| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
* additional OCSP bindings for the response builder
* use the OCSP extension funcs that match the rest of x509
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* support OCSP response parsing
* move the decorator to make pep8 happy
* add some missing docs
* review feedback
* more review feedback
|
| |
|
|
|
|
| |
* add ed25519 bindings
* var name
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* add OCSP request parsing support with OCSPNonce
* add docs
* reprs man
* make extensions a cached property
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* update pytest config
pytest 3.8.0 was just released and officially deprecates some of the way
we do pytest marks. They introduced a new way to do this in 3.6 so this
PR switches to that mechanism and updates our minimum pytest requirement
* update the stubs
* also update wycheproof test config to remove deprecated paths
* don't need this any more
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* try something a bit different.
* newer compiler plz
* permute
* fix some warnings
* fix getters on OpenSSL < 1.1.0
* this is getting involved
* given our compiler flags we can't have SSL_CTX_set_cookie_verify_cb
|
| |
|
|
|
|
|
|
|
|
|
| |
* don't sort the serial numbers in a parsed CRL
OpenSSL sorts them in place and this breaks the signature and more.
fixes #4456
* cache the sorted CRL (but create it lazily)
* use the cache decorator
|
| |
|
| |
of course, if this works it might just be luck
|
| | |
|
| |
|
|
|
|
|
|
| |
* yet another ocsp response vector.
and yet there will be at least one more after this
* add one more
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add many OCSP bindings
Much of OCSP was opaqued in 1.1.0 so this also adds a bunch of getters
for older OpenSSL. However, 1.1.0 itself made it impossible to access
certain fields in the opaque struct, so we're forced to de-opaque them
for 1.1.0 through 1.1.0i as well as 1.1.1-pre1 through 1.1.1-pre9. There
is a patch (openssl/openssl#7082) that fixes this and should be in
1.1.0j and 1.1.1-pre10 (or 1.1.1 final, whichever they choose to issue)
* backslashes are sometimes useful
* comments
|
| | |
|
| |
|
|
| |
This allows us to reuse these functions in the OCSPResponse object in
the future
|
| |
|
|
|
|
| |
* add more OCSP response vectors
* another vector and better docs
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Fixes #4333 -- added support for precert poison extension
* Make work on all OpenSSL versions
* fixed flake8 + docs
* fix for older OpenSSLs
* document this
* spell
|
| |
|
|
|
|
|
|
|
|
| |
* OCSP response vector
* oops, wrong name
* move ocsp response vector docs
* make alex happy
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* ocsp response abc
* collapse SingleReponse into OCSPResponse now that we only support one
* split responder_id into two properties, add tbs_response_bytes
* typo
* rename one method and add a mapping we'll need shortly
|
| |
|
|
|
|
|
|
| |
* refactor ocsp request parsing and generation to support only one cert
* small doc change
* notimplementederror
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Fixes #3460 -- deprecate OpenSSL 1.0.1
* We need to import warnings
* flake8
* words are hard
* rephrase
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Fixed a memory leak in x.509 OCSP no check
* Fix the _actual_ leak
* Speed up symbolizations
* Disable backtrace by default, because it doesn't work on Windows
* line length
|
| |
|
|
|
|
|
|
|
|
| |
dependencies (#4441)
* lock aws-encryption-sdk and dynamodb-encryption-sdk downstream tests to frozen dependencies
* explicitly identify test directory in dynanmodb-encryption-sdk downstream tests
* install the frozen dependencies after installing the package to force dependencies to the frozen set
|
| | |
|
| | |
|
| |
|
|
|
|
| |
* fixed test name
* spelling is hard
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* reorganize downstream tests
* fix run.sh syntax
* add instructions for adding more downstream tests
* rework downstream CI test guide into rst readme
* remove unnecessary example test handler
* all test handlers should "exit 1" if an unexpected argument is received
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
(#4429)
* Fixes #4357 -- document the additional release steps for a security release
* One additional step
* Fix a few typos
* this is a word
* link these
|
| | |
|
| |
|
|
|
|
| |
* Update our security documentation to match what we actually do
* If you stand for nothing Burr, what will you fall for?
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* make an ocsp request
* update test, add docs
* make it an OCSPRequestBuilder
* review feedback and more tests
* make it a class
* empty commit to retrigger
* type check
|
| | |
|
| |
|
|
|
|
| |
* Fixes #4408 -- added an FAQ about abi3 wheels
* abi3 is a word, sort of
|
| | |
|
| |
|
|
|
|
| |
* Mention that PyCA also maintains pynacl
* line wrap
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* test openssl 1.1.1
* let's see what a 1.1.1 pyopenssl does
* 1.1.1-pre8
* pre9
* docs and test more things
* 3.7 needs xenial
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Do conditional compiling of Cryptography_setup_ssl_threads
* Check Cryptography_HAS_LOCKING_CALLBACKS before initing static locks
Check if compiling and initing locking callbacks is necessary
PEP8 fix
* Make test_crypto_lock_init more complete
|
| |
|
|
|
|
| |
* Don't clone wycheproof if we're doing a downstream test
* you and your rules
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Fix encoding errors in RSA test keys.
enc-rsa-pkcs8.pem and unenc-rsa-pkcs8.pem did not encode the RSA key
correctly. Per RFC 8017, appendix A.1:
The object identifier rsaEncryption identifies RSA public and private
keys as defined in Appendices A.1.1 and A.1.2. The parameters field
has associated with this OID in a value of type AlgorithmIdentifier
SHALL have a value of type NULL.
rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
unenc-rsa-pkcs8.pem, however, was missing that NULL, which was, in turn,
carried into the encrypted payload of enc-rsa-pkcs8.pem. The DER
version, enc-rsa-pkcs8.der, carries this mistake too. Interestingly,
unenc-rsa-pkcs8.der does *not* have it. I'm guessing it was converted
with the openssl command-line tool which fixed the encoding in
conversion.
Current versions of OpenSSL are lax and ignore the parameters field, but
it's best to test against spec-compliant inputs. Fix unenc-rsa-pkcs8.pem
to match unenc-rsa-pkcs8.der and then refresh enc-rsa-pkcs8.{der,pem}
with the new encoding but otherwise the same encryption parameters.
I've refreshed the dumpasn1 (at least that's what it looks like)
preamble at the top of each file, but the current version of dumpasn1
appears to have changed the spacing slightly, so there's some whitespace
diff noise.
* Update test-vectors.rst.
|
| | |
|
| | |
|
| | |
|
