* Update install docs now that we test on Windows 2022
* Update installation.rst
* Update spelling_wordlist.txt
* Update docs/installation.rst
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
* WIP
* x509: remove TBS work for now
Signed-off-by: William Woodruff <william@yossarian.net>
* CT: flake8
Signed-off-by: William Woodruff <william@yossarian.net>
* CT: remove TODO, add links
Signed-off-by: William Woodruff <william@yossarian.net>
* CT/SCT: strong enums for HashAlgorithm and SignatureAlgorithm
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: add SCT hash/signature algorithm tests
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: fix SignatureAlgorithm test, add signature contents test
Signed-off-by: William Woodruff <william@yossarian.net>
* rust: unit tests for {Hash,Signature}Algorithm
Signed-off-by: William Woodruff <william@yossarian.net>
* x509/sct: code coverage shenanigans
Signed-off-by: William Woodruff <william@yossarian.net>
* asn1, sct: pesky coverage
Signed-off-by: William Woodruff <william@yossarian.net>
* x509/sct: simplify parsing
Signed-off-by: William Woodruff <william@yossarian.net>
* docs: document new SCT APIs
Signed-off-by: William Woodruff <william@yossarian.net>
* docs: add refs to RFC 5246
Signed-off-by: William Woodruff <william@yossarian.net>
* SCT: forbid nonsense hash and signature algos
No tests, yet.
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: add invalid hash/sig algo tests
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: remove ToAttr trait
Inline impl into each struct's impl.
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: remove invalid hash/sig variants
These should never appear in the context of SCTs.
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: collapse matches
Handle invalid/unknown variants together.
Signed-off-by: William Woodruff <william@yossarian.net>
* tests: update SCT tests
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: add a TODO
Signed-off-by: William Woodruff <william@yossarian.net>
* sct: return a primitives.hashes object instead of a custom enum
Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: Alex Cameron <asc@tetsuo.sh>
CRL versions only go up to v2 (numeric value 1) and CSRs only define v1
(numeric value 0). See
https://www.rfc-editor.org/rfc/rfc5280.html#section-5.1 and
https://www.rfc-editor.org/rfc/rfc2986.html#section-4. Some of the
inputs used in tests were misissued.
Unfortunately, the corresponding private keys for these test vectors
weren't provided, so I've just editted the inputs with der-ascii and
left the signatures invalid. The tests in question don't seem to rely on
valid signatures.
* add x509 pss certificate and public key
the cert is signed using rsa_pss_2048.pem and the public key is the
public components of that private key
* Update docs/development/test-vectors.rst
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* tests: better testid generation for fernet vectors
Use the vector filename and array index for the pytest id rather than a
concatenation of the vector content.
eg: `tests/test_fernet.py::TestFernet::test_invalid[invalid.json:2]`
* (Multi)Fernet: allow str tokens for decryption
Remove some developer friction by allowing string tokens to be passed to
Fernet decryption methods. Because a valid token as generated by
`Fernet.encrypt()` is url-safe base64-encoded, a non-ASCII token is
definitely invalid.
The stdlib base64 function already accepts and checks ASCII str values
so delegate to that.
* Kick CI
* check for invalid keys that RSA_check_key misses
RSA_check_key checks for primality but that fails to catch this case
since 2 is prime. Instead we fetch p and q and verify that they are odd
and if not reject the key as invalid.
* circleci sucks
* Initial tests
* Implement.
Required updating many many tests based on my read of the RFC. Should be reviewed closely.
* Fix for py36
* flake8
* Improve coverage on hypothesis test
* Remove bad assertion in hypothesis test
* Update docs
* fix docs
* Fixed unicode support
* review
* docs review
* support 12-15 byte nonce sizes in OCB3
* Update tests/hazmat/primitives/test_aead.py
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* PKCS12 serialization wrapper supports PKCS12Certificate cas
* Added code from Felix's gist to serialize_key_and_certificate_to_pkcs12. Doesn't break current behaviour/tests, need to write validate new behaviour, write tests, and format code.
* Simplified instance check
* Tried to write tests, but I cannot figure out how to read the friendlyName from parsed_more_certs.
* Fixed test function and renamed it.
* Fixed formatting.
* Commiting before trying black
* Formatted updates to make flake8 and black happy.
* Fixed first review comments.
* remove forgotten print statement
* use backend.openssl_assert instead of if ...
* Documented changes.
* Updated documentation.
* Added OID
* Added to docuemntation for IPSec SAs
* Update docs/x509/reference.rst to correct the version change.
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
* OCSP responses can contain multiple SINGLERESPs
Instead of throwing an exception when encountering a OCSP
response with multiple SINGLERESPs, throw the exception when
attempting to pull a single structure if multiple are present.
Add a response_iter property to the OCSP Response object, which
allows for iteration through all the SINGLERESPs, and properties
to be individually accessed for each.
* Small fixes to OCSP multiple response handling. Squash eventually
* Docs updates. Should be squashed
* Get rid of mutating iterator, replace with separate return object
* Fix versionadded strings in docs
* Cleanup docs & python bindings.
* support bitstring values in DNs
parsing is limited to x500UniqueIdentifier only
* Update src/cryptography/x509/name.py
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
The spec requires both of these to be exactly two characters to
correspond with ISO country codes. Reality is sometimes messier, so this
allows parsing (but not encoding) of this invalid data. Parsing will
raise a UserWarning if incorrect lengths are detected.
