path: root/src
Commit message  Author  Age  Files  Lines
...
* test FIPS mode on centos8 (#5323)  Paul Kehrer  2020-07-20  2 files, -1/+73
    * test FIPS mode on centos8
    * remove branch we don't take
    * simpler
    * better comment
    * rename
    * revert some things that don't matter
    * small cleanups
* PKCS12 support (#5325)  Paul Kehrer  2020-07-20  2 files, -0/+92
    * generate_pkcs12 (#4952)
    * pkcs12 support
    * simplify
    * remove fixtures
    * reorg and other improvements. memleak check
    * ugh
    * more fixes
    * last changes hopefully
    Co-authored-by: Tomer Shalev <tshalev@proofpoint.com>
* fix grammar in error message (#5322)  Alex Gaynor  2020-07-19  1 file, -1/+1
* disable the osrandom engine on 1.1.1d+ (#5317)  Paul Kehrer  2020-07-19  4 files, -6/+16
    * disable the osrandom engine on 1.1.1d+
    * skip (and run) some tests on 1.1.1d+
    * simplify our conditionals
    * Update src/_cffi_src/openssl/src/osrandom_engine.c
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
    * words
    * more words
    * language
    * get coverage more cleverly
    * a word
    * Update .github/workflows/ci.yml
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* test exceptions and properly reject duplicate attributes in csrbuilder (#5319)  Paul Kehrer  2020-07-18  1 file, -0/+9
* Implement __deepcopy__ for x509 certificates (#5318)  Alex Gaynor  2020-07-18  1 file, -0/+3
    fixes #5129
* raise a valueerror on multi-SINGLERESP valued OCSP responses (#5316)  Paul Kehrer  2020-07-18  1 file, -3/+7
    InternalErrors are bad when we know they're reachable
* support encoding attributes via CertificateSigningRequestBuilder (#5315)  Paul Kehrer  2020-07-18  3 files, -5/+33
    * support encoding attributes via CertificateSigningRequestBuilder
    * use a constant. now you know what 12 means!
    * pep8
* change KeyUsage repr to be less confusing (#5314)  Paul Kehrer  2020-07-18  1 file, -2/+5
    fixes #5127
* support unstructured name x509 attributes (#5313)  Paul Kehrer  2020-07-18  1 file, -0/+3
* fix indexing on X509 request attribute value (#5312)  Paul Kehrer  2020-07-18  2 files, -2/+7
* Avoid passing the wrong size to strncpy - simply use strcpy (#5311)  Alex Gaynor  2020-07-18  1 file, -1/+1
    We have already validated that `p` is large enough to store `name`. In `strncpy` the `len` parameter should generally be the length of the target buffer, not the source buffer.
* Add support for IBM z/OS (#5304)  Steven Pitman  2020-07-15  3 files, -3/+24
* remove NPN bindings -- you should be using ALPN! (#4765)  Paul Kehrer  2020-07-05  1 file, -19/+1
    * remove NPN bindings -- you should be using ALPN!
    pyOpenSSL consumed these, but we've marked it as deprecated and it already handles the case where the bindings are not available.
    * set Cryptography_HAS_NEXTPROTONEG to 0 for pyOpenSSL
    we can remove this symbol in like...5 years.
    * remove another NPN related definition
    * suspicious
    * Revert "remove another NPN related definition"
    This reverts commit d872a7d1d776858c77b8c607f63cc9b5fef1ae39.
    Revert "suspicious"
    This reverts commit 5b767484f1cde132f686600a46e61a18e33cbdae.
* support x509 request challenge password parsing (#4944)  Paul Kehrer  2020-07-05  4 files, -3/+57
    * support x509 request challenge password parsing
    * switch to a more generic (but not too generic) attribute parsing
    * make it raise a valueerror
    * Update tests/x509/test_x509.py
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* support 4096 bit DSA parsing from numbers classes (#5301)  Paul Kehrer  2020-07-05  2 files, -4/+8
    * support 4096 bit DSA parsing from numbers classes
    * need to get local linting fixed.
    * reorder
    * add a link to more reasons why DSA sucks
* Enforce that X.509 versions are valid on parse. (#5299)  Alex Gaynor  2020-07-05  1 file, -13/+13
    Closes #5290
* Support parsing SCTs in OCSPResponse (#5298)  Paul Kehrer  2020-07-05  5 files, -7/+88
    * Support parsing SCTs in OCSPResponse
    * s/typically/only and pep8
    * remove unused vector
    Co-authored-by: Szilárd Pfeiffer <szilard.pfeiffer@balasys.hu>
* add SubjectInformationAccess extension support (#5295)  Paul Kehrer  2020-07-02  5 files, -16/+64
    * add SubjectInformationAccess extension support
    * fixes
* constrain RSA key generation more heavily (#5288)  Paul Kehrer  2020-06-28  1 file, -5/+5
    * constrain RSA key generation more heavily
    * constraint to just 3 & 65537
    * explain change
* Disallow ttl=None in (Multi)Fernet.decrypt_at_time() (#5280)  Jakub Stasiak  2020-06-24  1 file, -2/+12
    * Disallow ttl=None in (Multi)Fernet.decrypt_at_time()

    Since the introduction of the _at_time() methods in #5256[1] there's been this little voice in the back of my mind telling me that maybe it's not the best idea to allow ttl=None in decrypt_at_time(). It's been like this for convenience and code reuse reasons.

    Then I submitted a patch for cryptography stubs in typeshed[2] and I had to decide whether to define decrypt_at_time()'s ttl as int and be incompatible with cryptography's behavior or Optional[int] and advertise an API that can be misused much too easily. I went ahead with int.

    Considering the above I decided to propose this patch. Some amount of redundancy (and a new test to properly cover the MultiFernet.decrypt_at_time() implementation) is a price to prevent clients from shooting themselves in the foot with the ttl=None gun since setting ttl to None disabled timestamp checks even if current_time was provided.

    [1] https://github.com/pyca/cryptography/pull/5256
    [2] https://github.com/python/typeshed/pull/4238

    * Actually test the return value here
    * Fix formatting
* Support OpenSSH private key serialization format (#5146)  Marko Kreen  2020-06-20  4 files, -152/+642
    * ssh.py contains load/serialize code.
    * Add PrivateFormat.OpenSSH to .private_bytes() format.
    * Add load_ssh_private_key().
    * Use new code for PublicFormat.OpenSSH too.
    * load_ssh_public_key() now supports reading signed public keys.
    * Supported algorithms: rsa, dsa, ec, ed25519.
    * Optional dependency on 'bcrypt' package via [ssh] extra
* Unify X.509 signature algorithm validation (#5276)  Marko Kreen  2020-06-14  2 files, -48/+17
    - Use common implementation
    - OCSP signing was using different validation
    - Check if private key is usable for signing
* Add a way to pass current time to Fernet (#5256)  Jakub Stasiak  2020-06-14  1 file, -7/+17
    * Add a way to pass current time to Fernet

    The motivation behind this is to be able to unit test code using Fernet easily without having to monkey patch global state.

    * Reformat to satisfy flake8
    * Trigger a Fernet.encrypt() branch missing from coverage
    * Revert specifying explicit current time in MultiFernet.rotate()

    Message's timestamp is not verified anyway since ttl is None.

    * Change the Fernet's explicit current time API slightly

    This has been suggested in code review.

    * Fix a typo
    * Fix a typo
    * Restore full MultiFernet test coverage and fix a typo
    * Restore more coverage

    time.time() is not called by MultiFernet.rotate() anymore so the monkey patching and lambda need to go, because the patched function is not used and coverage calculation will rightfully notice it.

    * Remove an unused import
    * Document when the *_at_time Fernet methods were added
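The two Fernet entries above (#5280, refusing ttl=None in decrypt_at_time(), and #5256, the explicit current_time parameter) both turn on how a Fernet token's timestamp is checked. The following is an added example, not code from the cryptography project: a stdlib-only re-implementation of the token layout (version byte, big-endian timestamp, IV, ciphertext, HMAC-SHA256 tag) that authenticates the tag and applies the ttl rule but never AES-decrypts the payload, so the IV and ciphertext bytes are constructed placeholders. The names make_token, verify_token, verify_token_at_time, outcome, demo and DEMO_KEY are chosen here; the 60-second future-skew allowance matches the one cryptography's Fernet applies. The "no_ttl" case is the footgun #5280 closes: with ttl=None the timestamp is never compared to current_time, so an hour-old token is accepted.

```python
import base64
import hashlib
import hmac
import struct
import time

# Future-timestamp allowance; cryptography's Fernet uses a 60 second skew as well.
MAX_CLOCK_SKEW = 60

# Constructed key for the demo only (32 bytes, url-safe base64); never use a fixed key.
DEMO_KEY = base64.urlsafe_b64encode(bytes(range(32)))


class InvalidToken(Exception):
    """Raised for any token that fails authentication or the timestamp rule."""


def _signing_key(key_b64):
    # A Fernet key is 32 url-safe base64 bytes: the first 16 sign, the last 16 encrypt.
    key = base64.urlsafe_b64decode(key_b64)
    if len(key) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return key[:16]


def make_token(key_b64, iv, ciphertext, timestamp):
    """Build version || timestamp || iv || ciphertext || HMAC, base64url encoded.

    iv and ciphertext are opaque here: nothing in this example encrypts or decrypts.
    """
    basic = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(_signing_key(key_b64), basic, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(basic + tag)


def verify_token(token, key_b64, ttl=None, current_time=None):
    """Authenticate the token and apply the ttl rule; return its timestamp.

    ttl=None skips the timestamp rule entirely, even when current_time is given.
    """
    if current_time is None:
        current_time = int(time.time())
    try:
        data = base64.urlsafe_b64decode(token)
    except (TypeError, ValueError):
        raise InvalidToken
    if len(data) < 1 + 8 + 16 + 32 or data[0] != 0x80:
        raise InvalidToken
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(_signing_key(key_b64), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise InvalidToken
    (timestamp,) = struct.unpack(">Q", data[1:9])
    if ttl is not None:
        if timestamp + ttl < current_time:
            raise InvalidToken  # expired
        if current_time + MAX_CLOCK_SKEW < timestamp:
            raise InvalidToken  # issued too far in the future
    return timestamp


def verify_token_at_time(token, key_b64, ttl, current_time):
    """The decrypt_at_time() shape after #5280: explicit time with no ttl is refused."""
    if ttl is None:
        raise ValueError("an explicit current_time requires a non-None ttl")
    return verify_token(token, key_b64, ttl, current_time)


def outcome(fn, *args, **kwargs):
    try:
        fn(*args, **kwargs)
    except InvalidToken:
        return "rejected"
    except ValueError:
        return "refused"
    return "accepted"


def demo():
    iv = b"\x11" * 16  # constructed; a real token carries a random IV
    ciphertext = b"\x22" * 32  # constructed; never decrypted in this example
    issued = 1_000_000
    token = make_token(DEMO_KEY, iv, ciphertext, issued)
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[10] ^= 0x01  # flip a bit inside the IV so the HMAC no longer matches
    tampered = base64.urlsafe_b64encode(bytes(raw))
    return {
        "fresh": outcome(verify_token, token, DEMO_KEY, ttl=60, current_time=issued + 30),
        "expired": outcome(verify_token, token, DEMO_KEY, ttl=60, current_time=issued + 3600),
        "future": outcome(verify_token, token, DEMO_KEY, ttl=60, current_time=issued - 3600),
        "no_ttl": outcome(verify_token, token, DEMO_KEY, ttl=None, current_time=issued + 3600),
        "tampered": outcome(verify_token, tampered, DEMO_KEY, ttl=60, current_time=issued + 30),
        "at_time_no_ttl": outcome(verify_token_at_time, token, DEMO_KEY, ttl=None, current_time=issued + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} {result}")
```

Passing a fixed current_time is what makes the expiry and future-skew branches unit-testable without monkey patching time.time(), which is the point of #5256; verify_token_at_time shows why that convenience needs the ttl guard from #5280.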
* Consistently use 'self' in backend.py (#5261)  Marko Kreen  2020-05-27  1 file, -6/+6
    There happens to be global var named 'backend' so backend._lib works, but is confusing.
* Cleanup serialize (#5149)  Marko Kreen  2020-05-25  10 files, -189/+104
    * Additional tests for public/private_bytes
    They expose a few places that raise TypeError and AssertionError! before, and ValueError later.
    * Cleanup of private_bytes() backend
    Also pass key itself down to backend.
    * Cleanup of public_bytes() backend
    * Test handling of unsupported key type
* Deprecate support for Python 2 (#5251)  Alex Gaynor  2020-05-16  1 file, -0/+12
* GOST certificates support in cryptography (#5195)  Nikolay Morozov  2020-05-08  1 file, -0/+25
* Remove dead constant time code (#5239)  Alex Gaynor  2020-04-26  3 files, -55/+0
* Added wycheproof RSA PKCSv1 encryption tests (#5234)  Alex Gaynor  2020-04-26  2 files, -0/+2
* Dropped support for LibreSSL 2.7, 2.8, and 2.9.0 (2.9.1+ are still supported) (#5231)  Alex Gaynor  2020-04-25  4 files, -43/+0
* add SSL_CTX_(get|set)_keylog_callback (#5187)  Maximilian Hils  2020-04-11  2 files, -0/+26
    * add SSL_CTX_(get|set)_keylog_callback
    * For travis
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* See if we can remove an OpenSSL 1.0.1 workaround (#5184)  Alex Gaynor  2020-04-06  1 file, -8/+0
* Removed deprecated behavior in AKI.from_issuer_subject_key_identifier (#5182)  Alex Gaynor  2020-04-05  2 files, -16/+1
* Replace floating point arithmetic with integer arithmetic (#5181)  Torin Carey  2020-04-04  2 files, -5/+2
* Drop support for OpenSSL 1.0.1 (#5178)  Alex Gaynor  2020-04-04  13 files, -326/+23
* reopen master for 3.0 dev (#5175)  Paul Kehrer  2020-04-02  1 file, -1/+1
* 2.9 version and changelog bump (#5172)  Paul Kehrer  2020-04-02  1 file, -1/+1
* Fixed error message in AES-CCM data length validation to reflect the error reason more accurately. (#5157)  Maciej Jurczak  2020-03-28  1 file, -1/+1
* Allow NameAttribute.value to be an empty string (#5109)  Andrea De Pasquale  2020-03-19  1 file, -3/+3
    * Allow NameAttribute.value to be an empty string
    RFC 4514 https://tools.ietf.org/html/rfc4514 does not mention that "AttributeValue" can not be an empty (zero-length) string.
    Fixes #5106
    * reverse order to match fix from another PR
    Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
* Reversed the order of RDNs in x509.Name.rfc4514_string() (#5120)  Thomas Erbesdobler  2020-03-02  1 file, -4/+8
    RFC4514 requires in section 2.1 that RDNs are converted to string representation in reversed order.
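The two Name entries above (#5109, empty AttributeValue; #5120, RDN order in rfc4514_string()) are both about the RFC 4514 string form. The following is an added example, not the cryptography project's code: a stdlib-only serializer and parser over a plain-tuple model of an X.500 Name (a list of RDNs in certificate order, root first; each RDN a list of (attribute type, value) pairs), standing in for x509.Name and RelativeDistinguishedName. It goes beyond the two entries in also applying the section 2.4 escaping rules (leading '#' or space, trailing space, the special characters, NUL as \00) and in parsing \hh hex escapes back as UTF-8 bytes. DEMO_NAME and the function names are chosen here; the round trip checks that reversing on output and again on input restores certificate order.

```python
# RFC 4514 string form of an X.500 Name, modelled with plain tuples (stand-in for
# cryptography's x509.Name / RelativeDistinguishedName). Certificate order is root
# first; the string form (section 2.1) lists the most specific RDN first.

_SPECIAL = '"+,;<>\\'

# Constructed sample name, certificate order (C first). The last RDN carries an
# empty value, which #5109 allows and which RFC 4514 does not forbid.
DEMO_NAME = [
    [("C", "US")],
    [("O", "Example, Inc.")],
    [("OU", "Sales"), ("CN", "J. Smith")],  # multi-valued RDN, joined with '+'
    [("CN", "#1 leader ")],                 # leading '#' and trailing space need escaping
    [("description", "")],
]


def _escape_value(value):
    """Section 2.4 escaping; an empty value stays empty."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def rfc4514_string(name):
    """Section 2.1: emit RDNs in reverse order, values escaped per section 2.4."""
    return ",".join(
        "+".join(f"{attr}={_escape_value(val)}" for attr, val in rdn)
        for rdn in reversed(name)
    )


def parse_rfc4514(text):
    """Parse back into certificate order, undoing both '\\x' and '\\hh' escapes."""
    if text == "":
        return []
    name, rdn, buf, attr = [], [], [], None
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            pair = text[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append(bytes([int(pair, 16)]))  # hex pairs are raw UTF-8 bytes
                i += 3
            elif i + 1 < len(text):
                buf.append(text[i + 1].encode("utf-8"))
                i += 2
            else:
                raise ValueError("dangling escape at end of string")
            continue
        if ch == "=" and attr is None:
            attr = b"".join(buf).decode("utf-8")
            buf = []
        elif ch in ",+":
            if attr is None:
                raise ValueError("attribute value without '='")
            rdn.append((attr, b"".join(buf).decode("utf-8")))
            buf, attr = [], None
            if ch == ",":
                name.append(rdn)
                rdn = []
        else:
            buf.append(ch.encode("utf-8"))
        i += 1
    if attr is None:
        raise ValueError("attribute value without '='")
    rdn.append((attr, b"".join(buf).decode("utf-8")))
    name.append(rdn)
    name.reverse()
    return name


if __name__ == "__main__":
    s = rfc4514_string(DEMO_NAME)
    print(s)
    print("round trip ok:", parse_rfc4514(s) == DEMO_NAME)
```

Comparing two names by their RFC 4514 strings only works if both sides apply the same ordering and escaping; a consumer that built the string before #5120 (root first) would compare unequal against one built after it, which is why a string produced by a different library should be parsed back into RDNs before comparison rather than compared textually.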
* Use literals for collections and comprehensions. (#5091)  Mads Jensen  2020-01-12  3 files, -4/+4
* Add pthread linking on non-win32 (#5086)  Alexander Grund  2019-12-23  1 file, -1/+4
    Required to link in static part of pthread, e.g. pthread_atfork
    Fixes https://github.com/pyca/cryptography/issues/5084
* Use dict literals. (#5080)  Mads Jensen  2019-12-02  1 file, -1/+1
* Fixes #5065 -- skip serialization tests which use RC2 if OpenSSL doesn't have RC2 (#5072)  Alex Gaynor  2019-11-25  1 file, -0/+9
    * Refs #5065 -- have a CI job with OpenSSL built with no-rc2
    * Fixes #5065 -- skip serialization tests which use RC2 if OpenSSL doesn't have RC2
* issue-5041: do not add extra flags when compiler or platform does not support them (#5042)  Michael Felt  2019-11-24  1 file, -1/+13
    * check for suitable compiler (platform) before adding special flags
    * pep8 corrections
    * later pep8 messages
    * add clang to auto accepted compilers
    * modify syntax so multi-line is accepted
* add SSL_get_verify_result (#5071)  Maximilian Hils  2019-11-23  1 file, -0/+1
* add SSL_CTX_get0_param (#5070)  Maximilian Hils  2019-11-22  2 files, -0/+3
* add SSL[_CTX]_clear_mode (#5062)  Maximilian Hils  2019-11-11  1 file, -0/+2
* Parse single_extensions in OCSP responses (#5059)  Paul Kehrer  2019-11-11  3 files, -1/+25
    * add single_extensions to OCSPResponse (#4753)
    * new vector, updated docs, more stringent parser, changelog, etc
    * simplify PR (no SCT for now)
    * add a comment
    * finish pulling out the sct stuff so tests might actually run