* KBKDF: add CounterLocation.MiddleFixed
* tests_kbkdf: add new tests
- Test CounterLocation.MiddleFixed and blocation=
* test_kbkdf_vectors: make use of MIDDLE_FIXED
* docs: document KBKDF CounterLocation.MiddleFixed
* s/blocation/break_location/g
* CHANGELOG: document KBKDF{HMAC,CMAC} CounterLocation.MiddleFixed #7489
* kbkdf: fixed is static across n iterations, only the counter changes
* kbkdf: check break_location is 0..len(fixed)
- Update tests to assert exception is raised when
break_location < 0 or > len(fixed)
- When asserting for "break_location is ignored when MiddleFixed",
use break_location=0 instead of =10,
to ensure we don't raise because of break_location > len(fixed)
- Assert that the right error messages are returned to the user.
* kbkdf: keyword-only break_location
* docs: document kw-only KBKDF{HMAC,CMAC}
The previous wording (to me) sounded as if an instance of the specific
`ExtensionType` subclass would be returned.
But the methods actually return an `Extension` instance, from which the
specific `ExtensionType` instance can be accessed through the `value`
property.
* Add `tbs_precertificate_bytes` property
* docs/x509: document `tbs_precertificate_bytes`
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests/x509: add two trivial tests
Signed-off-by: William Woodruff <william@trailofbits.com>
* x509/base: fix lint
Signed-off-by: William Woodruff <william@trailofbits.com>
* oid: add CERTIFICATE_TRANSPARENCY (1.3.6.1.4.1.11129.2.4.4)
Signed-off-by: William Woodruff <william@trailofbits.com>
* hazmat/oid: rehome CERTIFICATE_TRANSPARENCY under ExtendedKeyUsageOID
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs/x509: fix link, help the spellchecker
Signed-off-by: William Woodruff <william@trailofbits.com>
* x509: Raise ValueError when we can't filter SCT list extension
* tests: Expect a `ValueError` when accessing `tbs_precertificate_bytes`
in default example
* tests, vectors: Add TBS precert vector for test comparison
* docs/x509: document the `CERTIFICATE_TRANSPARENCY` OID
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs/x509: elaborate `tbs_precertificate_bytes`
Signed-off-by: William Woodruff <william@trailofbits.com>
* rust/x509: remove unused OID
Signed-off-by: William Woodruff <william@trailofbits.com>
* x509/certificate: tweak error
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests/x509: reorganize
Signed-off-by: William Woodruff <william@trailofbits.com>
* Update src/rust/src/x509/certificate.rs
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* tests/x509: more reorg, rename
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: document new testvector
Signed-off-by: William Woodruff <william@trailofbits.com>
* docs: coax the spellchecker
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests/x509: use a cert that doesn't require SHA-1
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests/x509: test for no extensions at all
Signed-off-by: William Woodruff <william@trailofbits.com>
Co-authored-by: Alex Cameron <asc@tetsuo.sh>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Update install docs now that we test on Windows 2022
* Update installation.rst
* Update spelling_wordlist.txt
* Update docs/installation.rst
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
* WIP
* x509: remove TBS work for now
Signed-off-by: William Woodruff <william@yossarian.net>
* CT: flake8
Signed-off-by: William Woodruff <william@yossarian.net>
* CT: remove TODO, add links
Signed-off-by: William Woodruff <william@yossarian.net>
* CT/SCT: strong enums for HashAlgorithm and SignatureAlgorithm
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: add SCT hash/signature algorithm tests
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: fix SignatureAlgorithm test, add signature contents test
Signed-off-by: William Woodruff <william@yossarian.net>
* rust: unit tests for {Hash,Signature}Algorithm
Signed-off-by: William Woodruff <william@yossarian.net>
* x509/sct: code coverage shenanigans
Signed-off-by: William Woodruff <william@yossarian.net>
* asn1, sct: pesky coverage
Signed-off-by: William Woodruff <william@yossarian.net>
* x509/sct: simplify parsing
Signed-off-by: William Woodruff <william@yossarian.net>
* docs: document new SCT APIs
Signed-off-by: William Woodruff <william@yossarian.net>
* docs: add refs to RFC 5246
Signed-off-by: William Woodruff <william@yossarian.net>
* SCT: forbid nonsense hash and signature algos
No tests, yet.
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: add invalid hash/sig algo tests
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: remove ToAttr trait
Inline impl into each struct's impl.
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: remove invalid hash/sig variants
These should never appear in the context of SCTs.
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: collapse matches
Handle invalid/unknown variants together.
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: update SCT tests
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: add a TODO
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: return a primitives.hashes object instead of a custom enum
Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: Alex Cameron <asc@tetsuo.sh>
CRL versions only go up to v2 (numeric value 1) and CSRs only define v1
(numeric value 0). See
https://www.rfc-editor.org/rfc/rfc5280.html#section-5.1 and
https://www.rfc-editor.org/rfc/rfc2986.html#section-4. Some of the
inputs used in tests were misissued.
Unfortunately, the corresponding private keys for these test vectors
weren't provided, so I've just editted the inputs with der-ascii and
left the signatures invalid. The tests in question don't seem to rely on
valid signatures.
* add x509 pss certificate and public key
the cert is signed using rsa_pss_2048.pem and the public key is the
public components of that private key
* Update docs/development/test-vectors.rst
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* tests: better testid generation for fernet vectors
Use the vector filename and array index for the pytest id rather than a
concatenation of the vector content.
eg: `tests/test_fernet.py::TestFernet::test_invalid[invalid.json:2]`
* (Multi)Fernet: allow str tokens for decryption
Remove some developer friction by allowing string tokens to be passed to
Fernet decryption methods. Because a valid token as generated by
`Fernet.encrypt()` is url-safe base64-encoded, a non-ASCII token is
definitely invalid.
The stdlib base64 function already accepts and checks ASCII str values
so delegate to that.
* Kick CI
* check for invalid keys that RSA_check_key misses
RSA_check_key checks for primality but that fails to catch this case
since 2 is prime. Instead we fetch p and q and verify that they are odd
and if not reject the key as invalid.
* circleci sucks
* Initial tests
* Implement.
Required updating many many tests based on my read of the RFC. Should be reviewed closely.
* Fix for py36
* flake8
* Improve coverage on hypothesis test
* Remove bad assertion in hypothesis test
* Update docs
* fix docs
* Fixed unicode support
* review
* docs review
* support 12-15 byte nonce sizes in OCB3
* Update tests/hazmat/primitives/test_aead.py
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* PKCS12 serialization wrapper supports PKCS12Certificate cas
* Added code from Felix's gist to serialize_key_and_certificate_to_pkcs12. Doesn't break current behaviour/tests, need to write validate new behaviour, write tests, and format code.
* Simplified instance check
* Tried to write tests, but I cannot figure out how to read the friendlyName from parsed_more_certs.
* Fixed test function and renamed it.
* Fixed formatting.
* Commiting before trying black
* Formatted updates to make flake8 and black happy.
* Fixed first review comments.
* remove forgotten print statement
* use backend.openssl_assert instead of if ...
* Documented changes.
* Updated documentation.
* Added OID
* Added to docuemntation for IPSec SAs
* Update docs/x509/reference.rst to correct the version change.
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
