* Fixed crash when loading a PKCS#7 bundle with no certificates (#9926)
* Version bump for 41.0.6
* Temporarily allow a new clippy warning (#9835)
* Temporarily allow a new clippy warning
* Update lib.rs
* Update lib.rs
* Need to accept this to skip test
* It's a word
* tolerate NULL params in ECDSA SHA2 AlgorithmIdentifier (#9002)
* tolerate NULL params in ECDSA SHA2 AlgorithmIdentifier
Java 11 does this incorrectly. It was fixed in Java 16+ and they are
planning to do a backport, but we'll need to tolerate this invalid
encoding for a while.
* test both inner and outer
* changelog entry
* language
* admit to the existence of nuance in HKDF
* Update docs/hazmat/primitives/key-derivation-functions.rst
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---------
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
RFC 4055 section 2.1 states "All implementations MUST accept both
NULL and absent parameters as legal and equivalent encodings".
It also makes some somewhat conflicting statements after that, but
LibreSSL omits the null params for PSS, and OpenSSL parses this
without issue so tolerance it is.
* support X.509 certificate PSS signing
no CSR, CRL, etc
* handle PSS.(MAX_LENGTH, DIGEST_LENGTH), review feedback
* name the kwarg
* test improvements
* skip if sha3 isn't supported
* invalid visible string support
this allows utf8 in visiblestring, which is not valid DER. we raise a
warning when this happens, but allow it since Belgian eIDs, among
others, have encoding errors. Belgium fixed this by 2021 (and possibly
earlier), but their eID certificates have 10 year validity.
* review comments
* clippy
* Fix for #8854
Fix for issue #8854
* Fix for issue #8854
Fix for issue #8854
* versionadded
---------
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
* drop python 3.6 support
* Update tests/hazmat/bindings/test_openssl.py
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---------
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
This removes the OS random engine, which contained the only CPython PSF
licensed code in the repository. Accordingly, that license has now been
removed.
This is extra mega cursed, and strictly speaking unsound. It does, however, match the status quo ante, where someone mutating a buffer while it's being used in cffi code will basically always be UB.
* Rename Union type aliases to CamelCase
Many `typing.Union` type aliases were previously using `UPPER_SNAKE_CASE`, but Python's convention is `CamelCase` for these (e.g. https://docs.python.org/3/library/typing.html#type-aliases)
* Add utils.deprecated for the old non-underscore type aliases
* Added documentation for new type aliases & minor tweaks
* Use 'versionadded:: 40.0.0'
* Fix CertificatePublicKeyTypes vs CertificateIssuerPublicKeyTypes. Rename CertificatePrivateKeyTypes to CertificateIssuerPrivateKeyTypes
* Fix imports (ruff)
* Fix one more versionadded
* Tweak docs & Reorder: CertificateIssuerPublicKeyTypes before CertificateIssuerPrivateKeyTypes
* Fix test mypy errors using cast()
* Fix black, oops
* Revert "Fix black, oops"
This reverts commit 85344e231d697bdc0940e105f7aed729445f9743.
* Revert "Fix test mypy errors using cast()"
This reverts commit b272d8ca95fbbbc62060663f9e8930a139a7a43e.
* Revert type of SubjectKeyIdentifier.from_public_key arg
* Changelog tweak
* WIP: Add raw export alias method for x25519 keys
* Ditto for x448, ed448, ed25519
* Document new private_bytes_raw public_bytes_raw methods
* docs: Populate versionadded to be 40
* docs: Fix PublicFormat -> PrivateFormat where applicable
* formatting
* Update tests for test_pub_priv_bytes_raw in x25519, x448, ed448 (TODO: ed25519)
* Add test_pub_priv_bytes_raw test for Ed25519
Update SSHCertificateBuilder sample code to:
* Correctly use the signing key when signing the certificate, rather than the user's own private key.
* Generate the user's public key in one line, making it clearer to the reader that only the public key is an input to the certificate builder.