Commit graph

2637 commits

Author SHA1 Message Date
Facundo Tuesca
0faaffc2f5
Add support for encrypting S/MIME messages (#10889)
* Add support for encrypting S/MIME messages

* Move PKCS7 decrypt test function to Rust

* Use symmetric encryption function from PKCS12

* Remove debug file write from tests

* Remove unneeded backend parameter

* docs and changelog
2024-07-18 08:52:09 -07:00
Facundo Tuesca
783223f5f6
docs: Add instructions to build the docs (#11290)
* docs: Add instructions to build the docs

* docs: Fix single backticks

* docs: remove troubleshooting section

* Update docs/development/getting-started.rst

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

---------

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
2024-07-17 21:07:37 +00:00
Paul Kehrer
2b371f418b
add support for CipherContext.update_nonce (#10437)
* add support for CipherContext.reset_nonce

This only supports ChaCha20 and ciphers in CTR mode.

* expand tests to reset to different nonces
2024-07-05 18:54:12 -04:00
Daniel Lenski
8a7f27be3d
Add rsa_recover_private_exponent function (#11193)
Given the RSA public exponent (`e`), and the RSA primes (`p`, `q`), it is possible
to calculate the corresponding private exponent `d = e⁻¹ mod λ(n)` where
`λ(n) = lcm(p-1, q-1)`.

With this function added, it becomes possible to use the library to reconstruct an RSA
private key given *only* `p`, `q`, and `e`:

    from cryptography.hazmat.primitives.asymmetric import rsa

    n = p * q
    d = rsa.rsa_recover_private_exponent(e, p, q)  # newly-added piece
    iqmp = rsa.rsa_crt_iqmp(p, q)                  # preexisting
    dmp1 = rsa.rsa_crt_dmp1(d, p)                  # preexisting
    dmq1 = rsa.rsa_crt_dmq1(d, q)                  # preexisting

    assert rsa.rsa_recover_prime_factors(n, e, d) in ((p, q), (q, p))  # verify consistency

    privk = rsa.RSAPrivateNumbers(p, q, d, dmp1, dmq1, iqmp, rsa.RSAPublicNumbers(e, n)).private_key()

Older RSA implementations, including the original RSA paper, often used the
Euler totient function `ɸ(n) = (p-1) * (q-1)` instead of `λ(n)`.  The
private exponents generated by that method work equally well, but may be
larger than strictly necessary (`λ(n)` always divides `ɸ(n)`).  This commit
additionally implements `_rsa_recover_euler_private_exponent`, so that tests
of the internal structure of RSA private keys can allow for either the Euler
or the Carmichael versions of the private exponents.

It makes sense to expose only the more modern version (using the Carmichael
totient function) for public usage, given that it is slightly more
computationally efficient to use the keys in this form, and that some
standards like FIPS 186-4 require this form.  (See
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf#page=63)
2024-07-05 15:14:04 -07:00
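The arithmetic behind the commit above, as an added example that is not code from the cryptography project: a pure-Python reimplementation of both private-exponent recoveries (Carmichael `λ(n)` and Euler `ɸ(n)`) plus a CRT decryption, so the properties the commit relies on (both exponents decrypt, `λ(n)` divides `ɸ(n)`, the Carmichael exponent is never larger) can be checked without the library. Function names such as `recover_private_exponent`, `rsa_prime` and `check_recovery` are this example's own, not the library's `rsa_recover_private_exponent` / `rsa_crt_*` API; primes are generated here with a Miller-Rabin test.

```python
"""Recovering an RSA private exponent from (e, p, q): Carmichael vs. Euler.

Added example, not code from the cryptography project. Everything is plain
modular arithmetic; primes come from a Miller-Rabin search.
"""
import math
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probable-prime test (adequate for example key material)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_prime(bits: int, e: int) -> int:
    """Random prime with gcd(p - 1, e) == 1, so e is invertible mod both totients."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if math.gcd(cand - 1, e) == 1 and is_probable_prime(cand):
            return cand


def carmichael(p: int, q: int) -> int:
    """lambda(n) = lcm(p - 1, q - 1)."""
    return (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)


def recover_private_exponent(e: int, p: int, q: int) -> int:
    """d = e^-1 mod lambda(n): the Carmichael form FIPS 186-4 requires."""
    return pow(e, -1, carmichael(p, q))


def recover_euler_private_exponent(e: int, p: int, q: int) -> int:
    """d = e^-1 mod phi(n), phi(n) = (p - 1)(q - 1): the original RSA paper's form."""
    return pow(e, -1, (p - 1) * (q - 1))


def crt_decrypt(c: int, p: int, q: int, dmp1: int, dmq1: int, iqmp: int) -> int:
    """Garner's CRT recombination, as performed with a CRT-form private key."""
    m1 = pow(c, dmp1, p)
    m2 = pow(c, dmq1, q)
    h = (iqmp * (m1 - m2)) % p
    return m2 + h * q


def check_recovery(e: int, p: int, q: int) -> dict:
    """Recover both exponents and report the properties the commit relies on."""
    n = p * q
    lam, phi = carmichael(p, q), (p - 1) * (q - 1)
    d_carm = recover_private_exponent(e, p, q)
    d_euler = recover_euler_private_exponent(e, p, q)
    dmp1, dmq1, iqmp = d_carm % (p - 1), d_carm % (q - 1), pow(q, -1, p)
    m = 2 + secrets.randbelow(n - 2)  # constructed sample message, 2 <= m < n
    c = pow(m, e, n)
    return {
        "e_d_is_1_mod_lambda": (e * d_carm) % lam == 1,
        "both_exponents_decrypt": pow(c, d_carm, n) == m == pow(c, d_euler, n),
        "lambda_divides_phi": phi % lam == 0,
        "carmichael_not_larger": d_carm <= d_euler,
        "same_residue_mod_lambda": d_euler % lam == d_carm,
        "crt_matches_plain_decrypt": crt_decrypt(c, p, q, dmp1, dmq1, iqmp) == m,
    }


if __name__ == "__main__":
    e = 65537
    p, q = rsa_prime(512, e), rsa_prime(512, e)
    print(check_recovery(e, p, q))
```

With the textbook toy parameters p = 61, q = 53, e = 17 the Euler exponent is 2753 while the Carmichael exponent is 413 (= 2753 mod 780); both satisfy e·d ≡ 1 modulo λ(n) = 780, which is why either works as a decryption exponent.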
Magnus Watn
eae331491c
Add _utc datetime methods to x509.ocsp (#11183)
Fixes #11170.
2024-06-30 12:08:56 -04:00
Alex Gaynor
85fba50add
Remove buster from CI (#11182)
* Remove buster from CI

It is EOL

* Update installation.rst
2024-06-30 14:07:09 +03:00
William Woodruff
f370b09810
policy/extension: improve extension policy errors (#11162)
* policy/extension: improve extension policy errors

* verification: ValidationError::ExtensionError variant

Begin cleaning things up.

* policy/extension: remove redundant clone

* ensure that we render the ext OID

* lib: coverage for other display arms

* relocate custom vector

* test-vectors: typo
2024-06-25 21:51:24 -04:00
Alex Gaynor
61a5e672e6
fixed rst syntax in test-vectors.rst (#11153) 2024-06-25 08:00:12 +03:00
Nathan Easton
73717542c4
Update reference.rst (#11137)
* Update reference.rst

This code snippet works when importing the extension oid

* Apply suggestions from code review

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

---------

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
2024-06-22 13:16:50 +00:00
Alex Gaynor
da45641e46
Convert PKCS7PaddingContext to Rust (#11089) 2024-06-10 12:22:36 -04:00
Paul Kehrer
5dc620daa4
document creating a CA hierarchy: root -> int -> ee (#11031)
* document creating a CA hierarchy: root -> int -> ee

* fix things
2024-05-27 13:00:44 +00:00
Dimitri Papadopoulos Orfanos
1ce23d008a
Fix more misspellings (#10933)
* Fix more misspellings

* Apply codespell suggestion: implementor → implementer

This is not exactly a misspelling, but:
* From Garner's Modern English Usage (4 ed.)
  	Although the variant spelling ✳implementor predominated for much of
  	the late 20th century, today implementer is considered standard.
* The Google Ngram Viewer shows a ratio of almost 10:1 in 2019.
2024-05-05 16:12:27 +00:00
Alex Gaynor
07642cfe48
Test on rolling for arm64 (#10897)
* Test on rolling for arm64

* Update installation.rst
2024-04-25 20:32:32 -07:00
Facundo Tuesca
83d90df3df
Add timezone-aware API variant for x509.InvalidityDate.invalidity_date (#10848) 2024-04-21 15:09:12 -04:00
Alex Gaynor
368e3505d5
Document that we test with ubuntu 24.04 (#10831) 2024-04-16 07:40:29 -06:00
Paul Kehrer
126c144aee
Update testing docs (#10829) 2024-04-16 12:23:40 +00:00
Julien Castiaux
031d407e4d
Add public_key_algorithm_oid to certificate and CSR (#10517) 2024-03-27 14:32:35 -04:00
Alex Gaynor
e9954a0a31
fixes #10631 -- remove documentation for method that was removed (#10632)
* fixes #10631 -- remove documentation for method that was removed

* Update CHANGELOG.rst
2024-03-23 12:53:01 +00:00
Alex Gaynor
8436316862
Wycheproof lives under C2SP now (#10628) 2024-03-22 19:34:41 -04:00
William Woodruff
4a3e7dcc97
verification: client verification APIs (#10345)
* verification: WIP client verification skeleton

Signed-off-by: William Woodruff <william@yossarian.net>

* verify: fill in build_client_verifier

Signed-off-by: William Woodruff <william@yossarian.net>

* implement ClientVerifier.verify

Signed-off-by: William Woodruff <william@yossarian.net>

* verification: make Python 3.8 happy

Signed-off-by: William Woodruff <william@yossarian.net>

* switch to a full VerifiedClient type

Signed-off-by: William Woodruff <william@yossarian.net>

* remove the SubjectOwner::None hack

Signed-off-by: William Woodruff <william@yossarian.net>

* docs: fix ClientVerifier

Signed-off-by: William Woodruff <william@yossarian.net>

* verification: replace match with if

Signed-off-by: William Woodruff <william@yossarian.net>

* return GNs directly, not whole extension

Signed-off-by: William Woodruff <william@yossarian.net>

* docs/verification: document UnsupportedGeneralNameType raise

Signed-off-by: William Woodruff <william@yossarian.net>

* lib: RFC822 checks on NCs

* test_limbo: enable client tests

* tests: flake

* test_verification: more Python API coverage

* verification: filter GNs by NC support

* verification: forbid unsupported NC GNs

This is what we should have been doing originally, per
RFC 5280 4.2.1.10:

> If a name constraints extension that is marked as critical
> imposes constraints on a particular name form, and an instance of
> that name form appears in the subject field or subjectAltName
> extension of a subsequent certificate, then the application MUST
> either process the constraint or reject the certificate.

* docs/verification: remove old sentence

Signed-off-by: William Woodruff <william@yossarian.net>

* verification: ensure the right EKU for client/server paths

Signed-off-by: William Woodruff <william@yossarian.net>

* test_limbo: fixup EKU assertion

* verification: feedback

---------

Signed-off-by: William Woodruff <william@yossarian.net>
2024-03-20 21:00:00 -04:00
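The RFC 5280 rule quoted in the commit above ("process the constraint or reject the certificate"), as an added example that is not the cryptography project's verifier: a pure-Python name-constraints check over a leaf's names. It evaluates permitted and excluded subtrees for the forms it understands (dNSName, iPAddress, rfc822Name) and rejects the leaf whenever a constraint exists for a form it cannot evaluate and the leaf carries a name of that form. RFC 5280 conditions that rule on the extension being critical; here it is applied unconditionally, matching what the commit describes. The `GeneralName` / `NameConstraints` classes and the `kind` strings are this example's own simplification of the X.509 structures.

```python
"""Name constraints check in the spirit of RFC 5280 section 4.2.1.10.

Added example, not the cryptography project's verifier. Unsupported name
forms are never silently skipped: a constraint on such a form plus a name
of that form in the leaf is a rejection.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class GeneralName:
    kind: str      # "dns", "ip", "rfc822", "uri", "dirname", "othername", ...
    value: object  # str for dns/rfc822/uri, bytes for ip


@dataclass
class NameConstraints:
    permitted: list = field(default_factory=list)
    excluded: list = field(default_factory=list)


def _match_dns(constraint: str, name: str) -> bool:
    c, n = constraint.lower().rstrip("."), name.lower().rstrip(".")
    if c.startswith("."):                      # ".example.com": strict subdomains only
        return n.endswith(c)
    return n == c or n.endswith("." + c)       # RFC 5280: zero or more labels added on the left


def _match_ip(constraint: bytes, name: bytes) -> bool:
    half = len(constraint) // 2                # iPAddress constraint is address || mask
    if len(constraint) != 2 * half or len(name) != half:   # v4/v6 length mismatch never matches
        return False
    addr, mask = constraint[:half], constraint[half:]
    return all((a & m) == (n & m) for a, m, n in zip(addr, mask, name))


def _match_rfc822(constraint: str, name: str) -> bool:
    local, at, domain = name.rpartition("@")
    if not at:
        return False
    c = constraint.lower()
    if "@" in c:                               # one particular mailbox
        c_local, _, c_domain = constraint.rpartition("@")
        return local == c_local and domain.lower() == c_domain.lower()
    if c.startswith("."):                      # every mailbox in a domain
        return domain.lower().endswith(c)
    return domain.lower() == c                 # every mailbox at one host


_MATCHERS = {"dns": _match_dns, "ip": _match_ip, "rfc822": _match_rfc822}


def check_name_constraints(names, nc: NameConstraints) -> list:
    """Return violations for the given names (empty list: all acceptable).
    Feed it both the subjectAltName entries and the subject-derived names."""
    violations = []
    for name in names:
        permitted = [c.value for c in nc.permitted if c.kind == name.kind]
        excluded = [c.value for c in nc.excluded if c.kind == name.kind]
        match = _MATCHERS.get(name.kind)
        if match is None:
            if permitted or excluded:          # constraint we cannot evaluate: reject, do not skip
                violations.append(f"unsupported name form {name.kind!r} under constraint: {name.value!r}")
            continue
        if any(match(c, name.value) for c in excluded):
            violations.append(f"{name.kind} {name.value!r} matches an excluded subtree")
        elif permitted and not any(match(c, name.value) for c in permitted):
            violations.append(f"{name.kind} {name.value!r} is outside every permitted subtree")
    return violations


if __name__ == "__main__":
    # Constructed sample constraints and leaf names.
    nc = NameConstraints(
        permitted=[GeneralName("dns", "example.com"),
                   GeneralName("ip", bytes([10, 0, 0, 0, 255, 0, 0, 0])),
                   GeneralName("rfc822", ".example.com")],
        excluded=[GeneralName("dns", "internal.example.com")],
    )
    leaf = [GeneralName("dns", "www.example.com"), GeneralName("ip", bytes([10, 1, 2, 3])),
            GeneralName("rfc822", "alice@mail.example.com")]
    print(check_name_constraints(leaf, nc))   # []
    print(check_name_constraints([GeneralName("dns", "db.internal.example.com")], nc))
```

Note the asymmetry the RFC specifies: a name form with no constraints at all is unconstrained (a dNSName under a constraints set that only lists URIs passes), whereas a constrained form the checker cannot interpret is fatal.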
Alex Gaynor
dcf6ac240d
Updates for ruff 0.3.1 (#10548) 2024-03-07 10:57:37 -08:00
Facundo Tuesca
0a1098fcf0
Support for ECDSA deterministic signing (RFC 6979) (#10369)
* Add support for deterministic ECDSA (RFC 6979)
2024-02-26 19:13:47 +00:00
Alex Gaynor
43b8b7910d
Raise MSRV to 1.65 (#10481) 2024-02-25 23:04:40 +00:00
Facundo Tuesca
c97808ca77
Add test vectors for deterministic ECDSA (RFC6979) (#10438) 2024-02-20 06:57:07 -08:00
Paul Kehrer
608ce9520f
add RC2-128-CBC vector (#10402)
vector created using golang's x/crypto internal impl and verified
against openssl
2024-02-16 22:20:14 -05:00
Paul Kehrer
ccd392ed50
mark ARC4 and TripleDES with the right version added for decrepit (#10325) 2024-02-02 03:41:25 +00:00
Paul Kehrer
c7ec8a6eed
fix decrepit example (#10324)
* fix decrepit example

* Update docs/hazmat/decrepit/ciphers.rst

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

---------

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
2024-02-02 03:33:48 +00:00
Paul Kehrer
fd46c01cac
Update install docs (#10309)
We also test OpenSSL 3.2
2024-01-31 12:09:22 +00:00
Paul Kehrer
722a6393e6
migrate ARC4 and TripleDES to decrepit (#10286) 2024-01-29 19:42:21 -05:00
Paul Kehrer
1729edef70
add decrepit namespace and put SEED, IDEA, Blowfish, and CAST5 in it (#10284) 2024-01-28 17:34:33 -05:00
Paul Kehrer
98d764801d
increase toctree depth on primitives (#10282)
this makes the landing page for hazmat/primitives in the docs much more
useful.
2024-01-28 15:40:02 -05:00
Paul Kehrer
3da3a3703b
support bytes-like consistently across our asym sign/verify APIs (#10260)
and update our docs to show it as well
2024-01-25 21:09:27 +00:00
Paul Kehrer
08b24d87a6
explicitly support bytes-like for signature/data in RSA sign/verify (#10259)
this was never documented but previously worked in <42. we now also
document that this is supported to confuse ourselves less.
2024-01-25 19:51:59 +00:00
Paul Kehrer
075925fd55
allow SPKI RSA keys to be parsed even if they have an incorrect delimiter (#10248)
* allow SPKI RSA keys to be parsed even if they have an incorrect delimiter

This allows RSA SPKI keys (typically delimited with PUBLIC KEY) to be parsed
even if they are using the RSA PUBLIC KEY delimiter.

* formatting

* use original error if nothing parses, don't let it parse non-RSA
2024-01-25 01:54:23 +00:00
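The tolerant loading behaviour described in the commit above, as an added example that is not the cryptography project's parser: a minimal DER reader that tells a SubjectPublicKeyInfo (SPKI, normally labelled `PUBLIC KEY`) apart from a PKCS#1 `RSAPublicKey` (normally labelled `RSA PUBLIC KEY`), and a loader that accepts an SPKI wrapped in the `RSA PUBLIC KEY` label only when its algorithm OID is rsaEncryption, re-raising the original PKCS#1 error in every other case. The small DER encoder exists only to build the constructed sample keys (a toy modulus); all function names are this example's own.

```python
"""Tolerant PEM loading for RSA public keys carrying the wrong label.

Added example, not the cryptography project's parser. The two caveats from
the commit are enforced: a mislabeled SPKI is accepted only if it is RSA,
and when nothing parses the original PKCS#1 error is what the caller sees.
"""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
ID_EC_PUBLIC_KEY_OID = bytes.fromhex("2a8648ce3d0201")     # 1.2.840.10045.2.1

# --- tiny DER encoder, used only to construct sample input ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v: int) -> bytes:   # non-negative INTEGER, leading 0x00 when the top bit is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def pkcs1_rsa_public_key(n: int, e: int) -> bytes:
    return der(0x30, der_int(n) + der_int(e))

def spki(alg_oid: bytes, params: bytes, key_der: bytes) -> bytes:
    alg = der(0x30, der(0x06, alg_oid) + params)
    return der(0x30, alg + der(0x03, b"\x00" + key_der))   # BIT STRING with 0 unused bits

def pem_encode(label: str, data: bytes) -> str:
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

# --- DER reader and the two structures we care about ---
def _read_tlv(buf: bytes, pos: int = 0):
    if pos + 2 > len(buf):
        raise ValueError("DER: truncated")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form; indefinite (0x80) is not DER
        nbytes = length & 0x7F
        if not 0 < nbytes <= 4 or pos + nbytes > len(buf):
            raise ValueError("DER: bad length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER: truncated")
    return tag, buf[pos:end], end

def parse_pkcs1_rsa_public_key(data: bytes) -> tuple:
    tag, body, end = _read_tlv(data)
    if tag != 0x30 or end != len(data):
        raise ValueError("RSAPublicKey: expected a single SEQUENCE")
    t1, n, p = _read_tlv(body)
    t2, e, p2 = _read_tlv(body, p)
    if (t1, t2) != (0x02, 0x02) or p2 != len(body):
        raise ValueError("RSAPublicKey: expected SEQUENCE of two INTEGERs")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def parse_spki(data: bytes) -> tuple:
    tag, body, end = _read_tlv(data)
    if tag != 0x30 or end != len(data):
        raise ValueError("SPKI: expected a single SEQUENCE")
    t_alg, alg, p = _read_tlv(body)
    t_bits, bits, p2 = _read_tlv(body, p)
    if t_alg != 0x30 or t_bits != 0x03 or p2 != len(body) or not bits or bits[0] != 0:
        raise ValueError("SPKI: expected AlgorithmIdentifier and BIT STRING")
    t_oid, oid, _ = _read_tlv(alg)
    if t_oid != 0x06:
        raise ValueError("SPKI: algorithm OID missing")
    return bytes(oid), bits[1:]

_PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_decode(pem: str) -> tuple:
    m = _PEM.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def load_rsa_public_key(pem: str) -> tuple:
    """Return (n, e), tolerating an SPKI under the RSA PUBLIC KEY label."""
    label, data = pem_decode(pem)
    if label == "PUBLIC KEY":
        oid, bits = parse_spki(data)
        if oid != RSA_ENCRYPTION_OID:
            raise ValueError("PUBLIC KEY is not an RSA key")
        return parse_pkcs1_rsa_public_key(bits)
    if label == "RSA PUBLIC KEY":
        try:
            return parse_pkcs1_rsa_public_key(data)
        except ValueError as original:
            try:
                oid, bits = parse_spki(data)       # maybe an SPKI with the wrong label
            except ValueError:
                raise original from None           # nothing parses: keep the original error
            if oid != RSA_ENCRYPTION_OID:
                raise original from None           # mislabeled non-RSA SPKI: do not accept
            return parse_pkcs1_rsa_public_key(bits)
    raise ValueError(f"unsupported PEM label {label!r}")

def try_load(pem: str) -> tuple:
    """(key, None) on success, (None, error message) on failure."""
    try:
        return load_rsa_public_key(pem), None
    except ValueError as exc:
        return None, str(exc)
```

The fallback is deliberately narrow: it is entered only after the labelled structure fails to parse, and a non-RSA SPKI (for instance an EC key) under the RSA label still fails with the PKCS#1 error rather than being quietly reinterpreted.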
Hacksawfred3232
bd0a0648a8
Added warning about SHA1 being used for response signing in ocsp.rst (#10204)
* Update ocsp.rst

Added warning about SHA1 being used for sign()

* Update ocsp.rst

Fixed spelling issues, at least according to en-GB dictionary.

* Update ocsp.rst

Spell checker didn't catch "algorithim" somehow.

* Update ocsp.rst

Attempting to rephrase the warning.

* Update ocsp.rst

Removing rogue space.
2024-01-19 01:26:45 +00:00
Alex Gaynor
ad4ba0af95
Develop a local nox target (#10173)
This formats code, runs linters, and tests.

And it does these in an order that's optimized for fast local feedback
2024-01-14 20:43:55 -02:00
William Woodruff
a1ed534adb
docs/x509: fix verification example (#10169)
* docs/x509: fix verification example

Signed-off-by: William Woodruff <william@trailofbits.com>

* x509/verification: doctest

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
2024-01-12 21:05:59 +00:00
Paul Kehrer
30e5ee2493
add some more EC vectors (#10134) 2024-01-05 18:03:57 +00:00
Alex Gaynor
e31a34398e
Another test case for explicit parameter private key (#10132) 2024-01-05 12:57:12 -03:00
Alex Gaynor
bbf2544c79
Added two test cases for unsupported EC private keys (#10126) 2024-01-05 07:19:16 -03:00
Alex Gaynor
6e106f5584
Update various links in the docs for permanent redirects (#10109) 2024-01-02 21:00:20 -03:00
Alex Gaynor
42467135ad
Bump copyright years (#10101) 2024-01-01 07:32:57 -03:00
Alex Gaynor
9e866cc50d
Update various links in the docs for permanent redirects (#10098) 2023-12-31 17:56:51 -03:00
Alex Gaynor
7a59849a5d
Remove linkcheck ignore for secg.org (#10099)
They appear to have gotten rid of FF DH KEX entirely
2023-12-31 17:33:05 -03:00
Johnny Hsieh
91541cf726
Add support for GCM mode of SM4 cipher (#10072)
* Add support for SM4-GCM cipher

ref: #7503
ref: https://github.com/openssl/openssl/issues/13667

* Update SM4 GCM tests to use external test vector

* Cite SM4 test vectors sources in document

* Add tests for SM4ModeGCM finalize_with_tag

* Update CHANGELOG.rst
2023-12-29 10:56:29 -03:00
Paul Kehrer
8046ea1c49
document that we raise CryptographyDeprecationWarning on deprecation more clearly (#10053)
* document we raise CryptographyDeprecationWarning clearly

* be a little louder about our deprecated ciphers
2023-12-23 14:48:55 -05:00
Paul Kehrer
cea8a236ae
i grow weary of www.cosic.esat.kuleuven.be (#10045) 2023-12-23 15:58:41 +00:00
Alex Gaynor
c9578f28a1
Fixed a typo in test-vectors documentation (#10041) 2023-12-23 12:45:31 -03:00
Paul Kehrer
eac469a5c0
we call it unstable in the changelog and not experimental (#10040)
let's be consistent
2023-12-23 13:51:26 +00:00
William Woodruff
d3f28d3ad8
x509/verification: add an API usage example (#10036)
* x509/verification: add an API usage example

Signed-off-by: William Woodruff <william@yossarian.net>

* Apply suggestions from code review

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

---------

Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
2023-12-22 19:15:56 -05:00
William Woodruff
38461e1c6d
CHANGELOG: record #8873 (#10035)
* CHANGELOG: record #8873

Signed-off-by: William Woodruff <william@yossarian.net>

* docs/x509/verification: clean up, update note

Signed-off-by: William Woodruff <william@yossarian.net>

* add module ref

Signed-off-by: William Woodruff <william@yossarian.net>

* CHANGELOG: Cryptograpy's -> our

Signed-off-by: William Woodruff <william@yossarian.net>

* CHANGELOG: reflow, better linkage

Signed-off-by: William Woodruff <william@yossarian.net>

---------

Signed-off-by: William Woodruff <william@yossarian.net>
2023-12-22 22:48:13 +00:00
Alex Gaynor
fb4c72c8bf
Added wycheproof vectors for pbkdf2 (#10024) 2023-12-21 08:30:36 -06:00
Paul Kehrer
2525eb048a
support RSA PSS for CRLs (#10013)
adds rsa_padding kwarg to sign and also adds
signature_algorithm_parameters as a method to CRLs
2023-12-18 17:54:38 -05:00
Alex Gaynor
a8b96dab9b
Simplify the release process: No need to pass the version to release.py (#9990) 2023-12-12 06:09:51 -08:00
Alex Gaynor
cd9cb8b488
Remind people about rust in the dev docs (#9985) 2023-12-10 17:39:06 +00:00
Alex Gaynor
0a1f26b48f
Document tests-nocoverage in our dev docs (#9984)
There's limited value in running coverage locally, since no single build produces 100% coverage
2023-12-10 11:29:29 -06:00
Alex Gaynor
61676b5b05
Update development docs (#9977)
- No special configuration is required for brew or macports OpenSSL anymore
- There's no point in documenting building local docs, it's basically never necessary
2023-12-09 08:36:46 -06:00
Paul Kehrer
d06a6a17cb
regenerate x509/custom/ca/ca.pem to expire in 2100 (#9964)
The existing cert doesn't expire until late 2038 but this simplifies
2038 checks for some downstream consumers. We shift the original
cert/key into a new pkcs12/ca directory so that we don't need to
regenerate all the PKCS12 vectors (which don't care about expiry anyway)
2023-12-05 09:21:37 -05:00
Facundo Tuesca
ca4f40621d
Add support for AES-GCM-SIV using OpenSSL>=3.2.0 (#9843) 2023-12-02 09:39:19 -06:00
Alex Gaynor
f1817f8077
Slightly alter AEAD benchmark code to solve problem AES-GCM-SIV hit (#9948) 2023-12-01 18:42:42 -06:00
Facundo Tuesca
6359dc0e04
Add test vectors for AES-GCM-SIV (#9930) 2023-12-01 10:46:29 -06:00
Paul Kehrer
64b3658ee5
port 41.0.6 changelog (#9928)
* port 41.0.6 changelog

* spelling
2023-11-27 20:40:13 +00:00
Alex Gaynor
b7d52c7f9d
Remove more u prefixes (#9884) 2023-11-16 00:20:37 +00:00
Logan Hunt
0d1035feed
Remove u prefix from strings (#9882) 2023-11-15 23:02:45 +00:00
William Woodruff
380fda6cbc
Fix transposed doc, simplify type in trust store test (#9874)
* trust_store: simplify assert RHS type

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs/verification: fix transposed doc item

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-11-13 21:36:11 +00:00
William Woodruff
9ba13da437
verification: add VerificationError, doc APIs (#9873)
Signed-off-by: William Woodruff <william@trailofbits.com>
2023-11-13 16:21:32 -05:00
Alex Gaynor
420ad4e245
Fix some warnings from ruff --preview (#9842) 2023-11-09 17:37:56 -06:00
William Woodruff
e7dbca6260
verification: add missing max_chain_depth kwargs (#9847)
Missed these on the original PR.

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-11-09 22:43:03 +00:00
William Woodruff
7d451dbd9a
src, tests: add max_chain_depth to validation API (#9844)
* src, tests: add max_chain_depth to validation API

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs: document max_chain_depth

Signed-off-by: William Woodruff <william@trailofbits.com>

* verify: simplify type

Signed-off-by: William Woodruff <william@trailofbits.com>

* validation: document DEFAULT_MAX_CHAIN_DEPTH

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-11-09 20:34:27 +00:00
Paul Kehrer
e958374785
add support for signing PKCS7 using RSA PSS (#9829)
* add support for signing PKCS7 using RSA PSS

* mypy fixes
2023-11-04 04:59:39 +00:00
William Woodruff
d643b04eb7
Add top-level ServerVerifier.verify API (#9805)
* Add top-level ServerVerifier.verify API

This is a breakout from #8873, with just the interface/types and
a `NotImplementedError` stub.

Signed-off-by: William Woodruff <william@trailofbits.com>

* verification: move Store into PolicyBuilder/ServerVerifier

Signed-off-by: William Woodruff <william@trailofbits.com>

* verification: docs

Signed-off-by: William Woodruff <william@trailofbits.com>

* lintage

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs: document ServerVerifier.store

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
2023-10-31 15:03:35 -04:00
Alex Gaynor
1cb847a597
Updates to dev docs (#9780)
- Stop talking about black
- Use type annotations in examples
2023-10-26 00:49:20 +00:00
Paul Kehrer
9d41ee63f0
test on sonoma on M1 (#9777)
* test on sonoma on M1

* sonoma is also a word
2023-10-25 17:39:20 -04:00
Alex Gaynor
a87d041ab7
Bump default CI job to 3.12 (#9697) 2023-10-05 07:39:31 -05:00
Facundo Tuesca
566fcd6c4d
Deprecate naive datetime x509 APIs (#9667)
* Deprecate naive datetime x509 APIs

* Add missing tests for timezone-aware x509 APIs

* Document the deprecation of the naive datetime APIs
2023-09-29 09:58:48 -05:00
Facundo Tuesca
ce94de03e8
Add timezone-aware API variants for x509 (#9661)
* Add timezone-aware API variants for x509

* Add documentation for timezone-aware APIs
2023-09-28 10:45:30 -05:00
Alex Gaynor
699449302e
More CF domains making linkcheck not work (#9626)
* More CF domains making linkcheck not work

* Update conf.py
2023-09-19 06:51:40 -07:00
William Woodruff
73d070e853
Path validation: builder/verifier API skeletons (#9405)
* src, tests: flatten all changes

Signed-off-by: William Woodruff <william@trailofbits.com>

validation: remove Profile abstract from public APIs

One step towards removing it entirely

Signed-off-by: William Woodruff <william@trailofbits.com>

policy: disambiguate references

Signed-off-by: William Woodruff <william@trailofbits.com>

policy: remove separate rfc5280 profile

Signed-off-by: William Woodruff <william@trailofbits.com>

policy: remove profile abstraction entirely

Signed-off-by: William Woodruff <william@trailofbits.com>

rust: permitted_algorithms filtering

Signed-off-by: William Woodruff <william@trailofbits.com>

verify: simplify policy API substantially

No more manual monomorphization.

Signed-off-by: William Woodruff <william@trailofbits.com>

src, tests: remove verification code

Signed-off-by: William Woodruff <william@trailofbits.com>

validation: remove more validation code

Signed-off-by: William Woodruff <william@trailofbits.com>

* cryptography, rust: lintage

Signed-off-by: William Woodruff <william@trailofbits.com>

* cryptography, rust: lintage, add Policy.subject API

Signed-off-by: William Woodruff <william@trailofbits.com>

* src, tests: initial PolicyBuilder tests

Signed-off-by: William Woodruff <william@trailofbits.com>

* verify: Policy.validation_time getter

Signed-off-by: William Woodruff <william@trailofbits.com>

* push Store into rust

Signed-off-by: William Woodruff <william@trailofbits.com>

* cleanup, fixup

Signed-off-by: William Woodruff <william@trailofbits.com>

* tests: lintage

Signed-off-by: William Woodruff <william@trailofbits.com>

* src: lintage

Signed-off-by: William Woodruff <william@trailofbits.com>

* tests: fix linter warning

* policy: apply the relevant parts of trail-of-forks/cryptography/pull/3

Signed-off-by: William Woodruff <william@trailofbits.com>

* policy: typo

Signed-off-by: William Woodruff <william@trailofbits.com>

* fixup type hints

Signed-off-by: William Woodruff <william@trailofbits.com>

* drop dep

Not used, yet.

Signed-off-by: William Woodruff <william@trailofbits.com>

* Revert "drop dep"

This reverts commit a5154e1245e666a79838cd73784884fad6743e7f.

* mod: remove permits_* bodies

Will include these in a subsequent PR.

Signed-off-by: William Woodruff <william@trailofbits.com>

* src: drop certificate helpers as well

Not needed yet.

Signed-off-by: William Woodruff <william@trailofbits.com>

* verify: remove unneeded explicit lifetimes

Signed-off-by: William Woodruff <william@trailofbits.com>

* tests: builder API coverage

Signed-off-by: William Woodruff <william@trailofbits.com>

* tests: more coverage

Signed-off-by: William Woodruff <william@trailofbits.com>

* type hints

Signed-off-by: William Woodruff <william@trailofbits.com>

* unused derives

Signed-off-by: William Woodruff <william@trailofbits.com>

* validation: more coverage

Signed-off-by: William Woodruff <william@trailofbits.com>

* policy: more cov

Signed-off-by: William Woodruff <william@trailofbits.com>

* policy: more coverage

Signed-off-by: William Woodruff <william@trailofbits.com>

* policy: add some known bad testcases

Signed-off-by: William Woodruff <william@trailofbits.com>

* policy: coverage

Signed-off-by: William Woodruff <william@trailofbits.com>

* validation: remove trust_store

Not yet used.

Signed-off-by: William Woodruff <william@trailofbits.com>

* ops: add NullOps test

Signed-off-by: William Woodruff <william@trailofbits.com>

* x509: reimplement verify_directly_issued_by via CryptoOps

Tests fail, but this gets the right coverage.

Signed-off-by: William Woodruff <william@trailofbits.com>

* ops: use results

Signed-off-by: William Woodruff <william@trailofbits.com>

* src, tests: last cov, hopefully

Signed-off-by: William Woodruff <william@trailofbits.com>

* test: lintage

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs: fill in API docs

Signed-off-by: William Woodruff <william@trailofbits.com>

* rust: uniform imports

Signed-off-by: William Woodruff <william@trailofbits.com>

* minimize for MVP

No configurable profile, Web PKI only.

Signed-off-by: William Woodruff <william@trailofbits.com>

* verify: remove old NOTE

Signed-off-by: William Woodruff <william@trailofbits.com>

* verify: remove another old NOTE

Signed-off-by: William Woodruff <william@trailofbits.com>

* src, tests: fixup tests

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs: cleanup

Signed-off-by: William Woodruff <william@trailofbits.com>

* src, tests: drop support for missing subjects

As part of the MVP.

Signed-off-by: William Woodruff <william@trailofbits.com>

* profile: remove old comments

Signed-off-by: William Woodruff <william@trailofbits.com>

* policy: remove some verify-adjacent APIs

Paring down for review.

Signed-off-by: William Woodruff <william@trailofbits.com>

* policy: remove more verify-adjacent APIs

Signed-off-by: William Woodruff <william@trailofbits.com>

* policy: remove some From impls

Signed-off-by: William Woodruff <william@trailofbits.com>

* policy: remove rfc5280 constructor

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs: declutter diff

Signed-off-by: William Woodruff <william@trailofbits.com>

* profile: prune even more state

Signed-off-by: William Woodruff <william@trailofbits.com>

* policy: remove old TODO

Signed-off-by: William Woodruff <william@trailofbits.com>

* policy: remove PolicyError

For now.

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs: typo

Signed-off-by: William Woodruff <william@trailofbits.com>

* ops: remove NullOps

Signed-off-by: William Woodruff <william@trailofbits.com>

* rust: remove dev-dep, don't use import

Signed-off-by: William Woodruff <william@trailofbits.com>

* rust: fix IP_ADDRESS rename

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs: clarify time behavior

Signed-off-by: William Woodruff <william@trailofbits.com>

* rename webpki() to new()

Since it doesn't actually do anything WebPKI related at the moment.

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs: relocate

Signed-off-by: William Woodruff <william@trailofbits.com>

* verify: FixedPolicy -> PyCryptoPolicy

Signed-off-by: William Woodruff <william@trailofbits.com>

* verify: simplify SubjectOwner substantially

Signed-off-by: William Woodruff <william@trailofbits.com>

* verify: remove getter helper

Signed-off-by: William Woodruff <william@trailofbits.com>

* verify: reloc TODO

Signed-off-by: William Woodruff <william@trailofbits.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
2023-09-16 20:56:11 +00:00
Alex Gaynor
d35e0f8be8
Be clear that x509.verification is not yet covered by our policies (#9609)
* Be clear that x509.verification is not yet covered by our policies

* Update verification.rst
2023-09-15 13:24:16 -07:00
William Woodruff
3e411cf951
verification: add PolicyBuilder API (#9601)
* verification: add PolicyBuilder API

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs: fix the docs build

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs: drop doc for `webpki()` classmethod

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs, src, test: refactoring

Signed-off-by: William Woodruff <william@trailofbits.com>

* tests: coverage

Signed-off-by: William Woodruff <william@trailofbits.com>

* docs, src, tests: rename `build_server_policy`

Signed-off-by: William Woodruff <william@trailofbits.com>

* Update docs/x509/verification.rst

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

* Update docs/x509/verification.rst

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

* verification: feedback

Signed-off-by: William Woodruff <william@trailofbits.com>

* tests: fix test

Signed-off-by: William Woodruff <william@trailofbits.com>

* tests: fix some more

Signed-off-by: William Woodruff <william@trailofbits.com>

* Update docs/x509/verification.rst

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
2023-09-14 17:36:01 +00:00
McCoy Patiño
da21e9670b
Add algorithm/MGF properties to asymmetric paddings (#9582)
* Add properties

* Update documentation

* Add tests

* Line length; Expose MGF class

* Remove unnecessary flags
2023-09-11 19:58:01 -04:00
Paul Kehrer
6bdf404054
support PSS signing for CSRs (#9514)
* support PSS signing for CSRs

* doc fix
2023-08-28 23:24:33 +00:00
Alex Gaynor
466d41ce72
Remove FAQ that's no longer up to date (#9484)
I don't think this is the right error message, and it hasn't been for a while
2023-08-22 07:05:13 -07:00
Alex Gaynor
a8dd927f04
Fix ruff on main (#9443) 2023-08-17 14:11:09 +00:00
Facundo Tuesca
b660044dce
Add test vectors for ChaCha20 counter overflow (#9221)
* Adapt ChaCha20 test vectors to 64-bit counter

* Add ChaCha20 test vectors for counter overflow

These vectors test the behavior during counter overflow. Since
different implementations use different counter sizes (e.g. OpenSSL
uses a 64-bit counter, whereas BoringSSL uses a 32-bit counter),
it's important to ensure that the behavior during counter overflow
is consistent between implementations.

These vectors take into account both 32-bit and 64-bit overflows.
2023-08-17 08:54:35 -05:00
William Woodruff
f4362f4e6a
docs: add Store docs (#9416)
* docs: add Store docs

Signed-off-by: William Woodruff <william@trailofbits.com>

* src, tests: don't allow empty stores

Signed-off-by: William Woodruff <william@trailofbits.com>

* Update docs/x509/verification.rst

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
2023-08-14 18:48:27 +00:00
Paul Kehrer
f7e629f70a
tested platforms update (#9358) 2023-08-04 23:38:13 -04:00
William Woodruff
41d89f1ae6
noxfile, docs: fix posargs handling (#9354)
* noxfile, docs: fix posargs handling

Signed-off-by: William Woodruff <william@trailofbits.com>

* Update docs/development/getting-started.rst

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

---------

Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
2023-08-04 16:48:15 +00:00
Alex Gaynor
e718a49097
Raise MSRV to 1.63.0 (#9043) 2023-08-03 11:15:07 +12:00
Jean Paul Galea
caeafe6c4a
docs: fix broken link to https://ed25519.cr.yp.to/software.html (#9338) 2023-08-02 19:02:56 +12:00
Paul Kehrer
1961fdb264
update pypy supported versions in the docs (#9318)
* update tested pypy version

* update pypy supported version
2023-07-31 17:41:15 -04:00
Paul Kehrer
1b4bbea008
tolerate (with warning) invalid DSA params encoding in X.509 (#9271)
fixes #9253
2023-07-20 17:10:15 -04:00
Paul Kehrer
b2abc35bda
fix another NIST link (#9270) 2023-07-20 20:27:44 +00:00
Paul Kehrer
c5c99b2d1c
fix a link from the NIST CSRC migration (#9267) 2023-07-20 06:07:58 -04:00
Alex Gaynor
10813b0bed
Finish replacing utcnow (#9260)
refs #9186
2023-07-18 12:37:00 +00:00
Alex Gaynor
e949b2e15c
Prepare for new ruff release (#9227) 2023-07-12 19:40:26 -07:00
jeanluc
1ca7adc97b
Fix encoding of SSH certs with critical options (#9208)
* Add tests for issue #9207

* Fix encoding of SSH certs with critical options

* Test unexpected additional values for crit opts/exts
2023-07-10 11:50:49 -05:00
Magnus Watn
50932e2f15
Add organizationIdentifier Name OID (2.5.4.97) (#9206) 2023-07-10 07:05:11 -04:00
Paul Kehrer
b5709f7d18
update linkcheck (#9193) 2023-07-07 16:32:58 +00:00
Facundo Tuesca
f4b7707af5
Fixes for ChaCha20 documentation (#9192)
* Restore missing section from ChaCha20 docs

This change fixes the indentation of a note inside the ChaCha20
section of the docs, which caused the note to not render in the
resulting HTML.

* Fix ChaCha20 docs to specify non RFC-compliance

Currently, cryptography uses OpenSSL's ChaCha20 implementation,
which is based on the original algorithm designed by Daniel J.
Bernstein rather than the later standardized version (RFC 7539).

Since the documentation does not reflect this (it describes the RFC
version of the algorithm, rather than the original version we use),
this change fixes that.

* Remove random counter from ChaCha20 example docs

This changes the ChaCha20 example in the documentation to use a
normal user-defined variable for the counter part of the nonce,
rather than a randomized counter.
2023-07-07 10:59:23 -05:00