| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
* Reject invalid versions in X509Req.set_version
* Update CHANGELOG.rst
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
---------
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
|
|
|
|
|
| |
* port changelog
* forward port the nid2sn workaround
|
|
|
|
|
| |
* fix tests on Windows, add Windows CI
* remove test safeguards from coverage
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for DTLS timeouts
When performing a DTLS handshake, the DTLS state machine may need to be
updated based on the passage of time, for instance in response to packet
loss.
OpenSSL supports this by means of the `DTLSv1_get_timeout` and
`DTLSv1_handle_timeout` methods, both of which are included in
cryptography's bindings. This change adds Python wrappers for these
methods in the `Connection` class.
|
|
|
|
|
| |
* Reformat code using black 23.x
* fix compat with tox 4
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Fix CRL nextUpdate handling.
When setting the nextUpdate field of a CRL, this code grabbed the
nextUpdate ASN1_TIME field from the CRL and set its time. But nextUpdate
is optional in a CRL so that field is usually NULL. But OpenSSL's
ASN1_TIME_set_string succeeds when the destination argument is NULL, so
it was silently a no-op.
Given that, the call in a test to set the nextUpdate field suddenly
starts working and sets the time to 2018, thus causing the CRL to be
considered expired and breaking the test. So this change also changes
the expiry year far into the future.
Additionally, the other CRL and Revoked setters violate const in the
API.
Fixes #1168.
* Replace self-check with an assert for coverage
* Update src/OpenSSL/crypto.py
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
|
|
|
|
|
|
|
|
| |
* Add support for X509_V_FLAG_PARTIAL_CHAIN
* Remove unneeded import
* Update changelog to add PR number.
* Fix whitespace issue identified by black
|
| |
|
|
|
|
|
|
|
|
|
| |
(#1147)
* disallow latest sphinx release because it doesn't work with sphinx_rtd_theme
* Update test_ssl.py
* black
|
|
|
|
|
|
|
|
|
|
|
| |
* add `Connection.use_(certificate|privatekey)`
* bump minimum cryptography version
* deduplicate tests
* black!
* max line length
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Don't test that invalid RSA keys can be imported
test_check_pr_897 asserts that an invalid key is correctly detected as
invalid. However, in doing so, it also asserts that the invalid key is
considered *valid* at parse time.
Ideally, the underlying cryptography library would just call
RSA_check_key during parsing, but it would then fail this test. Make the
test more tolerant by allow either parsing or checking to throw an
error.
* Review comments, and also update the other test
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* OpenSSL/crypto: make X509StoreContextError's message friendlier
Closes #1132.
Signed-off-by: William Woodruff <william@trailofbits.com>
* tests: update exception tests
Signed-off-by: William Woodruff <william@trailofbits.com>
* OpenSSL/crypto: blacken
Signed-off-by: William Woodruff <william@trailofbits.com>
* CHANGELOG: record changes
Signed-off-by: William Woodruff <william@trailofbits.com>
|
|
|
|
|
|
| |
get_notAfter() can return None.
Instead of raising a NoneType error, raise a ValueError which tells
us why it failed.
|
|
|
|
|
|
|
|
|
|
|
| |
* add `Connection.set_verify`, fix #255
* show that it works with cryptography main
* Revert "show that it works with cryptography main"
This reverts commit fb0136a8e5aa5d2c6e0c16f8f4ecee2f3c72a16b.
* make it black
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Certificate versions go up to v3 (numeric value 2), CRLs go up to v2
(numeric value 1), and CSRs go up to v1 (numeric value 0). This CL fixes
the following issues:
- Add a missing check to the return value of X509_set_version
- Fix crlDataUnsupportedExtension which had an invalid CRL version.
- Switch TestX509.test_version to test valid versions, so it doesn't
prevent OpenSSL or an OpenSSL derivative from checking for invalid
versions.
- Make TestX509Req.test_version tolerate set_version(1) failing on CSRs.
Since there's nothing useful to test otherwise, I've made the test
work for either possible backend behavior.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* repair CI
* more fixes
* pypy39 requires latest cryptography
* Apply suggestions from code review
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* use constant
* bump minimum version
* remove unneeded try
* fix
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* flake8-import-order
* make sure bad import orders fail
* flake8-import-order
* add application name to flake8 section
* correct import order for openssl as application
|
|
|
|
|
|
|
| |
* don't block ec/ed keys from_cryptography_key()
* clean up test comments
* properly describe test
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* X509Name: Use functools.totalordering for comparisons
- Reduce the magic
- Make it more readable
- Make it easier to add type annotations in the future
* Correctly return NotImplemented
* Add new comparison test case
|
|
|
| |
In python3 all classes inherit by default from object
|
| |
|
|
|
|
|
|
|
|
| |
* Reduce MD5 and SHA1 dependency in tests
Most of the tests aren't specifically testing MD5 or SHA1. Switch those
to a modern hash.
* Fix line length
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Expose DTLS_METHOD and friends
* Expose OP_NO_RENEGOTIATION
* Expose DTLS MTU-related functions
* Expose DTLSv1_listen and associated callbacks
* Add a basic DTLS test
* Cope with old versions of openssl/libressl
* blacken
* Soothe flake8
* Add temporary hack to skip DTLS test on old cryptography versions
* Update for cryptography v35 release
* Add changelog entry
* Fix versionadded::
* get_cleartext_mtu doesn't exist on decrepit old openssl
* Rewrite DTLS test to work around stupid OpenSSL misbehavior
* flake8 go away
* minor tidying
|
|
|
|
|
|
|
| |
* Check for invalid ALPN lists before calling OpenSSL, for consistency
Fixes gh-1043
* Soothe flake8
|
|
|
|
|
|
|
|
|
|
|
| |
* py27 going, going, gone
* black
* more black
* ok then
* forgot to remove pypy2
|
|
|
|
|
|
|
|
| |
While the tests currently pass without it, this is because OpenSSL's
encoder doesn't notice that it is emitting garbage. See
https://github.com/openssl/openssl/issues/16538
Fill in a placeholder validity period so the tests both better mirror
real X.509 signing code and do not rely on this bug.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A default-constructed X509_REQ or NETSCAPE_SPKI contains empty values
for all its fields, notably the OIDs in public keys. This initial state
is incomplete and not yet a valid object. The ASN.1 structures make the
public key mandatory. When serializing, OpenSSL would previously
silently omit the field, which doesn't actually produce a valid
structure.
As of https://github.com/openssl/openssl/pull/16027, OpenSSL will notice
this and return an error rather than serialize garbage. Sadly, that had
to be reverted on 1.1.1, but it is present in the 3.0 branch. With that
change, some of pyOpenSSL's tests fail.
The bug here is in pyOpenSSL: pyOpenSSL tests are trying to serialize
incomplete objects. Instead, fill in the public key. While not
syntactically necessary (the empty string is a BIT STRING), also fill in
the signature for NetscapeSPKI, to better align with real code.
Tested by running pyOpenSSL tests against a copy of OpenSSL 1.1.1's dev
branch, prior to the changes getting reverted.
|
|
|
|
|
| |
* Attempt to test with system OpenSSL on recent Ubuntu
* attempted fix for this test
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* add Context.set_*_proto_version, fix #860
* docs: add new openssl tls methods
* accept the fact that nothing can be taken for granted
* bump minimum required cryptography version to 3.3
* drop support for Python 3.5
* use binary wheels for cryptography
* Revert "use binary wheels for cryptography"
This reverts commit 91a04c612ed1d0dd9fd541dfefe21cac7c25b1c1.
* docker ci: compile cryptography with rust
|
|
|
|
|
|
|
| |
* check return code of SSL_CTX_set_alpn_protos, fix #992
* paint it black!
* fix line lengths as well :upside_down_face:
|
|
|
|
|
| |
* fix a memleak
* black
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Keep reference to SSL verify_call in Connection object
If a set_verify is used on a context before and after a Connection
the reference in the SSL* object still points to the old _verify_helper
object. Since this object has no longer any references to it, the
callback can result in a segfault.
This commit fixes the issues by ensuring that as long as the
Connection object/SSL* object lives a reference to the callback
function is held.
* Add Unit test for set_verify_callback deference
|
|
|
|
|
|
|
| |
* Drop CI for OpenSSL 1.0.2
* Delete code for coverage reasons
* Bump minimum cryptography version
|
|
|
|
|
|
|
|
|
|
|
|
| |
* crypto._PassphraseHelper: pass non-callable passphrase using callback
Fixes #945
Before this commit, we would pass a bytes passphrase as a null terminated string.
This causes issue when a randomly generated key's first byte is null because
OpenSSL rightly determines the key length is 0.
This commit modifies the passphrase helper to pass the passphrase via the
callback
* Update changelog to document bug fix
|
|
|
|
|
|
|
|
|
|
|
|
| |
X509StoreContext (#948)
The additional certificates provided in the new `chain` parameter will be
untrusted but may be used to build the chain.
This makes it easier to validate a certificate against a store which
contains only root ca certificates, and the intermediates come from e.g.
the same untrusted source as the certificate to be verified.
Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
|
|
|
|
|
|
|
| |
Add X509Store.load_locations() to set a CA bundle file and/or an OpenSSL-
style hashed CA/CRL lookup directory, similar to the already existing
SSL.Context.load_verify_locations().
Co-authored-by: Sandor Oroszi <sandor.oroszi@balabit.com>
|
| |
|
|
|
|
|
|
|
| |
* Context.set_verify: allow omission of callback
* squeeze to 80 chars
* make it clear that default callback is used
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Allow accessing a connection's verfied certificate chain
Add X509StoreContext.get_verified_chain using X509_STORE_CTX_get1_chain.
Add Connection.get_verified_chain using SSL_get0_verified_chain if
available (ie OpenSSL 1.1+) and X509StoreContext.get_verified_chain
otherwise.
Fixes #740.
* TLSv1_METHOD -> SSLv23_METHOD
* Use X509_up_ref instead of X509_dup
* Add _openssl_assert where appropriate
* SSL_get_peer_cert_chain should not be null
* Reformat with black
* Fix <OpenSSL.crypto.X509 object at 0x7fdbb59e8050> != <OpenSSL.crypto.X509 object at 0x7fdbb59daad0>
* Add Changelog entry
* Remove _add_chain
|
|
|
|
|
|
|
|
|
| |
* focal time
* larger dh params, assert on something
* urllib3 fix
* actually check an error
|
|
|
|
|
| |
* remove npn support entirely. you should be using alpn
* flake8
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
* simplify
* generate new certs and keys with 3072-bit RSA
* black
* add a test to avoid losing coverage
|
|
|
|
|
|
|
| |
* make our CI less frustrating
* sigh, even less sensitive
* can we stop doing this on macos now?
|
| |
|