summaryrefslogtreecommitdiff
path: root/vectors/cryptography_vectors
Commit message (Collapse)AuthorAgeFilesLines
* add RSA PSS SHA1 hash algorithm + SHA1 MGF1 test vector (#8906)Paul Kehrer2023-05-111-0/+19
|
* invalid visible string support (#8884)Paul Kehrer2023-05-071-0/+37
| | | | | | | | | | | | * invalid visible string support this allows utf8 in visiblestring, which is not valid DER. we raise a warning when this happens, but allow it since belgian eIDs, among others, have encoding errors. Belgium fixed this by 2021 (and possibly earlier), but their eID certificates have 10 year validity. * review comments * clippy
* Use defined_by for (EC)DSA signature AlgorithmIdentifiers (#8875)Alex Gaynor2023-05-051-0/+0
| | | Also fix a test that had an incorrect parameters for an OID. The test had deliberately been constructed to be invalid, but in a _different_ respect.
* add one more RSA PSS invalid test vector (#8798)Paul Kehrer2023-04-231-0/+0
|
* add two RSA PSS certificate vectors that have invalid encodings (#8797)Paul Kehrer2023-04-232-0/+0
| | | | | | | * add two RSA PSS certificate vectors that have invalid encodings The signatures on these vectors are not valid. * spelling
* add support for aes256-gcm@openssh.com decryption for SSH keys (#8738)Paul Kehrer2023-04-152-0/+9
| | | | | | | * add support for aes256-gcm@openssh.com decryption for SSH keys * review feedback * skip when bcrypt isn't present
* Support msCertificateTemplate extension (#8695)Paul Kehrer2023-04-101-0/+9
| | | | | | | * support ms certificate template * contortions for rust coverage * review feedback
* Added support for OCSP AcceptableResponses extension (#8617)Alex Gaynor2023-03-271-0/+0
| | | fixes #8589
* reopen main for 41 dev (#8584)Paul Kehrer2023-03-241-1/+1
|
* version bump and changelog for 40.0.0 (#8583)40.0.0Paul Kehrer2023-03-241-1/+1
|
* add CRL vector with an inner/outer signature OID mismatch (#8163)Paul Kehrer2023-01-291-0/+0
|
* fixes #8035 -- added a test for loading a cert with another PEM block ↵Alex Gaynor2023-01-121-0/+64
| | | | containing headers (#8045)
* mismatched inner/outer signature algorithm x509 cert (#8038)Paul Kehrer2023-01-101-0/+0
|
* more test vectors for ssh certs (#7993)Paul Kehrer2023-01-065-0/+5
|
* another ssh cert vector (#7991)Paul Kehrer2023-01-051-0/+1
|
* add ssh certificate test vectors (#7984)Paul Kehrer2023-01-058-0/+8
|
* reopen for 40 (#7955)Paul Kehrer2023-01-021-1/+1
| | | | | * reopen for 40 * oops
* 39.0.0 version bump (#7954)39.0.0Paul Kehrer2023-01-011-1/+1
|
* Switch from flake8 to ruff (#7920)Alex Gaynor2022-12-211-1/+0
| | | It's more than 60x faster.
* x509: add `load_pem_x509_certificates` (#7878)William Woodruff2022-12-051-0/+69
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * x509: add `load_pem_x509_certificates` This behaves similarly to `load_pem_x509_certificate`, except that it returns a list of loaded certificates instead of just the first X.509 certificate. It raises if the input contains no PEM-encoded certificates, or if PEM or certificate parsing fail. Signed-off-by: William Woodruff <william@trailofbits.com> * tests/x509: blacken Signed-off-by: William Woodruff <william@trailofbits.com> * Update docs/x509/reference.rst Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * tests/x509: assert each item in the list is actually a certificate Signed-off-by: William Woodruff <william@trailofbits.com> * bindings: expose `load_pem_x509_certificates` in `x509.pyi` Signed-off-by: William Woodruff <william@trailofbits.com> * tests/x509: test the structure of each cert a bit This has the transitive effect of establishing a fixed order. Signed-off-by: William Woodruff <william@trailofbits.com> * CHANGELOG: record changes Signed-off-by: William Woodruff <william@trailofbits.com> * docs: add PEM to spellcheck allowlist Signed-off-by: William Woodruff <william@trailofbits.com> * docs/x509: document expected param Signed-off-by: William Woodruff <william@trailofbits.com> Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* fix parsing for CRLs with TLVs > 65535 bytes (#7575)Paul Kehrer2022-09-071-0/+4382
| | | | | | | | | | * add CRL test vector with 9,999 revoked items * bump rust-asn1 * add large CRL test this tests CRLs larger than 65535 bytes in size. rust-asn1 supports up to 4GiB TLVs now, but we'll avoid putting a test vector that big for now
* reopen main for 39 dev (#7568)Paul Kehrer2022-09-071-1/+1
|
* version bump for 38 release (#7567)38.0.0Paul Kehrer2022-09-061-1/+1
|
* Added OCB vectors from openssl (#7401)Alex Gaynor2022-07-051-0/+51
|
* Added vectors for long form tags (#7396)Alex Gaynor2022-07-042-0/+34
|
* X.509/Certificate: Add `tbs_precertificate_bytes` property (#7279)William Woodruff2022-05-311-0/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Add `tbs_precertificate_bytes` property * docs/x509: document `tbs_precertificate_bytes` Signed-off-by: William Woodruff <william@trailofbits.com> * tests/x509: add two trivial tests Signed-off-by: William Woodruff <william@trailofbits.com> * x509/base: fix lint Signed-off-by: William Woodruff <william@trailofbits.com> * oid: add CERTIFICATE_TRANSPARENCY (1.3.6.1.4.1.11129.2.4.4) Signed-off-by: William Woodruff <william@trailofbits.com> * hazmat/oid: rehome CERTIFICATE_TRANSPARENCY under ExtendedKeyUsageOID Signed-off-by: William Woodruff <william@trailofbits.com> * docs/x509: fix link, help the spellchecker Signed-off-by: William Woodruff <william@trailofbits.com> * x509: Raise ValueError when we can't filter SCT list extension * tests: Expect a `ValueError` when accessing `tbs_precertificate_bytes` in default example * tests, vectors: Add TBS precert vector for test comparison * docs/x509: document the `CERTIFICATE_TRANSPARENCY` OID Signed-off-by: William Woodruff <william@trailofbits.com> * docs/x509: elaborate `tbs_precertificate_bytes` Signed-off-by: William Woodruff <william@trailofbits.com> * rust/x509: remove unused OID Signed-off-by: William Woodruff <william@trailofbits.com> * x509/certificate: tweak error Signed-off-by: William Woodruff <william@trailofbits.com> * tests/x509: reorganize Signed-off-by: William Woodruff <william@trailofbits.com> * Update src/rust/src/x509/certificate.rs Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * tests/x509: more reorg, rename Signed-off-by: William Woodruff <william@trailofbits.com> * docs: document new testvector Signed-off-by: William Woodruff <william@trailofbits.com> * docs: coax the spellchecker Signed-off-by: William Woodruff <william@trailofbits.com> * tests/x509: use a cert that doesn't require SHA-1 Signed-off-by: William Woodruff <william@trailofbits.com> * tests/x509: test for no extensions at all Signed-off-by: William Woodruff <william@trailofbits.com> Co-authored-by: Alex Cameron <asc@tetsuo.sh> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Added vectors for invalid CSR/CRL versions (#7247)Alex Gaynor2022-05-222-0/+18
| | | | | | | | | * Added vectors for invalid CSR/CRL versions * Update docs/development/test-vectors.rst Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com> Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
* docs, vectors: add two more x509 SCT testvectors (#7215)William Woodruff2022-05-122-0/+0
| | | Signed-off-by: William Woodruff <william@yossarian.net>
* Fix test CRLs and CSRs with invalid versions (#7216)David Benjamin2022-05-129-85/+85
| | | | | | | | | | | | CRL versions only go up to v2 (numeric value 1) and CSRs only define v1 (numeric value 0). See https://www.rfc-editor.org/rfc/rfc5280.html#section-5.1 and https://www.rfc-editor.org/rfc/rfc2986.html#section-4. Some of the inputs used in tests were misissued. Unfortunately, the corresponding private keys for these test vectors weren't provided, so I've just editted the inputs with der-ascii and left the signatures invalid. The tests in question don't seem to rely on valid signatures.
* add x509 pss certificate and public key (#7161)Paul Kehrer2022-04-302-0/+21
| | | | | | | | | | | | * add x509 pss certificate and public key the cert is signed using rsa_pss_2048.pem and the public key is the public components of that private key * Update docs/development/test-vectors.rst Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* reopen for 38 development (#7118)Paul Kehrer2022-04-261-1/+1
|
* version bump for 37 release (#7085)37.0.0Paul Kehrer2022-04-261-1/+1
|
* add RSA PSS test vectors (#7086)Paul Kehrer2022-04-175-0/+143
|
* check for invalid keys that RSA_check_key misses (#7080)Paul Kehrer2022-04-161-0/+17
| | | | | | | | | * check for invalid keys that RSA_check_key misses RSA_check_key checks for primality but that fails to catch this case since 2 is prime. Instead we fetch p and q and verify that they are odd and if not reject the key as invalid. * circleci sucks
* update pkcs7 test vectors (#7030)Paul Kehrer2022-04-031-0/+0
| | | | | * update pkcs7 test vectors * this is a word
* our NIST vector loader needs unique keys (#7026)Paul Kehrer2022-04-031-2/+2
|
* OCB3 test vectors for 104, 112, and 120-bit nonces (#7009)Paul Kehrer2022-03-293-0/+345
|
* fixes #6804 -- improve error message quality with invalid characters in name ↵Alex Gaynor2022-02-061-0/+17
| | | | attributes (#6843)
* Basic support for multiple SINGLERESP messages in one OCSP response, take 2 ↵turettn2022-01-033-0/+0
| | | | | | | | | | | | | | | | | | | | | | | (#6410) * OCSP responses can contain multiple SINGLERESPs Instead of throwing an exception when encountering a OCSP response with multiple SINGLERESPs, throw the exception when attempting to pull a single structure if multiple are present. Add a response_iter property to the OCSP Response object, which allows for iteration through all the SINGLERESPs, and properties to be individually accessed for each. * Small fixes to OCSP multiple response handling. Squash eventually * Docs updates. Should be squashed * Get rid of mutating iterator, replace with separate return object * Fix versionadded strings in docs * Cleanup docs & python bindings.
* support parsing bitstring values in DNs (#6629)Paul Kehrer2021-11-281-0/+11
| | | | | | | | | | | * support bitstring values in DNs parsing is limited to x500UniqueIdentifier only * Update src/cryptography/x509/name.py Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Reopen main for the 37.0.0 release (#6645)Alex Gaynor2021-11-211-1/+1
|
* Bump for 36.0.0 release (#6643)36.0.0Alex Gaynor2021-11-221-1/+1
|
* allow parsing of nonstandard country name and jurisdiction country name (#6641)Paul Kehrer2021-11-211-0/+18
| | | | | | The spec requires both of these to be exactly two characters to correspond with ISO country codes. Reality is sometimes messier, so this allows parsing (but not encoding) of this invalid data. Parsing will raise a UserWarning if incorrect lengths are detected.
* add AES SIV vectors (#6608)Paul Kehrer2021-11-151-0/+33
|
* add AES OCB3 test vectors (#6606)Paul Kehrer2021-11-151-0/+112
|
* Allow parsing CSR extensions with the critical bit having an explicitly ↵Alex Gaynor2021-11-141-0/+23
| | | | | | | encoded default (#6600) * Allow parsing CSR extensions with the critical bit having an explicitly encoded default * Poke for zuul
* allow multiple identical pem blocks (#6551)Paul Kehrer2021-11-051-31/+23
| | | | | this matches our behavior to OpenSSL and allows users to pass a chain to our PEM loaders. To make this a little less magical it is now documented.
* add accvraiz1 bmpstring test vector (#6503)Paul Kehrer2021-10-311-0/+44
|
* Add new PKCS12 test vectors (#6383)Felix Fontein2021-10-0624-0/+0
| | | | | | | * Add new PKCS12 test vectors for #6348. * Re-create test certs without DSA. * Forgot to adjust the docs.
* Accept combined PEM files with multiple sections (#6365)Maximilian Hils2021-10-032-0/+115
| | | | | * accept combined PEM files with multiple sections * pass error messages into `find_in_pem`
View Lorry Controller Status