aboutsummaryrefslogtreecommitdiffstats
path: root/src/cryptography/hazmat
Commit message (Collapse)AuthorAgeFilesLines
* Unify X.509 signature algorithm validation (#5276)HEADmasterMarko Kreen2020-06-141-38/+17
| | | | | - Use common implementation - OCSP signing was using different validation - Check if private key is usable for signing
* Consistently use 'self' in backend.py (#5261)Marko Kreen2020-05-271-6/+6
| | | | There happens to be global var named 'backend' so backend._lib works, but is confusing.
* Cleanup serialize (#5149)Marko Kreen2020-05-2510-189/+104
| | | | | | | | | | | | | | * Additional tests for public/private_bytes They expose few places that raise TypeError and AssertionError! before, and ValueError later. * Cleanup of private_bytes() backend Also pass key itself down to backend. * Cleanup of public_bytes() backend * Test handling of unsupported key type
* Added wycheproof RSA PKCSv1 encryption tests (#5234)Alex Gaynor2020-04-261-0/+1
|
* Dropped support for LibreSSL 2.7, 2.8, and 2.9.0 (2.9.1+ are still ↵Alex Gaynor2020-04-252-21/+0
| | | | supported) (#5231)
* add SSL_CTX_(get|set)_keylog_callback (#5187)Maximilian Hils2020-04-111-0/+8
| | | | | | | * add SSL_CTX_(get|set)_keylog_callback * For travis Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* See if we can remove an OpenSSL 1.0.1 workaround (#5184)Alex Gaynor2020-04-061-8/+0
|
* Replace floating point arithmetic with integer arithmetic (#5181)Torin Carey2020-04-042-5/+2
|
* Drop support for OpenSSL 1.0.1 (#5178)Alex Gaynor2020-04-046-148/+10
|
* Fixed error message in AES-CCM data length validation to reflect the error ↵Maciej Jurczak2020-03-281-1/+1
| | | | reason more accurately. (#5157)
* Use literals for collections and comprehensions. (#5091)Mads Jensen2020-01-121-1/+1
|
* Fixes #5065 -- skip serialization tests which use RC2 if OpenSSL doesn't ↵Alex Gaynor2019-11-251-0/+9
| | | | | | | | have RC2 (#5072) * Refs #5065 -- have a CI job with OpenSSL built with no-rc2 * Fixes #5065 -- skip serialization tests which use RC2 if OpenSSL doesn't have RC2
* add SSL_CTX_get0_param (#5070)Maximilian Hils2019-11-221-0/+1
|
* Parse single_extensions in OCSP responses (#5059)Paul Kehrer2019-11-112-1/+19
| | | | | | | | | | | | * add single_extensions to OCSPResponse (#4753) * new vector, updateed docs, more stringent parser, changelog, etc * simplify PR (no SCT for now) * add a comment * finish pulling out the sct stuff so tests might actually run
* Let Oid enforce positive decimal integers (#5053)Noel Remy2019-11-101-1/+6
| | | | | | Failing that would lead to an OpenSSL error when calling OBJ_txt2obj at serialization. Adds basic tests for oids.
* Deal with the 2.5 deprecations (#5048)Alex Gaynor2019-11-033-18/+4
| | | | | | | | | | | | * Deal with the 2.5 deprecations * pep8 + test fixes * docs typo * Why did I do this? * typo
* Don't bother computing y coefficient in _modinv (#5037)Clayton Smith2019-10-291-3/+3
|
* Fixes #5018 -- break users on OpenSSL 1.0.1 (#5022)Alex Gaynor2019-10-181-6/+14
| | | | | | | | | | | | * Fixes #5018 -- break users on OpenSSL 1.0.1 * Grammar * Syntax error * Missing import * Missing import
* UniversalString needs to be encoded as UCS-4 (#5000)Marko Kreen2019-10-171-0/+2
|
* update openssls (#4995)Paul Kehrer2019-10-151-3/+15
| | | | | | | | | | * update openssls * missed one * what will this do * only do this check for 1.1.0+
* it's called FIPS_mode_set, not FIPS_set_mode (#4988)Paul Kehrer2019-09-091-1/+1
|
* Finish ed25519 and ed448 support in x509 module (#4972)Marko Kreen2019-09-091-14/+32
| | | | | | | | | | | | | | | | | | * Support ed25519 in csr/crl creation * Tests for ed25519/x509 * Support ed448 in crt/csr/crl creation * Tests for ed448/x509 * Support ed25519/ed448 in OCSPResponseBuilder * Tests for eddsa in OCSPResponseBuilder * Builder check missing in create_x509_csr * Documentation update for ed25519+ed448 in x509
* be clear that NoEncryption must be an instance in the exception (#4985)Paul Kehrer2019-09-074-4/+4
|
* Allow FreshestCRL extension in CRL (#4975)Marko Kreen2019-09-072-0/+2
| | | Per RFC5280 it is allowed in both certificates and CRL-s.
* Add SSL_get0_verified_chain to cffi lib (#4965)arjenzorgdoc2019-08-141-0/+7
| | | | | | | | * Add SSL_get0_verified_chain to cffi lib OpenSSL 1.1.0 supports SSL_get0_verified_chain. This gives the full chain from the peer cert including your trusted CA cert. * Work around no support for #if in cdef in old cffi
* Make DER reader into a context manager (#4957)Alex Gaynor2019-07-282-8/+13
| | | | | | | | * Make DER reader into a context manager * Added another test case * flake8
* Remove asn1crypto dependency (#4941)David Benjamin2019-07-284-31/+187
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Remove non-test dependencies on asn1crypto. cryptography.io actually contains two OpenSSL bindings right now, the expected cffi one, and an optional one hidden in asn1crypto. asn1crypto contains a lot of things that cryptography.io doesn't use, including a BER parser and a hand-rolled and not constant-time EC implementation. Instead, check in a much small DER-only parser in cryptography/hazmat. A quick benchmark suggests this parser is also faster than asn1crypto: from __future__ import absolute_import, division, print_function import timeit print(timeit.timeit( "decode_dss_signature(sig)", setup=r""" from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature sig=b"\x30\x2d\x02\x15\x00\xb5\xaf\x30\x78\x67\xfb\x8b\x54\x39\x00\x13\xcc\x67\x02\x0d\xdf\x1f\x2c\x0b\x81\x02\x14\x62\x0d\x3b\x22\xab\x50\x31\x44\x0c\x3e\x35\xea\xb6\xf4\x81\x29\x8f\x9e\x9f\x08" """, number=10000)) Python 2.7: asn1crypto: 0.25 _der.py: 0.098 Python 3.5: asn1crypto: 0.17 _der.py: 0.10 * Remove test dependencies on asn1crypto. The remaining use of asn1crypto was some sanity-checking of Certificates. Add a minimal X.509 parser to extract the relevant fields. * Add a read_single_element helper function. The outermost read is a little tedious. * Address flake8 warnings * Fix test for long-form vs short-form lengths. Testing a zero length trips both this check and the non-minimal long form check. Use a one-byte length to cover the missing branch. * Remove support for negative integers. These never come up in valid signatures. Note, however, this does change public API. * Update src/cryptography/hazmat/primitives/asymmetric/utils.py Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com> * Review comments * Avoid hardcoding the serialization of NULL in decode_asn1.py too.
* fix osrandom/builtin switching methods for 1.1.0+ (#4955)Paul Kehrer2019-07-271-4/+6
| | | | | | | | | | * fix osrandom/builtin switching methods for 1.1.0+ In 1.1.0 RAND_cleanup became a no-op. This broke changing to the builtin random engine via activate_builtin_random(). Fixed by directly calling RAND_set_rand_method. This works on 1.0.x and 1.1.x * missed an assert
* add class methods for poly1305 sign verify operations (#4932)Jeff Yang2019-07-081-0/+12
|
* ed25519 support in x509 certificate builder (#4937)Paul Kehrer2019-07-061-3/+15
| | | | | | | | | | * ed25519 support in x509 certificate builder This adds minimal ed25519 support. More to come. * Apply suggestions from code review Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Refs #4923; deprecate OpenSSL 1.0.1 (#4924)Alex Gaynor2019-06-151-1/+1
| | | | | | * Refs #4923; deprecate OpenSSL 1.0.1 * changelog
* Switch to new notBefore/After APIs (#4914)Rosen Penev2019-06-072-4/+4
| | | Introduced in OpenSSL 1.1. Added compatibility for older versions.
* Only EVP_CTRL_AEAD_SET_TAG in _aead_setup for CCM mode (#4916)Christian Heimes2019-06-051-1/+2
|
* fix aia encoding memory leak (#4889)Paul Kehrer2019-05-181-12/+15
| | | | | | * fix aia encoding memory leak * don't return anything from the prealloc func
* Fixes #4830 -- handle negative serial numbers (#4843)Alex Gaynor2019-04-131-1/+4
|
* fix a memory leak in AIA parsing (#4836)Paul Kehrer2019-04-111-1/+8
| | | | | | * fix a memory leak in AIA parsing * oops can't remove that
* add new branch for unsupported openssh serialization (#4813)Paul Kehrer2019-03-181-2/+5
| | | | | we don't support ed448 openssh keys so we'll use that to test this branch. if we ever do support ed448 keys we can always just call this private method directly to keep coverage.
* add OpenSSH serialization for ed25519 keys (#4808) (#4811)bernhl2019-03-171-0/+7
| | | | | | * add OpenSSH serialization for ed25519 keys (#4808) * address review comments
* poly1305 support (#4802)Paul Kehrer2019-03-093-0/+116
| | | | | | | | | | | | | | | | | | | | * poly1305 support * some more tests * have I mentioned how bad the spellchecker is? * doc improvements * EVP_PKEY_new_raw_private_key copies the key but that's not documented Let's assume that might change and be very defensive * review feedback * add a test that fails on a tag of the correct length but wrong value * docs improvements
* Improve deprecation warning to specify the release (#4804)Josh Soref2019-03-081-2/+2
|
* remove maccontext (#4803)Paul Kehrer2019-03-076-47/+6
|
* add poly1305 NID/EVP, and EVP_DigestSign{Update,Final} for incremental (#4799)Paul Kehrer2019-03-071-0/+8
|
* support ed25519 openssh public keys (#4785)Paul Kehrer2019-02-274-9/+21
| | | | | | * support ed25519 openssh public keys * don't need this check
* ed448 support (#4610)Paul Kehrer2019-02-273-0/+276
| | | | | | | | * ed448 support * move the changelog entry * flake8
* ed25519 support (#4114)Paul Kehrer2019-02-263-0/+278
| | | | | | * ed25519 support * review feedback
* remove unused locking functions (#4780)Paul Kehrer2019-02-261-5/+0
| | | | | | | | * remove unused locking functions we do all this in C when necessary * oops, need this
* Polish off removal of unused engine bindings (#4769)Alex Gaynor2019-02-251-3/+0
|
* reduce our engine bindings even more (#4768)Paul Kehrer2019-02-252-32/+10
|
* support NO_ENGINE (#4763)Paul Kehrer2019-02-253-10/+54
| | | | | | | | * support OPENSSL_NO_ENGINE * support some new openssl config args * sigh
* why did we have these variables (#4764)Paul Kehrer2019-02-242-3/+1
|
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-18 00:08:10 +0000