| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
* Make DER reader into a context manager
* Added another test case
* flake8
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove non-test dependencies on asn1crypto.
cryptography.io actually contains two OpenSSL bindings right now, the
expected cffi one, and an optional one hidden in asn1crypto. asn1crypto
contains a lot of things that cryptography.io doesn't use, including a
BER parser and a hand-rolled and not constant-time EC implementation.
Instead, check in a much small DER-only parser in cryptography/hazmat. A
quick benchmark suggests this parser is also faster than asn1crypto:
from __future__ import absolute_import, division, print_function
import timeit
print(timeit.timeit(
"decode_dss_signature(sig)",
setup=r"""
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
sig=b"\x30\x2d\x02\x15\x00\xb5\xaf\x30\x78\x67\xfb\x8b\x54\x39\x00\x13\xcc\x67\x02\x0d\xdf\x1f\x2c\x0b\x81\x02\x14\x62\x0d\x3b\x22\xab\x50\x31\x44\x0c\x3e\x35\xea\xb6\xf4\x81\x29\x8f\x9e\x9f\x08"
""",
number=10000))
Python 2.7:
asn1crypto: 0.25
_der.py: 0.098
Python 3.5:
asn1crypto: 0.17
_der.py: 0.10
* Remove test dependencies on asn1crypto.
The remaining use of asn1crypto was some sanity-checking of
Certificates. Add a minimal X.509 parser to extract the relevant fields.
* Add a read_single_element helper function.
The outermost read is a little tedious.
* Address flake8 warnings
* Fix test for long-form vs short-form lengths.
Testing a zero length trips both this check and the non-minimal long
form check. Use a one-byte length to cover the missing branch.
* Remove support for negative integers.
These never come up in valid signatures. Note, however, this does
change public API.
* Update src/cryptography/hazmat/primitives/asymmetric/utils.py
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
* Review comments
* Avoid hardcoding the serialization of NULL in decode_asn1.py too.
|
| |
|
|
| |
detect md5 and don't generate short RSA keys
these changes will help if we actually try to run FIPS enabled
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Remove irrelevant DHBackend test conditions
DHBackend provides functions for plain finite-field Diffie-Hellman.
X25519 and X448 are their own algorithms, and Ed25519 and Ed448 aren't
even Diffie-Hellman primitives.
* Add missing backend support checks.
Some new AES and EC tests did not check for whether the corresponding
mode or curve was supported by the backend.
* Add a DummyMode for coverage
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* ed25519 support in x509 certificate builder
This adds minimal ed25519 support. More to come.
* Apply suggestions from code review
Co-Authored-By: Alex Gaynor <alex.gaynor@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
* we don't have these mac builders any more
let's see if we get coverage from azure like we should!
* remove a branch we can't cover in tests
* remove unused import
|
| | |
|
| |
|
|
|
|
|
|
| |
* test: ensure all public members of ExtensionOID have names defined
* add name for ExtensionOID.PRECERT_POISON
ref: https://github.com/google/certificate-transparency/blob/5fce65cb60cfe7808afc98de23c7dd5ddbfa1509/python/ct/crypto/asn1/oid.py#L338
|
| |
|
|
|
|
| |
* fix aia encoding memory leak
* don't return anything from the prealloc func
|
| |
|
|
|
|
| |
Using an all 0 key causes failures in OpenSSL master (and Fedora has
cherry-picked the commit that causes it). The change requires that the
key/tweak for XTS mode not be the same value, so let's just use a random
key.
|
| |
|
|
|
|
|
|
|
|
| |
* fix from_issuer_subject_key_identifier to take the right type
deprecate passing the old Extension wrapper object
* don't use a try:except:
* hilarious contortions to satisfy doc8
|
| |
|
|
|
|
|
|
| |
* test: regression test for UnicodeEncodeError in x509 name in #4810
added utf8 encoding at the top of the file due to PEP 263
* bugfix: #4810 resolve UnicodeEncodeError in x509 name
|
| | |
|
| |
|
|
|
|
| |
* fix a memory leak in AIA parsing
* oops can't remove that
|
| |
|
|
|
|
|
|
| |
* fix != comparison in py2 (fixes #4821)
* remove blank line b/c pep8
* move __ne__ next to __eq__ as per review request
|
| | |
|
| |
|
|
|
| |
we don't support ed448 openssh keys so we'll use that to test this
branch. if we ever do support ed448 keys we can always just call this
private method directly to keep coverage.
|
| |
|
|
|
|
| |
* add OpenSSH serialization for ed25519 keys (#4808)
* address review comments
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* poly1305 support
* some more tests
* have I mentioned how bad the spellchecker is?
* doc improvements
* EVP_PKEY_new_raw_private_key copies the key but that's not documented
Let's assume that might change and be very defensive
* review feedback
* add a test that fails on a tag of the correct length but wrong value
* docs improvements
|
| |
|
|
|
|
| |
* support ed25519 openssh public keys
* don't need this check
|
| |
|
|
|
|
|
|
| |
* ed448 support
* move the changelog entry
* flake8
|
| |
|
|
|
|
| |
* ed25519 support
* review feedback
|
| | |
|
| |
|
|
|
|
|
|
| |
* support OPENSSL_NO_ENGINE
* support some new openssl config args
* sigh
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
* add an EC OID to curve dictionary mapping
* oid_to_curve function
* changelog and docs fix
* rename to get_curve_for_oid
|
| |
|
|
|
|
|
|
|
|
| |
* encode the package version in the shared object
* review feedback
* move into build_ffi so the symbol is in all shared objects
* review feedback
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
* Run wycheproof RSA tests on LibreSSL>=2.8
* Define it this way
* These are errors on libressl
|
| |
|
|
|
|
|
|
|
|
| |
* Fixes #4734 -- Deal with deprecated things
- Make year based aliases of PersistentlyDeprecated so we can easily assess age
- Removed encode/decode rfc6979 signature
- Removed Certificate.serial
* Unused import
|
| |
|
|
|
|
|
|
| |
* allow asn1 times of 1950-01-01 and later.
* add a test
* pretty up the test
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we used unix timestamps, but now we are switching to using
ASN1_TIME_set_string and automatically formatting the string based on
the year. The rule is as follows:
Per RFC 5280 (section 4.1.2.5.), the valid input time
strings should be encoded with the following rules:
1. UTC: YYMMDDHHMMSSZ, if YY < 50 (20YY) --> UTC: YYMMDDHHMMSSZ
2. UTC: YYMMDDHHMMSSZ, if YY >= 50 (19YY) --> UTC: YYMMDDHHMMSSZ
3. G'd: YYYYMMDDHHMMSSZ, if YYYY >= 2050 --> G'd: YYYYMMDDHHMMSSZ
4. G'd: YYYYMMDDHHMMSSZ, if YYYY < 2050 --> UTC: YYMMDDHHMMSSZ
Notably, Dates < 1950 are not valid UTCTime. At the moment we still
reject dates < Jan 1, 1970 in all cases but a followup PR can fix
that.
|
| | |
|
| |
|
|
|
|
| |
* add support for encoding compressed points
* review feedback
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* shake128/256 support
* remove block_size
* doc an exception
* change how we detect XOF by adding _xof attribute
* interface!
* review feedback
|
| | |
|
| |
|
|
|
|
|
|
| |
* byteslike concatkdf
* byteslike scrypt
* byteslike x963kdf
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
* support byteslike in HKDF
* support byteslike in PBKDF2HMAC
* add missing docs
|
| |
|
| |
yuck.
|
| |
|
|
|
|
|
|
|
|
|
| |
* x448 and x25519 should enforce key lengths in from_private_bytes
they should also check if the algorithm is supported like the public
bytes class methods do
* oops
* move the checks
|
| |
|
| |
needed for some KDF keying material
|
| |
|
| |
This is needed to handle keying material in some of the KDFs
|
| | |
|
| |
|
|
|
|
| |
* add support for byteslike password/data to load_{pem,der}_private_key
* pypy 5.4 can't do memoryview from_buffer
|
| |
|
|
| |
we don't care about exceeding a deadline in CI because our infra
has wild variability and this can just randomly happen.
|
