* feat: implement parsing of admissions extension
Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
* chore: add tests for admissions extension parsing
Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
* chore: use cryptography result return type
Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
* chore: apply fixes done by cargo fmt and clippy
Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
* add gematik company name and the gmbh abbreviations to known words
Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
* fix: regenerate the synthetic certificate with additional admission covering the case of naming authority with no data
Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
* fix: parse none for profession_oids if profession_oids is none
Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
* chore: apply formatting to changes in rust codebase
Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
* refactor: switch return type of parse_profession_infos from PyObject to Bound<PyAny>
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
* refactor: switch return type of parse_naming_authority from PyObject to Bound<PyAny>
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
* refactor: switch return type of parse_admissions from PyObject to Bound<PyAny>
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
* chore: remove gematik certs from repo
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
* chore: remove gematik certs from this pr
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
* chore: extend parser tests with an additional synthetic certificate to complete rust coverage
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
* chore: add description for the additional certificate without authority
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
* use into_bound(py) as shortcut, refrain from using to_object() in all added functions
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
* add better description for the admissions synthetic cert
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
* adjust description to avoid using misspelled words
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
---------
Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
* Bump RSA-512 test keys to RSA-2048
RSA-512 was broken in 1999. cryptography.io should not be requesting
its backend library support it in 2024.
* Update test-vectors.rst
The replacement keys were generated fresh, and this document seems to
just cite the external ones.
* Document custom test vectors
* extensions: EKU must contain at least one member
Signed-off-by: William Woodruff <william@trailofbits.com>
* record changes
Signed-off-by: William Woodruff <william@trailofbits.com>
* empty EKU test vector
Signed-off-by: William Woodruff <william@trailofbits.com>
* typo
Signed-off-by: William Woodruff <william@trailofbits.com>
---------
Signed-off-by: William Woodruff <william@trailofbits.com>
* allow SPKI RSA keys to be parsed even if they have an incorrect delimiter
This allows RSA SPKI keys (typically delimited with PUBLIC KEY) to be parsed
even if they are using the RSA PUBLIC KEY delimiter.
* formatting
* use original error if nothing parses, don't let it parse non-RSA
* Add support for SM4-GCM cipher
ref: #7503
ref: https://github.com/openssl/openssl/issues/13667
* Update SM4 GCM tests to use external test vector
* Cite SM4 test vectors sources in document
* Add tests for SM4ModeGCM finalize_with_tag
* Update CHANGELOG.rst
- No special configuration is required for brew or macports OpenSSL anymore
- There's no point in documenting building local docs, it's basically never necessary
The existing cert doesn't expire until late 2038 but this simplifies
2038 checks for some downstream consumers. We shift the original
cert/key into a new pkcs12/ca directory so that we don't need to
regenerate all the PKCS12 vectors (which don't care about expiry anyway)
* Adapt ChaCha20 test vectors to 64-bit counter
* Add ChaCha20 test vectors for counter overflow
These vectors test the behavior during counter overflow. Since
different implementations use different counter sizes (e.g. OpenSSL
uses a 64-bit counter, whereas BoringSSL uses a 32-bit counter),
it's important to ensure that the behavior during counter overflow
is consistent between implementations.
These vectors take into account both 32-bit and 64-bit overflows.
* tolerate NULL params in ECDSA SHA2 AlgorithmIdentifier
Java 11 does this incorrectly. It was fixed in Java16+ and they are
planning to do a backport, but we'll need to tolerate this invalid
encoding for a while.
* test both inner and outer
RFC 4055 section 2.1 states "All implementations MUST accept both
NULL and absent parameters as legal and equivalent encodings".
It also makes some somewhat conflicting statements after that, but
LibreSSL omits the null params for PSS, and OpenSSL parses this
without issue so tolerance it is.
* invalid visible string support
this allows utf8 in visiblestring, which is not valid DER. we raise a
warning when this happens, but allow it since belgian eIDs, among
others, have encoding errors. Belgium fixed this by 2021 (and possibly
earlier), but their eID certificates have 10 year validity.
* review comments
* clippy
