| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
| |
* Add a comment so we can easily find a place to update later
* flake8
|
| | |
|
| |
|
|
|
|
|
|
| |
macOS 10.12 (#5019)
* silence `Wunguarded-availability` when building with a `MACOSX_DEPLOYMENT_TARGET < 10.12`
* use `__builtin_available` rather than a `NULL` echo upon init on mac
|
| | |
|
| |
|
|
|
|
| |
* Use 3.8 in CI where we want 'the latest 3.x'
* Revert macOS changes for now
|
| |
|
|
|
|
| |
* Test against libressl 3.0
* Correctly type these ints
|
| | |
|
| |
|
|
| |
Move the `backend` argument up with the rest of the constructor
arguments, otherwise it's easy to miss it.
|
| |
|
|
| |
The documentation states that `backend` should be a `HashBackend`
instance when in fact it should be a `HMACBackend` instance.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Fixes #5018 -- break users on OpenSSL 1.0.1
* Grammar
* Syntax error
* Missing import
* Missing import
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
* Don’t downgrade pip on windows wheel building
* Conditionally install enum34
* Syntax
|
| | |
|
| | |
|
| |
|
|
|
|
| |
* Fixes #5010 -- test and build 3.8 wheels
* try using isolated_build = True to work around a failure
|
| |
|
|
|
|
|
|
|
|
| |
* update openssls
* missed one
* what will this do
* only do this check for 1.1.0+
|
| | |
|
| |
|
|
|
|
| |
* Simplify implementing sequence methods
* flake8
|
| |
|
|
|
|
|
|
|
|
| |
* update libressl and pypy2.7 and pypy3.5
* okay can't get 7.1, let's try to at least do 7.0
* 7.1.1 does actually exist
* also an empty commit to appease the codecov gods
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Support ed25519 in csr/crl creation
* Tests for ed25519/x509
* Support ed448 in crt/csr/crl creation
* Tests for ed448/x509
* Support ed25519/ed448 in OCSPResponseBuilder
* Tests for eddsa in OCSPResponseBuilder
* Builder check missing in create_x509_csr
* Documentation update for ed25519+ed448 in x509
|
| | |
|
| | |
|
| |
|
| |
Per RFC5280 it is allowed in both certificates and CRL-s.
|
| |
|
|
|
|
|
|
|
|
| |
* fix coverage by adding two artificial DSA public keys
One key removes the optional parameters from the structure to cover a
branch conditional, and the other key has its BITSTRING padding value
set to a non-zero value.
* lexicographic? never heard of it
|
| |
|
|
| |
- Note that signatures are DER-encoded
- Note that signatures can be encoded from r,s using util function
|
| |
|
|
|
|
|
|
| |
* Add SSL_get0_verified_chain to cffi lib
OpenSSL 1.1.0 supports SSL_get0_verified_chain. This gives the full chain from the peer cert including your trusted CA cert.
* Work around no support for #if in cdef in old cffi
|
| |
|
|
| |
(#4959)
|
| |
|
|
|
|
|
|
| |
* Make DER reader into a context manager
* Added another test case
* flake8
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove non-test dependencies on asn1crypto.
cryptography.io actually contains two OpenSSL bindings right now, the
expected cffi one, and an optional one hidden in asn1crypto. asn1crypto
contains a lot of things that cryptography.io doesn't use, including a
BER parser and a hand-rolled and not constant-time EC implementation.
Instead, check in a much small DER-only parser in cryptography/hazmat. A
quick benchmark suggests this parser is also faster than asn1crypto:
from __future__ import absolute_import, division, print_function
import timeit
print(timeit.timeit(
"decode_dss_signature(sig)",
setup=r"""
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
sig=b"\x30\x2d\x02\x15\x00\xb5\xaf\x30\x78\x67\xfb\x8b\x54\x39\x00\x13\xcc\x67\x02\x0d\xdf\x1f\x2c\x0b\x81\x02\x14\x62\x0d\x3b\x22\xab\x50\x31\x44\x0c\x3e\x35\xea\xb6\xf4\x81\x29\x8f\x9e\x9f\x08"
""",
number=10000))
Python 2.7:
asn1crypto: 0.25
_der.py: 0.098
Python 3.5:
asn1crypto: 0.17
_der.py: 0.10
* Remove test dependencies on asn1crypto.
The remaining use of asn1crypto was some sanity-checking of
Certificates. Add a minimal X.509 parser to extract the relevant fields.
* Add a read_single_element helper function.
The outermost read is a little tedious.
* Address flake8 warnings
* Fix test for long-form vs short-form lengths.
Testing a zero length trips both this check and the non-minimal long
form check. Use a one-byte length to cover the missing branch.
* Remove support for negative integers.
These never come up in valid signatures. Note, however, this does
change public API.
* Update src/cryptography/hazmat/primitives/asymmetric/utils.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Review comments
* Avoid hardcoding the serialization of NULL in decode_asn1.py too.
|
| |
|
|
|
|
|
|
|
|
| |
* fix osrandom/builtin switching methods for 1.1.0+
In 1.1.0 RAND_cleanup became a no-op. This broke changing to the builtin
random engine via activate_builtin_random(). Fixed by directly calling
RAND_set_rand_method. This works on 1.0.x and 1.1.x
* missed an assert
|
| |
|
|
| |
detect md5 and don't generate short RSA keys
these changes will help if we actually try to run FIPS enabled
|
| | |
|
| |
|
|
|
|
| |
* add bindings to parse and create challenge passwords in X509 CSRs
* moved away from the 1.1.0 section
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove irrelevant DHBackend test conditions
DHBackend provides functions for plain finite-field Diffie-Hellman.
X25519 and X448 are their own algorithms, and Ed25519 and Ed448 aren't
even Diffie-Hellman primitives.
* Add missing backend support checks.
Some new AES and EC tests did not check for whether the corresponding
mode or curve was supported by the backend.
* Add a DummyMode for coverage
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* ed25519 support in x509 certificate builder
This adds minimal ed25519 support. More to come.
* Apply suggestions from code review
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
|
| | |
|
| |
|
|
|
|
|
|
| |
* more ed25519 vectors, better description of RFC 8410 vector
* typo
* oops, doc'd wrong
|
| | |
|
| | |
|
| | |
|
