GitLab

* prep 3.0 for release

* okay then

* Tell people to use black in our dev docs

* For codecov

* test FIPS mode on centos8

* remove branch we don't take

* simpler

* better comment

* rename

* revert some things that don't matter

* small cleanups

* generate_pkcs12 (#4952)

* pkcs12 support

* simplify

* remove fixtures

* reorg and other improvements. memleak check

* ugh

* more fixes

* last changes hopefully
Co-authored-by: Tomer Shalev <tshalev@proofpoint.com>

speeds things up a bit and makes it easier to do the FIPS PR

* disable the osrandom engine on 1.1.1d+

* skip (and run) some tests on 1.1.1d+

* simplify our conditionals

* Update src/_cffi_src/openssl/src/osrandom_engine.c
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

* words

* more words

* language

* get coverage more cleverly

* a word

* Update .github/workflows/ci.yml
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

fixes #5129

InternalErrors are bad when we know they're reachable

* support encoding attributes via CertificateSigningRequestBuilder

* use a constant. now you know what 12 means!

* pep8

fixes #5127

We have already validated that `p` is large enough to store `name`. In `strncpy` the `len` parameter should generally be the length of the target buffer, not the source buffer.

we'll parse the challenge password in a doctest after another PR lands

* remove NPN bindings -- you should be using ALPN!

pyOpenSSL consumed these, but we've marked it as deprecated and it
already handles the case where the bindings are not available.

* set Cryptography_HAS_NEXTPROTONEG to 0 for pyOpenSSL

we can remove this symbol in like...5 years.

* remove another NPN related definition

* suspicious

* Revert "remove another NPN related definition"

This reverts commit d872a7d1d776858c77b8c607f63cc9b5fef1ae39.

Revert "suspicious"

This reverts commit 5b767484f1cde132f686600a46e61a18e33cbdae.

* support x509 request challenge password parsing

* switch to a more generic (but not too generic) attribute parsing

* make it raise a valueerror

* Update tests/x509/test_x509.py
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

* support 4096 bit DSA parsing from numbers classes

* need to get local linting fixed.

* reorder

* add a link to more reasons why DSA sucks

* add unstructured name x509 csr attribute vector

* Update docs/development/test-vectors.rst
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

Closes #5290

* Support parsing SCTs in OCSPResponse

* s/typically/only and pep8

* remove unused vector
Co-authored-by: Szilárd Pfeiffer <szilard.pfeiffer@balasys.hu>

* Add variable/fixed cost section
* Add subtitle to each algorithm
* Reorder alphabetically

* Run tests on centos8

* Document that we test this

* debugging

* Try adding this?

* Remove this

* add SubjectInformationAccess extension support

* fixes

* constrain RSA key generation more heavily

* constraint to just 3 & 65537

* explain change

* Disallow ttl=None in (Multi)Fernet.decrypt_at_time()

Since the introduction of the _at_time() methods in #5256[1] there's
been this little voice in the back of my mind telling me that maybe it's
not the best idea to allow ttl=None in decrypt_at_time(). It's been like
this for convenience and code reuse reasons.

Then I submitted a patch for cryptography stubs in typeshed[2] and I had
to decide whether to define decrypt_at_time()'s ttl as int and be
incompatible with cryptography's behavior or Optional[int] and advertise
an API that can be misused much too easily. I went ahead with int.

Considering the above I decided to propose this patch. Some amount of
redundancy (and a new test to properly cover the
MultiFernet.decrypt_at_time() implementation) is a price to prevent
clients from shooting themselves in the foot with the tll=None gun since
setting ttl to None disabled timestamp checks even if current_time was
provided.

[1] https://github.com/pyca/cryptography/pull/5256
[2] https://github.com/python/typeshed/pull/4238

* Actually test the return value here

* Fix formatting

The CRL is missing a CRL number and should mark the delta CRL extension
as critical. RFC 5280 says the following:

Section 5.2.3:

> CRL issuers conforming to this profile MUST include this extension
> [CRL number] in all CRLs and MUST mark this extension as
> non-critical.

Section 5.2.4:

> The delta CRL indicator is a critical CRL extension that identifies a
> CRL as being a delta CRL.

> When a conforming CRL issuer generates a delta CRL, the delta CRL
> MUST include a critical delta CRL indicator extension.

Sadly, RFC 5280 is often unclear about the difference between issuer
requirements and verifier requirements, but test certificates should
conform to issuer requirements where possible, in case the underly
library becomes stricter. Section 5.2.4 includes further text which
implies a delta CRL without a CRL number is unusable for a verifier
anyway:

> A complete CRL and a delta CRL MAY be combined if the following four
> conditions are satisfied:
>
> [...]
>
>   (d)  The CRL number of the complete CRL is less than the CRL number
>        of the delta CRL.  That is, the delta CRL follows the complete
>        CRL in the numbering sequence.

Note I have not updated the signature in crl_delta_crl_indicator.pem.
The test does not care, and it is unclear which key to sign it with.