[Pkg-freeipa-devel] [Git][freeipa-team/python-jwcrypto][master] 84 commits: Add P-256K alias for secp256k1
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Thu Feb 15 08:35:11 GMT 2024
Timo Aaltonen pushed to branch master at FreeIPA packaging / python-jwcrypto
Commits:
3524c722 by Simo Sorce at 2021-12-02T12:36:44-05:00
Add P-256K alias for secp256k1
Resolves #241
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
8613bae0 by Simo Sorce at 2021-12-02T12:36:44-05:00
Refactor how EC curves are fetched
Deprecates the get_curve() function which shouldn't really be exposed
to users as it is an internal detail.
Change tests and jwa.py to stop using get_curve()
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
172af589 by Simo Sorce at 2021-12-03T16:29:48-05:00
Add a sphinx doctest target
Reformat example code as necessary to make it pass tests.
Specifically some of the randomly generated output has been replaced
with '...' which is the only way to make doctest match/skip a part of
the ouput while still running the command for testing.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
48f62347 by Simo Sorce at 2022-01-07T15:09:22-05:00
Add way to verify detached payloads
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
c6dcae9e by Justin Frahm at 2022-04-13T14:40:53-04:00
Handle multiple keys with same kid
Signed-off-by: Justin Frahm <justin.frahm at maxar.com>
- - - - -
38b427c3 by Simo Sorce at 2022-04-26T18:48:14-04:00
Fix test to use correct parameters
Otherwise false negatives may happen
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
d3f6226b by Simo Sorce at 2022-04-26T18:51:15-04:00
Version 1.2
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
d83b316b by Simo Sorce at 2022-04-28T14:13:45-04:00
Add auto-publishing to pypi on release
This triggers when a release tag is pushed
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
7a181049 by Simo Sorce at 2022-04-28T14:30:52-04:00
Source README.md in setup to be used for PyPI
When Release scripts publish to PyPI they will set the README.md as
the long decription there.
- - - - -
fd2f49e0 by Simo Sorce at 2022-05-10T09:03:02-04:00
Allow passing p2s/p2c params on encrypting
This was not really obvious but clearly it should be possible to pass in
parameters (p2s/p2c) in input when using PBES, and set defaults if they
are not provided.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
7dcc162b by Simo Sorce at 2022-05-10T09:03:02-04:00
Fix error message
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
5dc1aee6 by Simo Sorce at 2022-05-10T09:03:28-04:00
Allow audience claims to be arrays
This means that if a server checking a token provides an array as the
check_claims argument it intends that the server is handling multiple
identities and the token checks will result valid as long as one of the
audiences matches one of the identities the server impersonates.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
8f2ddb7f by Simo Sorce at 2022-05-11T10:59:51-04:00
Test that JWS argument is not modified
See Issue #281
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
4d375fc6 by Simo Sorce at 2022-05-11T10:59:51-04:00
JWS: Ensure arguments are not modified
In some cases a dictionary passsed in to JWS would be stored directly as
a reference and later modified due to internal header processing.
Ensure all disctionaries are properly copied, generally by simply
re-encoding them on assignment.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
a33cbb7d by Simo Sorce at 2022-05-11T10:59:51-04:00
JWT: Ensure claims setter does not modify argument
The processing of setting claims modifies the passed in dictionary if
there are deveult_claims set on the token. Always use a copy of the
dictionary to avoid changes to the passed in argument.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
9b3b4aa1 by Simo Sorce at 2022-05-11T15:29:23-04:00
Add class method to deserialize JWE token
One shot api to get a JWE token from a serialized json token
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
1a0d24dd by Simo Sorce at 2022-05-11T15:29:23-04:00
Add __str__ and __repr_ for JWE
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
5654d4a1 by Simo Sorce at 2022-05-11T15:29:23-04:00
Add class method to deserialize JWS token
One shot api to get a JWS token from a serialized json token
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
4d618002 by Simo Sorce at 2022-05-11T15:29:23-04:00
Add __str__ and __repr_ for JWS
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
481be4b1 by Simo Sorce at 2022-05-11T15:29:23-04:00
Add class method to deserialize JWT token
One shot api to get a JWT token from a serialized json token
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
56e3642a by Simo Sorce at 2022-05-11T15:29:23-04:00
Add __str__ and __repr_ for JWT
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
9f72813c by Simo Sorce at 2022-05-11T15:29:23-04:00
Add __eq__ function for JWS, JWE, JWT
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
bc1fd83e by Simo Sorce at 2022-05-11T15:29:23-04:00
Add tests for overloaded operators
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
737361f1 by Simo Sorce at 2022-05-11T17:40:09-04:00
JWT: Add validate() method
This allows callers to deserialize() without a key and later validate
the parsed token without having to deserialize() again from scratch.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
1b834581 by Simo Sorce at 2022-05-11T18:34:41-04:00
Add docstrings for return types of public methods
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
81797b9e by Simo Sorce at 2022-05-11T18:56:21-04:00
Add ReadTheDocs badge
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
c26c4a21 by Simo Sorce at 2022-05-11T22:30:59-04:00
JWE: Allow JWKSet as key for decryption
Adds support to use a JWKSet directly in JWE so that callers do not need
to loop on their own.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
e795a137 by Simo Sorce at 2022-05-11T22:30:59-04:00
JWS: Allow JWKSet as key for verification
Adds support to use a JWKSet directly in JWS so that callers do not need
to loop on their own.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
659fe723 by Simo Sorce at 2022-05-11T22:30:59-04:00
JWT: Move JWKSet processing to JWE,JWS
Instead of handling key sets in the JWT, push the work down into JWS and
JWE tokens now that they directly support it.
This has the side effect that the JWTMissingKey error cannot be easily
reported anymore, so deprecate it and stop using it.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
aad7da1f by Simo Sorce at 2022-05-12T15:07:53-04:00
Move version information into a single place
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
bd2a741b by Simo Sorce at 2022-05-12T15:09:41-04:00
Version 1.3
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
f2941876 by Simo Sorce at 2022-05-12T23:08:07-04:00
Add more nitpicking sphinx testing
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
793fb433 by Simo Sorce at 2022-05-12T23:08:07-04:00
Add documentation for jwcrypto.common
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
1e5c385a by Simo Sorce at 2022-05-12T23:08:07-04:00
Fix sphinx nitpicked errors
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
60fc7ee1 by Simo Sorce at 2022-05-13T13:11:02-04:00
Disable HW optimizations on ppc64le
Apparently since openssl 3.0.2 some assembly HW optimizations are
triggeringering QEMU emulation errors. Disabling accelaration at
runtime seem to make tests pass again.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
997b900d by Simo Sorce at 2022-05-21T11:37:25-04:00
Introduce a new JWKeyNotFound exception
This new Exception is returned only for the newly introduced support for
using JWKset.
This patch also includes a bugfix for jwe to be able to successfully
decrypt using a JWKSet, which was non-functional, and a direct test for
both JWE and JWS to insure no regressions in JWKSet support.
Also restores use of JWTMissingKey for backwards compatibility.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
e1b4c36e by Simo Sorce at 2022-05-21T11:39:08-04:00
Version 1.3.1
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
e5c1e421 by Christian Clauss at 2022-08-11T06:23:17-04:00
Upgrade GitHub Actions
- - - - -
5a13cfc6 by Simo Sorce at 2022-08-13T10:02:57-04:00
Add support for RFC 9278: JWK Thumbprint URI
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
f4e912f8 by Simo Sorce at 2022-09-13T12:14:23-04:00
Make JWT require to know what to expect
This is needed to address CVE-2022-3102.
Thanks to Tom tervoort from Secura for finding and reporting this issue.
Also test that "unepxected" token types are not validated
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
34b65252 by Simo Sorce at 2022-09-13T12:14:23-04:00
Add global workaround for applications
Because the previous patch changes the behavoir of jwcrypto, this knob
is a quick way for application developers to get back the old behavior
temporarily without having to change the code immediately as it may
require some significant refactoring, depending on how the application
was written.
This is not intended to be used in the long term and will be eventually
deleted. Unfortunately I cannot decorate a simply global variable with
the @deprecated decoration to make it clearer.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
84f121f5 by Simo Sorce at 2022-09-13T12:15:49-04:00
Version 1.4
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
c4e0beee by Simo Sorce at 2022-09-14T18:16:14-04:00
Add more heuristics for backwards JWT compat
These additional heuristics help in case the calling application was
correctly calssifying key usage, as this is another valid hitn of what
the application intended.
Invalid key usage would already cause failure, so this does not affect
the countermeasures introduced but can avoid issues in older
applications.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
54618cc2 by Simo Sorce at 2022-09-14T18:17:32-04:00
Version 1.4.1
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
69954476 by Jan Christian Grünhage at 2022-09-15T08:55:51-04:00
Fix typo in new backwards JWT compat heuristics
- - - - -
a7b2136b by Simo Sorce at 2022-09-15T08:55:51-04:00
Add tests for algos heuristics
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
83ab6cb4 by Simo Sorce at 2022-09-15T08:56:36-04:00
Version 1.4.2
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
3a8fb807 by Simo Sorce at 2022-09-28T13:29:21-04:00
Raising the bar for minimum pyca/cryptography
Fixes #305
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
28d71891 by Christian Clauss at 2022-10-04T12:45:56-04:00
Fix typos with codespell
- - - - -
14d1f81a by Simo Sorce at 2022-10-04T13:09:56-04:00
Add codespell checks in CI
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
fcdc7d76 by spilikin at 2022-10-10T16:35:40-04:00
Add Brainpool EC-curves support
This commit adds the support of Brainpool curves to jwcrypto. The Brainpool curves defined in RFC 5639 are mandatory for use in german e-health systems as defined by the Federal Office of Information Security (BSI) and National Digital Health Agency (gematik GmbH).
In order to use the public E-Health APIs clients are required to:
* Load and use the Brainpool keys using JWK
* Sign and verify the signatures using the Brainpool elliptic curves using JWS
* Encrypt and decrypt the data using the Brainpool elliptic curves and AES using JWE
At the time of this commit there is no official standardization of these algorithms for JOSE/JWK/JWS/JWE. The use of these algorithms is specified solely by the gematik GmbH – National Digital Health Agency - for use in german e-health applications.
Signed-off-by: Sergej Suskov <git at spilikin.dev>
- - - - -
434149a6 by Timo Aaltonen at 2022-11-07T19:34:37+02:00
Merge branch 'upstream'
- - - - -
de8708f4 by Timo Aaltonen at 2022-11-07T19:35:13+02:00
version bump
- - - - -
652afd92 by Christoph Zwerschke at 2023-03-15T10:19:30-04:00
Fix error message
- - - - -
4f6cf303 by Simo Sorce at 2023-03-15T10:57:35-04:00
Python 3.6 is not available anymore in CI
With the configured Ubuntu image it is not available, and it is not
worth doing a lot of work for it as 3.6 is on the way out generally
anyway.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
0c31ee00 by Simo Sorce at 2023-03-15T10:57:35-04:00
Make linter happier about dummy exception
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
381c5d12 by Simo Sorce at 2023-03-15T10:57:35-04:00
Fix codespell issue
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
dc21a783 by Simo Sorce at 2023-03-15T10:57:35-04:00
Fix test to actually do what it should
This one was odd, glad CI picked it.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
9f2cd3ab by Simo Sorce at 2023-03-15T11:05:07-04:00
Fix CI to run on the correct branch for main
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
2fec7038 by Simo Sorce at 2023-05-30T13:14:22-04:00
Misc fixes and docstring corrections
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
e08cbf16 by Simo Sorce at 2023-05-30T13:14:22-04:00
Use separate input_keysize property
This allows to propery compute an octect key for algorithms like
A256CBC-HS512 ha sa different input keysize than the putput key size.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
db1f9f45 by Simo Sorce at 2023-05-30T13:14:22-04:00
Add test to generate key with algorithm
This uses an algorithm that has different input_keysize and output
keysize.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
41fb08a0 by Simo Sorce at 2023-05-30T13:43:41-04:00
Version 1.5
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
4c900198 by Amaury Chamayou at 2023-11-28T16:31:42-05:00
Fix X25519 import/export from PEM
Signed-off-by: Amaury Chamayou <amaury at xargs.fr>
- - - - -
ac40895d by Simo Sorce at 2023-11-28T16:46:19-05:00
Read the Docs now requires a config file
Let's give it one.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
d64536b1 by peppelinux at 2023-12-07T09:16:13-05:00
chore: refactor for removing pdb symbols
- - - - -
6ee0e891 by Giuseppe De Marco at 2023-12-07T09:16:13-05:00
chore: arg renamed
- - - - -
d2655d37 by Simo Sorce at 2023-12-26T14:43:14-05:00
Fix potential DoS issue with p2c header
Unbounded p2c headers may be used to cause an application that accept
PBES algorithms to spend alot of resources running PBKDF2 with a very
high number of iterations.
Clamp the default maximum to 16384 (double the default of 8192).
An application that wants to use more iterations will have to chenge the
jwa default max.
Fixes CVE-2023-6681
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
066d13f2 by Simo Sorce at 2023-12-26T14:46:36-05:00
Update Security Policy
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
8ae0df65 by Simo Sorce at 2023-12-26T14:46:36-05:00
Version 1.5.1
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
70c0782d by David Diamant at 2024-01-08T12:29:27-05:00
replace deprecated package with typing_extensions
Signed-off-by: David Diamant <david at homelend.com>
- - - - -
6c61f42e by Simo Sorce at 2024-02-07T11:53:15-05:00
Version 1.5.2
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
c659e385 by Simo Sorce at 2024-02-07T15:13:41-05:00
Drop python 3.6 and 3.7 and add 3.11 support
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
a06b84a1 by Simo Sorce at 2024-02-07T15:13:41-05:00
Version 1.5.3
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
e7ef80f2 by Simo Sorce at 2024-02-13T10:50:12-05:00
Set a minimum version for typing_extensions
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
b9432ef4 by Simo Sorce at 2024-02-13T10:50:34-05:00
Version 1.5.4
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
e26522c5 by Timo Aaltonen at 2024-02-15T10:01:20+02:00
control: Fix maintainer address.
- - - - -
167a0a00 by Timo Aaltonen at 2024-02-15T10:10:12+02:00
rules: Update clean target.
- - - - -
fa2c62c2 by Timo Aaltonen at 2024-02-15T10:10:33+02:00
Merge branch 'upstream'
- - - - -
dd460d4f by Timo Aaltonen at 2024-02-15T10:10:48+02:00
version bump
- - - - -
f6a42ff1 by Timo Aaltonen at 2024-02-15T10:14:10+02:00
control: Add python3-typing-extensions to build-depends.
- - - - -
09c546c1 by Timo Aaltonen at 2024-02-15T10:20:25+02:00
control: Migrate to nose2. (Closes: #1018520)
- - - - -
ebfca14e by Timo Aaltonen at 2024-02-15T10:25:10+02:00
rules: Remove empty doc/jwcrypto.
- - - - -
d0c920f9 by Timo Aaltonen at 2024-02-15T10:27:00+02:00
releasing package python-jwcrypto version 1.5.4-1
- - - - -
30 changed files:
- .github/workflows/build.yml
- .github/workflows/codeql-analysis.yml
- .github/workflows/ppc64le.yml
- + .github/workflows/publish-to-pypi.yml
- .gitignore
- + .readthedocs.yaml
- MANIFEST.in
- Makefile
- README.md
- SECURITY.md
- debian/changelog
- debian/control
- debian/rules
- + docs/source/common.rst
- docs/source/conf.py
- docs/source/index.rst
- docs/source/jwe.rst
- docs/source/jwk.rst
- docs/source/jws.rst
- docs/source/jwt.rst
- + jwcrypto/VERSION
- jwcrypto/common.py
- jwcrypto/jwa.py
- jwcrypto/jwe.py
- jwcrypto/jwk.py
- jwcrypto/jws.py
- jwcrypto/jwt.py
- jwcrypto/tests-cookbook.py
- jwcrypto/tests.py
- setup.py
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/python-jwcrypto/-/compare/5c1faed5ab1024d163b3d71ce8ca919a67caf118...d0c920f985cf320c14d47a429190d2ea3e6d5d39
--
View it on GitLab: https://salsa.debian.org/freeipa-team/python-jwcrypto/-/compare/5c1faed5ab1024d163b3d71ce8ca919a67caf118...d0c920f985cf320c14d47a429190d2ea3e6d5d39
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20240215/0b5312b3/attachment-0001.htm>
More information about the Pkg-freeipa-devel
mailing list