aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Unify X.509 signature algorithm validation (#5276)HEADmasterMarko Kreen2020-06-142-48/+17
| | | | | - Use common implementation - OCSP signing was using different validation - Check if private key is usable for signing
* Add a way to pass current time to Fernet (#5256)Jakub Stasiak2020-06-141-7/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Add a way to pass current time to Fernet The motivation behind this is to be able to unit test code using Fernet easily without having to monkey patch global state. * Reformat to satisfy flake8 * Trigger a Fernet.encrypt() branch missing from coverage * Revert specifying explicit current time in MultiFernet.rotate() Message's timestamp is not verified anyway since ttl is None. * Change the Fernet's explicit current time API slightly This's been suggested in code review. * Fix a typo * Fix a typo * Restore full MultiFernet test coverage and fix a typo * Restore more coverage time.time() is not called by MultiFernet.rotate() anymore so the monkey patching and lambda need to go, because the patched function is not used and coverage calculation will rightfully notice it. * Remove an unused import * Document when the *_at_time Fernet methods were added
* Consistently use 'self' in backend.py (#5261)Marko Kreen2020-05-271-6/+6
| | | | There happens to be global var named 'backend' so backend._lib works, but is confusing.
* Cleanup serialize (#5149)Marko Kreen2020-05-2510-189/+104
| | | | | | | | | | | | | | * Additional tests for public/private_bytes They expose few places that raise TypeError and AssertionError! before, and ValueError later. * Cleanup of private_bytes() backend Also pass key itself down to backend. * Cleanup of public_bytes() backend * Test handling of unsupported key type
* Deprecate support for Python 2 (#5251)Alex Gaynor2020-05-161-0/+12
|
* GOST certificates support in cryptography (#5195)Nikolay Morozov2020-05-081-0/+25
|
* Remove dead constant time code (#5239)Alex Gaynor2020-04-263-55/+0
|
* Added wycheproof RSA PKCSv1 encryption tests (#5234)Alex Gaynor2020-04-262-0/+2
|
* Dropped support for LibreSSL 2.7, 2.8, and 2.9.0 (2.9.1+ are still ↵Alex Gaynor2020-04-254-43/+0
| | | | supported) (#5231)
* add SSL_CTX_(get|set)_keylog_callback (#5187)Maximilian Hils2020-04-112-0/+26
| | | | | | | * add SSL_CTX_(get|set)_keylog_callback * For travis Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* See if we can remove an OpenSSL 1.0.1 workaround (#5184)Alex Gaynor2020-04-061-8/+0
|
* Removed deprecated behavior in AKI.from_issuer_subject_key_identifier (#5182)Alex Gaynor2020-04-052-16/+1
|
* Replace floating point arithmetic with integer arithmetic (#5181)Torin Carey2020-04-042-5/+2
|
* Drop support for OpenSSL 1.0.1 (#5178)Alex Gaynor2020-04-0413-326/+23
|
* reopen master for 3.0 dev (#5175)Paul Kehrer2020-04-021-1/+1
|
* 2.9 version and changelog bump (#5172)Paul Kehrer2020-04-021-1/+1
|
* Fixed error message in AES-CCM data length validation to reflect the error ↵Maciej Jurczak2020-03-281-1/+1
| | | | reason more accurately. (#5157)
* Allow NameAttribute.value to be an empty string (#5109)Andrea De Pasquale2020-03-191-3/+3
| | | | | | | | | | | | * Allow NameAttribute.value to be an empty string RFC 4514 https://tools.ietf.org/html/rfc4514 does not mention that "AttributeValue" can not be an empty (zero-length) string. Fixes #5106 * reverse order to match fix from another PR Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
* Reversed the order of RDNs in x509.Name.rfc4514_string() (#5120)Thomas Erbesdobler2020-03-021-4/+8
| | | | RFC4514 requires in section 2.1 that RDNs are converted to string representation in reversed order.
* Use literals for collections and comprehensions. (#5091)Mads Jensen2020-01-123-4/+4
|
* Add pthread linking on non-win32 (#5086)Alexander Grund2019-12-231-1/+4
| | | | Required to link in static part of pthread, e.g. pthread_atfork Fixes https://github.com/pyca/cryptography/issues/5084
* Use dict literals. (#5080)Mads Jensen2019-12-021-1/+1
|
* Fixes #5065 -- skip serialization tests which use RC2 if OpenSSL doesn't ↵Alex Gaynor2019-11-251-0/+9
| | | | | | | | have RC2 (#5072) * Refs #5065 -- have a CI job with OpenSSL built with no-rc2 * Fixes #5065 -- skip serialization tests which use RC2 if OpenSSL doesn't have RC2
* issue-5041: do not add extra flags when compiler or platform does not ↵Michael Felt2019-11-241-1/+13
| | | | | | | | | | | | | | support them (#5042) * check for suitable compiler (platform) before adding special flags * pep8 corrections * later pep8 messages * add clang to auto accepted compilers * modify syntax so multi-line is accepted
* add SSL_get_verify_result (#5071)Maximilian Hils2019-11-231-0/+1
|
* add SSL_CTX_get0_param (#5070)Maximilian Hils2019-11-222-0/+3
|
* add SSL[_CTX]_clear_mode (#5062)Maximilian Hils2019-11-111-0/+2
|
* Parse single_extensions in OCSP responses (#5059)Paul Kehrer2019-11-113-1/+25
| | | | | | | | | | | | * add single_extensions to OCSPResponse (#4753) * new vector, updateed docs, more stringent parser, changelog, etc * simplify PR (no SCT for now) * add a comment * finish pulling out the sct stuff so tests might actually run
* Fixed #5050 -- dropped support for an old LibresSSL release (#5056)Alex Gaynor2019-11-118-14/+11
| | | | | | * Fixed #5050 -- dropped support for an old LibresSSL release * Changelog
* Let Oid enforce positive decimal integers (#5053)Noel Remy2019-11-101-1/+6
| | | | | | Failing that would lead to an OpenSSL error when calling OBJ_txt2obj at serialization. Adds basic tests for oids.
* Deal with the 2.5 deprecations (#5048)Alex Gaynor2019-11-034-19/+5
| | | | | | | | | | | | * Deal with the 2.5 deprecations * pep8 + test fixes * docs typo * Why did I do this? * typo
* Add a comment so we can easily find a place to update later (#5043)Alex Gaynor2019-11-011-0/+1
| | | | | | * Add a comment so we can easily find a place to update later * flake8
* Don't bother computing y coefficient in _modinv (#5037)Clayton Smith2019-10-291-3/+3
|
* Silence unguarded availability warnings for `getentropy` when targeting ↵Max Bélanger2019-10-241-1/+5
| | | | | | | | macOS 10.12 (#5019) * silence `Wunguarded-availability` when building with a `MACOSX_DEPLOYMENT_TARGET < 10.12` * use `__builtin_available` rather than a `NULL` echo upon init on mac
* Test against libressl 3.0 (#5031)Alex Gaynor2019-10-201-2/+2
| | | | | | * Test against libressl 3.0 * Correctly type these ints
* Fixes #5018 -- break users on OpenSSL 1.0.1 (#5022)Alex Gaynor2019-10-181-6/+14
| | | | | | | | | | | | * Fixes #5018 -- break users on OpenSSL 1.0.1 * Grammar * Syntax error * Missing import * Missing import
* reopen master for the 2.9 release (#5017)Paul Kehrer2019-10-171-1/+1
|
* Bump versions for 2.8 release (#5014)Alex Gaynor2019-10-171-2/+2
|
* UniversalString needs to be encoded as UCS-4 (#5000)Marko Kreen2019-10-171-0/+2
|
* update openssls (#4995)Paul Kehrer2019-10-152-3/+17
| | | | | | | | | | * update openssls * missed one * what will this do * only do this check for 1.1.0+
* Simplify implementing sequence methods (#4987)Alex Gaynor2019-09-101-94/+31
| | | | | | * Simplify implementing sequence methods * flake8
* it's called FIPS_mode_set, not FIPS_set_mode (#4988)Paul Kehrer2019-09-091-1/+1
|
* Finish ed25519 and ed448 support in x509 module (#4972)Marko Kreen2019-09-094-18/+50
| | | | | | | | | | | | | | | | | | * Support ed25519 in csr/crl creation * Tests for ed25519/x509 * Support ed448 in crt/csr/crl creation * Tests for ed448/x509 * Support ed25519/ed448 in OCSPResponseBuilder * Tests for eddsa in OCSPResponseBuilder * Builder check missing in create_x509_csr * Documentation update for ed25519+ed448 in x509
* be clear that NoEncryption must be an instance in the exception (#4985)Paul Kehrer2019-09-074-4/+4
|
* Allow FreshestCRL extension in CRL (#4975)Marko Kreen2019-09-072-0/+2
| | | Per RFC5280 it is allowed in both certificates and CRL-s.
* Add SSL_get0_verified_chain to cffi lib (#4965)arjenzorgdoc2019-08-142-0/+16
| | | | | | | | * Add SSL_get0_verified_chain to cffi lib OpenSSL 1.1.0 supports SSL_get0_verified_chain. This gives the full chain from the peer cert including your trusted CA cert. * Work around no support for #if in cdef in old cffi
* Make DER reader into a context manager (#4957)Alex Gaynor2019-07-283-17/+22
| | | | | | | | * Make DER reader into a context manager * Added another test case * flake8
* Remove asn1crypto dependency (#4941)David Benjamin2019-07-285-34/+208
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Remove non-test dependencies on asn1crypto. cryptography.io actually contains two OpenSSL bindings right now, the expected cffi one, and an optional one hidden in asn1crypto. asn1crypto contains a lot of things that cryptography.io doesn't use, including a BER parser and a hand-rolled and not constant-time EC implementation. Instead, check in a much small DER-only parser in cryptography/hazmat. A quick benchmark suggests this parser is also faster than asn1crypto: from __future__ import absolute_import, division, print_function import timeit print(timeit.timeit( "decode_dss_signature(sig)", setup=r""" from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature sig=b"\x30\x2d\x02\x15\x00\xb5\xaf\x30\x78\x67\xfb\x8b\x54\x39\x00\x13\xcc\x67\x02\x0d\xdf\x1f\x2c\x0b\x81\x02\x14\x62\x0d\x3b\x22\xab\x50\x31\x44\x0c\x3e\x35\xea\xb6\xf4\x81\x29\x8f\x9e\x9f\x08" """, number=10000)) Python 2.7: asn1crypto: 0.25 _der.py: 0.098 Python 3.5: asn1crypto: 0.17 _der.py: 0.10 * Remove test dependencies on asn1crypto. The remaining use of asn1crypto was some sanity-checking of Certificates. Add a minimal X.509 parser to extract the relevant fields. * Add a read_single_element helper function. The outermost read is a little tedious. * Address flake8 warnings * Fix test for long-form vs short-form lengths. Testing a zero length trips both this check and the non-minimal long form check. Use a one-byte length to cover the missing branch. * Remove support for negative integers. These never come up in valid signatures. Note, however, this does change public API. * Update src/cryptography/hazmat/primitives/asymmetric/utils.py Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com> * Review comments * Avoid hardcoding the serialization of NULL in decode_asn1.py too.
* fix osrandom/builtin switching methods for 1.1.0+ (#4955)Paul Kehrer2019-07-272-7/+9
| | | | | | | | | | * fix osrandom/builtin switching methods for 1.1.0+ In 1.1.0 RAND_cleanup became a no-op. This broke changing to the builtin random engine via activate_builtin_random(). Fixed by directly calling RAND_set_rand_method. This works on 1.0.x and 1.1.x * missed an assert
* add bindings to parse and create challenge passwords in X509 CSRs (#4943)Paul Kehrer2019-07-092-1/+11
| | | | | | * add bindings to parse and create challenge passwords in X509 CSRs * moved away from the 1.1.0 section
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-27 16:04:23 +0000