Commit graph

2538 commits

Author SHA1 Message Date
Alex Gaynor
9d2f41cfa2
fix test case, used wrong vector (#12405) 2025-02-05 20:35:32 -08:00
Alex Gaynor
3d4eb5f7a4
Added a test for RC2-CBC with an effectiveKeyLength (#12404)
* Added a test for RC2-CBC with an effectiveKeyLength

* Update docs/development/test-vectors.rst

Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>

---------

Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
2025-02-06 00:52:22 +00:00
Alex Gaynor
7fb6b880d7
Test cases for our new PKCS#8 test vectors (#12401) 2025-02-05 14:11:09 -08:00
Ivan Desiatov
4f9ca1c92c
PyPolicyDefinition and related Verifier API changes (#12390)
* Add PyPolicyDefinition, make accessible via verifiers.

* Add python Policy to x509.pyi

* Expose PyPolicyDefinition to Python.

* Rename PyPolicyDefinition to PyPolicy to match python name.

* `test_verification` uses `policy` property.

* Add additional PyPolicy tests.

* Add back direct getters on verifiers with deprecation warnings.

* Correct Policy.subject return type in x509.pyi

* Rename x509.verify.py_policy module to x509.verify.policy

* x509.verify uses mod.rs convention

* Use Optional<SubjectOwner> instead of adding None value to SubjectOwner.

* PyPolicy stores original subject + naming changes in Verifiers.
2025-02-05 12:46:43 -08:00
Paul Kehrer
0ef7c1fa19
add XOFHash (#12380)
* add XOFHash

* refactors for comments

* use cfg_if

* fix docs, fix linting

* don't expose squeeze on unsupported things

* smaller strides

* ellipsis
2025-02-01 17:26:59 -08:00
Paul Kehrer
d20eea8809
raise ValueError if DH parameter numbers are invalid (#12373) 2025-01-31 23:34:21 +00:00
Alex Gaynor
9b59bb671e
Emit warnings on BER PKCS#7 and PKCS#12 (#12372)
* Emit warnings on BER PKCS#7 and PKCS#12

* Update src/rust/src/pkcs7.rs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-01-31 15:14:42 -08:00
Alex Gaynor
fe5f3a9217
Two more test cases for key loading (#12370)
* Two more test cases for key loading

* Update tests/hazmat/primitives/test_serialization.py

Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>

---------

Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
2025-01-31 18:20:31 +00:00
Alex Gaynor
11b15a309f
fixes #10808 -- allow empty plaintexts for aes-gcm-siv (#12355)
* fixes #10808 -- allow empty plaintexts for aes-gcm-siv

* Update src/rust/build.rs

Co-authored-by: Nick Pope <nick@nickpope.me.uk>

---------

Co-authored-by: Nick Pope <nick@nickpope.me.uk>
2025-01-29 12:21:40 -08:00
Alex Gaynor
ad65dc5231
Provide a password for encryption tests (#12347)
It's never used, because of malformations, but provide one.
2025-01-27 06:39:53 -08:00
Alex Gaynor
652867baaa
fixes #12307 -- added unsafe_skip_rsa_key_validation kwarg to ssh private key loading (#12342) 2025-01-25 17:29:54 +00:00
Alex Gaynor
023a2597ec
Added tests for various malformed PEM files (#12338) 2025-01-24 16:06:53 -08:00
Alex Gaynor
45381b4266
Added two new PKCS#8 test cases (#12333)
* Added two new PKCS#8 test cases

* Added two more testcases

* Spelling
2025-01-24 11:04:53 -08:00
Alex Gaynor
5d16313b42
Added tests for two more PKCS#8 key situations (#12310) 2025-01-19 08:04:56 -08:00
Alex Gaynor
2fe2b5a19f
Support AES-GCM-SIV on BoringSSL (#12294) 2025-01-19 07:55:20 -08:00
Alex Gaynor
17119de16f
Added new test cases for invalid EC keys (#12309) 2025-01-18 20:03:57 -08:00
Alex Gaynor
af76c1f456
Added more serialization test vector tests (#12308) 2025-01-18 12:22:22 -08:00
Alex Gaynor
86b24873c7
Added new test cases for PKCS#8 parsing (#12305) 2025-01-17 20:00:29 -08:00
Alex Gaynor
da62c2fce7
fixes #12070 -- made SSH private key loading more consistent with other key loading (#12286) 2025-01-15 09:25:43 -07:00
Hanno Böck
e818efc0b5
Reject d, e values <= 1 (#12272)
* Reject d, e values <= 1

This avoids a potential infinite loop (e.g. with d=e=1 or d=e=-1).

* Add tests for possible loop/DoS in rsa_recover_prime_factors()
2025-01-12 16:58:03 -05:00
Alex Gaynor
d7596d0f1f
fixes #12257 -- raise the correct error on an unsupported curve (#12271) 2025-01-11 18:35:46 -08:00
Alex Gaynor
4c8aa4e3b5
Bump to ruff 0.9 (#12259) 2025-01-09 11:44:10 -08:00
Alex Gaynor
8640c1a0fc
Implement fixes to ruff check --preview (#12230) 2025-01-03 17:28:57 +01:00
Quentin Retourne
6143683d87
PKCS7: added encryption with AES-256-CBC (#12172)
* feat: added encryption with AES-256-CBC

added & updated tests accordingly

updated documentation

removed useless test vector

* fixing coverage

* last python coverage fix

* restraining the number of classes

changed name to content_encryption_algorithm

simplified the rust code accordingly

tried to simplify the documentation

* python 3.8 artefacts

* passed content encryption algo locally

adapted rust code accordingly
2024-12-29 13:02:20 -05:00
David Buchanan
4879672702
Add ec.EllipticCurve group_order constants (#12113)
* add ec.EllipticCurve group_order

* punctuation

* update docs
2024-12-10 08:10:36 +03:00
Patrick Rauscher
738598d1cf
make x509.name.NameAttribute use Generic to overload get_attributes_for_oid (#12068)
* make x509.name.NameAttribute use Generic to overload get_attributes_for_oid

* reformat code using ruff format (not only ruff check)

* use subtypes of ObjectIdentifier to allow type detection in get_attributes_for_oid

* add missing overloads for test cases

* revert most changes to achieve base plate

* ruff format

* try typing.Union for python 3.9

* add return_string to get_attributes_for_oid for overload

* fix documentation link and flake8

* fixup docs

* docs: add versionadded for param return_string

* add test case

* Revert "add return_string to get_attributes_for_oid for overload"

This reverts commit c4a2a5f0273ea8e60f3d5425a015b0563586b67a.

* Revert "fix documentation link and flake8"

This reverts commit b79a4ecf73f1425bd9304aefd2eaf8a89329610b.

* make NameAttributeValueType covariant
2024-12-06 22:23:28 -05:00
Joakim Nordling
43d84b1121
Support for copying private keys (#12110)
* Add tests

* Implement __copy__ in private keys

* Fix issue with tests for DHPrivateKey

* Another attempt at fixing the tests

* Revert "Another attempt at fixing the tests"

This reverts commit cc7c2b301e635baa7b958dc1b02666f1c80c7c36.

* Skip tests with weak key on FIPS

* Add __copy__ to abstract base classes of both public and private keys
2024-12-06 11:14:14 -05:00
Paul Kehrer
d49947efb0
handle case where a "valid" pkey does not contain a valid EC key (#12101)
* handle case where a "valid" pkey does not contain a valid EC key

* add test

* skip the test in some scenarios
2024-12-05 05:24:04 +00:00
Quentin Retourne
ac8c3003cb
PKCS7 Decryption: more content decryption algorithms (#12088)
* pkcs7: added more content encryption algorithms

* removed creation of AES 192 algorithm

* remove AES 192 compat (historical relic)

* minor correction
2024-12-02 14:34:04 +00:00
Alex Gaynor
a1057fda9d
fixes #12062 -- raise a clean error when loading an SK SSH private key (#12063) 2024-11-28 12:19:28 -08:00
Quentin Retourne
d6cac753c2
Add support for decrypting S/MIME messages (#11555)
* first python API proposition

first round-trip tests

feat: made asn1 structures readable

refacto: adapted existing functions accordingly

feat/pkcs12: added symmetric_decrypt

feat: deserialize 3 possible encodings

feat: handling AES-128

feat: raise error when no recipient is found

feat/pkcs7: added decanonicalize function

feat/asn1: added decode_der_data

feat/pkcs7: added smime_enveloped_decode

tests are the round-trip (encrypt & decrypt)

more tests for 100% python coverage

test support pkcs7_encrypt with openssl

added algorithm to pkcs7_encrypt signature

refacto: decrypt function is clearer

flow is more natural

refacto: added all rust error tests

refacto: added another CA chain for checking

fix: const handling

Refactor PKCS7Decryptor to pkcs7_decrypt

refacto: removed SMIME_ENVELOPED_DECODE from rust code

refacto: removed decode_der_data

adapted tests accordingly

removed the PEM tag check

added tests for smime_decnonicalize

one more test case

Update src/rust/src/pkcs7.rs

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

took comments into account

pem to der is now outside of decrypt

fix: removed test_support pkcs7_encrypt

added vector for aes_256_cbc encrypted pkcs7

feat: not using test_support decrypt anymore

added new vectors for PKCS7 tests

feat: using pkcs7 vectors

removed previous ones

fix: changed wrong function

feat: added certificate issuer check

test: generating the RSA chain

removed the vectors accordingly

moved symmetric_decrypt to pkcs7.rs

* Update src/cryptography/hazmat/primitives/serialization/pkcs7.py

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

* fix: removed use of deprecated new_bound for PyBytes

* corrected some error types

* updated tests accordingly

* fix: handling other key encryption algorithms

added vectors & tests accordingly

* first attempts raising error when no header to remove

* one more test to handle text data without header

* fix: went back to the previous implementation

* refacto: removed the return part

* feat: Binary option does not seem useful for decryption

removed decanonicalization function

adapted tests accordingly

* moved logic into rust

only left some checks (for now?)

* removed pyfunction for the inner decrypt one

* added checks in rust now :)

changed name for clarity

* removed unused function

* some checks not needed anymore

* removed a parameter

* took comments into account

* removed unused import

removed excess get_type

* added first unwrap corrections

cleaned tests, added some others

added more vectors

* no more unwrap for parameter checks

* removing headers is Python now

added tests accordingly

will compare with OpenSSL

* final corrections?

* first version of documentation

some minor refactoring

* corrected doctests

* better indentation

* doctest: added RSA private key

* oops

---------

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
2024-11-26 08:39:53 -05:00
Alex Gaynor
8209d63ae7
fixes #11944 -- don't panic on attributes with no values (#11947) 2024-11-14 14:16:43 -08:00
Paul Kehrer
a7aa8cec96
argon2id support (#11524)
* argon2id support

* make it all rust now

* set a threadpool number

* address comments

* set threadpool to max(available, current)

* review comments

* a few more improvements

* Update docs/hazmat/primitives/key-derivation-functions.rst

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

---------

Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
2024-11-11 14:42:26 +00:00
Alex Gaynor
da437d16a9
fixes #11920 raise a clean Python error on DSA signing failure due to nilpotent (#11921) 2024-11-11 14:37:32 +00:00
Oleg Höfling
fef127093b
feat(admissions): implement parsing of admissions extension (#11903)
* feat: implement parsing of admissions extension

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: add tests for admissions extension parsing

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: use cryptography result return type

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: apply fixes done by cargo fmt and clippy

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* add gematik company name and the gmbh abbreviations to known words

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* fix: regenerate the synthetic certificate with additional admission covering the case of naming authority with no data

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* fix: parse none for profession_oids if profession_oids is none

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: apply formatting to changes in rust codebase

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* refactor: switch return type of parse_profession_infos from PyObject to Bound<PyAny>

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* refactor: switch return type of parse_naming_authority from PyObject to Bound<PyAny>

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* refactor: switch return type of parse_admissions from PyObject to Bound<PyAny>

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* chore: remove gematik certs from repo

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* chore: remove gematik certs from this pr

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* chore: extend parser tests with an additional synthetic certificate to complete rust coverage

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* chore: add description for the additional certificate without authority

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* use into_bound(py) as shortcut, refrain from using to_object() in all added functions

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* add better description for the admissions synthetic cert

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* adjust description to avoid using misspelled words

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

---------

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
2024-11-10 20:06:01 -05:00
Hanno Böck
78e89e4975
Speedup rsa_recover_prime_factors() by using random value (#11899)
* Speedup rsa_recover_prime_factors() by using random value

* Comply with ruff codingstyle

* Reject invalid combinations of n, d, e early to avoid excessive runtime

* Add second failure test case for rsa_recover_prime_factors to hit early error path

* Remove leftover debug code

* Reduce _MAX_RECOVERY_ATTEMPTS and remove obsolete comment

Previously, the code would increase a in steps of 2; therefore,
_MAX_RECOVERY_ATTEMPTS was twice the number of tries. With the new
code, this is no longer the case.
2024-11-10 14:34:58 +00:00
Alex Gaynor
31d9e01b36
fixes #11912 -- when checking ccm decrypt max length, exclude tag (#11913) 2024-11-08 08:36:33 +00:00
Oleg Höfling
53035da3dd
feat(admissions): implement encoding of admissions extension (#11892)
* feat: implement encoding of admissions extension

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: add encoding tests

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* refactor: split encoding of inner objects into separate functions

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* fix: simplify code comment to pass the line length checks

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: add test to check encoding of none values

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: extend none values test to also check encoding of naming authority with none values

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* fix: use none checks when converting python data

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* fix: raise a valueerror if the url can not be encoded to an ia5string

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: revert to truthness check for py_oids for now, will be amended in a separate pr

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* fix: raise a valueerror if the registration_number can not be encoded to a printablestring

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* fix: encode none for profession_oids if profession_oids is none

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

---------

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
2024-11-06 23:41:29 -05:00
Oleg Höfling
81d98f4457
fix(admissions): allow profession_oids field being none (#11908)
* fix: allow profession_oids to be none

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: provide explicit type hints for profession oids in hash calculation

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: remove unused ignore in profession info init test

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* fix(profession info): simplify profession oids handling in hash calculation

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

---------

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
2024-11-06 18:38:20 -05:00
Alex Gaynor
7a7f916e03
fixes #11160 -- include the cert in the error message for verification error (#11898) 2024-11-06 09:50:30 +00:00
Oleg Höfling
cf93084b0e
feat(admissions): add admissions extension type (#11886)
* feat(admissions): add admissions extension type

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* fix: use tuple for admissions unpacking in hash code calculation

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

---------

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
2024-11-04 06:42:08 -05:00
Oleg Höfling
4d86913082
feat(admissions): add admission type for the admissions extension (#11883)
* feat(admissions): add admission type for the admissions extension

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* refactor: explicitly convert profession infos to tuples for hash calculation

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* refactor: add asn1 trait derives to admission type, commented out

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

---------

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
2024-11-03 17:12:39 -05:00
Oleg Höfling
f65ab4d7f5
feat(admissions): add profession info type for the admissions extension (#11881)
* feat(admissions): add profession info python type for the admissions extension

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* feat(admissions): add profession info rust type for the admissions extension

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* feat(admissions): add test for profession info hash implementation

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* fix(admissions): minor fixes

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* remove the asn1 traits from the profession info rust type

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* remove the explicit mark from the naming authority field

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: add commented out annotation for the naming authority field

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* fix: use correct type for add_profeccion_info field

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* refactor: explicitly convert profession items and oids to tuples for hash calculation

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

* refactor: add asn1 trait derives to naming authority and profession info types, commented out

Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>

---------

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
Signed-off-by: Oleg Hoefling <oleg.hoefling@gmail.com>
2024-11-03 20:16:23 +00:00
Oleg Höfling
09dfc983a4
feat(admissions): add naming authority type for the admissions extension (#11876)
* feat(admissions): add naming authority python type for the admissions extension

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* feat(admissions): use short names for naming authority fields

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* feat(admissions): add naming authority rust type for the admissions extension

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: use assert_eq macro for value comparison in naming authority test

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* chore: drop useless test for naming authority rust type

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

* fix: correct the naming authority text type

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>

---------

Signed-off-by: oleg.hoefling <oleg.hoefling@gmail.com>
2024-11-03 14:49:47 +00:00
Alex Gaynor
62f1155062
fixes #11878 -- check for keys too large when deriving an EC key from a private value (#11879) 2024-11-03 14:33:28 +00:00
Robby Cornelissen
7fa390cfe2
Support 128-bit OID arcs (#11820)
* Support 128-bit OID arcs

* Update Cargo.lock to reflect updated rust-asn1 dependency
2024-10-24 04:36:14 +00:00
Alex Gaynor
8b3de53ed8
When failing to parse SANs or IANs, include which it was that failed (#11785) 2024-10-17 20:13:03 -07:00
Han Yu
6bd5d49899
Inconsistent IDP extension constraint check (#11467)
* Per RFC5280 Section 5.2.5, the Issuing Distribution Point extension in a CRL can have only one of onlyContainsUserCerts, onlyContainsCACerts, onlyContainsAttributeCerts set to TRUE. However, in extensions.py (lines 1991 : 2003), indirectCRL is also included, which leads to an invalid CRL even if the RFC requirement is met. The proposed fix is to drop indirectCRL from the check so it conforms to the RFC.

* Made the comment shorter per line to meet the format requirement.
Removed an invalid test case for IDP
2024-10-12 01:43:23 +00:00
Ivan Desiatov
1767ad0a46
X509 custom verification groundwork (#11559)
* Add CustomPolicyBuilder foundation.

* Add EKU getters to ClientVerifier and ServerVerifier.

* Document the implemented part of custom verification.

* Remove `subject` field from VerifiedClient, rename `sans` back to `subjects`.

* Remove EKU-related setters, getters and documentation from this PR.

* Use double backticks in reStructuredText.

* Remove CustomPolicyBuilder in favor of extending PolicyBuilder.

* Code style improvements.

* Resolve coverage issues.
2024-10-08 22:27:15 -04:00
Gonzalo Atienza
6fbdffed71
otp-generage-hardening (#11703) 2024-10-07 00:57:57 +00:00