* Add deprecation warning handling advice note
This tip is being added to help the library maintainers keep
testing cryptography where supporting multiple Python runtimes
is still necessary.
Resolves https://github.com/pyca/cryptography/issues/5335
* Move deprecation suppression advice to FAQ
* disable the osrandom engine on 1.1.1d+
* skip (and run) some tests on 1.1.1d+
* simplify our conditionals
* Update src/_cffi_src/openssl/src/osrandom_engine.c
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* words
* more words
* language
* get coverage more cleverly
* a word
* Update .github/workflows/ci.yml
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
We have already validated that `p` is large enough to store `name`. In `strncpy` the `len` parameter should generally be the length of the target buffer, not the source buffer.
* remove NPN bindings -- you should be using ALPN!
pyOpenSSL consumed these, but we've marked it as deprecated and it
already handles the case where the bindings are not available.
* set Cryptography_HAS_NEXTPROTONEG to 0 for pyOpenSSL
we can remove this symbol in like...5 years.
* remove another NPN related definition
* suspicious
* Revert "remove another NPN related definition"
This reverts commit d872a7d1d776858c77b8c607f63cc9b5fef1ae39.
Revert "suspicious"
This reverts commit 5b767484f1cde132f686600a46e61a18e33cbdae.
* support x509 request challenge password parsing
* switch to a more generic (but not too generic) attribute parsing
* make it raise a ValueError
* Update tests/x509/test_x509.py
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Support parsing SCTs in OCSPResponse
* s/typically/only and pep8
* remove unused vector
Co-authored-by: Szilárd Pfeiffer <szilard.pfeiffer@balasys.hu>
* Disallow ttl=None in (Multi)Fernet.decrypt_at_time()
Since the introduction of the _at_time() methods in #5256[1] there's
been this little voice in the back of my mind telling me that maybe it's
not the best idea to allow ttl=None in decrypt_at_time(). It's been like
this for convenience and code reuse reasons.
Then I submitted a patch for cryptography stubs in typeshed[2] and I had
to decide whether to define decrypt_at_time()'s ttl as int and be
incompatible with cryptography's behavior or Optional[int] and advertise
an API that can be misused much too easily. I went ahead with int.
Considering the above I decided to propose this patch. Some amount of
redundancy (and a new test to properly cover the
MultiFernet.decrypt_at_time() implementation) is a price to prevent
clients from shooting themselves in the foot with the ttl=None gun since
setting ttl to None disabled timestamp checks even if current_time was
provided.
[1] https://github.com/pyca/cryptography/pull/5256
[2] https://github.com/python/typeshed/pull/4238
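The foot-gun the commit above describes is the interaction between `ttl=None` and an explicit `current_time`: the timestamp check is skipped entirely even though the caller has told the API which moment it cares about. The following is an added illustration, not code from pyca/cryptography. It is a constructed, MAC-only stand-in for Fernet (HMAC-SHA256 over a version byte, a big-endian timestamp and the payload; the AES-CBC layer is deliberately left out), kept close to Fernet's layout and its 60-second clock-skew tolerance so the `decrypt()` / `decrypt_at_time()` split and the `ValueError` on `ttl=None` can be exercised with fixed timestamps. The class, key and helper names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Same tolerance Fernet uses for tokens whose timestamp lies in the future (assumed here).
MAX_CLOCK_SKEW = 60


class InvalidToken(Exception):
    """Raised for a malformed, tampered, expired or future-dated token."""


class TimestampedToken:
    """Constructed stand-in for Fernet: authenticates (timestamp || payload), does not encrypt."""

    def __init__(self, key: bytes):
        self._key = key

    def encrypt_at_time(self, data: bytes, current_time: int) -> bytes:
        body = b"\x80" + struct.pack(">Q", current_time) + data
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag)

    def encrypt(self, data: bytes) -> bytes:
        return self.encrypt_at_time(data, int(time.time()))

    def decrypt(self, token: bytes, ttl=None) -> bytes:
        # Here ttl=None is the documented way to say "no expiry check".
        return self._decrypt_data(token, ttl, int(time.time()))

    def decrypt_at_time(self, token: bytes, ttl: int, current_time: int) -> bytes:
        # The point of the patch: a caller passing current_time cares about time,
        # so a missing ttl is a bug in the caller, not a request to skip the check.
        if ttl is None:
            raise ValueError("decrypt_at_time() can only be used with a non-None ttl")
        return self._decrypt_data(token, ttl, current_time)

    def _decrypt_data(self, token: bytes, ttl, current_time: int) -> bytes:
        try:
            raw = base64.urlsafe_b64decode(token)
        except (TypeError, ValueError):
            raise InvalidToken
        if len(raw) < 1 + 8 + 32 or raw[0] != 0x80:
            raise InvalidToken
        body, tag = raw[:-32], raw[-32:]
        # Verify the MAC before trusting any field, including the timestamp.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise InvalidToken
        (timestamp,) = struct.unpack(">Q", body[1:9])
        if ttl is not None and timestamp + ttl < current_time:
            raise InvalidToken  # expired
        if current_time + MAX_CLOCK_SKEW < timestamp:
            raise InvalidToken  # issued too far in the future
        return body[9:]


def rejection(fn, *args, **kwargs):
    """Return the exception class fn(...) raises, or None if it succeeds (demo helper)."""
    try:
        fn(*args, **kwargs)
    except Exception as exc:  # noqa: BLE001 - demo helper, we want the class
        return type(exc)
    return None


def demo() -> dict:
    """Exercise the timestamp rules with a fixed key and fixed timestamps (constructed values)."""
    t = TimestampedToken(b"k" * 32)
    tok = t.encrypt_at_time(b"session", current_time=1000)
    raw = base64.urlsafe_b64decode(tok)
    tampered = base64.urlsafe_b64encode(raw[:-1] + bytes([raw[-1] ^ 1]))
    return {
        "fresh": t.decrypt_at_time(tok, ttl=60, current_time=1030),
        "on_boundary": t.decrypt_at_time(tok, ttl=60, current_time=1060),
        "expired": rejection(t.decrypt_at_time, tok, ttl=60, current_time=1061),
        "future": rejection(t.decrypt_at_time, tok, ttl=60, current_time=900),
        "ttl_none": rejection(t.decrypt_at_time, tok, ttl=None, current_time=1100),
        "no_ttl_decrypt": t.decrypt(tok, ttl=None),
        "tampered": rejection(t.decrypt_at_time, tampered, ttl=60, current_time=1030),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `ttl_none` case is the behaviour the commit changes: before the patch a `decrypt_at_time(token, None, current_time)` call would have returned the payload regardless of age, exactly like `no_ttl_decrypt`; after it, the call fails loudly at the API boundary. Note also that the MAC is checked before the timestamp is read, so an attacker cannot steer the expiry logic with an unauthenticated header.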
* Actually test the return value here
* Fix formatting
The CRL is missing a CRL number and should mark the delta CRL extension
as critical. RFC 5280 says the following:
Section 5.2.3:
> CRL issuers conforming to this profile MUST include this extension
> [CRL number] in all CRLs and MUST mark this extension as
> non-critical.
Section 5.2.4:
> The delta CRL indicator is a critical CRL extension that identifies a
> CRL as being a delta CRL.
> When a conforming CRL issuer generates a delta CRL, the delta CRL
> MUST include a critical delta CRL indicator extension.
Sadly, RFC 5280 is often unclear about the difference between issuer
requirements and verifier requirements, but test certificates should
conform to issuer requirements where possible, in case the underlying
library becomes stricter. Section 5.2.4 includes further text which
implies a delta CRL without a CRL number is unusable for a verifier
anyway:
> A complete CRL and a delta CRL MAY be combined if the following four
> conditions are satisfied:
>
> [...]
>
> (d) The CRL number of the complete CRL is less than the CRL number
> of the delta CRL. That is, the delta CRL follows the complete
> CRL in the numbering sequence.
Note I have not updated the signature in crl_delta_crl_indicator.pem.
The test does not care, and it is unclear which key to sign it with.
* ssh.py contains load/serialize code.
* Add PrivateFormat.OpenSSH to .private_bytes() format.
* Add load_ssh_private_key().
* Use new code for PublicFormat.OpenSSH too.
* load_ssh_public_key() now supports reading signed public keys.
* Supported algorithms: rsa, dsa, ec, ed25519.
* Optional dependency on 'bcrypt' package via [ssh] extra