| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
The theory here is that we're already doing sufficient validation key loading, and this is purely duplicative.
Note that there's at least _some_ validationg that was previously occurring only ECDH, the LowOrderPublic check that can be seen in wycheproof.
|
| |
|
|
|
| |
this alters and renames the caching function a bit since it caches *to
the group* object but the actual values (in ECDH) come from the testcase
itself
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
* add support for centos9-fips
Requires a variety of new FIPS constraints on our tests, including the
addition of rsa_encryption_supported
* review comments
|
| | |
|
| | |
|
| | |
|
| |
|
| |
It's more than 60x faster.
|
| |
|
|
|
|
|
|
|
| |
(#7895)
* Bump BoringSSL and/or OpenSSL in CI
* Attempt to work-around wycheproof tests
Co-authored-by: pyca-boringbot[bot] <pyca-boringbot[bot]+106132319@users.noreply.github.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add unsafe_skip_rsa_key_validation
This allows users to skip RSA key validation when calling
load_pem_private_key, load_der_private_key, and
RSAPrivateNumbers.private_key. This is a significant performance
improvement but is **only safe if you know the key is valid**. If you
use this when the key is invalid OpenSSL makes no guarantees about what
might happen. Infinite loops, crashes, and all manner of terrible things
become possible if that occurs. Beware, beware, beware.
* Apply suggestions from code review
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* remove unneeded variable
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
| | |
|
| |
|
|
|
| |
* remove error handling for 1.0.2
* Update test_ecdsa.py
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Drop supported for older LibreSSL
3.1 covers the oldest version used by versions of Alpine and OpenBSD that are supported by their upstreams.
* Remove tests that are now unused
* Update CHANGELOG.rst
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* FIPS 3.0.0 support
* comments
* remove unneeded error clear
* review comments
* small refactor
* black
* flake8 too
* review feedback
* oops
* fix
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Speed up RSA tests in 3.0.0
RSA_check_key is slower in OpenSSL 3.0.0 due to improved
primality checking. In normal use this is unlikely to be a problem
since users don't load new keys constantly, but we do in our tests.
This adds some private flags to allow skipping those checks for
performance reasons.
On my laptop with this patch it takes 16s to run test_rsa.py. The
previous commit takes 72s.
* black
* different approach
* skip rsa key checks in wycheproof
wycheproof's tets don't rely on broken keys
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* rsa type hinting
* remove unused import
* missed return type
* type fixes
* ignores no longer required
* black gets me every time
* Update src/cryptography/hazmat/backends/openssl/rsa.py
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
| | |
|
| |
|
|
|
|
|
|
|
| |
* clean mypy with tests dir
* remove most no_type_check annotations
* le sigh
* remove unneeded comments
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* GCM IV size limits
OpenSSL 3.0.0 is going to enforce these size limits so we might as well
put them in now.
* fix the tests
* black
* these cases can't happen if we're limiting IV size already
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* test FIPS mode on centos8
* remove branch we don't take
* simpler
* better comment
* rename
* revert some things that don't matter
* small cleanups
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
supported) (#5231)
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
* Refs #5075 -- use rsa_signature_*.json from wycheproof
* for azure
|
| |
|
|
|
|
|
|
|
|
| |
* Refs #5075 -- use x448_test.json from wycheproof
* Fixed test
* crypto libraries from people who can't math, it's fine
* Skip teh weirdo 57 byte public keys
|
| |
|
|
|
|
|
|
| |
* Get tests passing with latest wycheproof clone
* Fix x25519 wycheproof tests
* Fix for acme repo changes
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove irrelevant DHBackend test conditions
DHBackend provides functions for plain finite-field Diffie-Hellman.
X25519 and X448 are their own algorithms, and Ed25519 and Ed448 aren't
even Diffie-Hellman primitives.
* Add missing backend support checks.
Some new AES and EC tests did not check for whether the corresponding
mode or curve was supported by the backend.
* Add a DummyMode for coverage
|
| |
|
|
|
|
| |
* ed25519 support
* review feedback
|
| |
|
|
|
|
|
|
| |
* Run wycheproof RSA tests on LibreSSL>=2.8
* Define it this way
* These are errors on libressl
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modify x25519 serialization to match x448
supports raw and pkcs8 encoding on private_bytes
supports raw and subjectpublickeyinfo on public_bytes
deprecates zero argument call to public_bytes
* add docs
* this is public now
* don't need that
* review feedback
|
| |
|
|
|
|
|
|
| |
* Support compressed points in the wycheproof tests
* Handle entries with no public key
* Ok, let's try this
|
| | |
|
| | |
|
