* Upgrade openssl package for libressl 3.9.1 support
* Ensure a good error message when cffi module fails to import
* CHANGELOG
* Bump version for 42.0.6 release
* It's not FIPS anymore
* Resolve new clippy warnings (#10755)
The fixes themselves are of marginal value 🙃
* fix warning from latest nightly rust (#10486)
* fix warning from latest nightly rust
* Update lib.rs
* Fix ASN.1 for S/MIME capabilities.
The current implementation defines the SMIMECapabilities attribute
so that its value is a SEQUENCE of all the algorithm OIDs that are
supported.
However, the S/MIME v3 spec (RFC 2633) specifies that each algorithm
should be specified in its own SEQUENCE:
    SMIMECapabilities ::= SEQUENCE OF SMIMECapability
    SMIMECapability ::= SEQUENCE {
        capabilityID OBJECT IDENTIFIER,
        parameters ANY DEFINED BY capabilityID OPTIONAL }
(RFC 2633, Appendix A)
This commit changes the implementation so that each algorithm
is inside its own SEQUENCE. This also matches the OpenSSL
implementation.
* Fix the RSA OID used for signing PKCS#7/SMIME
The current implementation computes the algorithm identifier used
in the `digest_encryption_algorithm` PKCS#7 field
(or `SignatureAlgorithmIdentifier` in S/MIME) based on both the
algorithm used to sign (e.g. RSA) and the digest algorithm (e.g. SHA512).
This is correct for ECDSA signatures, where the OIDs used include the
digest algorithm (e.g: ecdsa-with-SHA512). However, due to historical
reasons, when signing with RSA the OID specified should be the one
corresponding to just RSA ("1.2.840.113549.1.1.1" rsaEncryption),
rather than OIDs which also include the digest algorithm (such as
"1.2.840.113549.1.1.13", sha512WithRSAEncryption).
This means that the logic to compute the algorithm identifier is the
same except when signing with RSA, in which case the OID will always
be `rsaEncryption`. This is consistent with the OpenSSL implementation,
and the RFCs that define PKCS#7 and S/MIME.
See RFC 3851 (section 2.2), and RFC 3370 (section 3.2) for more details.
* Add tests for the changes in PKCS7 signing
* PKCS7 fixes from code review
* Update CHANGELOG
Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
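The encoding change described in the "Fix ASN.1 for S/MIME capabilities" message above, shown as an added example that is not code from the project: a standard-library DER encoder that builds both layouts and a checker that accepts only the RFC 2633 one. The function names are illustrative and the two AES OIDs are a constructed sample, not the capability list the library emits.

```python
def tlv(tag, body):  # tag + DER length (short form < 128, else long form) + body
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_oid(dotted):  # dotted string -> DER OBJECT IDENTIFIER (tag 0x06)
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128 groups, lowest first
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def children(body):
    """Split a DER body into (tag, value) pairs; ValueError if truncated."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated TLV header")
        tag, n, i = body[i], body[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(body[i:i + k], "big"), i + k
        if i + n > len(body):
            raise ValueError("truncated TLV value")
        out.append((tag, body[i:i + n]))
        i += n
    return out

def is_rfc2633_capabilities(der):
    """True when der is SEQUENCE OF SEQUENCE { OBJECT IDENTIFIER, ... }."""
    top = children(der)
    if len(top) != 1 or top[0][0] != 0x30:
        return False
    return all(tag == 0x30 and children(val)[:1] and children(val)[0][0] == 0x06
               for tag, val in children(top[0][1]))

# Constructed sample (AES-256-CBC, AES-128-CBC); not taken from the commit.
SAMPLE_OIDS = ["2.16.840.1.101.3.4.1.42", "2.16.840.1.101.3.4.1.2"]

def encode_flat(oids):  # old layout: a single SEQUENCE holding every OID
    return tlv(0x30, b"".join(der_oid(o) for o in oids))

def encode_rfc2633(oids):  # fixed layout: one SMIMECapability SEQUENCE per OID
    return tlv(0x30, b"".join(tlv(0x30, der_oid(o)) for o in oids))
```

Comparing `encode_flat(SAMPLE_OIDS).hex()` with `encode_rfc2633(SAMPLE_OIDS).hex()` shows the extra `30 0b` wrapper in front of each OID, which is what a strict S/MIME parser expects to find.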
* Check to see if we can use the hosted M1 runners (#10340)
* Stop pretending to be x64 on M1 in CI (#10341)
---------
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
we previously hoisted this into rust, but we used the try_load feature
which supposedly retains fallbacks. Something about that doesn't behave
the way we expect though and the machinery in providers is sufficiently
complex that we are just going to load the default provider explicitly.
this matches our behavior pre-rust.
* initialize openssl's legacy provider in rust (#10323)
* initialize openssl's legacy provider in rust
as we oxidize we need to do this here to ensure it actually happens
* alex is a comment format pedant
* remove the memleak tests (#10322)
they are fragile, haven't caught regressions, and increasingly pointless
as we oxidize.
* allow SPKI RSA keys to be parsed even if they have an incorrect delimiter
This allows RSA SPKI keys (typically delimited with PUBLIC KEY) to be parsed
even if they are using the RSA PUBLIC KEY delimiter.
* formatting
* use original error if nothing parses, don't let it parse non-RSA
* verification: add test_verify_tz_aware
Signed-off-by: William Woodruff <william@trailofbits.com>
* py_to_datetime handles tzinfo, add test
Signed-off-by: William Woodruff <william@trailofbits.com>
* Update src/rust/src/x509/common.rs
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* x509/common: coverage for the coverage god
Signed-off-by: William Woodruff <william@trailofbits.com>
---------
Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Update ocsp.rst
Added warning about SHA1 being used for sign()
* Update ocsp.rst
Fixed spelling issues, at least according to en-GB dictionary.
* Update ocsp.rst
Spell checker didn't catch "algorithim" somehow.
* Update ocsp.rst
Attempting to rephrase the warning.
* Update ocsp.rst
Removing rogue space.