* make a certificate expire a few years in the future, fixes doctests (#4383)
* make a certificate expire a few years in the future, fixes doctests
👋 to future alex when this test breaks in two years
* short lived certs are a good idea
* Fixes#4388 -- when running the aws-encryption-sdk tests only point pytest at one directory (#4391)
* Fixes#4388 -- when running the aws-encryption-sdk tests only point pytest at one directory
* Drop -l, there's no purpose for how we use these
* Updated wycheproof tests for new upstream vectors (#4378)
* updated tests for upstream wycheproof changes
* Updated AES tests
* oops, flake8
* document one shot AEAD length restrictions
* write a test that won't consume infinity ram
continue to raise OverflowError since that's what cffi did.
* this applies to associated_data too
* remove unneeded arg
* review feedback on docs
* document that an ECPublicNumbers object has some unexpected properties
It is not guaranteed to be a valid point on the curve as that is not
checked until you convert it to a PublicKey object.
* different language
* move the text, make it a warning, alter the language
* new language
In 2005, IETF devised a more secure padding scheme to replace PKCS #1
v1.5. To make sure that nobody can easily support or use it, they
mandated lots of complicated parameters in the certificate, unlike any
other X.509 signature scheme.
https://tools.ietf.org/html/rfc4055
`_SIG_OIDS_TO_HASH` and `Certificate.signature_hash_algorithm` cannot be
supported as-is, because the hash algorithm is defined in the signature
algorithm parameters, not by the OID itself.
* test against python 3.7 for windows
* update docs to say we test on 3.7
* more succinct
* maybe make this actually work.
* link properly
* moar changes
Internal block size isn't a particularly useful piece of information and
constructions like SHA3 make it even harder to determine what that
really means. Accordingly, we're removing it from the interface (but
leaving it on all existing hashes)
* Add API for retrieving the seconds-to-expiry for the token, given a TTL.
* Process PR feedback:
* Do compute the TTL, but just the age of the token. The caller
can decided what to do next.
* Factored out the HMAC signature verification to a separate function.
* Fixed a copy&paste mistake in the test cases
* Tests cleanup.
* `struct` no longer needed
* Document `def age()`
* typo in `age()` documentation
* token, not data
* remove test for TTL expiry that is already covered by the parameterized `test_invalid()`.
* let's call this extract_timestamp and just return timestamp
* review comments
* it's UNIX I know this
* implement AES KW with padding (RFC 5649)
fixes#3791
* oops, 2.2
* make sure this is the right valueerror
* more match
* make key padding easier to read
* review feedback
* review feedback
* added brainpool ec-curves key_length >= 256bit
* limit brainpool curves to the set that appear required + docs
* oops
* typos all around me
* add brainpool ECDH kex tests
* switch to using rfc 7027 vectors
* review feedback
* empty commits are the best
* add rotate method
* add some more tests for the failure modes
* start adding some documentation for the rotate method
* operate on a single token at a time, leave lists to the caller
* add versionadded
add versionadded, drop rotate from class doctest
* give rotate a doctest
* single level, not aligned
* add changelog for mf.rotate
* show that, once rotated, the old fernet instance can no longer decrypt the token
* add the instead of just the how
* update docs to reflect removal of ttl from rotate
* update tests
* refactor internal methods so that we can extract the timestamp
* implement rotate
* update wordlist (case sensitive?)
* lints
* consistent naming
* get_token_data/get_unverified_token_data -> better name
* doc changes
* use the static method, do not treat as imethod
* move up to MultiFernet docs
* add to authors
* alter wording
* monkeypatch time to make it less possible for the test to pass simply due to calls occuring in less than one second
* set the time after encryption to make sure that the time is preserved as part of re-encryption
* Update docs and changelog for URI, RFC822Name, and DNSName
As of 2.1 we want users to pass A-label strings, but we still accept
U-label strings and auto-encode on their behalf (with a deprecation
warning). However, we do not return U-label in the value attribute so
we are making a backwards incompatible change for users that utilize
internationalized domain names.
* language updates
* add presentational to the word list
* the linux dictionary is pathetic
