
|   * mimic test_ec curve skipping to satisfy alpine ci
* Don't explicitly define __ne__ any longer (#6908) | Alex Gaynor | 2022-02-27 | 10 | -195/+0
|   At some point it gained a default that was the same as what we were implementing.
* Add types for padding.PSS class. (#6882) | Jonathan Slenders | 2022-02-23 | 2 | -13/+22
|
* Block TripleDES in FIPS mode (#6879) | Christian Heimes | 2022-02-22 | 1 | -7/+6
|   * Block TripleDES in FIPS mode
|     NIST SP-800-131A rev 2 lists TripleDES Encryption as disallowed in FIPS 140-3 decryption as legacy use. Three-key TDEA is listed as deprecated throughout 2023 and disallowed after 2023.
|     For simplicity we block all use of TripleDES in FIPS mode.
|     Fixes: #6875
|     Signed-off-by: Christian Heimes <christian@python.org>
|   * Fix flake
* Make a branch more specific now that libressl 3.4 is out (#6876) | Alex Gaynor | 2022-02-16 | 1 | -2/+1
|
* refs #6835 -- added oid constants for SHA3 signatures (#6850) | Alex Gaynor | 2022-02-07 | 1 | -0/+8
|
* Remove explicit subclassing of object now that all classes are new-style (#6830) | Alex Gaynor | 2022-01-30 | 26 | -68/+68
|   As someone who first with Python in 2.4 or so, this habit is going to be hard to break.
* Format for new black (#6828) | Alex Gaynor | 2022-01-29 | 8 | -12/+12
|
* Basic support for multiple SINGLERESP messages in one OCSP response, take 2 (#6410) | turettn | 2022-01-03 | 1 | -0/+66
|   * OCSP responses can contain multiple SINGLERESPs
|     Instead of throwing an exception when encountering an OCSP response with multiple SINGLERESPs, throw the exception when attempting to pull a single structure if multiple are present.
|     Add a response_iter property to the OCSP Response object, which allows for iteration through all the SINGLERESPs, and properties to be individually accessed for each.
|   * Small fixes to OCSP multiple response handling. Squash eventually
|   * Docs updates. Should be squashed
|   * Get rid of mutating iterator, replace with separate return object
|   * Fix versionadded strings in docs
|   * Cleanup docs & python bindings.
* type a context manager and its helper (#6781) | Paul Kehrer | 2022-01-03 | 1 | -2/+2
|   * type a context manager and its helper
|   * untype this since it also takes a cffi object
* more pointless typing to improve metrics (#6780) | Paul Kehrer | 2022-01-03 | 1 | -13/+20
|   * more pointless typing to improve metrics
|   * Apply suggestions from code review
|     Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|   * black
|   Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* more internal typing for ssh (#6779) | Paul Kehrer | 2022-01-03 | 1 | -25/+63
|