path: root/tests
Age | Commit message | Author | Files | Lines

43 hours | extensions: EKU must contain at least one member (#11383) | William Woodruff | 1 | -0/+10
* extensions: EKU must contain at least one member
  Signed-off-by: William Woodruff <william@trailofbits.com>
* record changes
  Signed-off-by: William Woodruff <william@trailofbits.com>
* empty EKU test vector
  Signed-off-by: William Woodruff <william@trailofbits.com>
* typo
  Signed-off-by: William Woodruff <william@trailofbits.com>
---------
Signed-off-by: William Woodruff <william@trailofbits.com>
2024-07-20 | Fix exchange with keys that had Q automatically computed (#11309) | Alex Gaynor | 1 | -0/+10
fixes #10790
closes #10864
closes #11218

2024-07-20 | don't assign unused name (#11310) | Alex Gaynor | 1 | -1/+1

2024-07-18 | Add support for encrypting S/MIME messages (#10889) | Facundo Tuesca | 1 | -1/+248
* Add support for encrypting S/MIME messages
* Move PKCS7 decrypt test function to Rust
* Use symmetric encryption function from PKCS12
* Remove debug file write from tests
* Remove unneeded backend parameter
* docs and changelog

2024-07-17 | Bump vectors (#11288) | William Woodruff | 1 | -1/+7
* Bump x509-limbo and/or wycheproof in CI
* test_limbo: allow build_server_verifier to fail ...in a predictable way.
* test_limbo: remove assert
* test_limbo: return early when exceptional
---------
Co-authored-by: pyca-boringbot[bot] <pyca-boringbot[bot]+106132319@users.noreply.github.com>
2024-07-15 | Migrate PKCS#7 test_support function to Rust (#11282) | Alex Gaynor | 1 | -85/+19

2024-07-15 | Move rust code that exists for our tests to its own module (#11280) | Alex Gaynor | 1 | -4/+4
* Move rust code that exists for our tests to its own module
* Update src/rust/src/test_support.rs
  Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
---------
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>

2024-07-15 | Try removing a workaround for old OpenSSL (#11275) | Alex Gaynor | 1 | -5/+0
* Try removing a workaround for old OpenSSL
* Update test_pkcs7.py

2024-07-14 | Remove workaround for old libressl (#11274) | Alex Gaynor | 1 | -4/+1
* Remove workaround for old libressl
* Update backend.py

2024-07-07 | Remove typechecking that pyo3 does automatically (#11212) | Alex Gaynor | 1 | -2/+4

2024-07-05 | Enforce length for CommonName (#11201) | Alex Gaynor | 1 | -1/+8
fixes #10553
2024-07-05 | add support for CipherContext.update_nonce (#10437) | Paul Kehrer | 3 | -2/+124
* add support for CipherContext.reset_nonce
  This only supports ChaCha20 and ciphers in CTR mode.
* expand tests to reset to different nonces
2024-07-05 | Add rsa_recover_private_exponent function (#11193) | Daniel Lenski | 1 | -1/+30
Given the RSA public exponent (`e`), and the RSA primes (`p`, `q`), it is possible to calculate the corresponding private exponent `d = e⁻¹ mod λ(n)` where `λ(n) = lcm(p-1, q-1)`.

With this function added, it becomes possible to use the library to reconstruct an RSA private key given *only* `p`, `q`, and `e`:

    from cryptography.hazmat.primitives.asymmetric import rsa

    n = p * q
    d = rsa.rsa_recover_private_exponent(e, p, q)  # newly-added piece
    iqmp = rsa.rsa_crt_iqmp(p, q)                  # preexisting
    dmp1 = rsa.rsa_crt_dmp1(d, p)                  # preexisting
    dmq1 = rsa.rsa_crt_dmq1(d, q)                  # preexisting
    assert rsa.rsa_recover_prime_factors(n, e, d) in ((p, q), (q, p))  # verify consistency
    privk = rsa.RSAPrivateNumbers(p, q, d, dmp1, dmq1, iqmp, rsa.RSAPublicNumbers(e, n)).private_key()

Older RSA implementations, including the original RSA paper, often used the Euler totient function `ɸ(n) = (p-1) * (q-1)` instead of `λ(n)`. The private exponents generated by that method work equally well, but may be larger than strictly necessary (`λ(n)` always divides `ɸ(n)`).

This commit additionally implements `_rsa_recover_euler_private_exponent`, so that tests of the internal structure of RSA private keys can allow for either the Euler or the Carmichael versions of the private exponents.

It makes sense to expose only the more modern version (using the Carmichael totient function) for public usage, given that it is slightly more computationally efficient to use the keys in this form, and that some standards like FIPS 186-4 require this form. (See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf#page=63)
2024-07-05 | Convert the remainder of PKCS#12 encryption to Rust (#11200) | Alex Gaynor | 2 | -58/+2

2024-06-30 | Add _utc datetime methods to x509.ocsp (#11183) | Magnus Watn | 1 | -37/+132
Fixes #11170.

2024-06-29 | utils.int_to_bytes: guard against zero-length (#11173) | David Buchanan | 2 | -0/+37
* utils: guard against zero-length int_to_bytes
* add tests for HBKDF with llen=0
* kbkdf: guard against llen==0
* test that kbkdf rejects llen==0 at __init__
* add standalone test for zero-length int_to_bytes
* Update src/cryptography/hazmat/primitives/kdf/kbkdf.py
  typo
  Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---------
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
2024-06-25 | policy/extension: improve extension policy errors (#11162) | William Woodruff | 1 | -1/+31
* policy/extension: improve extension policy errors
* verification: ValidationError::ExtensionError variant
  Begin cleaning things up.
* policy/extension: remove redundant clone
* ensure that we render the ext OID
* lib: coverage for other display arms
* relocate custom vector
* test-vectors: typo

2024-06-10 | Convert `PKCS7PaddingContext` to Rust (#11089) | Alex Gaynor | 1 | -2/+2

2024-06-08 | Added a benchmark for fernet (#11088) | Alex Gaynor | 1 | -0/+10
This tests many different primitives

2024-06-03 | Register OCSPSingleResponse implementation with interface (#11066) | Alex Gaynor | 1 | -0/+1

2024-06-03 | added tests for PKCS12Certificate with encryption builder (#11060) | Alex Gaynor | 1 | -0/+6

2024-06-03 | fixes #11062 -- register OCSP implementations with interfaces (#11063) | Alex Gaynor | 1 | -0/+2
2024-05-27 | re-add branch we dropped in the past (#11030) | Paul Kehrer | 2 | -0/+33
* re-add branch we dropped in the past
* add the test
* test all key types
* Update src/rust/src/backend/utils.rs
  Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---------
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

2024-05-09 | Support empty string in `Name.from_rfc4514_string()` (#10964) | Marti Raudsepp | 2 | -0/+4
Empty string is a valid result from RFC4514 serialization, and should parse successfully.

According to https://datatracker.ietf.org/doc/html/rfc4514#section-2.1

> If the RDNSequence is an empty sequence, the result is the empty or zero-length string.

2024-05-05 | Apply ruff/flake8-implicit-str-concat rule ISC001 (#10932) | Dimitri Papadopoulos Orfanos | 3 | -7/+7
ISC001 Implicitly concatenated string literals on one line

This rule is currently disabled because it conflicts with the formatter:
https://github.com/astral-sh/ruff/issues/8272
2024-05-01 | Ensure curves are supported in deterministic ECDSA tests (#10917) | Alex Gaynor | 2 | -0/+21
* Ensure curves are supported in deterministic ECDSA tests
* x25519/x448 isn't fips anymore I guess
2024-04-29 | Added additional PKCS#12 tests (#10902) | Alex Gaynor | 1 | -4/+12

2024-04-28 | Begin migrating PKCS#12 serialization to Rust (#10616) | Alex Gaynor | 1 | -3/+0
For now, only handle unencrypted cert-only PKCS#12.

2024-04-25 | fix for upcoming ruff lint (#10891) | Alex Gaynor | 1 | -1/+1

2024-04-21 | Add timezone-aware API variant for `x509.InvalidityDate.invalidity_date` (#10848) | Facundo Tuesca | 1 | -0/+20

2024-03-29 | Added test for ClientVerifier.store (#10665) | Alex Gaynor | 1 | -0/+1

2024-03-27 | Add public_key_algorithm_oid to certificate and CSR (#10517) | Julien Castiaux | 1 | -3/+88
2024-03-22 | Adding support for OpenSSH ecdsa-sk & ed25519-sk public keys (#10608) | commonism | 1 | -4/+29
* Adding support for OpenSSH ecdsa-sk & ed25519-sk public keys
  fixes #10604
* Revert changing the keygen
* Add application string to sk key generation
* Typing - fix load_application return value annotation
* fix sk keys skipping loading in the tests
* fix ruff E509
* Fix ruff …
* comment wording
  Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* requested changes
* no subclassing
* fix SyntaxError: annotated name '_KEY_FORMATS' can't be global in python 3.7
  c.f. https://github.com/python/cpython/issues/79120
* typo
* Update src/cryptography/hazmat/primitives/serialization/ssh.py
  Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* Update src/cryptography/hazmat/primitives/serialization/ssh.py
  Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---------
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>

2024-03-22 | Added additional PKCS#12 tests (#10625) | Alex Gaynor | 1 | -0/+24

2024-03-21 | Added additional PKCS#12 tests (#10622) | Alex Gaynor | 1 | -0/+26
2024-03-20 | verification: client verification APIs (#10345) | William Woodruff | 2 | -14/+65
* verification: WIP client verification skeleton
  Signed-off-by: William Woodruff <william@yossarian.net>
* verify: fill in build_client_verifier
  Signed-off-by: William Woodruff <william@yossarian.net>
* implement ClientVerifier.verify
  Signed-off-by: William Woodruff <william@yossarian.net>
* verification: make Python 3.8 happy
  Signed-off-by: William Woodruff <william@yossarian.net>
* switch to a full VerifiedClient type
  Signed-off-by: William Woodruff <william@yossarian.net>
* remove the SubjectOwner::None hack
  Signed-off-by: William Woodruff <william@yossarian.net>
* docs: fix ClientVerifier
  Signed-off-by: William Woodruff <william@yossarian.net>
* verification: replace match with if
  Signed-off-by: William Woodruff <william@yossarian.net>
* return GNs directly, not whole extension
  Signed-off-by: William Woodruff <william@yossarian.net>
* docs/verification: document UnsupportedGeneralNameType raise
  Signed-off-by: William Woodruff <william@yossarian.net>
* lib: RFC822 checks on NCs
* test_limbo: enable client tests
* tests: flake
* test_verification: more Python API coverage
* verification: filter GNs by NC support
* verification: forbid unsupported NC GNs
  This is what we should have been doing originally, per RFC 5280 4.2.1.10:
  > If a name constraints extension that is marked as critical
  > imposes constraints on a particular name form, and an instance of
  > that name form appears in the subject field or subjectAltName
  > extension of a subsequent certificate, then the application MUST
  > either process the constraint or reject the certificate.
* docs/verification: remove old sentence
  Signed-off-by: William Woodruff <william@yossarian.net>
* verification: ensure the right EKU for client/server paths
  Signed-off-by: William Woodruff <william@yossarian.net>
* test_limbo: fixup EKU assertion
* verification: feedback
---------
Signed-off-by: William Woodruff <william@yossarian.net>
2024-03-09 | Additional type asserts for latest mypy (#10560) | Alex Gaynor | 1 | -3/+10

2024-03-07 | Updates for ruff 0.3.1 (#10548) | Alex Gaynor | 4 | -22/+15

2024-03-05 | test_limbo: skip things more idiomatically (#10539) | William Woodruff | 1 | -7/+8

2024-03-05 | test_limbo: skip non-SERVER cases for now (#10538) | William Woodruff | 1 | -0/+3
* test_limbo: skip non-SERVER cases for now
  Signed-off-by: William Woodruff <william@yossarian.net>
* Bump x509-limbo and/or wycheproof in CI
---------
Signed-off-by: William Woodruff <william@yossarian.net>
Co-authored-by: pyca-boringbot[bot] <pyca-boringbot[bot]+106132319@users.noreply.github.com>
2024-03-03 | Convert PKCS12Certificate to Rust (#10521) | Alex Gaynor | 1 | -1/+1
2024-02-29 | Upgraded version of ruff (#10509) | Alex Gaynor | 10 | -17/+15

2024-02-26 | Support for ECDSA deterministic signing (RFC 6979) (#10369) | Facundo Tuesca | 2 | -0/+118
* Add support for deterministic ECDSA (RFC 6979)

2024-02-20 | Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) | Facundo Tuesca | 1 | -2/+52
* Fix ASN.1 for S/MIME capabilities.

  The current implementation defines the SMIMECapabilities attribute so that its value is a SEQUENCE of all the algorithm OIDs that are supported. However, the S/MIME v3 spec (RFC 2633) specifies that each algorithm should be specified in its own SEQUENCE:

      SMIMECapabilities ::= SEQUENCE OF SMIMECapability

      SMIMECapability ::= SEQUENCE {
         capabilityID OBJECT IDENTIFIER,
         parameters ANY DEFINED BY capabilityID OPTIONAL }

  (RFC 2633, Appendix A)

  This commit changes the implementation so that each algorithm is inside its own SEQUENCE. This also matches the OpenSSL implementation.

* Fix the RSA OID used for signing PKCS#7/SMIME

  The current implementation computes the algorithm identifier used in the `digest_encryption_algorithm` PKCS#7 field (or `SignatureAlgorithmIdentifier` in S/MIME) based on both the algorithm used to sign (e.g. RSA) and the digest algorithm (e.g. SHA512). This is correct for ECDSA signatures, where the OIDs used include the digest algorithm (e.g: ecdsa-with-SHA512).

  However, due to historical reasons, when signing with RSA the OID specified should be the one corresponding to just RSA ("1.2.840.113549.1.1.1" rsaEncryption), rather than OIDs which also include the digest algorithm (such as "1.2.840.113549.1.1.13", sha512WithRSAEncryption).

  This means that the logic to compute the algorithm identifier is the same except when signing with RSA, in which case the OID will always be `rsaEncryption`. This is consistent with the OpenSSL implementation, and the RFCs that define PKCS#7 and S/MIME. See RFC 3851 (section 2.2), and RFC 3370 (section 3.2) for more details.

* Add tests for the changes in PKCS7 signing
* PKCS7 fixes from code review
* Update CHANGELOG
2024-02-19 | Convert PKCS#12 loading to Rust (#10434) | Alex Gaynor | 2 | -11/+15

2024-02-19 | Move a few more constants fully to Rust (#10428) | Alex Gaynor | 8 | -18/+24

2024-02-19 | Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) | Alex Gaynor | 1 | -0/+18

2024-02-18 | Convert symmetric ciphers to Rust (#9859) | Alex Gaynor | 2 | -71/+13

2024-02-17 | support RC2-CBC (#10407) | Paul Kehrer | 2 | -2/+42
This PR supports a bad old algorithm to support a scapy use case, but does not expose support for effective key bits or any key length other than 128-bit. CBC support only -- no other modes.

2024-02-08 | skip overflow aead tests on 32-bit systems (#10366) | Paul Kehrer | 1 | -11/+13
* Revert "smaller mmap in tests to fit in a 32-bit ssize_t (#10365)"
  This reverts commit b6934e7301d3401ee7f4dcb153f8fa265f577bbf.
* skip overflow aead tests on 32-bit systems