- 21 Jul, 2020 5 commits
-
-
Alex Gaynor authored
-
Alex Gaynor authored
-
Alex Gaynor authored
-
Alex Gaynor authored
-
Paul Kehrer authored
-
- 20 Jul, 2020 6 commits
-
-
Paul Kehrer authored
* prep 3.0 for release * okay then
-
Alex Gaynor authored
* Tell people to use black in our dev docs * For codecov
-
Alex Gaynor authored
-
Paul Kehrer authored
* test FIPS mode on centos8 * remove branch we don't take * simpler * better comment * rename * revert some things that don't matter * small cleanups
-
Paul Kehrer authored
* generate_pkcs12 (#4952) * pkcs12 support * simplify * remove fixtures * reorg and other improvements. memleak check * ugh * more fixes * last changes hopefully Co-authored-by: Tomer Shalev <tshalev@proofpoint.com>
-
Paul Kehrer authored
speeds things up a bit and makes it easier to do the FIPS PR
-
- 19 Jul, 2020 8 commits
-
-
Alex Gaynor authored
-
Paul Kehrer authored
* disable the osrandom engine on 1.1.1d+ * skip (and run) some tests on 1.1.1d+ * simplify our conditionals * Update src/_cffi_src/openssl/src/osrandom_engine.c Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> * words * more words * language * get coverage more cleverly * a word * Update .github/workflows/ci.yml Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
-
Paul Kehrer authored
-
Alex Gaynor authored
fixes #5129
-
Paul Kehrer authored
InternalErrors are bad when we know they're reachable
-
Paul Kehrer authored
* support encoding attributes via CertificateSigningRequestBuilder * use a constant. now you know what 12 means! * pep8
-
Paul Kehrer authored
fixes #5127
-
Paul Kehrer authored
-
- 18 Jul, 2020 3 commits
-
-
Paul Kehrer authored
-
Alex Gaynor authored
We have already validated that `p` is large enough to store `name`. In `strncpy` the `len` parameter should generally be the length of the target buffer, not the source buffer.
-
Tristan Seligmann authored
-
- 15 Jul, 2020 1 commit
-
-
Steven Pitman authored
-
- 06 Jul, 2020 5 commits
-
-
Paul Kehrer authored
we'll parse the challenge password in a doctest after another PR lands
-
Paul Kehrer authored
* remove NPN bindings -- you should be using ALPN! pyOpenSSL consumed these, but we've marked it as deprecated and it already handles the case where the bindings are not available.
* set Cryptography_HAS_NEXTPROTONEG to 0 for pyOpenSSL we can remove this symbol in like...5 years.
* remove another NPN related definition
* suspicious
* Revert "remove another NPN related definition" This reverts commit d872a7d1d776858c77b8c607f63cc9b5fef1ae39. Revert "suspicious" This reverts commit 5b767484f1cde132f686600a46e61a18e33cbdae.
-
Paul Kehrer authored
* support x509 request challenge password parsing * switch to a more generic (but not too generic) attribute parsing * make it raise a valueerror * Update tests/x509/test_x509.py Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
-
Paul Kehrer authored
* support 4096 bit DSA parsing from numbers classes * need to get local linting fixed. * reorder * add a link to more reasons why DSA sucks
-
Paul Kehrer authored
* add unstructured name x509 csr attribute vector * Update docs/development/test-vectors.rst Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
-
- 05 Jul, 2020 5 commits
-
-
Paul Kehrer authored
-
Alex Gaynor authored
Closes #5290
-
Paul Kehrer authored
* Support parsing SCTs in OCSPResponse * s/typically/only and pep8 * remove unused vector Co-authored-by: Szilárd Pfeiffer <szilard.pfeiffer@balasys.hu>
-
Marko Kreen authored
* Add variable/fixed cost section * Add subtitle to each algorithm * Reorder alphabetically
-
Alex Gaynor authored
* Run tests on centos8 * Document that we test this * debugging * Try adding this? * Remove this
-
- 02 Jul, 2020 1 commit
-
-
Paul Kehrer authored
* add SubjectInformationAccess extension support * fixes
-
- 28 Jun, 2020 1 commit
-
-
Paul Kehrer authored
* constrain RSA key generation more heavily * constraint to just 3 & 65537 * explain change
-
- 26 Jun, 2020 3 commits
-
-
Alex Gaynor authored
-
Alex Gaynor authored
-
Alex Gaynor authored
-
- 25 Jun, 2020 2 commits
-
-
Jakub Stasiak authored
* Disallow ttl=None in (Multi)Fernet.decrypt_at_time()

  Since the introduction of the _at_time() methods in #5256[1] there's been this little voice in the back of my mind telling me that maybe it's not the best idea to allow ttl=None in decrypt_at_time(). It's been like this for convenience and code reuse reasons.

  Then I submitted a patch for cryptography stubs in typeshed[2] and I had to decide whether to define decrypt_at_time()'s ttl as int and be incompatible with cryptography's behavior or Optional[int] and advertise an API that can be misused much too easily. I went ahead with int.

  Considering the above I decided to propose this patch. Some amount of redundancy (and a new test to properly cover the MultiFernet.decrypt_at_time() implementation) is a price to prevent clients from shooting themselves in the foot with the ttl=None gun since setting ttl to None disabled timestamp checks even if current_time was provided.

  [1] https://github.com/pyca/cryptography/pull/5256
  [2] https://github.com/python/typeshed/pull/4238
* Actually test the return value here
* Fix formatting
-
David Benjamin authored
The CRL is missing a CRL number and should mark the delta CRL extension as critical. RFC 5280 says the following:

Section 5.2.3:

> CRL issuers conforming to this profile MUST include this extension
> [CRL number] in all CRLs and MUST mark this extension as
> non-critical.

Section 5.2.4:

> The delta CRL indicator is a critical CRL extension that identifies a
> CRL as being a delta CRL.
> When a conforming CRL issuer generates a delta CRL, the delta CRL
> MUST include a critical delta CRL indicator extension.

Sadly, RFC 5280 is often unclear about the difference between issuer requirements and verifier requirements, but test certificates should conform to issuer requirements where possible, in case the underlying library becomes stricter.

Section 5.2.4 includes further text which implies a delta CRL without a CRL number is unusable for a verifier anyway:

> A complete CRL and a delta CRL MAY be combined if the following four
> conditions are satisfied:
>
> [...]
>
> (d) The CRL number of the complete CRL is less than the CRL number
> of the delta CRL. That is, the delta CRL follows the complete
> CRL in the numbering sequence.

Note I have not updated the signature in crl_delta_crl_indicator.pem. The test does not care, and it is unclear which key to sign it with.
-