[Python-modules-commits] [python-cryptography] 01/04: Import python-cryptography_1.3.1.orig.tar.gz
Tristan Seligmann
mithrandi at moszumanska.debian.org
Wed Apr 6 20:50:19 UTC 2016
This is an automated email from the git hooks/post-receive script.
mithrandi pushed a commit to branch master
in repository python-cryptography.
commit 703d5a499e941fa81dcd513ea04f21db2137f2fb
Author: Tristan Seligmann <mithrandi at debian.org>
Date: Wed Apr 6 22:37:31 2016 +0200
Import python-cryptography_1.3.1.orig.tar.gz
---
CHANGELOG.rst | 26 +-
PKG-INFO | 2 +-
docs/conf.py | 104 +--
docs/development/test-vectors.rst | 19 +-
docs/faq.rst | 28 +
docs/hazmat/backends/interfaces.rst | 4 +-
docs/hazmat/primitives/asymmetric/ec.rst | 2 +-
docs/hazmat/primitives/asymmetric/rsa.rst | 8 +-
docs/hazmat/primitives/constant-time.rst | 2 +-
docs/hazmat/primitives/padding.rst | 45 ++
docs/hazmat/primitives/symmetric-encryption.rst | 5 +-
docs/installation.rst | 6 +-
docs/security.rst | 37 +-
docs/spelling_wordlist.txt | 1 +
docs/x509/reference.rst | 88 +++
docs/x509/tutorial.rst | 72 +-
setup.py | 2 +-
src/_cffi_src/build_commoncrypto.py | 2 +
src/_cffi_src/build_openssl.py | 24 +-
src/_cffi_src/commoncrypto/cf.py | 10 +
.../{sectrust.py => seccertificate.py} | 5 +-
.../{openssl/conf.py => commoncrypto/secpolicy.py} | 7 +-
src/_cffi_src/commoncrypto/sectrust.py | 17 +
src/_cffi_src/hazmat_src/padding.c | 24 +
src/_cffi_src/hazmat_src/padding.h | 1 +
src/_cffi_src/openssl/aes.py | 11 +-
src/_cffi_src/openssl/asn1.py | 10 +-
src/_cffi_src/openssl/bio.py | 3 -
src/_cffi_src/openssl/cms.py | 5 -
src/_cffi_src/openssl/crypto.py | 69 +-
src/_cffi_src/openssl/dh.py | 1 -
src/_cffi_src/openssl/dsa.py | 8 -
src/_cffi_src/openssl/ec.py | 22 +-
src/_cffi_src/openssl/ecdh.py | 14 -
src/_cffi_src/openssl/ecdsa.py | 21 +-
src/_cffi_src/openssl/engine.py | 35 +-
src/_cffi_src/openssl/err.py | 12 +-
src/_cffi_src/openssl/evp.py | 44 +-
src/_cffi_src/openssl/hmac.py | 31 +-
src/_cffi_src/openssl/ocsp.py | 67 ++
src/_cffi_src/openssl/rand.py | 3 +-
src/_cffi_src/openssl/ssl.py | 139 +++-
src/_cffi_src/openssl/x509.py | 94 ++-
src/_cffi_src/openssl/x509_vfy.py | 6 +-
src/_cffi_src/openssl/x509name.py | 12 +-
src/_cffi_src/openssl/x509v3.py | 9 +
src/cryptography.egg-info/PKG-INFO | 2 +-
src/cryptography.egg-info/SOURCES.txt | 10 +-
src/cryptography.egg-info/requires.txt | 2 +-
src/cryptography/__about__.py | 2 +-
src/cryptography/fernet.py | 6 +-
src/cryptography/hazmat/__init__.py | 6 +
src/cryptography/hazmat/backends/__init__.py | 7 +-
src/cryptography/hazmat/backends/multibackend.py | 7 +
.../hazmat/backends/openssl/backend.py | 722 ++-----------------
.../backends/openssl/{x509.py => decode_asn1.py} | 453 +++---------
.../hazmat/backends/openssl/encode_asn1.py | 592 +++++++++++++++
src/cryptography/hazmat/backends/openssl/hashes.py | 13 +-
src/cryptography/hazmat/backends/openssl/hmac.py | 13 +-
src/cryptography/hazmat/backends/openssl/rsa.py | 8 +-
src/cryptography/hazmat/backends/openssl/x509.py | 797 ++-------------------
.../hazmat/bindings/openssl/_conditional.py | 32 +-
.../hazmat/bindings/openssl/binding.py | 37 +-
src/cryptography/hazmat/primitives/ciphers/base.py | 2 +-
.../hazmat/primitives/ciphers/modes.py | 21 +
src/cryptography/hazmat/primitives/padding.py | 172 +++--
.../hazmat/primitives/serialization.py | 14 +-
src/cryptography/utils.py | 10 +-
src/cryptography/x509/__init__.py | 18 +-
src/cryptography/x509/base.py | 6 +
src/cryptography/x509/extensions.py | 70 ++
src/cryptography/x509/name.py | 7 +-
tests/doubles.py | 43 ++
tests/hazmat/backends/test_commoncrypto.py | 13 +-
tests/hazmat/backends/test_multibackend.py | 20 +-
tests/hazmat/backends/test_openssl.py | 82 +--
tests/hazmat/bindings/test_openssl.py | 28 +-
tests/hazmat/primitives/fixtures_rsa.py | 72 ++
tests/hazmat/primitives/test_3des.py | 8 +-
tests/hazmat/primitives/test_aes.py | 12 +-
tests/hazmat/primitives/test_arc4.py | 2 +-
tests/hazmat/primitives/test_block.py | 50 +-
tests/hazmat/primitives/test_blowfish.py | 8 +-
tests/hazmat/primitives/test_camellia.py | 8 +-
tests/hazmat/primitives/test_cast5.py | 10 +-
tests/hazmat/primitives/test_dsa.py | 45 +-
tests/hazmat/primitives/test_ec.py | 14 +-
tests/hazmat/primitives/test_hashes.py | 11 +-
tests/hazmat/primitives/test_hmac.py | 11 +-
tests/hazmat/primitives/test_idea.py | 8 +-
tests/hazmat/primitives/test_keywrap.py | 10 +-
tests/hazmat/primitives/test_padding.py | 92 +++
tests/hazmat/primitives/test_pbkdf2hmac.py | 13 +-
tests/hazmat/primitives/test_rsa.py | 103 ++-
tests/hazmat/primitives/test_seed.py | 8 +-
tests/hazmat/primitives/test_x963_vectors.py | 11 +-
tests/hypothesis/test_padding.py | 32 +
tests/test_fernet.py | 13 +-
tests/test_warnings.py | 41 ++
tests/test_x509.py | 111 +++
tests/test_x509_ext.py | 113 +++
101 files changed, 2798 insertions(+), 2380 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5393b30..a549dc7 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,30 @@
Changelog
=========
+1.3.1 - 2016-03-21
+~~~~~~~~~~~~~~~~~~
+
+* Fixed a bug that caused an ``AttributeError`` when using ``mock`` to patch
+ some ``cryptography`` modules.
+
+1.3 - 2016-03-18
+~~~~~~~~~~~~~~~~
+
+* Added support for padding ANSI X.923 with
+ :class:`~cryptography.hazmat.primitives.padding.ANSIX923`.
+* Deprecated support for OpenSSL 0.9.8. Support will be removed in
+ ``cryptography`` 1.4.
+* Added support for the :class:`~cryptography.x509.PolicyConstraints`
+ X.509 extension including both parsing and generation using
+ :class:`~cryptography.x509.CertificateBuilder` and
+ :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
+* Added :attr:`~cryptography.x509.CertificateSigningRequest.is_signature_valid`
+ to :class:`~cryptography.x509.CertificateSigningRequest`.
+* Fixed an intermittent ``AssertionError`` when performing an RSA decryption on
+ an invalid ciphertext, ``ValueError`` is now correctly raised in all cases.
+* Added
+ :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`.
+
1.2.3 - 2016-03-01
~~~~~~~~~~~~~~~~~~
@@ -33,7 +57,7 @@ Changelog
* :class:`~cryptography.x509.InvalidityDate`
* Deprecated support for OpenSSL 0.9.8 and 1.0.0. At this time there is no time
table for actually dropping support, however we strongly encourage all users
- to upgrade, as those versions no longer receives support from the OpenSSL
+ to upgrade, as those versions no longer receive support from the OpenSSL
project.
* The :class:`~cryptography.x509.Certificate` class now has
:attr:`~cryptography.x509.Certificate.signature` and
diff --git a/PKG-INFO b/PKG-INFO
index 57a01cf..304c225 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: cryptography
-Version: 1.2.3
+Version: 1.3.1
Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The cryptography developers
diff --git a/docs/conf.py b/docs/conf.py
index dcc9c62..85a569a 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -116,10 +116,6 @@ exclude_patterns = ['_build']
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
-# A list of ignored prefixes for module index sorting.
-# modindex_common_prefix = []
-
-
# -- Options for HTML output --------------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
@@ -131,73 +127,11 @@ if sphinx_rtd_theme:
else:
html_theme = "default"
-# Theme options are theme-specific and customize the look and feel of a theme
-# further. For a list of options available for each theme, see the
-# documentation.
-# html_theme_options = {}
-
-# The name for this set of Sphinx documents. If None, it defaults to
-# "<project> v<release> documentation".
-# html_title = None
-
-# A shorter title for the navigation bar. Default is the same as html_title.
-# html_short_title = None
-
-# The name of an image file (relative to this directory) to place at the top
-# of the sidebar.
-# html_logo = None
-
-# The name of an image file (within the static path) to use as favicon of the
-# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
-# pixels large.
-# html_favicon = None
-
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']
-# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
-# using the given strftime format.
-# html_last_updated_fmt = '%b %d, %Y'
-
-# If true, SmartyPants will be used to convert quotes and dashes to
-# typographically correct entities.
-# html_use_smartypants = True
-
-# Custom sidebar templates, maps document names to template names.
-# html_sidebars = {}
-
-# Additional templates that should be rendered to pages, maps page names to
-# template names.
-# html_additional_pages = {}
-
-# If false, no module index is generated.
-# html_domain_indices = True
-
-# If false, no index is generated.
-# html_use_index = True
-
-# If true, the index is split into individual pages for each letter.
-# html_split_index = False
-
-# If true, links to the reST sources are added to the pages.
-# html_show_sourcelink = True
-
-# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
-# html_show_sphinx = True
-
-# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
-# html_show_copyright = True
-
-# If true, an OpenSearch description file will be output, and all pages will
-# contain a <link> tag referring to it. The value of this option must be the
-# base URL from which the finished HTML is served.
-# html_use_opensearch = ''
-
-# This is the file name suffix for HTML files (e.g. ".xhtml").
-# html_file_suffix = None
-
# Output file base name for HTML help builder.
htmlhelp_basename = 'Cryptographydoc'
@@ -214,27 +148,6 @@ latex_documents = [
'Individual Contributors', 'manual'),
]
-# The name of an image file (relative to this directory) to place at the top of
-# the title page.
-# latex_logo = None
-
-# For "manual" documents, if this is true, then toplevel headings are parts,
-# not chapters.
-# latex_use_parts = False
-
-# If true, show page references after internal links.
-# latex_show_pagerefs = False
-
-# If true, show URL addresses after external links.
-# latex_show_urls = False
-
-# Documents to append as an appendix to all manuals.
-# latex_appendices = []
-
-# If false, no module index is generated.
-# latex_domain_indices = True
-
-
# -- Options for manual page output -------------------------------------------
# One entry per manual page. List of tuples
@@ -244,10 +157,6 @@ man_pages = [
['Individual Contributors'], 1)
]
-# If true, show URL addresses after external links.
-# man_show_urls = False
-
-
# -- Options for Texinfo output -----------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
@@ -260,16 +169,11 @@ texinfo_documents = [
'Miscellaneous'),
]
-# Documents to append as an appendix to all manuals.
-# texinfo_appendices = []
-
-# If false, no module index is generated.
-# texinfo_domain_indices = True
-
-# How to display URL addresses: 'footnote', 'no', or 'inline'.
-# texinfo_show_urls = 'footnote'
-
# Example configuration for intersphinx: refer to the Python standard library.
intersphinx_mapping = {'https://docs.python.org/3': None}
epub_theme = 'epub'
+
+# Retry requests in the linkcheck builder so that we're resillient against
+# transient network errors.
+linkcheck_retries = 2
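Review bot: The comment added above `linkcheck_retries = 2` misspells "resilient" as "resillient"; the first comment line should read `# Retry requests in the linkcheck builder so that we're resilient against`. The option presumably only takes effect on Sphinx releases that recognise `linkcheck_retries` (1.4 and later, as far as I recall). Naming that minimum version in the same comment would tell anyone building the docs with an older toolchain why the retries are not happening. The rest of this hunk only removes commented-out defaults and needs no change.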
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index ad945f2..cc44492 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -110,6 +110,12 @@ X.509
containing a SAN extension with an ``ediPartyName`` general name.
* ``san_x400address.der`` - A DSA certificate from a `Mozilla bug`_ containing
a SAN extension with an ``x400Address`` general name.
+* ``department-of-state-root.pem`` - The intermediary CA for the Department of
+ State, issued by the United States Federal Government's Common Policy CA.
+ Notably has a ``critical`` policy constraints extensions.
+* ``e-trust.ru.der`` - A certificate from a `Russian CA`_ signed using the GOST
+ cipher and containing numerous unusual encodings such as NUMERICSTRING in
+ the subject DN.
Custom X.509 Vectors
~~~~~~~~~~~~~~~~~~~~
@@ -260,6 +266,8 @@ Custom X.509 Vectors
policy constraints extension with a require explicit policy element.
* ``unsupported_subject_public_key_info.pem`` - A certificate whose public key
is an unknown OID (``1.3.6.1.4.1.8432.1.1.2``).
+* ``policy_constraints_explicit.pem`` - A self-signed certificate containing
+ a ``policyConstraints`` extension with a ``requireExplicitPolicy`` value.
Custom X.509 Request Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -278,7 +286,7 @@ Custom X.509 Request Vectors
request using RSA and SHA1 with a subject alternative name extension
generated using OpenSSL.
* ``two_basic_constraints.pem`` - A certificate signing request
- for a RSA 2048 bit key containing two basic constraints extensions.
+ for an RSA 2048 bit key containing two basic constraints extensions.
* ``unsupported_extension.pem`` - A certificate signing request
for an RSA 2048 bit key containing containing an unsupported
extension type. The OID was encoded as "1.2.3.4" with an
@@ -287,9 +295,11 @@ Custom X.509 Request Vectors
request for an RSA 2048 bit key containing containing an unsupported
extension type marked critical. The OID was encoded as "1.2.3.4"
with an ``extnValue`` of "value".
-* ``basic_constraints.pem`` - A certificate signing request for a RSA
+* ``basic_constraints.pem`` - A certificate signing request for an RSA
2048 bit key containing a basic constraints extension marked as
critical.
+* ``invalid_signature.pem`` - A certificate signing request for an RSA
+ 1024 bit key containing an invalid signature with correct padding.
Custom X.509 Certificate Revocation List Vectors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -337,6 +347,8 @@ Key derivation functions
* PBKDF2 (HMAC-SHA1) from :rfc:`6070`.
* scrypt from the `draft RFC`_.
* X9.63 KDF from `NIST CAVP`_.
+* SP 800-108 Counter Mode KDF (HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
+ HMAC-SHA384, HMAC-SHA512) from `NIST CAVP`_.
Key wrapping
~~~~~~~~~~~~
@@ -418,7 +430,7 @@ header format (substituting the correct information):
.. _`NIST CAVP`: http://csrc.nist.gov/groups/STM/cavp/
.. _`Bruce Schneier's vectors`: https://www.schneier.com/code/vectors.txt
.. _`Camellia page`: https://info.isl.ntt.co.jp/crypt/eng/camellia/
-.. _`CRYPTREC`: http://www.cryptrec.go.jp
+.. _`CRYPTREC`: https://www.cryptrec.go.jp
.. _`OpenSSL's test vectors`: https://github.com/openssl/openssl/blob/97cf1f6c2854a3a955fd7dd3a1f113deba00c9ef/crypto/evp/evptests.txt#L232
.. _`RIPEMD website`: http://homes.esat.kuleuven.be/~bosselae/ripemd160.html
.. _`Whirlpool website`: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
@@ -443,3 +455,4 @@ header format (substituting the correct information):
.. _`root data`: https://hg.mozilla.org/projects/nss/file/25b2922cc564/security/nss/lib/ckfw/builtins/certdata.txt#l2053
.. _`asymmetric/public/PKCS1/dsa.pub.pem`: https://github.com/ruby/ruby/blob/4ccb387f3bc436a08fc6d72c4931994f5de95110/test/openssl/test_pkey_dsa.rb#L53
.. _`Mozilla bug`: https://bugzilla.mozilla.org/show_bug.cgi?id=233586
+.. _`Russian CA`: http://e-trust.gosuslugi.ru/MainCA
diff --git a/docs/faq.rst b/docs/faq.rst
index 10c8656..3456ba9 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -14,5 +14,33 @@ to NaCl.
If you prefer NaCl's design, we highly recommend `PyNaCl`_.
+Compiling ``cryptography`` on OS X produces a ``fatal error: 'openssl/aes.h' file not found`` error
+---------------------------------------------------------------------------------------------------
+
+This happens because OS X 10.11 no longer includes a copy of OpenSSL.
+``cryptography`` now provides wheels which include a statically linked copy of
+OpenSSL. You're seeing this error because your copy of pip is too old to find
+our wheel files. Upgrade your copy of pip with ``pip install -U pip`` and then
+try install ``cryptography`` again.
+
+Starting ``cryptography`` using ``mod_wsgi`` produces an ``InternalError`` during a call in ``_register_osrandom_engine``
+-------------------------------------------------------------------------------------------------------------------------
+
+This happens because ``mod_wsgi`` uses sub-interpreters, which can cause a
+problem during initialization of the OpenSSL backend. To resolve this set the
+`WSGIApplicationGroup`_ to ``%{GLOBAL}`` in the ``mod_wsgi`` configuration.
+
+``cryptography`` raised an ``InternalError`` and I'm not sure what to do?
+-------------------------------------------------------------------------
+
+Frequently ``InternalError`` is raised when there are errors on the OpenSSL
+error stack that were placed there by other libraries that are also using
+OpenSSL. Try removing the other libraries and see if the problem persists.
+If you have no other libraries using OpenSSL in your process, or they do not
+appear to be at fault, it's possible that this is a bug in ``cryptography``.
+Please file an `issue`_ with instructions on how to reproduce it.
+
.. _`NaCl`: https://nacl.cr.yp.to/
.. _`PyNaCl`: https://pynacl.readthedocs.org
+.. _`WSGIApplicationGroup`: https://modwsgi.readthedocs.org/en/develop/configuration-directives/WSGIApplicationGroup.html
+.. _`issue`: https://github.com/pyca/cryptography/issues
diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index 73011dd..83ec6f1 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -133,13 +133,15 @@ A specific ``backend`` may provide one or more of these interfaces.
:returns: ``True`` if the specified ``algorithm`` is supported for HMAC
by this backend, otherwise ``False``.
- .. method:: create_hmac_ctx(algorithm)
+ .. method:: create_hmac_ctx(key, algorithm)
Create a
:class:`~cryptography.hazmat.primitives.hashes.HashContext` that
uses the specified ``algorithm`` to calculate a hash-based message
authentication code.
+ :param bytes key: Secret key as ``bytes``.
+
:param algorithm: An instance of a
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
provider.
diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst
index 8e3a365..b32d331 100644
--- a/docs/hazmat/primitives/asymmetric/ec.rst
+++ b/docs/hazmat/primitives/asymmetric/ec.rst
@@ -505,7 +505,7 @@ Key Interfaces
.. _`less than 224 bits`: http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf
.. _`elliptic curve diffie-hellman is faster than diffie-hellman`: http://digitalcommons.unl.edu/cgi/viewcontent.cgi?article=1100&context=cseconfwork
.. _`minimize the number of security concerns for elliptic-curve cryptography`: https://cr.yp.to/ecdh/curve25519-20060209.pdf
-.. _`SafeCurves`: http://safecurves.cr.yp.to/
+.. _`SafeCurves`: https://safecurves.cr.yp.to/
.. _`ECDSA`: https://en.wikipedia.org/wiki/ECDSA
.. _`EdDSA`: https://en.wikipedia.org/wiki/EdDSA
.. _`forward secrecy`: https://en.wikipedia.org/wiki/Forward_secrecy
diff --git a/docs/hazmat/primitives/asymmetric/rsa.rst b/docs/hazmat/primitives/asymmetric/rsa.rst
index bc2402d..c2a6d43 100644
--- a/docs/hazmat/primitives/asymmetric/rsa.rst
+++ b/docs/hazmat/primitives/asymmetric/rsa.rst
@@ -271,7 +271,7 @@ Padding
Pass this attribute to ``salt_length`` to get the maximum salt length
available.
-.. class:: OAEP(mgf, label)
+.. class:: OAEP(mgf, algorithm, label)
.. versionadded:: 0.4
@@ -283,6 +283,10 @@ Padding
:param mgf: A mask generation function object. At this time the only
supported MGF is :class:`MGF1`.
+ :param algorithm: An instance of a
+ :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
+ provider.
+
:param bytes label: A label to apply. This is a rarely used field and
should typically be set to ``None`` or ``b""``, which are equivalent.
@@ -656,6 +660,6 @@ Key interfaces
.. _`at least 2048`: http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf
.. _`OpenPGP`: https://en.wikipedia.org/wiki/Pretty_Good_Privacy
.. _`Chinese Remainder Theorem`: https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29#Using_the_Chinese_remainder_algorithm
-.. _`security proof`: http://eprint.iacr.org/2001/062.pdf
+.. _`security proof`: https://eprint.iacr.org/2001/062.pdf
.. _`recommended padding algorithm`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
.. _`proven secure`: https://cseweb.ucsd.edu/~mihir/papers/oae.pdf
diff --git a/docs/hazmat/primitives/constant-time.rst b/docs/hazmat/primitives/constant-time.rst
index 1394b6b..1c1d544 100644
--- a/docs/hazmat/primitives/constant-time.rst
+++ b/docs/hazmat/primitives/constant-time.rst
@@ -40,4 +40,4 @@ about the timing attacks on KeyCzar and Java's ``MessageDigest.isEqual()``.
``bytes``.
-.. _`Coda Hale's blog post`: http://codahale.com/a-lesson-in-timing-attacks/
+.. _`Coda Hale's blog post`: https://codahale.com/a-lesson-in-timing-attacks/
diff --git a/docs/hazmat/primitives/padding.rst b/docs/hazmat/primitives/padding.rst
index a60f5ac..0b76327 100644
--- a/docs/hazmat/primitives/padding.rst
+++ b/docs/hazmat/primitives/padding.rst
@@ -54,6 +54,49 @@ multiple of the block size.
provider.
+.. class:: ANSIX923(block_size)
+
+ .. versionadded:: 1.3
+
+ `ANSI X.923`_ padding works by appending ``N-1`` bytes with the value of
+ ``0`` and a last byte with the value of ``chr(N)``, where ``N`` is the
+ number of bytes required to make the final block of data the same size as
+ the block size. A simple example of padding is:
+
+ .. doctest::
+
+ >>> padder = padding.ANSIX923(128).padder()
+ >>> padded_data = padder.update(b"11111111111111112222222222")
+ >>> padded_data
+ '1111111111111111'
+ >>> padded_data += padder.finalize()
+ >>> padded_data
+ '11111111111111112222222222\x00\x00\x00\x00\x00\x06'
+ >>> unpadder = padding.ANSIX923(128).unpadder()
+ >>> data = unpadder.update(padded_data)
+ >>> data
+ '1111111111111111'
+ >>> data + unpadder.finalize()
+ '11111111111111112222222222'
+
+ :param block_size: The size of the block in bits that the data is being
+ padded to.
+ :raises ValueError: Raised if block size is not a multiple of 8 or is not
+ between 0 and 256.
+
+ .. method:: padder()
+
+ :returns: A padding
+ :class:`~cryptography.hazmat.primitives.padding.PaddingContext`
+ provider
+
+ .. method:: unpadder()
+
+ :returns: An unpadding
+ :class:`~cryptography.hazmat.primitives.padding.PaddingContext`
+ provider.
+
+
.. class:: PaddingContext
When calling ``padder()`` or ``unpadder()`` the result will conform to the
@@ -82,3 +125,5 @@ multiple of the block size.
:raises TypeError: Raised if data is not bytes.
:raises ValueError: When trying to remove padding from incorrectly
padded data.
+
+.. _`ANSI X.923`: https://en.wikipedia.org/wiki/Padding_%28cryptography%29#ANSI_X.923
diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index 309c6fd..7b00d11 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -334,6 +334,9 @@ Modes
:raises ValueError: This is raised if ``len(tag) < min_tag_length``.
+ An example of securely encrypting and decrypting data with ``AES`` in the
+ ``GCM`` mode looks like:
+
.. testcode::
import os
@@ -607,7 +610,7 @@ Interfaces used by the symmetric cipher modes described in
.. _`NIST SP-800-38D`: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
.. _`Communications Security Establishment`: https://www.cse-cst.gc.ca
.. _`encrypt`: https://ssd.eff.org/en/module/what-encryption
-.. _`CRYPTREC`: http://www.cryptrec.go.jp/english/
+.. _`CRYPTREC`: https://www.cryptrec.go.jp/english/
.. _`significant patterns in the output`: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_.28ECB.29
.. _`International Data Encryption Algorithm`: https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
.. _`OpenPGP`: http://www.openpgp.org
diff --git a/docs/installation.rst b/docs/installation.rst
index f9d2261..8c3c436 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -39,8 +39,8 @@ OpenSSL releases:
.. warning::
OpenSSL versions 0.9.8 and 1.0.0 are no longer supported by the OpenSSL
- project. A future version of cryptography will drop support for these
- releases.
+ project. Support for OpenSSL 0.9.8 will be removed in the next
+ ``cryptography`` release.
On Windows
----------
@@ -268,7 +268,7 @@ information, consult `Greg Wilson's blog post`_ on the subject.
.. _`MacPorts`: https://www.macports.org
.. _`openssl-release`: https://jenkins.cryptography.io/job/openssl-release/
.. _`bug in conda`: https://github.com/conda/conda-recipes/issues/110
-.. _`Greg Wilson's blog post`: http://software-carpentry.org/blog/2014/04/mr-biczo-was-right.html
+.. _`Greg Wilson's blog post`: https://software-carpentry.org/blog/2014/04/mr-biczo-was-right.html
.. _virtualenv: https://virtualenv.pypa.io/en/latest/
.. _openssl.org: https://openssl.org/source/
.. _`wheel cache`: https://pip.pypa.io/en/stable/reference/pip_install/#caching
diff --git a/docs/security.rst b/docs/security.rst
index 13f9996..1cc1273 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -5,6 +5,39 @@ We take the security of ``cryptography`` seriously. The following are a set of
policies we have adopted to ensure that security issues are addressed in a
timely fashion.
+What is a security issue?
+-------------------------
+
+Anytime it's possible to write code using ``cryptography``'s public API which
+does not provide the guarantees that a reasonable developer would expect it to
+based on our documentation.
+
+That's a bit academic, but basically it means the scope of what we consider a
+vulnerability is broad, and we do not require a proof of concept or even a
+specific exploit, merely a reasonable threat model under which ``cryptography``
+could be attacked.
+
+To give a few examples of things we would consider security issues:
+
+* If a recipe, such as Fernet, made it easy for a user to bypass
+ confidentiality or integrity with the public API (e.g. if the API let a user
+ reuse nonces).
+* If, under any circumstances, we used a CSPRNG which wasn't fork-safe.
+* If ``cryptography`` used an API in an underlying C library and failed to
+ handle error conditions safely.
+
+Examples of things we wouldn't consider security issues:
+
+* Offering ECB mode for symmetric encryption in the *Hazmat* layer. Though ECB
+ is critically weak, it is documented as being weak in our documentation.
+* Using a variable time comparison somewhere, if it's not possible to
+ articulate any particular program in which this would result in problematic
+ information disclosure.
+
+In general, if you're unsure, we request that you to default to treating things
+as security issues and handling them sensitively, the worst thing that can
+happen is that we'll ask you to file a bug issue.
+
Reporting a security issue
--------------------------
@@ -14,7 +47,7 @@ tracker.
If you believe you've identified a security issue with ``cryptography``, please
report it to ``alex.gaynor at gmail.com``. Messages may be optionally encrypted
with PGP using key fingerprint
-``E27D 4AA0 1651 72CB C5D2 AF2B 125F 5C67 DFE9 4084`` (this public key is
+``F7FC 698F AAE2 D2EF BECD E98E D1B3 ADC0 E023 8CA6`` (this public key is
available from most commonly-used key servers).
Once you've submitted an issue via email, you should receive an acknowledgment
@@ -25,7 +58,7 @@ Supported Versions
------------------
At any given time, we will provide security support for the `master`_ branch
-as well as the 2 most recent releases.
+as well as the most recent release.
New releases for OpenSSL updates
--------------------------------
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index 6def795..47415a7 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -45,6 +45,7 @@ multi
naïve
namespace
namespaces
+nonces
Nonces
online
paddings
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index 8bb3f40..399d693 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -761,6 +761,12 @@ X.509 CSR (Certificate Signing Request) Object
key embedded in the CSR). This data may be used to validate the CSR
signature.
+ .. attribute:: is_signature_valid
+
+ .. versionadded:: 1.3
+
+ Returns True if the CSR signature is correct, False otherwise.
+
X.509 Certificate Revocation List Builder
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -1535,6 +1541,13 @@ X.509 Extensions
.. versionadded:: 1.0
+ .. note::
+
+ This method should be used if the issuer certificate does not
+ contain a :class:`~cryptography.x509.SubjectKeyIdentifier`.
+ Otherwise, use
+ :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`.
+
Creates a new AuthorityKeyIdentifier instance using the public key
provided to generate the appropriate digest. This should be the
**issuer's public key**. The resulting object will contain
@@ -1562,6 +1575,37 @@ X.509 Extensions
>>> x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_cert.public_key())
<AuthorityKeyIdentifier(key_identifier='X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9', authority_cert_issuer=None, authority_cert_serial_number=None)>
+ .. classmethod:: from_issuer_subject_key_identifier(ski)
+
+ .. versionadded:: 1.3
+
+ .. note::
+ This method should be used if the issuer certificate contains a
+ :class:`~cryptography.x509.SubjectKeyIdentifier`. Otherwise, use
+ :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_public_key`.
+
+ Creates a new AuthorityKeyIdentifier instance using the
+ SubjectKeyIdentifier from the issuer certificate. The resulting object
+ will contain
+ :attr:`~cryptography.x509.AuthorityKeyIdentifier.key_identifier`, but
+ :attr:`~cryptography.x509.AuthorityKeyIdentifier.authority_cert_issuer`
+ and
+ :attr:`~cryptography.x509.AuthorityKeyIdentifier.authority_cert_serial_number`
+ will be None.
+
+ :param ski: The
+ :class:`~cryptography.x509.SubjectKeyIdentifier` from the issuer
+ certificate.
+
+ .. doctest::
+
+ >>> from cryptography import x509
+ >>> from cryptography.hazmat.backends import default_backend
+ >>> issuer_cert = x509.load_pem_x509_certificate(pem_data, default_backend())
+ >>> ski = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
+ >>> x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski)
+ <AuthorityKeyIdentifier(key_identifier='X\x01\x84$\x1b\xbc+R\x94J=\xa5\x10r\x14Q\xf5\xaf:\xc9', authority_cert_issuer=None, authority_cert_serial_number=None)>
+
.. class:: SubjectKeyIdentifier(digest)
.. versionadded:: 0.9
@@ -1860,6 +1904,44 @@ X.509 Extensions
:type: int
+.. class:: PolicyConstraints
+
+ .. versionadded:: 1.3
+
+ The policy constraints extension is used to inhibit policy mapping or
+ require that each certificate in a chain contain an acceptable policy
+ identifier. For more information about the use of this extension see
+ :rfc:`5280`.
+
+ .. attribute:: oid
+
+ :type: :class:`ObjectIdentifier`
+
+ Returns :attr:`~cryptography.x509.oid.ExtensionOID.POLICY_CONSTRAINTS`.
+
+ .. attribute:: require_explicit_policy
+
+ :type: int or None
+
+ If this field is not None, the value indicates the number of additional
+ certificates that may appear in the chain before an explicit policy is
+ required for the entire path. When an explicit policy is required, it
+ is necessary for all certificates in the chain to contain an acceptable
+ policy identifier in the certificate policies extension. An
+ acceptable policy identifier is the identifier of a policy required
+ by the user of the certification path or the identifier of a policy
+ that has been declared equivalent through policy mapping.
+
+ .. attribute:: inhibit_policy_mapping
+
+ :type: int or None
+
+ If this field is not None, the value indicates the number of additional
+ certificates that may appear in the chain before policy mapping is no
+ longer permitted. For example, a value of one indicates that policy
+ mapping may be processed in certificates issued by the subject of this
+ certificate, but not in additional certificates in the chain.
+
.. class:: CRLNumber(crl_number)
.. versionadded:: 1.2
@@ -2392,6 +2474,12 @@ instances. The following common OIDs are available as constants.
the ``CRLNumber`` extension type. This extension only has meaning
for certificate revocation lists.
+ .. attribute:: POLICY_CONSTRAINTS
+
+ Corresponds to the dotted string ``"2.5.29.36"``. The identifier for the
+ :class:`~cryptography.x509.PolicyConstraints` extension type.
+
+
.. class:: CRLEntryExtensionOID
.. versionadded:: 1.2
diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst
index 0fa061a..6941372 100644
--- a/docs/x509/tutorial.rst
+++ b/docs/x509/tutorial.rst
@@ -1,8 +1,8 @@
Tutorial
========
-X.509 certificates are used to authenticate clients on servers. The most common
-use case is for web servers using HTTPS.
+X.509 certificates are used to authenticate clients and servers. The most
+common use case is for web servers using HTTPS.
Creating a Certificate Signing Request (CSR)
--------------------------------------------
@@ -82,3 +82,71 @@ a few details:
... f.write(csr.public_bytes(serialization.Encoding.PEM))
Now we can give our CSR to a CA, who will give a certificate to us in return.
+
+Creating a self-signed certificate
+----------------------------------
+
+While most of the time you want a certificate that has been *signed* by someone
+else (i.e. a certificate authority), so that trust is established, sometimes
+you want to create a self-signed certificate. Self-signed certificates are not
+issued by a certificate authority, but instead they are signed by the private
+key corresponding to the public key they embed.
+
+This means that other people don't trust these certificates, but it also means
+they can be issued very easily. In general the only use case for a self-signed
+certificate is local testing, where you don't need anyone else to trust your
+certificate.
+
+Like generating a CSR, we start with creating a new private key:
+
+.. code-block:: pycon
+
+ >>> # Generate our key
+ >>> key = rsa.generate_private_key(
+ ... public_exponent=65537,
+ ... key_size=2048,
+ ... backend=default_backend()
+ ... )
+ >>> # Write our key to disk for safe keeping
+ >>> with open("path/to/store/key.pem", "wb") as f:
+ ... f.write(key.private_bytes(
+ ... encoding=serialization.Encoding.PEM,
+ ... format=serialization.PrivateFormat.TraditionalOpenSSL,
+ ... encryption_algorithm=serialization.BestAvailableEncryption(b"passphrase"),
+ ... ))
+
+Then we generate the certificate itself:
+
+.. code-block:: pycon
+
+ >>> # Various details about who we are. For a self-signed certificate the
+ >>> # subject and issuer are always the same.
+ >>> subject = issuer = x509.Name([
+ ... x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),
+ ... x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"CA"),
+ ... x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
+ ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
+ ... x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
+ ... ])
+ >>> cert = x509.CertificateBuilder().subject_name(
+ ... subject
+ ... ).issuer_name(
+ ... issuer
+ ... ).public_key(
+ ... private_key.public_key()
+ ... ).not_valid_before(
+ ... datetime.datetime.utcnow()
+ ... ).not_valid_after(
+ ... # Our certificate will be valid for 10 days
+ ... datetime.datetime.utcnow() + datetime.timedelta(days=10)
+ ... ).add_extension(
+ ... x509.SubjectAlternativeName([x509.DNSName(u"localhost")]),
+ ... critical=False,
+ ... # Sign our certificate with our private key
+ ... ).sign(private_key, hashes.SHA256(), default_backend())
+ >>> # Write our certificate out to disk.
+ >>> with open("path/to/certificate.pem", "wb") as f:
+ ... f.write(cert.public_bytes(serialization.Encoding.PEM))
+
+And now we have a private key and certificate that can be used for local
+testing.
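Review bot: The certificate example calls `private_key.public_key()` and `.sign(private_key, hashes.SHA256(), default_backend())`, but the key generated a few lines earlier in this section is bound to `key`, and no assignment to `private_key` is visible in this hunk, so a reader pasting the section as written will most likely hit a NameError. Both calls should use the name the section defines: `key.public_key()` and `.sign(key, hashes.SHA256(), default_backend())`. Separately, the key-writing snippet hard-codes `b"passphrase"` in `BestAvailableEncryption`; because tutorial code gets copied verbatim, a comment line such as `>>> # Replace with a passphrase read at runtime; never commit a literal` above the `with open(...)` block would help. The subject's common name is `mysite.com` while the only SAN entry is `localhost`, which is worth aligning so the example does not teach a name mismatch.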
diff --git a/setup.py b/setup.py
index b0a4807..88dfd7d 100644
--- a/setup.py
+++ b/setup.py
@@ -37,7 +37,7 @@ requirements = [
"idna>=2.0",
"pyasn1>=0.1.8",
"six>=1.4.1",
- "setuptools>=1.0",
+ "setuptools>=11.3",
]
setup_requirements = []
diff --git a/src/_cffi_src/build_commoncrypto.py b/src/_cffi_src/build_commoncrypto.py
index 4e69b6d..09e020a 100644
--- a/src/_cffi_src/build_commoncrypto.py
+++ b/src/_cffi_src/build_commoncrypto.py
@@ -17,10 +17,12 @@ ffi = build_ffi_for_binding(
"common_key_derivation",
"common_cryptor",
"common_symmetric_key_wrap",
+ "seccertificate",
"secimport",
"secitem",
"seckey",
"seckeychain",
+ "secpolicy",
"sectransform",
"sectrust",
],
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index ebbe886..2ff28d7 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -37,21 +37,10 @@ def _osx_libraries(build_static):
return ["ssl", "crypto"]
-_OSX_PRE_INCLUDE = """
-#ifdef __APPLE__
-#include <AvailabilityMacros.h>
-#define __ORIG_DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER \
- DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#undef DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#endif
-"""
-
-_OSX_POST_INCLUDE = """
-#ifdef __APPLE__
-#undef DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
-#define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER \
- __ORIG_DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
+_PRE_INCLUDE = """
+#include <openssl/e_os2.h>
+#if defined(OPENSSL_SYS_WINDOWS)
+#include <windows.h>
#endif
"""
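Review bot: `_PRE_INCLUDE` carries no comment explaining why `<windows.h>` has to be included when `OPENSSL_SYS_WINDOWS` is defined, presumably ahead of the binding headers, and an undocumented include-order constraint is easily broken by a later tidy-up. I would add a comment above the constant, for example `# windows.h must be included before the OpenSSL headers on Windows builds; keep this ordering`, with the concrete reason filled in by the author. The removed `_OSX_PRE_INCLUDE`/`_OSX_POST_INCLUDE` pair blanked and then restored `DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER`, so the same comment could state that dropping that suppression is intentional. The context line `return ["ssl", "crypto"]` belongs to `_osx_libraries`, which begins outside this hunk.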
@@ -66,7 +55,6 @@ ffi = build_ffi_for_binding(
"bio",
"cmac",
"cms",
- "conf",
"crypto",
"dh",
"dsa",
@@ -79,6 +67,7 @@ ffi = build_ffi_for_binding(
"hmac",
"nid",
"objects",
+ "ocsp",
"opensslv",
"pem",
"pkcs12",
@@ -92,8 +81,7 @@ ffi = build_ffi_for_binding(
"pkcs7",
"callbacks",
],
- pre_include=_OSX_PRE_INCLUDE,
- post_include=_OSX_POST_INCLUDE,
+ pre_include=_PRE_INCLUDE,
libraries=_get_openssl_libraries(sys.platform),
extra_link_args=extra_link_args(compiler_type()),
)
diff --git a/src/_cffi_src/commoncrypto/cf.py b/src/_cffi_src/commoncrypto/cf.py
index 9d4387e..02e58d9 100644
--- a/src/_cffi_src/commoncrypto/cf.py
+++ b/src/_cffi_src/commoncrypto/cf.py
@@ -20,6 +20,7 @@ typedef ... *CFDataRef;
typedef signed long long CFIndex;
typedef ... *CFStringRef;
typedef ... *CFArrayRef;
+typedef ... *CFMutableArrayRef;
typedef ... *CFBooleanRef;
typedef ... *CFErrorRef;
typedef ... *CFNumberRef;
@@ -35,6 +36,9 @@ typedef struct {
typedef struct {
...;
} CFRange;
+typedef struct {
+ ...;
+} CFArrayCallBacks;
... 7199 lines suppressed ...
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-cryptography.git