aboutsummaryrefslogtreecommitdiffstats
path: root/src/cryptography/hazmat
Commit message (Collapse)AuthorAgeFilesLines
...
* add an EC OID to curve dictionary mapping (#4759)Paul Kehrer2019-02-201-0/+33
| | | | | | | | | | * add an EC OID to curve dictionary mapping * oid_to_curve function * changelog and docs fix * rename to get_curve_for_oid
* encode the package version in the shared object (#4756)Paul Kehrer2019-02-201-0/+24
| | | | | | | | | | * encode the package version in the shared object * review feedback * move into build_ffi so the symbol is in all shared objects * review feedback
* Simplify string formatting (#4757)Alex Gaynor2019-02-2019-44/+44
|
* Fixes #4734 -- Deal with deprecated things (#4736)Alex Gaynor2019-01-234-34/+2
| | | | | | | | | | * Fixes #4734 -- Deal with deprecated things - Make year based aliases of PersistentlyDeprecated so we can easily assess age - Removed encode/decode rfc6979 signature - Removed Certificate.serial * Unused import
* allow 32-bit platforms to encode certs with dates > unix epoch (#4727)Paul Kehrer2019-01-211-15/+6
| | | | | | | | | | | | | | | | | Previously we used unix timestamps, but now we are switching to using ASN1_TIME_set_string and automatically formatting the string based on the year. The rule is as follows: Per RFC 5280 (section 4.1.2.5.), the valid input time strings should be encoded with the following rules: 1. UTC: YYMMDDHHMMSSZ, if YY < 50 (20YY) --> UTC: YYMMDDHHMMSSZ 2. UTC: YYMMDDHHMMSSZ, if YY >= 50 (19YY) --> UTC: YYMMDDHHMMSSZ 3. G'd: YYYYMMDDHHMMSSZ, if YYYY >= 2050 --> G'd: YYYYMMDDHHMMSSZ 4. G'd: YYYYMMDDHHMMSSZ, if YYYY < 2050 --> UTC: YYMMDDHHMMSSZ Notably, Dates < 1950 are not valid UTCTime. At the moment we still reject dates < Jan 1, 1970 in all cases but a followup PR can fix that.
* bind EVP_R_MEMORY_LIMIT_EXCEEDED and update a test (#4726)Paul Kehrer2019-01-212-0/+13
| | | | | | | | | | | * bind EVP_R_MEMORY_LIMIT_EXCEEDED and update a test This will allow OpenSSL 1.1.1 on 32-bit (including our Windows 32-bit builders) to fail as expected. Technically this isn't a malloc error, but rather failing because the allocation requested is larger than 32-bits, but raising a MemoryError still seems appropriate * what you want an endif too?
* deprecate encode_point and migrate all internal callers (#4720)Paul Kehrer2019-01-202-1/+14
|
* add support for encoding compressed points (#4638)Paul Kehrer2019-01-203-7/+64
| | | | | | * add support for encoding compressed points * review feedback
* shake128/256 support (#4611)Paul Kehrer2019-01-192-5/+61
| | | | | | | | | | | | | | * shake128/256 support * remove block_size * doc an exception * change how we detect XOF by adding _xof attribute * interface! * review feedback
* support byteslike in KBKDFHMAC (#4711)Paul Kehrer2019-01-171-1/+1
|
* support byteslike in ConcatKDF{HMAC,Hash}, Scrypt, and X963KDF (#4709)Paul Kehrer2019-01-174-4/+5
| | | | | | | | * byteslike concatkdf * byteslike scrypt * byteslike x963kdf
* Support byteslike in HKDF and PBKDF2HMAC (#4707)Paul Kehrer2019-01-173-4/+5
| | | | | | | | * support byteslike in HKDF * support byteslike in PBKDF2HMAC * add missing docs
* support bytes-like for X25519PrivateKey.from_private_bytes (#4698)Paul Kehrer2019-01-171-6/+31
| | | yuck.
* x448 and x25519 should enforce key lengths in backend (#4703)Paul Kehrer2019-01-173-3/+21
| | | | | | | | | | | * x448 and x25519 should enforce key lengths in from_private_bytes they should also check if the algorithm is supported like the public bytes class methods do * oops * move the checks
* support byteslike in hmac update (#4705)Paul Kehrer2019-01-172-2/+3
| | | needed for some KDF keying material
* support byteslike in hash updates (#4702)Paul Kehrer2019-01-162-2/+5
| | | This is needed to handle keying material in some of the KDFs
* support bytes-like keys in CMAC and HMAC contexts (#4701)Paul Kehrer2019-01-162-2/+4
|
* add support for byteslike password/data to load_{pem,der}_private_key (#4693)Paul Kehrer2019-01-161-3/+1
| | | | | | * add support for byteslike password/data to load_{pem,der}_private_key * pypy 5.4 can't do memoryview from_buffer
* support byteslike in aead for key and nonce (#4695)Paul Kehrer2019-01-152-8/+10
|
* support byteslike in X448PrivateKey.from_private_bytes (#4694)Paul Kehrer2019-01-151-1/+2
|
* add support for byteslike on password and data for pkcs12 loading (#4690)Paul Kehrer2019-01-151-13/+37
| | | | | | | | | | | | * add support for byteslike on password and data for pkcs12 loading * use a contextmanager to yield a null terminated buffer we can zero * review feedback * updated text * one last change
* Remove a dead assignment (#4692)Alex Gaynor2019-01-151-1/+0
|
* Serialization x25519 (#4688)Paul Kehrer2019-01-145-8/+111
| | | | | | | | | | | | | | | | | * modify x25519 serialization to match x448 supports raw and pkcs8 encoding on private_bytes supports raw and subjectpublickeyinfo on public_bytes deprecates zero argument call to public_bytes * add docs * this is public now * don't need that * review feedback
* support x448 public/private serialization both raw and pkcs8 (#4653)Paul Kehrer2019-01-134-4/+110
| | | | | | | | | | | | | | | | | | | | | | | | | | | | * support x448 public/private serialization both raw and pkcs8 * add tests for all other asym key types to prevent Raw * more tests * better tests * fix a test * funny story, I'm actually illiterate. * pep8 * require PrivateFormat.Raw or PublicFormat.Raw with Encoding.Raw * missing docs * parametrize * docs fixes * remove dupe line * assert something
* add signature_hash_algorithm to OCSPResponse (#4681)Paul Kehrer2019-01-101-0/+11
| | | | | | * add signature_hash_algorithm to OCSPResponse * fix pointless asserts
* Improve error message for unsupported ciphers (#4650)Alex Gaynor2018-12-181-6/+8
| | | | | | | | | | | | * Improve error message for unsupported ciphers * fix spacing * include the openssl version number in the message * backwards * pep8
* handle empty byte string in from_encoded_point (#4649)Paul Kehrer2018-12-171-0/+4
| | | | | | * handle empty byte string in from_encoded_point * move the error
* deprecate old from_encoded_point (#4640)Paul Kehrer2018-12-111-0/+9
|
* Compressed point support (#4629)Paul Kehrer2018-12-113-2/+33
| | | | | | | | | | | | | | | | | | | | | | | | * compressed point support * refactor to use oct2point directly * small docs change * remove deprecation for the moment and a bit of review feedback * no backend arg, implicitly import it * missed a spot * double oops * remove superfluous call * use refactored method * use vector file * one last item
* convert some asserts to function calls (#4636)Paul Kehrer2018-12-101-10/+14
|
* ec key creation by curve name refactored into a method (#4634)Paul Kehrer2018-12-101-21/+10
| | | | | | * ec key creation by curve name refactored into a method * typo
* allow bytes-like for key/iv/data for symmetric encryption (#4621)Paul Kehrer2018-12-093-17/+22
| | | | | | | | | | | | | | | | | | * allow bytearrays for key/iv for symmetric encryption * bump pypy/cffi requirements * update docs, fix some tests * old openssl is naught but pain * revert a typo * use trusty for old pypy * better error msg again * restore match
* Adds a more descriptive error msg for wrong wrapping (#4504)André Almeida2018-12-081-3/+12
| | | | | | | | | | | | | | | | | | | | * PoC code for check PEM wrap * Remove PoC check wrap code * Add PEM file info to FAQ * Add FAQ/PEM link in exception message * Fix flake8 style issues * refactor, update language * it's really amazing how bad the spell checker is * review feedback * change to etc
* Updated BLAKE2s and BLAKE2b error messages from unsupportedalgorithm … (#4519)Colin Metcalf2018-12-081-14/+6
| | | | | | | | | | | | | | | | | * Updated BLAKE2s and BLAKE2b error messages from unsupportedalgorithm exception to an explicit error. The error is now "ValueError: Digest size must be 32" (or 64 for BLAKE2b) This was done to give a more contextual error message and should be in place until OpenSSL supports variable lengths. * Updated if statements in hashes.py so that they no longer wrap to separate line. Updated test_hashes.py to unclude a test for non 32 or 64 digest_sizes that fall between 0-32/64. * Removed the new tests in test_hashes.py as the old ones were satisfactory. This also solved misaligned tabs and spaces. * Removed dead code in hashes.py that could no longer be reached after error message updates. * pep8 fix * remove superfluous parens
* Raise MemoryError when backend.derive_scrypt can't malloc enough (#4592)Tux2018-12-081-1/+18
| | | | | | | | | | | | * Raise MemoryError when backend.derive_scrypt can't malloc enough * Expose ERR_R_MALLOC_FAILURE and use the reason_match pattern to catch it * Add test_scrypt_malloc_failure in test_scrypt * let's see if this passes * add comment to filippo's blog post about scrypt's params
* encode IssuingDistributionPoint (#4618)Paul Kehrer2018-12-021-0/+23
|
* centralize our bytes check (#4622)Paul Kehrer2018-12-0216-87/+47
| | | this will make life a bit easier when we support bytearrays
* refactor some code into separate functions in asn1 encode (#4617)Paul Kehrer2018-12-011-20/+31
| | | | | | | | * refactor some code into separate functions in asn1 encode this will be useful in IDP encoding * review feedback
* allow multi-valued RDNs (#4616)Paul Kehrer2018-11-301-1/+1
| | | | RDNs can have multiple values. This allows them in FreshestCRL and upcoming IssuingDistributionPoint encoding support.
* IssuingDistributionPoint support (parse only) (#4552)Paul Kehrer2018-11-301-0/+25
| | | | | | | | | | | | | | | | | | | | | | * IssuingDistributionPoint support h/t to Irina Renteria for the initial work here * python 2 unfortunately still exists * py2 repr * typo caught by flake8 * add docs * review feedback * reorder args, other fixes * use the alex name * add changelog
* PKCS12 Basic Parsing (#4553)Paul Kehrer2018-11-282-0/+55
| | | | | | | | | | | | | | | | | | * PKCS12 parsing support * running all the tests is so gauche * rename func * various significant fixes * dangerous idiot here * move pkcs12 * docs updates * a bit more prose
* Move SSH serialization to it's own file (#4607)Alex Gaynor2018-11-244-148/+158
| | | | | | * Move SSH serialization to it's own file * flake8
* refactor serialization module into package (#4606)Paul Kehrer2018-11-233-11/+35
| | | | | | * refactor serialization into a package so we can add a pkcs12 module * oops
* Added comments reminding us to improve this code when we go 1.1.1+ only (#4605)Alex Gaynor2018-11-231-0/+4
|
* X448 support (#4580)Paul Kehrer2018-11-223-0/+145
| | | | | | | | | | | | | | | | | | | | * x448 support This work was originally authored by derwolfe * update docs to have a more useful derived key length * error if key is not a valid length in from_public_bytes * one more * switch to using evp_pkey_keygen_gc for x448 keygen * review feedback * switch to using evp_pkey_derive * nit fix
* refactor x25519 exchange into utils (#4603)Paul Kehrer2018-11-222-24/+27
|
* add sha3 support (#4573)Paul Kehrer2018-11-221-0/+24
| | | | | | | | * add sha3 support * missed versionadded * add prose, remove block_size
* add EVPDigestFinalXOF for extendable output functions (#4589)Paul Kehrer2018-11-131-0/+9
|
* refactor x25519 keygen into evp_pkey_keygen (#4587)Paul Kehrer2018-11-131-7/+7
| | | this allows us to use the same code for ed25519, x448, and ed448
* Ed bindings (#4586)Paul Kehrer2018-11-131-0/+9
| | | | | | * add evp_pkey_ed25519 * ed448 bindings