-rw-r--r--cryptography/hazmat/backends/openssl/backend.py15
-rw-r--r--cryptography/hazmat/bindings/openssl/err.py123
-rw-r--r--cryptography/hazmat/bindings/openssl/ssl.py11
-rw-r--r--cryptography/hazmat/bindings/openssl/x509.py9
-rw-r--r--cryptography/hazmat/bindings/openssl/x509_vfy.py168
-rw-r--r--cryptography/hazmat/primitives/interfaces.py14
-rw-r--r--docs/hazmat/backends/interfaces.rst5
-rw-r--r--tasks.py5
-rw-r--r--tests/hazmat/backends/test_openssl.py5
9 files changed, 206 insertions, 149 deletions
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index bf97e42d..53d92be3 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -560,6 +560,15 @@ class Backend(object):
algorithm)
def mgf1_hash_supported(self, algorithm):
+ warnings.warn(
+ "mgf1_hash_supported is deprecated and will be removed in "
+ "a future version.",
+ utils.DeprecatedIn05,
+ stacklevel=2
+ )
+ return self._mgf1_hash_supported(algorithm)
+
+ def _mgf1_hash_supported(self, algorithm):
if self._lib.Cryptography_HAS_MGF1_MD:
return self.hash_supported(algorithm)
else:
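Review bot: The deprecation message in `mgf1_hash_supported` does not tell callers what to use instead, although the documentation change in this same commit names `rsa_padding_supported` as the replacement. I would word it as `"mgf1_hash_supported is deprecated and will be removed in a future version; use rsa_padding_supported instead."` so the warning is actionable where it is seen. The new private `_mgf1_hash_supported` also has no docstring; one line saying it reports whether the given hash can be used with MGF1 on the linked OpenSSL would do. Its body continues past the end of this hunk.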
@@ -569,7 +578,7 @@ class Backend(object):
if isinstance(padding, PKCS1v15):
return True
elif isinstance(padding, PSS) and isinstance(padding._mgf, MGF1):
- return self.mgf1_hash_supported(padding._mgf._algorithm)
+ return self._mgf1_hash_supported(padding._mgf._algorithm)
elif isinstance(padding, OAEP) and isinstance(padding._mgf, MGF1):
return isinstance(padding._mgf._algorithm, hashes.SHA1)
else:
@@ -1518,7 +1527,7 @@ class _RSASignatureContext(object):
raise ValueError("Digest too large for key size. Use a larger "
"key.")
- if not self._backend.mgf1_hash_supported(padding._mgf._algorithm):
+ if not self._backend._mgf1_hash_supported(padding._mgf._algorithm):
raise UnsupportedAlgorithm(
"When OpenSSL is older than 1.0.1 then only SHA1 is "
"supported with MGF1.",
@@ -1709,7 +1718,7 @@ class _RSAVerificationContext(object):
"correct key and digest algorithm."
)
- if not self._backend.mgf1_hash_supported(padding._mgf._algorithm):
+ if not self._backend._mgf1_hash_supported(padding._mgf._algorithm):
raise UnsupportedAlgorithm(
"When OpenSSL is older than 1.0.1 then only SHA1 is "
"supported with MGF1.",
diff --git a/cryptography/hazmat/bindings/openssl/err.py b/cryptography/hazmat/bindings/openssl/err.py
index f97fd5d1..8ed97d0b 100644
--- a/cryptography/hazmat/bindings/openssl/err.py
+++ b/cryptography/hazmat/bindings/openssl/err.py
@@ -18,8 +18,6 @@ INCLUDES = """
"""
TYPES = """
-static const long Cryptography_HAS_102_ERROR_CODES;
-static const long Cryptography_HAS_100_ERROR_CODES;
static const int Cryptography_HAS_REMOVE_THREAD_STATE;
static const int Cryptography_HAS_098H_ERROR_CODES;
static const int Cryptography_HAS_098C_CAMELLIA_CODES;
@@ -30,7 +28,6 @@ struct ERR_string_data_st {
};
typedef struct ERR_string_data_st ERR_STRING_DATA;
-
static const int ERR_LIB_EVP;
static const int ERR_LIB_PEM;
static const int ERR_LIB_ASN1;
@@ -223,70 +220,6 @@ static const int RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
-
-static const int X509_V_OK;
-static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
-static const int X509_V_ERR_UNABLE_TO_GET_CRL;
-static const int X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE;
-static const int X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE;
-static const int X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
-static const int X509_V_ERR_CERT_SIGNATURE_FAILURE;
-static const int X509_V_ERR_CRL_SIGNATURE_FAILURE;
-static const int X509_V_ERR_CERT_NOT_YET_VALID;
-static const int X509_V_ERR_CERT_HAS_EXPIRED;
-static const int X509_V_ERR_CRL_NOT_YET_VALID;
-static const int X509_V_ERR_CRL_HAS_EXPIRED;
-static const int X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
-static const int X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
-static const int X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
-static const int X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
-static const int X509_V_ERR_OUT_OF_MEM;
-static const int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
-static const int X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
-static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
-static const int X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
-static const int X509_V_ERR_CERT_CHAIN_TOO_LONG;
-static const int X509_V_ERR_CERT_REVOKED;
-static const int X509_V_ERR_INVALID_CA;
-static const int X509_V_ERR_PATH_LENGTH_EXCEEDED;
-static const int X509_V_ERR_INVALID_PURPOSE;
-static const int X509_V_ERR_CERT_UNTRUSTED;
-static const int X509_V_ERR_CERT_REJECTED;
-static const int X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
-static const int X509_V_ERR_AKID_SKID_MISMATCH;
-static const int X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
-static const int X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
-static const int X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
-static const int X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
-static const int X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
-static const int X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
-static const int X509_V_ERR_INVALID_NON_CA;
-static const int X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
-static const int X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
-static const int X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
-static const int X509_V_ERR_INVALID_EXTENSION;
-static const int X509_V_ERR_INVALID_POLICY_EXTENSION;
-static const int X509_V_ERR_NO_EXPLICIT_POLICY;
-static const int X509_V_ERR_DIFFERENT_CRL_SCOPE;
-static const int X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE;
-static const int X509_V_ERR_UNNESTED_RESOURCE;
-static const int X509_V_ERR_PERMITTED_VIOLATION;
-static const int X509_V_ERR_EXCLUDED_VIOLATION;
-static const int X509_V_ERR_SUBTREE_MINMAX;
-static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
-static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX;
-static const int X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
-static const int X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
-static const int X509_V_ERR_SUITE_B_INVALID_VERSION;
-static const int X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
-static const int X509_V_ERR_SUITE_B_INVALID_CURVE;
-static const int X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
-static const int X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
-static const int X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;
-static const int X509_V_ERR_HOSTNAME_MISMATCH;
-static const int X509_V_ERR_EMAIL_MISMATCH;
-static const int X509_V_ERR_IP_ADDRESS_MISMATCH;
-static const int X509_V_ERR_APPLICATION_VERIFICATION;
"""
FUNCTIONS = """
@@ -343,38 +276,6 @@ static const int EVP_R_CAMELLIA_KEY_SETUP_FAILED;
"""
CUSTOMIZATIONS = """
-// OpenSSL 1.0.2+
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-static const long Cryptography_HAS_102_ERROR_CODES = 1;
-#else
-static const long Cryptography_HAS_102_ERROR_CODES = 0;
-static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
-static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
-static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
-static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
-static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
-static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
-static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
-static const long X509_V_ERR_EMAIL_MISMATCH = 0;
-static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
-#endif
-
-// OpenSSL 1.0.0+
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-static const long Cryptography_HAS_100_ERROR_CODES = 1;
-#else
-static const long Cryptography_HAS_100_ERROR_CODES = 0;
-static const long X509_V_ERR_DIFFERENT_CRL_SCOPE = 0;
-static const long X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE = 0;
-static const long X509_V_ERR_PERMITTED_VIOLATION = 0;
-static const long X509_V_ERR_EXCLUDED_VIOLATION = 0;
-static const long X509_V_ERR_SUBTREE_MINMAX = 0;
-static const long X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE = 0;
-static const long X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = 0;
-static const long X509_V_ERR_UNSUPPORTED_NAME_SYNTAX = 0;
-static const long X509_V_ERR_CRL_PATH_VALIDATION_ERROR = 0;
-#endif
-
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
static const long Cryptography_HAS_REMOVE_THREAD_STATE = 1;
#else
@@ -405,33 +306,9 @@ static const long Cryptography_HAS_098C_CAMELLIA_CODES = 0;
static const int EVP_F_CAMELLIA_INIT_KEY = 0;
static const int EVP_R_CAMELLIA_KEY_SETUP_FAILED = 0;
#endif
-
"""
CONDITIONAL_NAMES = {
- "Cryptography_HAS_102_ERROR_CODES": [
- 'X509_V_ERR_SUITE_B_INVALID_VERSION',
- 'X509_V_ERR_SUITE_B_INVALID_ALGORITHM',
- 'X509_V_ERR_SUITE_B_INVALID_CURVE',
- 'X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM',
- 'X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED',
- 'X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256',
- 'X509_V_ERR_HOSTNAME_MISMATCH',
- 'X509_V_ERR_EMAIL_MISMATCH',
- 'X509_V_ERR_IP_ADDRESS_MISMATCH'
- ],
- "Cryptography_HAS_100_ERROR_CODES": [
- 'X509_V_ERR_DIFFERENT_CRL_SCOPE',
- 'X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE',
- 'X509_V_ERR_UNNESTED_RESOURCE',
- 'X509_V_ERR_PERMITTED_VIOLATION',
- 'X509_V_ERR_EXCLUDED_VIOLATION',
- 'X509_V_ERR_SUBTREE_MINMAX',
- 'X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE',
- 'X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX',
- 'X509_V_ERR_UNSUPPORTED_NAME_SYNTAX',
- 'X509_V_ERR_CRL_PATH_VALIDATION_ERROR',
- ],
"Cryptography_HAS_REMOVE_THREAD_STATE": [
"ERR_remove_thread_state"
],
diff --git a/cryptography/hazmat/bindings/openssl/ssl.py b/cryptography/hazmat/bindings/openssl/ssl.py
index 79f13b60..018a1413 100644
--- a/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/cryptography/hazmat/bindings/openssl/ssl.py
@@ -127,7 +127,6 @@ static const long SSL_MODE_ENABLE_PARTIAL_WRITE;
static const long SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
static const long SSL_MODE_AUTO_RETRY;
static const long SSL3_RANDOM_SIZE;
-typedef ... X509_STORE_CTX;
typedef ... SSL_METHOD;
typedef struct ssl_st {
int version;
@@ -226,16 +225,6 @@ int SSL_CTX_add_client_CA(SSL_CTX *, X509 *);
void SSL_CTX_set_client_CA_list(SSL_CTX *, Cryptography_STACK_OF_X509_NAME *);
-
-/* X509_STORE_CTX */
-int X509_STORE_CTX_get_error(X509_STORE_CTX *);
-void X509_STORE_CTX_set_error(X509_STORE_CTX *, int);
-int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *);
-X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *);
-int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *, int, void *);
-void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *, int);
-
-
/* SSL_SESSION */
void SSL_SESSION_free(SSL_SESSION *);
diff --git a/cryptography/hazmat/bindings/openssl/x509.py b/cryptography/hazmat/bindings/openssl/x509.py
index c0be3064..cf38df32 100644
--- a/cryptography/hazmat/bindings/openssl/x509.py
+++ b/cryptography/hazmat/bindings/openssl/x509.py
@@ -24,11 +24,13 @@ INCLUDES = """
* Note that the result is an opaque type.
*/
typedef STACK_OF(X509) Cryptography_STACK_OF_X509;
+typedef STACK_OF(X509_CRL) Cryptography_STACK_OF_X509_CRL;
typedef STACK_OF(X509_REVOKED) Cryptography_STACK_OF_X509_REVOKED;
"""
TYPES = """
typedef ... Cryptography_STACK_OF_X509;
+typedef ... Cryptography_STACK_OF_X509_CRL;
typedef ... Cryptography_STACK_OF_X509_REVOKED;
typedef struct {
@@ -76,7 +78,6 @@ typedef struct {
...;
} X509;
-typedef ... X509_STORE;
typedef ... NETSCAPE_SPKI;
"""
@@ -166,12 +167,6 @@ EVP_PKEY *d2i_PUBKEY_bio(BIO *, EVP_PKEY **);
ASN1_INTEGER *X509_get_serialNumber(X509 *);
int X509_set_serialNumber(X509 *, ASN1_INTEGER *);
-/* X509_STORE */
-X509_STORE *X509_STORE_new(void);
-void X509_STORE_free(X509_STORE *);
-int X509_STORE_add_cert(X509_STORE *, X509 *);
-int X509_verify_cert(X509_STORE_CTX *);
-
const char *X509_verify_cert_error_string(long);
const char *X509_get_default_cert_area(void);
diff --git a/cryptography/hazmat/bindings/openssl/x509_vfy.py b/cryptography/hazmat/bindings/openssl/x509_vfy.py
index a5dcb6a7..ed35b1bc 100644
--- a/cryptography/hazmat/bindings/openssl/x509_vfy.py
+++ b/cryptography/hazmat/bindings/openssl/x509_vfy.py
@@ -28,17 +28,89 @@ typedef STACK_OF(ASN1_OBJECT) Cryptography_STACK_OF_ASN1_OBJECT;
TYPES = """
static const long Cryptography_HAS_X509_VERIFY_PARAM_SET_HOSTFLAGS;
+static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES;
static const long Cryptography_HAS_102_VERIFICATION_PARAMS;
static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST;
+static const long Cryptography_HAS_100_VERIFICATION_ERROR_CODES;
static const long Cryptography_HAS_100_VERIFICATION_PARAMS;
static const long Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE;
typedef ... Cryptography_STACK_OF_ASN1_OBJECT;
+
+typedef ... X509_STORE;
+typedef ... X509_STORE_CTX;
typedef ... X509_VERIFY_PARAM;
/* While these are defined in the source as ints, they're tagged here
as longs, just in case they ever grow to large, such as what we saw
with OP_ALL. */
+
+// Verification error codes
+static const int X509_V_OK;
+static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
+static const int X509_V_ERR_UNABLE_TO_GET_CRL;
+static const int X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE;
+static const int X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE;
+static const int X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+static const int X509_V_ERR_CERT_SIGNATURE_FAILURE;
+static const int X509_V_ERR_CRL_SIGNATURE_FAILURE;
+static const int X509_V_ERR_CERT_NOT_YET_VALID;
+static const int X509_V_ERR_CERT_HAS_EXPIRED;
+static const int X509_V_ERR_CRL_NOT_YET_VALID;
+static const int X509_V_ERR_CRL_HAS_EXPIRED;
+static const int X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
+static const int X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
+static const int X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
+static const int X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
+static const int X509_V_ERR_OUT_OF_MEM;
+static const int X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+static const int X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
+static const int X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
+static const int X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
+static const int X509_V_ERR_CERT_CHAIN_TOO_LONG;
+static const int X509_V_ERR_CERT_REVOKED;
+static const int X509_V_ERR_INVALID_CA;
+static const int X509_V_ERR_PATH_LENGTH_EXCEEDED;
+static const int X509_V_ERR_INVALID_PURPOSE;
+static const int X509_V_ERR_CERT_UNTRUSTED;
+static const int X509_V_ERR_CERT_REJECTED;
+static const int X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
+static const int X509_V_ERR_AKID_SKID_MISMATCH;
+static const int X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+static const int X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+static const int X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
+static const int X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
+static const int X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
+static const int X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
+static const int X509_V_ERR_INVALID_NON_CA;
+static const int X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+static const int X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+static const int X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+static const int X509_V_ERR_INVALID_EXTENSION;
+static const int X509_V_ERR_INVALID_POLICY_EXTENSION;
+static const int X509_V_ERR_NO_EXPLICIT_POLICY;
+static const int X509_V_ERR_DIFFERENT_CRL_SCOPE;
+static const int X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE;
+static const int X509_V_ERR_UNNESTED_RESOURCE;
+static const int X509_V_ERR_PERMITTED_VIOLATION;
+static const int X509_V_ERR_EXCLUDED_VIOLATION;
+static const int X509_V_ERR_SUBTREE_MINMAX;
+static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
+static const int X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX;
+static const int X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+static const int X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
+static const int X509_V_ERR_SUITE_B_INVALID_VERSION;
+static const int X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
+static const int X509_V_ERR_SUITE_B_INVALID_CURVE;
+static const int X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
+static const int X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
+static const int X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;
+static const int X509_V_ERR_HOSTNAME_MISMATCH;
+static const int X509_V_ERR_EMAIL_MISMATCH;
+static const int X509_V_ERR_IP_ADDRESS_MISMATCH;
+static const int X509_V_ERR_APPLICATION_VERIFICATION;
+
+// Verification parameters
static const long X509_V_FLAG_CB_ISSUER_CHECK;
static const long X509_V_FLAG_USE_CHECK_TIME;
static const long X509_V_FLAG_CRL_CHECK;
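Review bot: The existing comment "While these are defined in the source as ints, they're tagged here as longs" now sits directly above the new `// Verification error codes` group, whose members are declared `static const int`, so it reads as describing the wrong constants. Moving that comment below `// Verification parameters` keeps it attached to the `X509_V_FLAG_*` longs it was written for. The error codes are also declared `int` here while their fallbacks in CUSTOMIZATIONS are written `static const long X509_V_ERR_... = 0;`, and using one type in both places would remove the mismatch.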
@@ -62,6 +134,38 @@ static const long X509_V_FLAG_PARTIAL_CHAIN;
"""
FUNCTIONS = """
+int X509_verify_cert(X509_STORE_CTX *);
+
+// X509_STORE
+X509_STORE *X509_STORE_new(void);
+void X509_STORE_free(X509_STORE *);
+int X509_STORE_add_cert(X509_STORE *, X509 *);
+
+// X509_STORE_CTX
+X509_STORE_CTX *X509_STORE_CTX_new(void);
+void X509_STORE_CTX_cleanup(X509_STORE_CTX *);
+void X509_STORE_CTX_free(X509_STORE_CTX *);
+int X509_STORE_CTX_init(X509_STORE_CTX *, X509_STORE *, X509 *,
+ Cryptography_STACK_OF_X509 *);
+void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *,
+ Cryptography_STACK_OF_X509 *);
+void X509_STORE_CTX_set_cert(X509_STORE_CTX *, X509 *);
+void X509_STORE_CTX_set_chain(X509_STORE_CTX *,Cryptography_STACK_OF_X509 *);
+X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *);
+void X509_STORE_CTX_set0_param(X509_STORE_CTX *, X509_VERIFY_PARAM *);
+int X509_STORE_CTX_set_default(X509_STORE_CTX *, const char *);
+void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *,
+ int (*)(int, X509_STORE_CTX *));
+Cryptography_STACK_OF_X509 *X509_STORE_CTX_get_chain(X509_STORE_CTX *);
+Cryptography_STACK_OF_X509 *X509_STORE_CTX_get1_chain(X509_STORE_CTX *);
+int X509_STORE_CTX_get_error(X509_STORE_CTX *);
+void X509_STORE_CTX_set_error(X509_STORE_CTX *, int);
+int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *);
+X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *);
+int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *, int, void *);
+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *, int);
+
+// X509_VERIFY_PARAM
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *, unsigned long);
int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *, unsigned long);
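Review bot: The new `X509_STORE_CTX` declarations mix borrowed and owned pointers without saying which is which, and a binding user who guesses wrong gets a leak or a double free in certificate-verification code. In OpenSSL, `X509_STORE_CTX_get_chain` and `X509_STORE_CTX_get0_param` return pointers owned by the context, `X509_STORE_CTX_get1_chain` returns a copy the caller must free, and `X509_STORE_CTX_set0_param` hands ownership of the parameter object to the context. A short comment in the `// X509_STORE_CTX` group would record this, for example `// get1_chain: caller frees the result; get_chain/get0_param: borrowed from ctx; set0_param: ctx takes ownership`.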
@@ -77,6 +181,11 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *);
"""
MACROS = """
+// X509_STORE_CTX
+void X509_STORE_CTX_set0_crls(X509_STORE_CTX *,
+ Cryptography_STACK_OF_X509_CRL *);
+
+// X509_VERIFY_PARAM
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const unsigned char *,
size_t);
void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *, unsigned int);
@@ -97,7 +206,23 @@ void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *,
unsigned int) = NULL;
#endif
-// OpenSSL 1.0.2+
+// OpenSSL 1.0.2+ verification error codes
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 1;
+#else
+static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
+static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
+static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
+static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
+static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
+static const long X509_V_ERR_EMAIL_MISMATCH = 0;
+static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
+#endif
+
+// OpenSSL 1.0.2+ verification parameters
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
#else
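Review bot: The `= 0` placeholders defined for OpenSSL older than 1.0.2 have the same value as `X509_V_OK`, so a comparison against, say, `X509_V_ERR_HOSTNAME_MISMATCH` would match a successful verification if a placeholder were ever exposed. They are safe only while every placeholder is also listed under `Cryptography_HAS_102_VERIFICATION_ERROR_CODES` in `CONDITIONAL_NAMES`, which presumably is what removes the names from the built library (that mechanism is outside this diff). I would add a comment above the `#else` branch such as `// Placeholders equal X509_V_OK; each must be listed in CONDITIONAL_NAMES so it is never exposed.` The same applies to the 1.0.0 block in the next hunk.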
@@ -125,7 +250,23 @@ static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST = 0;
static const long X509_V_FLAG_TRUSTED_FIRST = 0;
#endif
-// OpenSSL 1.0.0+
+// OpenSSL 1.0.0+ verification error codes
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+static const long Cryptography_HAS_100_VERIFICATION_ERROR_CODES = 1;
+#else
+static const long Cryptography_HAS_100_VERIFICATION_ERROR_CODES = 0;
+static const long X509_V_ERR_DIFFERENT_CRL_SCOPE = 0;
+static const long X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE = 0;
+static const long X509_V_ERR_PERMITTED_VIOLATION = 0;
+static const long X509_V_ERR_EXCLUDED_VIOLATION = 0;
+static const long X509_V_ERR_SUBTREE_MINMAX = 0;
+static const long X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE = 0;
+static const long X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = 0;
+static const long X509_V_ERR_UNSUPPORTED_NAME_SYNTAX = 0;
+static const long X509_V_ERR_CRL_PATH_VALIDATION_ERROR = 0;
+#endif
+
+// OpenSSL 1.0.0+ verification parameters
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
static const long Cryptography_HAS_100_VERIFICATION_PARAMS = 1;
#else
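Review bot: The fallback list for `Cryptography_HAS_100_VERIFICATION_ERROR_CODES` defines nine placeholders, but the matching `CONDITIONAL_NAMES` entry added later in this file lists ten names, with `X509_V_ERR_UNNESTED_RESOURCE` having no fallback. Either that constant exists in pre-1.0.0 headers, in which case listing it strips a usable name, or it does not, in which case the `#else` branch needs `static const long X509_V_ERR_UNNESTED_RESOURCE = 0;` to compile there. The lists were moved unchanged from `err.py`, so the mismatch predates this commit, but this is a good point to make them agree.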
@@ -147,6 +288,17 @@ CONDITIONAL_NAMES = {
"Cryptography_HAS_X509_VERIFY_PARAM_SET_HOSTFLAGS": [
"X509_VERIFY_PARAM_set_hostflags",
],
+ "Cryptography_HAS_102_VERIFICATION_ERROR_CODES": [
+ 'X509_V_ERR_SUITE_B_INVALID_VERSION',
+ 'X509_V_ERR_SUITE_B_INVALID_ALGORITHM',
+ 'X509_V_ERR_SUITE_B_INVALID_CURVE',
+ 'X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM',
+ 'X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED',
+ 'X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256',
+ 'X509_V_ERR_HOSTNAME_MISMATCH',
+ 'X509_V_ERR_EMAIL_MISMATCH',
+ 'X509_V_ERR_IP_ADDRESS_MISMATCH'
+ ],
"Cryptography_HAS_102_VERIFICATION_PARAMS": [
"X509_V_FLAG_SUITEB_128_LOS_ONLY",
"X509_V_FLAG_SUITEB_192_LOS",
@@ -161,6 +313,18 @@ CONDITIONAL_NAMES = {
"Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST": [
"X509_V_FLAG_TRUSTED_FIRST",
],
+ "Cryptography_HAS_100_VERIFICATION_ERROR_CODES": [
+ 'X509_V_ERR_DIFFERENT_CRL_SCOPE',
+ 'X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE',
+ 'X509_V_ERR_UNNESTED_RESOURCE',
+ 'X509_V_ERR_PERMITTED_VIOLATION',
+ 'X509_V_ERR_EXCLUDED_VIOLATION',
+ 'X509_V_ERR_SUBTREE_MINMAX',
+ 'X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE',
+ 'X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX',
+ 'X509_V_ERR_UNSUPPORTED_NAME_SYNTAX',
+ 'X509_V_ERR_CRL_PATH_VALIDATION_ERROR',
+ ],
"Cryptography_HAS_100_VERIFICATION_PARAMS": [
"Cryptography_HAS_100_VERIFICATION_PARAMS",
"X509_V_FLAG_EXTENDED_CRL_SUPPORT",
diff --git a/cryptography/hazmat/primitives/interfaces.py b/cryptography/hazmat/primitives/interfaces.py
index 54821dbd..dd901aae 100644
--- a/cryptography/hazmat/primitives/interfaces.py
+++ b/cryptography/hazmat/primitives/interfaces.py
@@ -191,6 +191,12 @@ class RSAPrivateKey(object):
Returns an AsymmetricSignatureContext used for signing data.
"""
+ @abc.abstractmethod
+ def decrypt(self, ciphertext, padding):
+ """
+ Decrypts the provided ciphertext.
+ """
+
@abc.abstractproperty
def key_size(self):
"""
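Review bot: The docstring on the new abstract `decrypt` does not say what `padding` must be or what the method returns, and the same holds for `encrypt` in the `RSAPublicKey` hunk below. Each should name the expected padding object and state that the result is the plaintext (respectively ciphertext) as bytes, since implementers have only this interface to go on. Adding `@abc.abstractmethod` members here, and on `private_numbers` and `public_numbers` in the two `WithNumbers` hunks, also means an out-of-tree class that subclasses these interfaces without the methods can no longer be instantiated. That deserves a changelog entry.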
@@ -206,6 +212,7 @@ class RSAPrivateKey(object):
@six.add_metaclass(abc.ABCMeta)
class RSAPrivateKeyWithNumbers(RSAPrivateKey):
+ @abc.abstractmethod
def private_numbers(self):
"""
Returns an RSAPrivateNumbers.
@@ -220,6 +227,12 @@ class RSAPublicKey(object):
Returns an AsymmetricVerificationContext used for verifying signatures.
"""
+ @abc.abstractmethod
+ def encrypt(self, plaintext, padding):
+ """
+ Encrypts the given plaintext.
+ """
+
@abc.abstractproperty
def key_size(self):
"""
@@ -229,6 +242,7 @@ class RSAPublicKey(object):
@six.add_metaclass(abc.ABCMeta)
class RSAPublicKeyWithNumbers(RSAPublicKey):
+ @abc.abstractmethod
def public_numbers(self):
"""
Returns an RSAPublicNumbers
diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index a18a3d57..9e476f72 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -255,10 +255,13 @@ A specific ``backend`` may provide one or more of these interfaces.
.. method:: mgf1_hash_supported(algorithm)
+ ..deprecated:: 0.5
+
Check if the specified ``algorithm`` is supported for use with
:class:`~cryptography.hazmat.primitives.asymmetric.padding.MGF1`
inside :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`
- padding.
+ padding. This method is deprecated in favor of
+ ``rsa_padding_supported``.
:param algorithm: An instance of a
:class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm`
diff --git a/tasks.py b/tasks.py
index 9ffdc8a7..94a95414 100644
--- a/tasks.py
+++ b/tasks.py
@@ -91,11 +91,14 @@ def release(version):
"vectors/dist/cryptography_vectors-{0}*".format(version)
)
+ username = getpass.getpass("Input the GitHub/Jenkins username: ")
token = getpass.getpass("Input the Jenkins token: ")
response = requests.post(
"{0}/build".format(JENKINS_URL),
+ auth=requests.auth.HTTPBasicAuth(
+ username, token
+ ),
params={
- "token": token,
"cause": "Building wheels for {0}".format(version)
}
)
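Review bot: The Jenkins username and token now travel in an HTTP Basic `Authorization` header, which is only base64-encoded, so their confidentiality rests entirely on `JENKINS_URL` being an `https://` URL with certificate verification left enabled. The value of `JENKINS_URL` is not visible in this hunk. A guard before the prompts, `if not JENKINS_URL.startswith("https://"): raise RuntimeError("JENKINS_URL must be https")`, would make that assumption explicit. The username is not a secret, so reading it with `getpass.getpass` hides the input for no benefit and makes typos hard to spot. `release` begins and continues outside the hunk, so whether the response status is checked cannot be judged here.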
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index f9e692b4..0dd91695 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -353,7 +353,10 @@ class TestOpenSSLRSA(object):
)
def test_unsupported_mgf1_hash_algorithm(self):
- assert backend.mgf1_hash_supported(DummyHash()) is False
+ assert pytest.deprecated_call(
+ backend.mgf1_hash_supported,
+ DummyHash()
+ ) is False
def test_rsa_padding_unsupported_pss_mgf1_hash(self):
assert backend.rsa_padding_supported(