path: root/tests
Commit message | Author | Age | Files | Lines
* don't use a set (#8931) | Paul Kehrer | 2023-05-16 | 1 | -0/+41
    * don't use a set
      We don't need one here and it creates ordering instability when iterating over an RDN
    * add a test
* support PSS signatures in verify_directly_issued_by (#8908) | Paul Kehrer | 2023-05-14 | 1 | -0/+44
* support X.509 certificate PSS signing (#8888) | Paul Kehrer | 2023-05-10 | 1 | -0/+163
    * support X.509 certificate PSS signing
      no CSR, CRL, etc
    * handle PSS.(MAX_LENGTH, DIGEST_LENGTH), review feedback
    * name the kwarg
    * test improvements
    * skip if sha3 isn't supported
* certificate: add a `get_extension` helper (#8892) | William Woodruff | 2023-05-10 | 1 | -0/+14
    * certificate: add a `get_extension` helper
    * certificate: OID by ref
    * certificate: syntax
    * x509, src: `check_duplicate_extensions`
    * src: simplify
    * src: everyone loves newtypes
    * rust: refactor-o-rama
    * src: look upon my works
    * src: continue blasting the code
    * src/rust: actually commit my changes
    * src: clippage
    * relocate
    * src: dedupe
    * src: cleanup
    * clippage
    * src: dedupe
    * common: cleanup
    * src: unused impls
    * more deletion
    * clippage
    * extensions: add a `get_extension` test
    * extensions: unused derives
    * tests/x509: dup ext check for tbs_precertificate_bytes
    * certificate: remove `extensions()`
    * extensions: docs
    * extensions: newtype
    * rust: better error types, dedupe
      extensions: unwrap -> expect
    * Revert "rust: better error types, dedupe"
      This reverts commit 212b75ff2f69a3b3cfc9d6a55949f23877f8f618.
    ---------
    Signed-off-by: William Woodruff <william@trailofbits.com>
* add signature_algorithm_parameters to certificate (#8795) | Paul Kehrer | 2023-05-07 | 1 | -9/+83
    this allows easier verification of cert signatures, but more specifically allows PSS signature verification
* invalid visible string support (#8884) | Paul Kehrer | 2023-05-07 | 1 | -0/+19
    * invalid visible string support
      this allows utf8 in visiblestring, which is not valid DER. we raise a warning when this happens, but allow it since belgian eIDs, among others, have encoding errors. Belgium fixed this by 2021 (and possibly earlier), but their eID certificates have 10 year validity.
    * review comments
    * clippy
* Migrate DH to Rust (#8768) | Alex Gaynor | 2023-04-24 | 7 | -41/+49
* Use pyo3's facilities for exceptions (#8785) | Alex Gaynor | 2023-04-22 | 1 | -1/+1
* Convert HMAC to Rust (#8781) | Alex Gaynor | 2023-04-22 | 2 | -1/+5
* Added a benchmark for hmac (#8776) | Alex Gaynor | 2023-04-21 | 1 | -0/+14
* Convert hashes to Rust (#8775) | Alex Gaynor | 2023-04-21 | 1 | -1/+0
* Added a benchmark for hashing (#8774) | Alex Gaynor | 2023-04-21 | 1 | -0/+14
* drop libressl 3.5.x support (#8741) | Paul Kehrer | 2023-04-16 | 1 | -2/+1
    OpenBSD 7.1 is no longer supported so neither is LibreSSL 3.5.x
* add support for aes256-gcm@openssh.com decryption for SSH keys (#8738) | Paul Kehrer | 2023-04-15 | 1 | -1/+44
    * add support for aes256-gcm@openssh.com decryption for SSH keys
    * review feedback
    * skip when bcrypt isn't present
* Remove unused parameter (#8707) | Alex Gaynor | 2023-04-11 | 1 | -10/+0
* Convert ed448 to Rust (#8705) | Alex Gaynor | 2023-04-11 | 1 | -0/+3
* Convert ed25519 to Rust (#8697) | Alex Gaynor | 2023-04-10 | 1 | -0/+3
* Added extra test cases for Ed25519 serialization (#8703) | Alex Gaynor | 2023-04-10 | 1 | -0/+12
* support equality checks on all public asymmetric key types (#8700) | Paul Kehrer | 2023-04-10 | 8 | -1/+136
    * support equality checks on all public asymmetric key types
    * review feedback
* Support msCertificateTemplate extension (#8695) | Paul Kehrer | 2023-04-10 | 2 | -0/+99
    * support ms certificate template
    * contortions for rust coverage
    * review feedback
* Remove coverage workaround that might not be required anymore (#8690) | Alex Gaynor | 2023-04-10 | 1 | -3/+0
* Switch from pytest-subtests to a mini-version that's faster (#8613) | Alex Gaynor | 2023-03-29 | 1 | -0/+19
* Added support for OCSP AcceptableResponses extension (#8617) | Alex Gaynor | 2023-03-27 | 2 | -0/+79
    fixes #8589
* Add benchmark for loading DER certificates (#8597) | Alex Gaynor | 2023-03-24 | 1 | -0/+10
* Upgrade to pyo3 0.18 (#6935) | Alex Gaynor | 2023-03-24 | 1 | -1/+1
    * Upgrade to pyo3 0.16
    * Upgrade to pyo3 0.17
    * Upgrade to pyo3 0.18
* remove a test dep (#8446) | Paul Kehrer | 2023-03-24 | 1 | -5/+4
* drop python 3.6 support (#8448) | Paul Kehrer | 2023-03-24 | 1 | -6/+0
    * drop python 3.6 support
    * Update tests/hazmat/bindings/test_openssl.py
      Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
    ---------
    Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* drop support for openssl < 1.1.1d (#8449) | Paul Kehrer | 2023-03-24 | 3 | -175/+1
    This removes the OS random engine, which contained the only CPython PSF licensed code in the repository. Accordingly, that license has now been removed.
* Migrate x25519 to use rust-openssl (#7933) | Alex Gaynor | 2023-03-24 | 1 | -1/+46
* remove hypothesis from our test suite (#8560) | Paul Kehrer | 2023-03-21 | 4 | -75/+0
    we weren't really getting any value from it and we haven't expanded our use in numerous years
* Added support for handling python buffers in Rust code (#8556) | Alex Gaynor | 2023-03-21 | 1 | -0/+25
    This is extra mega cursed, and strictly speaking unsound. It does, however, match the status quo ante, where someone mutating a buffer while it's being used in cffi code will basically always be UB.
* Simplify/unify Rust and Python OpenSSL error handling (#8552) | Alex Gaynor | 2023-03-20 | 2 | -4/+3
* fix logic for this skip (#8542) | Alex Gaynor | 2023-03-18 | 1 | -1/+1
* skip memleak tests on pypy (#8540) | Alex Gaynor | 2023-03-18 | 1 | -2/+4
    See: https://github.com/pyca/cryptography/pull/7933#issuecomment-1471865194 + https://foss.heptapod.net/pypy/pypy/-/issues/3905#note_290457 to understand why
* Support handling OpenSSL errors from Rust code (#8530) | Alex Gaynor | 2023-03-16 | 1 | -1/+25
* Resurrect the PoC of OpenSSL from Rust (#7164) | Alex Gaynor | 2023-03-15 | 1 | -22/+32
* Stop validating keys in ECDH exchange (#8490) | Alex Gaynor | 2023-03-11 | 1 | -7/+1
    The theory here is that we're already doing sufficient validation key loading, and this is purely duplicative. Note that there's at least _some_ validation that was previously occurring only ECDH, the LowOrderPublic check that can be seen in wycheproof.
* cache ECDH values in wycheproof too (#8487) | Paul Kehrer | 2023-03-10 | 4 | -25/+32
    this alters and renames the caching function a bit since it caches *to the group* object but the actual values (in ECDH) come from the testcase itself
* speed up RSA key loading in tests a bit more (#8486) | Paul Kehrer | 2023-03-09 | 3 | -20/+38
* Cache some keys that are reused in wycheproof tests (#8479) | Alex Gaynor | 2023-03-10 | 3 | -25/+50
* Small cleanups: (#8476) | Alex Gaynor | 2023-03-09 | 1 | -10/+4
    - Avoid typing.cast
    - Consolidate bn_ctx allocations
* add EC key load benchmark (#8473) | Paul Kehrer | 2023-03-08 | 1 | -0/+13
* Make Union type aliases a documented public API (#8168) | Marti Raudsepp | 2023-03-07 | 1 | -2/+2
    * Rename Union type aliases to CamelCase
      Many `typing.Union` type aliases were previously using `UPPER_SNAKE_CASE`, but Python's convention is `CamelCase` for these (e.g. https://docs.python.org/3/library/typing.html#type-aliases)
    * Add utils.deprecated for the old non-underscore type aliases
    * Added documentation for new type aliases & minor tweaks
    * Use 'versionadded:: 40.0.0'
    * Fix CertificatePublicKeyTypes vs CertificateIssuerPublicKeyTypes. Rename CertificatePrivateKeyTypes to CertificateIssuerPrivateKeyTypes
    * Fix imports (ruff)
    * Fix one more versionadded
    * Tweak docs & Reorder: CertificateIssuerPublicKeyTypes before CertificateIssuerPrivateKeyTypes
    * Fix test mypy errors using cast()
    * Fix black, oops
    * Revert "Fix black, oops"
      This reverts commit 85344e231d697bdc0940e105f7aed729445f9743.
    * Revert "Fix test mypy errors using cast()"
      This reverts commit b272d8ca95fbbbc62060663f9e8930a139a7a43e.
    * Revert type of SubjectKeyIdentifier.from_public_key arg
    * Changelog tweak
* refactor PBKDF2HMAC test vectors and skip one test (#8467) | Paul Kehrer | 2023-03-06 | 2 | -32/+20
    The test in question has 2**24 iterations and doesn't represent an interesting edge case in the algorithm, just a high iteration count.
* Remove a zillion pointless backend args in x509 tests (#8466) | Alex Gaynor | 2023-03-07 | 3 | -272/+12
* remove memleak tests for x509 paths that no longer use openssl (#8461) | Paul Kehrer | 2023-03-06 | 1 | -162/+0
* use the rsa fixtures in x509 too (#8460) | Paul Kehrer | 2023-03-06 | 3 | -150/+271
    * use the rsa fixtures in x509 too
    * use strings in __all__
* double the speed of our rsa tests (#8458) | Paul Kehrer | 2023-03-06 | 1 | -121/+243
    * double the speed of our rsa tests
      this both creates a reusable fixture for our most commonly used private keys as well as disables key validation. as always, disabling key validation should not be done unless you never parse untrusted key input. unsurprisingly, our tests are trusted and understood input (and we also continue to have tests where we run check key to verify that it catches corrupt things)
    * fix typing
    * explain why we don't use the rsa_key_2048 fixture in the blinding test
* remove pytz test dependency (#8447) | Paul Kehrer | 2023-03-05 | 3 | -18/+10
* Update to the new wycheproof (#8403) | Alex Gaynor | 2023-02-28 | 2 | -1/+25