* allow SPKI RSA keys to be parsed even if they have an incorrect delimiter
This allows RSA SPKI keys (typically delimited with PUBLIC KEY) to be parsed
even if they are using the RSA PUBLIC KEY delimiter.
* formatting
* use original error if nothing parses, don't let it parse non-RSA
* Update ocsp.rst
Added warning about SHA1 being used for sign()
* Update ocsp.rst
Fixed spelling issues, at least according to en-GB dictionary.
* Update ocsp.rst
Spell checker didn't catch "algorithim" somehow.
* Update ocsp.rst
Attempting to rephrase the warning.
* Update ocsp.rst
Removing rouge space.
* Add support for SM4-GCM cipher
ref: #7503
ref: https://github.com/openssl/openssl/issues/13667
* Update SM4 GCM tests to use external test vector
* Cite SM4 test vectors sources in document
* Add tests for SM4ModeGCM finalize_with_tag
* Update CHANGELOG.rst
* x509/verification: add an API usage example
Signed-off-by: William Woodruff <william@yossarian.net>
* Apply suggestions from code review
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---------
Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
- No special configuration is required for brew or macports OpenSSL anymore
- There's no point in documenting building local docs, it's basically never necessary
The existing cert doesn't expire until late 2038 but this simplifies
2038 checks for some downstream consumers. We shift the original
cert/key into a new pkcs12/ca directory so that we don't need to
regenerate all the PKCS12 vectors (which don't care about expiry anyway)
* src, tests: all max_chain_depth to validation API
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: document max_chain_depth
Signed-off-by: William Woodruff <william@trailofbits.com>
* verify: simplify type
Signed-off-by: William Woodruff <william@trailofbits.com>
* validation: document DEFAULT_MAX_CHAIN_DEPTH
Signed-off-by: William Woodruff <william@trailofbits.com>
---------
Signed-off-by: William Woodruff <william@trailofbits.com>
* Add top-level ServerVerifier.verify API
This is a breakout from #8873, with just the interface/types and
a `NotImplementedError` stub.
Signed-off-by: William Woodruff <william@trailofbits.com>
* verification: move Store into PolicyBuilder/ServerVerifier
Signed-off-by: William Woodruff <william@trailofbits.com>
* verification: docs
Signed-off-by: William Woodruff <william@trailofbits.com>
* lintage
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: document ServerVerifier.store
Signed-off-by: William Woodruff <william@trailofbits.com>
---------
Signed-off-by: William Woodruff <william@trailofbits.com>
* src, tests: flatten all changes
Signed-off-by: William Woodruff <william@trailofbits.com>
validation: remove Profile abstract from public APIs
One step towards removing it entirely
Signed-off-by: William Woodruff <william@trailofbits.com>
policy: disambiguate references
Signed-off-by: William Woodruff <william@trailofbits.com>
policy: remove separate rfc5280 profile
Signed-off-by: William Woodruff <william@trailofbits.com>
policy: remove profile abstraction entirely
Signed-off-by: William Woodruff <william@trailofbits.com>
rust: permitted_algorithms filtering
Signed-off-by: William Woodruff <william@trailofbits.com>
verify: simplify policy API substantially
No more manual monomorphization.
Signed-off-by: William Woodruff <william@trailofbits.com>
src, tests: remove verification code
Signed-off-by: William Woodruff <william@trailofbits.com>
validation: remove more validation code
Signed-off-by: William Woodruff <william@trailofbits.com>
* cryptography, rust: lintage
Signed-off-by: William Woodruff <william@trailofbits.com>
* cryptography, rust: lintage, add Policy.subject API
Signed-off-by: William Woodruff <william@trailofbits.com>
* src, tests: initial PolicyBuilder tests
Signed-off-by: William Woodruff <william@trailofbits.com>
* verify: Policy.validation_time getter
Signed-off-by: William Woodruff <william@trailofbits.com>
* push Store into rust
Signed-off-by: William Woodruff <william@trailofbits.com>
* cleanup, fixup
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests: lintage
Signed-off-by: William Woodruff <william@trailofbits.com>
* src: lintage
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests: fix linter warning
* policy: apply the relevant parts of trail-of-forks/cryptography/pull/3
Signed-off-by: William Woodruff <william@trailofbits.com>
* policy: typo
Signed-off-by: William Woodruff <william@trailofbits.com>
* fixup type hints
Signed-off-by: William Woodruff <william@trailofbits.com>
* drop dep
Not used, yet.
Signed-off-by: William Woodruff <william@trailofbits.com>
* Revert "drop dep"
This reverts commit a5154e1245e666a79838cd73784884fad6743e7f.
* mod: remove permits_* bodies
Will include these in a subsequent PR.
Signed-off-by: William Woodruff <william@trailofbits.com>
* src: drop certificate helpers as well
Not needed yet.
Signed-off-by: William Woodruff <william@trailofbits.com>
* verify: remove unneeded explicit lifetimes
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests: builder API coverage
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests: more coverage
Signed-off-by: William Woodruff <william@trailofbits.com>
* type hints
Signed-off-by: William Woodruff <william@trailofbits.com>
* unused derives
Signed-off-by: William Woodruff <william@trailofbits.com>
* validation: more coverage
Signed-off-by: William Woodruff <william@trailofbits.com>
* policy: more cov
Signed-off-by: William Woodruff <william@trailofbits.com>
* policy: more coverage
Signed-off-by: William Woodruff <william@trailofbits.com>
* policy: add some known bad testcases
Signed-off-by: William Woodruff <william@trailofbits.com>
* policy: coverage
Signed-off-by: William Woodruff <william@trailofbits.com>
* validation: remove trust_store
Not yet used.
Signed-off-by: William Woodruff <william@trailofbits.com>
* ops: add NullOps test
Signed-off-by: William Woodruff <william@trailofbits.com>
* x509: reimplement verify_directly_issued_by via CryptoOps
Tests fail, but this gets the right coverage.
Signed-off-by: William Woodruff <william@trailofbits.com>
* ops: use results
Signed-off-by: William Woodruff <william@trailofbits.com>
* src, tests: last cov, hopefully
Signed-off-by: William Woodruff <william@trailofbits.com>
* test: lintage
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: fill in API docs
Signed-off-by: William Woodruff <william@trailofbits.com>
* rust: uniform imports
Signed-off-by: William Woodruff <william@trailofbits.com>
* minimize for MVP
No configurable profile, Web PKI only.
Signed-off-by: William Woodruff <william@trailofbits.com>
* verify: remove old NOTE
Signed-off-by: William Woodruff <william@trailofbits.com>
* verify: remove another old NOTE
Signed-off-by: William Woodruff <william@trailofbits.com>
* src, tests: fixup tests
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: cleanup
Signed-off-by: William Woodruff <william@trailofbits.com>
* src, tests: drop support for missing subjects
As part of the MVP.
Signed-off-by: William Woodruff <william@trailofbits.com>
* profile: remove old comments
Signed-off-by: William Woodruff <william@trailofbits.com>
* policy: remove some verify-adjacent APIs
Paring down for review.
Signed-off-by: William Woodruff <william@trailofbits.com>
* policy: remove more verify-adjacent APIs
Signed-off-by: William Woodruff <william@trailofbits.com>
* policy: remove some From impls
Signed-off-by: William Woodruff <william@trailofbits.com>
* policy: remove rfc5280 constructor
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: declutter diff
Signed-off-by: William Woodruff <william@trailofbits.com>
* profile: prune even more state
Signed-off-by: William Woodruff <william@trailofbits.com>
* policy: remove old TODO
Signed-off-by: William Woodruff <william@trailofbits.com>
* policy: remove PolicyError
For now.
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: typo
Signed-off-by: William Woodruff <william@trailofbits.com>
* ops: remove NullOps
Signed-off-by: William Woodruff <william@trailofbits.com>
* rust: remove dev-dep, don't use import
Signed-off-by: William Woodruff <william@trailofbits.com>
* rust: fix IP_ADDRESS rename
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: clarify time behavior
Signed-off-by: William Woodruff <william@trailofbits.com>
* rename webpki() to new()
Since it doesn't actually do anything WebPKI related at the moment.
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: relocate
Signed-off-by: William Woodruff <william@trailofbits.com>
* verify: FixedPolicy -> PyCryptoPolicy
Signed-off-by: William Woodruff <william@trailofbits.com>
* verify: simplify SubjectOwner substantially
Signed-off-by: William Woodruff <william@trailofbits.com>
* verify: remove getter helper
Signed-off-by: William Woodruff <william@trailofbits.com>
* verify: reloc TODO
Signed-off-by: William Woodruff <william@trailofbits.com>
---------
Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Facundo Tuesca <facundo.tuesca@trailofbits.com>
