summaryrefslogtreecommitdiff
path: root/src/OpenSSL/crypto.py
Commit message (Collapse)AuthorAgeFilesLines
* remove X509StoreFlags.NOTIFY_POLICY (#1213)Paul Kehrer2023-04-211-1/+0
| | | | | | | | | * remove X509StoreFlags.NOTIFY_POLICY fixes #1212 * also fix twisted * more CI fixes, sigh
* Reject invalid versions in X509Req.set_version (#1208)Alex Gaynor2023-04-011-0/+6
| | | | | | | | | | | * Reject invalid versions in X509Req.set_version * Update CHANGELOG.rst Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com> --------- Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
* port changelog (#1205)Paul Kehrer2023-03-271-1/+8
| | | | | * port changelog * forward port the nid2sn workaround
* Fix CI (#1185)Maximilian Hils2023-02-131-2/+0
| | | | | * Reformat code using black 23.x * fix compat with tox 4
* fixes #1173 (#1174)Alex Gaynor2022-12-291-1/+2
| | | | | | | * fixes #1173 make the x509extension docs more clear * Update crypto.py
* Fix CRL nextUpdate handling. (#1169)David Benjamin2022-12-161-9/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | * Fix CRL nextUpdate handling. When setting the nextUpdate field of a CRL, this code grabbed the nextUpdate ASN1_TIME field from the CRL and set its time. But nextUpdate is optional in a CRL so that field is usually NULL. But OpenSSL's ASN1_TIME_set_string succeeds when the destination argument is NULL, so it was silently a no-op. Given that, the call in a test to set the nextUpdate field suddenly starts working and sets the time to 2018, thus causing the CRL to be considered expired and breaking the test. So this change also changes the expiry year far into the future. Additionally, the other CRL and Revoked setters violate const in the API. Fixes #1168. * Replace self-check with an assert for coverage * Update src/OpenSSL/crypto.py Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Fix some memory leaks in CRL.export (#1170)David Benjamin2022-12-161-8/+11
| | | | The bio was never freed, or used. sometime is never freed. While I'm here, check return values for all the functions called here.
* Add support for X509_V_FLAG_PARTIAL_CHAIN (#1166)vEpiphyte2022-12-151-0/+1
| | | | | | | | | * Add support for X509_V_FLAG_PARTIAL_CHAIN * Remove unneeded import * Update changelog to add PR number. * Fix whitespace issue identified by black
* Switch to the new utils.deprecation spelling (#1140)David Benjamin2022-08-131-2/+4
| | | | | | | | | | | | * Switch to the new utils.deprecation spelling The new spelling was introduced in https://github.com/pyca/cryptography/pull/6923 and is more friendly to type checkers. Version-wise, that PR appears to be in cryptography 37.0.0, which is now beyond the minimum version for pyOpenSSL. * reformat
* Make `X509StoreContextError`'s message friendlier (#1133)William Woodruff2022-07-071-7/+11
| | | | | | | | | | | | | | | | | | | * OpenSSL/crypto: make X509StoreContextError's message friendlier Closes #1132. Signed-off-by: William Woodruff <william@trailofbits.com> * tests: update exception tests Signed-off-by: William Woodruff <william@trailofbits.com> * OpenSSL/crypto: blacken Signed-off-by: William Woodruff <william@trailofbits.com> * CHANGELOG: record changes Signed-off-by: William Woodruff <william@trailofbits.com>
* Fix incorrect documentation on X509Req.set_version #1130 (#1131)Amir Omidi2022-06-281-1/+1
|
* Add inline type annotations (#1089)lovetox2022-05-201-192/+274
| | | | | | | | | | | | | | | | | * crypto: Add type annotations * Don’t redefine var mypy complains about the redefinition * _util: Add type annotations * rand: Add type annotations * Prepare package & CI for running mypy * fix toxenv name Co-authored-by: Maximilian Hils <github@maximilianhils.com>
* Handle no expire date in X509.has_expire() (#1083)lovetox2022-05-131-1/+4
| | | | | | get_notAfter() can return None. Instead of raising a NoneType error, raise a ValueError which tells us why it failed.
* Fix X.509 version handling. (#1123)David Benjamin2022-05-121-1/+1
| | | | | | | | | | | | | | | | | Certificate versions go up to v3 (numeric value 2), CRLs go up to v2 (numeric value 1), and CSRs go up to v1 (numeric value 0). This CL fixes the following issues: - Add a missing check to the return value of X509_set_version - Fix crlDataUnsupportedExtension which had an invalid CRL version. - Switch TestX509.test_version to test valid versions, so it doesn't prevent OpenSSL or an OpenSSL derivative from checking for invalid versions. - Make TestX509Req.test_version tolerate set_version(1) failing on CSRs. Since there's nothing useful to test otherwise, I've made the test work for either possible backend behavior.
* remove more global initialization that isn't required on modern openssl (#1108)Alex Gaynor2022-03-131-16/+0
|
* Remove call that hasn't been required since OpenSSL 1.1.0 (#1107)Alex Gaynor2022-03-131-5/+0
|
* Changed load_crl doc comment return to CRL (#1105)Oscar Mattsson2022-03-031-1/+1
|
* flake8-import-order (#1099)whiteowl32022-03-021-5/+6
| | | | | | | | | | | * flake8-import-order * make sure bad import orders fail * flake8-import-order * add application name to flake8 section * correct import order for openssl as application
* don't block ec/ed keys from_cryptography_key() (#1096)whiteowl32022-02-261-2/+11
| | | | | | | * don't block ec/ed keys from_cryptography_key() * clean up test comments * properly describe test
* Stop passing backend to cryptography (#1094)Alex Gaynor2022-02-131-23/+5
|
* Use a non-deprecated OpeNSSL function (#1093)Alex Gaynor2022-02-131-4/+4
|
* X509Name: Raise AttributeError correctly (#1088)lovetox2022-01-301-1/+1
| | | | | | | X509Name does only inherit from object, which has no __getattr__() method. By accident this also raised an AttributeError but the error message is confusing. This commit now raises the AttributeError with a descriptive message.
* X509Name: Use functools.totalordering for comparisons (#1086)lovetox2022-01-301-16/+10
| | | | | | | | | | | * X509Name: Use functools.totalordering for comparisons - Reduce the magic - Make it more readable - Make it easier to add type annotations in the future * Correctly return NotImplemented * Add new comparison test case
* Don’t inherit from object (#1084)lovetox2022-01-301-16/+16
| | | In python3 all classes inherit by default from object
* Remove superfluous isinstance() call (#1087)lovetox2022-01-301-3/+2
| | | | - hex() returns always str - don’t redefine variable
* latest black (#1082)Paul Kehrer2022-01-291-1/+1
|
* Docs: Fix param type for methods where digest is used (#1078)lovetox2022-01-291-5/+5
|
* Rename path_string to path_bytes since that's what it actually does (#1067)Alex Gaynor2021-12-201-3/+3
|
* Remove native, it's behavior is confusing (#1069)Alex Gaynor2021-12-201-14/+11
| | | Instead just decode stuff at the call-sites -- 100% of which were passing bytes
* use more functions guaranteed available in cryptography 35.0 (#1060)Paul Kehrer2021-11-041-10/+10
| | | | | * use more functions guaranteed available in cryptography 35.0 * these are also guaranteed
* py27 going, going, gone (#1047)Paul Kehrer2021-10-041-26/+18
| | | | | | | | | | | * py27 going, going, gone * black * more black * ok then * forgot to remove pypy2
* use public interfaces for all cryptography<->pyopenssl translations (#1030)Paul Kehrer2021-07-251-26/+50
|
* remove CB_ISSUER_CHECK (#982)Rosen Penev2021-02-201-1/+0
| | | | | Deprecated under OpenSSL 1.1 Signed-off-by: Rosen Penev <rosenp@gmail.com>
* fix a memleak (#967)Paul Kehrer2020-11-271-1/+12
| | | | | * fix a memleak * black
* Drop CI for OpenSSL 1.0.2 (#953)Alex Gaynor2020-10-261-10/+2
| | | | | | | * Drop CI for OpenSSL 1.0.2 * Delete code for coverage reasons * Bump minimum cryptography version
* Fixing issue #798 (#907)jalberdi0042020-10-181-1/+4
| | | | | | * Fixing issue #798, thanks to @reaperhulk; removing undocumented '%s' option and getting the date in a more robust way Co-authored-by: Joseba Alberdi <j.alberdi@simuneatomistics.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Correct typos in crypto.py (#949)Felix Yan2020-10-141-2/+2
|
* crypto._PassphraseHelper: pass non-callable passphrase using callback (#947)Huw Jones2020-10-121-10/+9
| | | | | | | | | | | | * crypto._PassphraseHelper: pass non-callable passphrase using callback Fixes #945 Before this commit, we would pass a bytes passphrase as a null terminated string. This causes issue when a randomly generated key's first byte is null because OpenSSL rightly determines the key length is 0. This commit modifies the passphrase helper to pass the passphrase via the callback * Update changelog to document bug fix
* Allow using additional untrusted certificates for chain building in ↵Sándor Oroszi2020-10-121-2/+34
| | | | | | | | | | | | X509StoreContext (#948) The additional certificates provided in the new `chain` parameter will be untrusted but may be used to build the chain. This makes it easier to validate a certificate against a store which contains only root ca certificates, and the intermediates come from e.g. the same untrusted source as the certificate to be verified. Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
* Allow using an OpenSSL hashed directory for verification in X509Store (#943)Sándor Oroszi2020-09-111-0/+48
| | | | | | | Add X509Store.load_locations() to set a CA bundle file and/or an OpenSSL- style hashed CA/CRL lookup directory, similar to the already existing SSL.Context.load_verify_locations(). Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
* Switch to new notBefore/After APIs (#843)Rosen Penev2020-08-131-6/+6
| | | Signed-off-by: Rosen Penev <rosenp@gmail.com>
* Allow accessing a connection's verfied certificate chain (#894)Shane Harvey2020-08-051-1/+41
| | | | | | | | | | | | | | | | | | | | | | | | | * Allow accessing a connection's verfied certificate chain Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain. Add Connection.get_verified_chain using SSL_get0_verified_chain if available (ie OpenSSL 1.1+) and X509StoreContext.get_verified_chain otherwise. Fixes #740. * TLSv1_METHOD -> SSLv23_METHOD * Use X509_up_ref instead of X509_dup * Add _openssl_assert where appropriate * SSL_get_peer_cert_chain should not be null * Reformat with black * Fix <OpenSSL.crypto.X509 object at 0x7fdbb59e8050> != <OpenSSL.crypto.X509 object at 0x7fdbb59daad0> * Add Changelog entry * Remove _add_chain
* Deprecated pkcs7 and pkcs12 support (#921)Alex Gaynor2020-08-051-1/+23
|
* Paint it Black by the Rolling Stones (#920)Alex Gaynor2020-07-231-97/+151
|
* Remove asserts (#904)Adrián Chaves2020-03-311-2/+2
|
* Fix PKey.check for some broken keys (#897)Mrmaxmeier2020-03-111-1/+1
| | | | | | | | | * fix PKey.check for some broken keys RSA_check_key is documented to return 1 for valid keys. It (currently) returns 0 or -1 for invalid ones. The previous code accepted invalid keys if RSA_check_key returns -1! * add test
* Make the code slightly resillient to python4 (#880)Alex Gaynor2019-11-181-2/+2
|
* Removed deprecated Type aliases (#814)Alex Gaynor2019-02-071-71/+0
| | | | | | | | | | | | * Removed deprecated Type aliases * typo * typo * missed this somehow * Line wrap
* Provide a valid digest option (#811)Wayne Werner2019-01-301-1/+1
| | | 2566 is not a valid digest, whoops!
* add key types consts (#776)Igr2019-01-211-0/+2
|
View Lorry Controller Status