| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* New osrandom_engine in C
Inspired by Python/random.c and the old implementation.
Signed-off-by: Christian Heimes <christian@python.org>
* osrandom_engine
* Fix naming bug caused by search 'n replace mistake
* Make it easier to override osrandom auto-detection
* Add engine ctrl and backend API to get implementation from ENGINE
Signed-off-by: Christian Heimes <christian@python.org>
* Better test coverage, documentation, LICENSE
Signed-off-by: Christian Heimes <christian@python.org>
* Coverage is hard.
Signed-off-by: Christian Heimes <christian@python.org>
* * enable win32 check
* read() returns size_t
Signed-off-by: Christian Heimes <christian@python.org>
* Add macOS to spelling list. Remove dead code from header file.
Signed-off-by: Christian Heimes <christian@python.org>
* remove CCRandomGenerateBytes path and update getentropy to work on macOS
This change allows us to test all the engines in our CI:
* getentropy (tested by macOS sierra)
* getrandom (tested on several linux builders)
* /dev/urandom (tested on FreeBSD, OS X 10.11 and below, & older linux)
* CryptGenRandom (tested on windows builders)
I also fixed bugs preventing compilation in the getentropy code
* getentropy() returns int and is restricted to 256 bytes on macOS, too.
Signed-off-by: Christian Heimes <christian@python.org>
* add versionadded
* Re-add import of os module
* Fixes related to Alex's recent review.
Signed-off-by: Christian Heimes <christian@python.org>
* Add error reporting and fail for EAGAIN
Add error reporting strings for various error cases. This gives us much
nicer and understandable error messages.
SYS_getrandom() EAGAIN is now an error. Cryptography refuses to
initialize its osrandom engine when the Kernel's CPRNG hasn't been
seeded yet.
Signed-off-by: Christian Heimes <christian@python.org>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Start of OpenSSL DH backend implementation
* Supporting DH in MultiBackend
* DHBackend has dh_parameters_supported method
* Removed DHParametersWithNumbers and DHPrivateKeyWithNumbers from documentation
* Removed ExchangeContext. exchange is a method of DHPrivateKeyWithSerialization
* PEP8 fixes
* Fixed TestDH.test_bad_tls_exchange
* Fixed generate_private_key reference in dh documentation
* test DH multibackend support
* testing DH coversion to serialized
* Validating that we receive serialized class in test_generate_dh
* Testing DH exchange symmetric key padding
* struct DH is now opaqued
* PEP8 fixes
* Testing load_dh_private_numbers throws ValueError when DH_check fails
* Using openssl_assert
* Passing keywords arguments in DH key exchange example
* test_dh::test_bad_tls_exchange now uses pre calculated parameters
* TestDH - Add test that the computed secret is equivalent to the definition by comparing with secret computed in pure python
* Add missing generator parameter to DHBackend interface docs.
* Include parameter type in DHBackend abc docs.
* Add docs for dh.generate_parameters function
* Remove the dh Numbers section, and move the DHNumbers class docs to where they are first used.
* Add note of big endian byte packing to DH exchange method.
* DH documentation updates.
Add single sentence overview with wikipedia link.
Add paragraph on assembling using Numbers objects.
Add link to backend interface docs.
First section was all indented, I think by mistake.
* Add exchange method to DHPrivateKey abstract base class.
* Small tweaks to DH documentation - remove Provider.
* Add endian to dictionary
* Use utils.int_from_bytes in test_tls_exchange_algorithm
* Removed duplicate line
* Change dh.rst exchange algorithm from doctest to code-block
The example in the Diffie-Hellman exhange algorithm is using
2048 bits key. Generating the parameters of 2048 takes long
time. This caused the automated tests to fail. In order to
pass the tests we change the example to code-block so it
will not run in the doc tests.
* Fix dh docs
* Document the generator in DHBackend relevant methods
* Fix dh tests
* use DHparams_dup
* Fix key type to unsigned char as expected by DH_compute_key
* Validate that DH generator is 2 or 5
* test dh exchange using botan vectors
* group all numbers classes
* Simplify _DHPrivateKey
* Rename test with serialized to numbers
* Move bad exchange params to external vector file
* update exchange versionadded to 1.7
* Make key_size bit accurate
* Change botan link
* Added CHANGELOG entry
|
| |
|
|
|
|
| |
* Error out on OpenSSL 1.0.0 by default
* what the heck
|
| | |
|
| |
|
|
|
|
| |
* add support for prehashing in ECDSA sign/verify
* move signature_algorithm check to its own function
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* support RSA verify with prehashing
* review feedback
* more dedupe
* refactor and move to a separate module
|
| |
|
|
|
|
|
|
| |
* support prehashing in RSA sign
* check to make sure digest size matches prehashed data provided
* move doctest for prehashed
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* change derive_elliptic_curve_public_point to return EllipticCurvePublicKey
* also rename the backend interface method
* review feedback
* Rename to derive_elliptic_curve_private_key
* Returns EllipticCurvePrivateKey
* Reuses the EC_POINT in the openssl impl
* Rename "secret" arg to "private_value" which is consistent with our
naming for the value in ECPrivateNumbers.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Raize padding block_size limit to what is allowed by the specs.
* Add tests for raising padding limits.
* Amend C code for padding check to use uint16_t instead of uint8_t.
* Fix test to work in Python 3.
* Fix typo.
* Fix another typo.
* Fix return type of the padding checks.
* Change hypothesis test on padding.
* Update comment.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* cx_freeze support for default_backend
* updated tabing to spaces
* corrected spacing
* moved finding backend to backends __init__
* update to check to see if sys is frozen
* corrected pep8 issues
* update based on comments
* changes to simplify, support testing, and improve comments
* add changelog entry
* right, coverage. I remember now. Time for some contortions.
* updated with review feedback
|
| |
|
|
|
|
|
|
|
|
| |
* Add a bytes method to get the DER ASN.1 encoding of an X509 name.
This is useful for creating an OpenSSL style subject_name_hash (#3011)
* add to backend interface and update multibackend
* bytes -> public_bytes
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove Python OpenSSL locking callback and replace it with one in C
The Python OpenSSL locking callback is unsafe; if GC is triggered
during the callback's invocation, it can result in the callback being
invoked reentrantly, which can lead to deadlocks. This patch replaces
it with one in C that gets built at compile time via cffi along with
the rest of the OpenSSL binding.
* fixes for some issues
* unused
* revert these changes
* these two for good measure
* missing param
* sigh, syntax
* delete tests that assumed an ability to mess with locks
* style fixes
* licensing stuff
* utf8
* Unicode. Huh. What it isn't good for, absolutely nothing.
|
| |
|
|
|
|
| |
* add alternate signature OID for RSA with SHA1 + test and vector
* mozilla is a proper noun leave me alone spellchecker
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* finish https://github.com/pyca/cryptography/pull/1973
* change API & add test
Function will now return an instance of EllipticCurvePrivateKey, as that
is the users' ultimate goal anyway.
* fix test
* improve coverage
* complete coverage
* final fix
* centos fix
* retry
* cleanup asserts
* use openssl_assert
* skip unsupported platforms
* change API name to derive_private_key
* change version added
* improve description of `secret` param
* separate successful and failure test cases
* simplify successful case
* add docs for derive_elliptic_curve_public_point
* add period
|
| |
|
|
|
|
|
|
| |
Update the Name class to accept and internally store a list of
RelativeDistinguishedName objects. Add the 'rdns' attribute to give
access to the RDNs. Update ASN.1 routines to correctly decode and
encode multi-value RDNs.
Fixes: https://github.com/pyca/cryptography/issues/3199
|
| |
|
|
|
|
|
|
|
|
|
| |
* Add RelativeDistinguishedName class
* Make relative_name a RelativeDistinguishedName
DistributionPoint relative_name is currently a Name but RFC 5280
defines it as RelativeDistinguishedName, i.e. a non-empty SET OF
name attributes. Change the DistributionPoint relative_name
attribute to be a RelativeDistinguishedName.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* support encoding IPv4Network and IPv6Network, useful for NameConstraints
* add changelog entry
* add more networks with full and no masking (/32, /128, /0)
* parametrize the nc tests to fix coverage
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* 1.0.2i changed the way COMP_METHOD is exported if NO_COMP is set
* add a comment explaining why we changed this
* 1.0.2i handles NUMERICSTRING properly now so need only test < 1.0.2i
* needs to be visible
|
| | |
|
| |
|
| |
right now it just always skips
|
| |
|
|
|
|
|
|
|
|
| |
* support random_serial_number in the CertificateBuilder
* turns out pytest's monkeypatch has an undo
* random_serial_number now a function
* just certs
|
| |
|
|
|
|
|
|
|
|
| |
* Add bounds checking for Scrypt parameters.
* Pep8.
* More PEP8.
* Change wording.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Scrypt implementation.
* Docs stuff.
* Make example just an example and not a doctest.
* Add changelog entry.
* Docs cleanup.
* Add more tests.
* Add multibackend tests.
* PEP8.
* Add docs about Scrypt parameters.
* Docs cleanup.
* Add AlreadyFinalized.
|
| |
|
|
|
|
| |
* add support for signature_algorithm_oid to cert, CSR, and CRL
* refactor _SIG_OIDS_TO_HASH to use ObjectIdentifiers and use that
|
| | |
|
| |
|
|
|
|
|
|
| |
* Add a register_interface_if decorator.
* Add tests.
* PEP 8.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* blake2b/blake2s support
Doesn't support keying, personalization, salting, or tree hashes so
the API is pretty simple right now.
* implement digest_size via utils.read_only_property
* un-keyed for spelling's sake
* test copying + digest_size checks
* unkeyed is too a word
* line wrap
* reword the docs
* use the evp algorithm name in the error
This will make BLAKE2 alternate digest size errors a bit less confusing
* add changelog entry and docs about supported digest_size
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* make pre5 work
* add a blank line to make the diff happier
* 1.1.0-pre6 working
* support the changes since 1.1.0-pre6
* fixes
* add 1.1.0 to travis
* expose the symbol
* better testing for numericstring
* handle libre...
* actually use the 1.1.0 we compile
* cache the ossl-110 dir on travis
* add some newlines
* changelog entry for 1.1.0 support
* note that we test on 1.1.0
* proper skip on this test
* reorder
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Iterators can only be enumerated once, breaking code like this in
Python 3 for example:
san = SubjectAlternativeName(map(DNSName, lst))
This is also a slight behavior change if the caller modifies the list
after passing it to the constructor, because input lists are now copied.
Which seems like a good thing.
Also:
* Name now checks that attributes elements are of type NameAttribute
* NoticeReference now allows notice_numbers to be any iterable
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
not_valid_before (#2920)
* CertificateBuilder accepts aware datetimes for not_valid_after and not_valid_before
These functions now accept aware datetimes and convert them to UTC
* Added pytz to test requirements
* Correct pep8 error and improve Changelog wording
* Improve tests and clarify changelog message
* Trim Changelog line length
* Allow RevokedCertificateBuilder and CertificateRevocationListBuilder to accept aware datetimes
* Fix accidental changelog entry
|
| | |
|
| |
|
|
|
|
| |
Fix DNSName wildcard encoding for NameConstraints
Previously '.example.com' would get normalised to 'example.com', making
it impossible to add wildcard NameConstraints.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* Add an enforce_key_length parameter to HOTP and TOTP.
* Document changes in docs.
* Add some words to the wordlist.
* Add versionadded to docs.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Use a series of constants for OpenSSL version checks.
N.B. I removed several qualifiers that were being used to express beta vs. release in OpenSSL version numbers. Reviewers please look closely!
* Convert some python as well, also add the file
* flake8
* Simplify code, remove functionality that can be expressed more simply
* clean up the tests as well
* more constants
* wrap long lines
* reflect feedback
* unused
* add this back?
|
| |
|
|
| |
This is due to a bug in CommonCrypto present in 10.11.x. Filed as
radar://26636600
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add sign and verify methods to ECDSA
* Documented ECDSA sign/verify methods
* Added CHANGELOG entry
* Skipping test verify and sign if curve is not supported
* Fixed typo in documentation return type
* Removed provider language from EllipticCurvePrivateKey and EllipticCurvePublicKey
|
| |
|
|
|
|
|
|
| |
* Add sign and verify methods to DSA
* Documented DSA sign/verify methods
* Added CHANGELOG entry
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Fixed #3008 -- expose calculate max pss salt length
* Fixed a few mistakes in the docs
* move all the code around
* oops
* write a unit test
* versionadded + changelog
|
| |
|
| |
We have always been at war with OpenSSL 0.9.8
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Drop OpenSSL 0.9.8
* Drop this test, it's not relevant any longer
* unused import
* Remove CRYPTOGRAPHY_ALLOW_OPENSSL_098=1 from our tox
* removed unused code for Cryptography_HAS_PKEY_CTX
* return unused code for _AESCTRCipherContext
* syntax :-(
* remove some unused tests and skips
* remove unused code for Cryptography_HAS_PBKDF2_HMAC
* Revert "return unused code for _AESCTRCipherContext"
This reverts commit 7d149729205aa4c9735eb322414b167a75b302df.
* Remove unused RSA code
* Remove unused test code for conditional bindings
* Remove unused dsa code
* unused import
* Remove unused x509 extension code
* Remove unused EC code
* Attempt to remove unused DER key loading code
* document this
* grammar
* Added back this paragraph
* Update docs
|
| |
|
|
|
|
|
|
|
| |
This patch adds wrapper methods to allow the user to sign and verify a
single message block without having to go through the multi-step
process of creating a signer or verifier, updating it with the one
message, and finalizing the result. This will make signing and
verifying data more user-friendly when only using small messages.
Partial bug #1529
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* some rsa oaep sha2 support
* various improvements
* fix a thing
* simplify
* update the test
* styyyyyle
* more styyyyle
* fix libre, remove a skip that should never be hit
* OAEP version check fixes
|
| |
|
|
|
|
|
|
| |
* added a repr to the dsa numbers classes
* fix
* another test
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* SSH serialization for public keys
* name errors ahoy!
* id, ego, superego
* dsa support
* EC support
* Don't keyerror
* Documentation OpenSSH
* flake8
* fix
* bytes bytes bytes
* skip curve unsupported
* bytes!
* Move a function
* reorganize code for coverage
|
