[Python-modules-commits] [python-cryptography] 01/03: Import python-cryptography_1.7.1.orig.tar.gz
Tristan Seligmann
mithrandi at moszumanska.debian.org
Thu Dec 15 04:22:14 UTC 2016
This is an automated email from the git hooks/post-receive script.
mithrandi pushed a commit to branch master
in repository python-cryptography.
commit 55816224b8c57c07982677ad261a11520141b97e
Author: Tristan Seligmann <mithrandi at debian.org>
Date: Wed Dec 14 07:59:13 2016 +0200
Import python-cryptography_1.7.1.orig.tar.gz
---
AUTHORS.rst | 5 +
CHANGELOG.rst | 69 ++-
LICENSE | 4 +
PKG-INFO | 11 +-
README.rst | 9 +
.../custom-vectors/cast5/generate_cast5.py | 1 +
docs/development/custom-vectors/idea.rst | 2 +-
.../custom-vectors/idea/generate_idea.py | 1 +
.../rsa-oaep-sha2/generate_rsa_oaep_sha2.py | 1 +
.../custom-vectors/secp256k1/generate_secp256k1.py | 1 +
docs/development/custom-vectors/seed.rst | 2 +-
.../custom-vectors/seed/generate_seed.py | 1 +
docs/development/getting-started.rst | 18 +-
docs/development/test-vectors.rst | 14 +-
docs/faq.rst | 17 +-
docs/hazmat/backends/commoncrypto.rst | 2 +-
docs/hazmat/backends/interfaces.rst | 56 +-
docs/hazmat/backends/openssl.rst | 27 +
docs/hazmat/bindings/commoncrypto.rst | 2 +-
docs/hazmat/bindings/openssl.rst | 2 +-
docs/hazmat/primitives/asymmetric/dh.rst | 163 ++++--
docs/hazmat/primitives/asymmetric/dsa.rst | 14 +-
docs/hazmat/primitives/asymmetric/ec.rst | 102 +++-
docs/hazmat/primitives/asymmetric/rsa.rst | 14 +-
docs/hazmat/primitives/asymmetric/utils.rst | 58 +++
docs/hazmat/primitives/cryptographic-hashes.rst | 34 ++
.../hazmat/primitives/key-derivation-functions.rst | 121 ++++-
docs/hazmat/primitives/padding.rst | 4 +-
docs/hazmat/primitives/symmetric-encryption.rst | 4 +-
docs/installation.rst | 22 +-
docs/random-numbers.rst | 2 +-
docs/spelling_wordlist.txt | 11 +
docs/x509/reference.rst | 157 +++++-
docs/x509/tutorial.rst | 2 +
setup.py | 2 +-
src/_cffi_src/build_openssl.py | 8 +-
src/_cffi_src/hazmat_src/padding.c | 30 +-
src/_cffi_src/openssl/bio.py | 11 +
src/_cffi_src/openssl/callbacks.py | 73 ++-
src/_cffi_src/openssl/crypto.py | 1 +
src/_cffi_src/openssl/cryptography.py | 4 +
src/_cffi_src/openssl/dh.py | 1 +
src/_cffi_src/openssl/ecdh.py | 9 +
src/_cffi_src/openssl/err.py | 34 +-
src/_cffi_src/openssl/evp.py | 15 +
src/_cffi_src/openssl/nid.py | 3 +
src/_cffi_src/openssl/objects.py | 9 +
src/_cffi_src/openssl/osrandom_engine.py | 29 ++
src/_cffi_src/openssl/src/osrandom_engine.c | 576 +++++++++++++++++++++
src/_cffi_src/openssl/src/osrandom_engine.h | 88 ++++
src/_cffi_src/openssl/ssl.py | 13 +
src/_cffi_src/openssl/x509_vfy.py | 32 ++
src/_cffi_src/openssl/x509name.py | 10 +
src/_cffi_src/openssl/x509v3.py | 10 +-
src/cryptography.egg-info/PKG-INFO | 11 +-
src/cryptography.egg-info/SOURCES.txt | 8 +
src/cryptography.egg-info/requires.txt | 2 +-
src/cryptography/__about__.py | 2 +-
src/cryptography/exceptions.py | 1 +
src/cryptography/hazmat/backends/__init__.py | 32 +-
src/cryptography/hazmat/backends/interfaces.py | 35 +-
src/cryptography/hazmat/backends/multibackend.py | 100 +++-
.../hazmat/backends/openssl/backend.py | 260 +++++++++-
.../hazmat/backends/openssl/ciphers.py | 13 +-
.../hazmat/backends/openssl/decode_asn1.py | 24 +-
src/cryptography/hazmat/backends/openssl/dh.py | 182 +++++++
src/cryptography/hazmat/backends/openssl/dsa.py | 75 +--
src/cryptography/hazmat/backends/openssl/ec.py | 122 +++--
.../hazmat/backends/openssl/encode_asn1.py | 41 +-
src/cryptography/hazmat/backends/openssl/hashes.py | 6 +-
src/cryptography/hazmat/backends/openssl/rsa.py | 423 +++++++--------
src/cryptography/hazmat/backends/openssl/utils.py | 20 +
src/cryptography/hazmat/backends/openssl/x509.py | 51 +-
.../hazmat/bindings/openssl/_conditional.py | 11 +-
.../hazmat/bindings/openssl/binding.py | 97 +---
.../hazmat/primitives/asymmetric/dh.py | 23 +
.../hazmat/primitives/asymmetric/ec.py | 13 +
.../hazmat/primitives/asymmetric/utils.py | 12 +
src/cryptography/hazmat/primitives/hashes.py | 42 ++
src/cryptography/hazmat/primitives/kdf/scrypt.py | 59 +++
src/cryptography/hazmat/primitives/padding.py | 4 +-
src/cryptography/utils.py | 25 +-
src/cryptography/x509/__init__.py | 7 +-
src/cryptography/x509/base.py | 23 +
src/cryptography/x509/extensions.py | 19 +-
src/cryptography/x509/name.py | 63 ++-
src/cryptography/x509/oid.py | 43 +-
tests/hazmat/backends/test_backendinit.py | 17 +
tests/hazmat/backends/test_multibackend.py | 94 +++-
tests/hazmat/backends/test_openssl.py | 32 +-
tests/hazmat/bindings/test_openssl.py | 73 +--
tests/hazmat/primitives/test_asym_utils.py | 9 +-
tests/hazmat/primitives/test_dh.py | 207 +++++++-
tests/hazmat/primitives/test_dsa.py | 47 +-
tests/hazmat/primitives/test_ec.py | 97 +++-
tests/hazmat/primitives/test_hash_vectors.py | 34 ++
tests/hazmat/primitives/test_hashes.py | 48 ++
tests/hazmat/primitives/test_padding.py | 16 +
tests/hazmat/primitives/test_rsa.py | 64 ++-
tests/hazmat/primitives/test_scrypt.py | 136 +++++
tests/hazmat/primitives/test_x963_vectors.py | 3 +-
tests/hypothesis/test_padding.py | 4 +-
tests/test_cryptography_utils.py | 11 +
tests/test_interfaces.py | 28 +-
tests/test_x509.py | 365 +++++++++----
tests/test_x509_ext.py | 41 +-
106 files changed, 4263 insertions(+), 823 deletions(-)
diff --git a/AUTHORS.rst b/AUTHORS.rst
index 50bdcd5..13e552d 100644
--- a/AUTHORS.rst
+++ b/AUTHORS.rst
@@ -31,3 +31,8 @@ PGP key fingerprints are enclosed in parentheses.
* Amaury Forgeot d'Arc <amauryfa at google.com>
* Dirkjan Ochtman <dirkjan at ochtman.nl> (25BB BAC1 13C1 BFD5 AA59 4A4C 9F96 B929 3038 0381)
* Maximilian Hils <max at maximilianhils.com>
+* Simo Sorce <simo at redhat.com>
+* Thomas Sileo <t at a4.io>
+* Fraser Tweedale <ftweedal at redhat.com>
+* Ofek Lev <ofekmeister at gmail.com> (FFB6 B92B 30B1 7848 546E 9912 972F E913 DAD5 A46E)
+* Erik Daguerre <fallenwolf at wolfthefallen.com>
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 9b0bf29..dd5e887 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,19 +1,84 @@
Changelog
=========
+1.7.1 - 2016-12-13
+~~~~~~~~~~~~~~~~~~
+
+* Fixed a regression in ``int_from_bytes`` where it failed to accept
+ ``bytearray``.
+
+1.7 - 2016-12-12
+~~~~~~~~~~~~~~~~
+
+* Support for OpenSSL 1.0.0 has been removed. Users on older version of OpenSSL
+ will need to upgrade.
+* Added support for Diffie-Hellman key exchange using
+ :meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKeyWithSerialization.exchange`
+* The OS random engine for OpenSSL has been rewritten to improve compatibility
+ with embedded Python and other edge cases. More information about this change
+ can be found in the
+ `pull request <https://github.com/pyca/cryptography/pull/3229>`_.
+
+1.6 - 2016-11-22
+~~~~~~~~~~~~~~~~
+
+* Deprecated support for OpenSSL 1.0.0. Support will be removed in
+ ``cryptography`` 1.7.
+* Replaced the Python-based OpenSSL locking callbacks with a C version to fix
+ a potential deadlock that could occur if a garbage collection cycle occurred
+ while inside the lock.
+* Added support for :class:`~cryptography.hazmat.primitives.hashes.BLAKE2b` and
+ :class:`~cryptography.hazmat.primitives.hashes.BLAKE2s` when using OpenSSL
+ 1.1.0.
+* Added
+ :attr:`~cryptography.x509.Certificate.signature_algorithm_oid` support to
+ :class:`~cryptography.x509.Certificate`.
+* Added
+ :attr:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_oid`
+ support to :class:`~cryptography.x509.CertificateSigningRequest`.
+* Added
+ :attr:`~cryptography.x509.CertificateRevocationList.signature_algorithm_oid`
+ support to :class:`~cryptography.x509.CertificateRevocationList`.
+* Added support for :class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt`
+ when using OpenSSL 1.1.0.
+* Added a workaround to improve compatibility with Python application bundling
+ tools like ``PyInstaller`` and ``cx_freeze``.
+* Added support for generating a
+ :meth:`~cryptography.x509.random_serial_number`.
+* Added support for encoding ``IPv4Network`` and ``IPv6Network`` in X.509
+ certificates for use with :class:`~cryptography.x509.NameConstraints`.
+* Added :meth:`~cryptography.x509.Name.public_bytes` to
+ :class:`~cryptography.x509.Name`.
+* Added :class:`~cryptography.x509.RelativeDistinguishedName`
+* :class:`~cryptography.x509.DistributionPoint` now accepts
+ :class:`~cryptography.x509.RelativeDistinguishedName` for
+ :attr:`~cryptography.x509.DistributionPoint.relative_name`.
+ Deprecated use of :class:`~cryptography.x509.Name` as
+ :attr:`~cryptography.x509.DistributionPoint.relative_name`.
+* :class:`~cryptography.x509.Name` now accepts an iterable of
+ :class:`~cryptography.x509.RelativeDistinguishedName`. RDNs can
+ be accessed via the :attr:`~cryptography.x509.Name.rdns`
+ attribute. When constructed with an iterable of
+ :class:`~cryptography.x509.NameAttribute`, each attribute becomes
+ a single-valued RDN.
+* Added
+ :func:`~cryptography.hazmat.primitives.asymmetric.ec.derive_private_key`.
+* Added support for signing and verifying RSA, DSA, and ECDSA signatures with
+ :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`
+ digests.
+
1.5.3 - 2016-11-05
~~~~~~~~~~~~~~~~~~
* **SECURITY ISSUE**: Fixed a bug where ``HKDF`` would return an empty
byte-string if used with a ``length`` less than ``algorithm.digest_size``.
- Credit to **Markus Döring** for reporting the issue.
+ Credit to **Markus Döring** for reporting the issue. *CVE-2016-9243*
1.5.2 - 2016-09-26
~~~~~~~~~~~~~~~~~~
* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2j.
-
1.5.1 - 2016-09-22
~~~~~~~~~~~~~~~~~~
diff --git a/LICENSE b/LICENSE
index b11f379..e290cd1 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,3 +1,7 @@
This software is made available under the terms of *either* of the licenses
found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made
under the terms of *both* these licenses.
+
+The code used in the OpenSSL locking callback and OS random engine is derived
+from the same in CPython itself, and is licensed under the terms of the PSF
+License Agreement.
diff --git a/PKG-INFO b/PKG-INFO
index 9de24de..4409380 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: cryptography
-Version: 1.5.3
+Version: 1.7.1
Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The cryptography developers
@@ -47,6 +47,14 @@ Description: Cryptography
You can find more information in the `documentation`_.
+ You can install ``cryptography`` with:
+
+ .. code-block:: console
+
+ $ pip install cryptography
+
+ For full details see `the installation documentation`_.
+
Discussion
~~~~~~~~~~
@@ -59,6 +67,7 @@ Description: Cryptography
.. _`documentation`: https://cryptography.io/
+ .. _`the installation documentation`: https://cryptography.io/en/latest/installation/
.. _`issue tracker`: https://github.com/pyca/cryptography/issues
.. _`cryptography-dev`: https://mail.python.org/mailman/listinfo/cryptography-dev
diff --git a/README.rst b/README.rst
index 19fa779..a58af53 100644
--- a/README.rst
+++ b/README.rst
@@ -39,6 +39,14 @@ key derivation functions. For example, to encrypt something with
You can find more information in the `documentation`_.
+You can install ``cryptography`` with:
+
+.. code-block:: console
+
+ $ pip install cryptography
+
+For full details see `the installation documentation`_.
+
Discussion
~~~~~~~~~~
@@ -51,5 +59,6 @@ involved.
.. _`documentation`: https://cryptography.io/
+.. _`the installation documentation`: https://cryptography.io/en/latest/installation/
.. _`issue tracker`: https://github.com/pyca/cryptography/issues
.. _`cryptography-dev`: https://mail.python.org/mailman/listinfo/cryptography-dev
diff --git a/docs/development/custom-vectors/cast5/generate_cast5.py b/docs/development/custom-vectors/cast5/generate_cast5.py
index 20f3517..a0e28e3 100644
--- a/docs/development/custom-vectors/cast5/generate_cast5.py
+++ b/docs/development/custom-vectors/cast5/generate_cast5.py
@@ -57,6 +57,7 @@ def write_file(data, filename):
with open(filename, "w") as f:
f.write(data)
+
cbc_path = "tests/hazmat/primitives/vectors/ciphers/AES/CBC/CBCMMT128.rsp"
write_file(build_vectors(modes.CBC, cbc_path), "cast5-cbc.txt")
ofb_path = "tests/hazmat/primitives/vectors/ciphers/AES/OFB/OFBMMT128.rsp"
diff --git a/docs/development/custom-vectors/idea.rst b/docs/development/custom-vectors/idea.rst
index 336cdf0..758a108 100644
--- a/docs/development/custom-vectors/idea.rst
+++ b/docs/development/custom-vectors/idea.rst
@@ -29,4 +29,4 @@ project's Python bindings.
Download link: :download:`verify_idea.py
</development/custom-vectors/idea/verify_idea.py>`
-.. _`Botan`: http://botan.randombit.net
+.. _`Botan`: https://botan.randombit.net
diff --git a/docs/development/custom-vectors/idea/generate_idea.py b/docs/development/custom-vectors/idea/generate_idea.py
index c9f9402..2eb6996 100644
--- a/docs/development/custom-vectors/idea/generate_idea.py
+++ b/docs/development/custom-vectors/idea/generate_idea.py
@@ -52,6 +52,7 @@ def write_file(data, filename):
with open(filename, "w") as f:
f.write(data)
+
CBC_PATH = "tests/hazmat/primitives/vectors/ciphers/AES/CBC/CBCMMT128.rsp"
write_file(build_vectors(modes.CBC, CBC_PATH), "idea-cbc.txt")
OFB_PATH = "tests/hazmat/primitives/vectors/ciphers/AES/OFB/OFBMMT128.rsp"
diff --git a/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py b/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py
index 5a48e0c..bd5148f 100644
--- a/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py
+++ b/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py
@@ -104,6 +104,7 @@ def write_file(data, filename):
with open(filename, "w") as f:
f.write(data)
+
oaep_path = os.path.join(
"asymmetric", "RSA", "pkcs-1v2-1d2-vec", "oaep-vect.txt"
)
diff --git a/docs/development/custom-vectors/secp256k1/generate_secp256k1.py b/docs/development/custom-vectors/secp256k1/generate_secp256k1.py
index 502a3ff..d6a2071 100644
--- a/docs/development/custom-vectors/secp256k1/generate_secp256k1.py
+++ b/docs/development/custom-vectors/secp256k1/generate_secp256k1.py
@@ -74,6 +74,7 @@ def write_file(lines, dest):
print(line)
print(line, file=dest)
+
source_path = os.path.join("asymmetric", "ECDSA", "FIPS_186-3", "SigGen.txt")
dest_path = os.path.join("asymmetric", "ECDSA", "SECP256K1", "SigGen.txt")
diff --git a/docs/development/custom-vectors/seed.rst b/docs/development/custom-vectors/seed.rst
index 290fb77..8c4a7aa 100644
--- a/docs/development/custom-vectors/seed.rst
+++ b/docs/development/custom-vectors/seed.rst
@@ -29,4 +29,4 @@ project's Python bindings.
Download link: :download:`verify_seed.py
</development/custom-vectors/seed/verify_seed.py>`
-.. _`Botan`: http://botan.randombit.net
+.. _`Botan`: https://botan.randombit.net
diff --git a/docs/development/custom-vectors/seed/generate_seed.py b/docs/development/custom-vectors/seed/generate_seed.py
index d59597f..5c62d67 100644
--- a/docs/development/custom-vectors/seed/generate_seed.py
+++ b/docs/development/custom-vectors/seed/generate_seed.py
@@ -51,6 +51,7 @@ def write_file(data, filename):
with open(filename, "w") as f:
f.write(data)
+
OFB_PATH = "vectors/cryptography_vectors/ciphers/AES/OFB/OFBMMT128.rsp"
write_file(build_vectors(modes.OFB, OFB_PATH), "seed-ofb.txt")
CFB_PATH = "vectors/cryptography_vectors/ciphers/AES/CFB/CFB128MMT128.rsp"
diff --git a/docs/development/getting-started.rst b/docs/development/getting-started.rst
index 3ad9fe8..dc55893 100644
--- a/docs/development/getting-started.rst
+++ b/docs/development/getting-started.rst
@@ -6,18 +6,28 @@ Development dependencies
Working on ``cryptography`` requires the installation of a small number of
development dependencies in addition to the dependencies for
:doc:`/installation`. These are listed in ``dev-requirements.txt`` and they can
-be installed in a `virtualenv`_ using `pip`_. Once you've installed the
-dependencies, install ``cryptography`` in ``editable`` mode. For example:
+be installed in a `virtualenv`_ using `pip`_. Before you install them, follow
+the **build** instructions in :doc:`/installation` (be sure to stop before
+actually installing ``cryptography``). Once you've done that, install the
+development dependencies, and then install ``cryptography`` in ``editable``
+mode. For example:
.. code-block:: console
$ # Create a virtualenv and activate it
+ $ # Set up your cryptography build environment
$ pip install --requirement dev-requirements.txt
$ pip install --editable .
You will also need to install ``enchant`` using your system's package manager
to check spelling in the documentation.
+.. note::
+ There is an upstream bug in ``enchant`` that prevents its installation on
+ Windows with 64-bit Python. See `this Github issue`_ for more information.
+ The easiest workaround is to use 32-bit Python for ``cryptography``
+ development, even on 64-bit Windows.
+
You are now ready to run the tests and build the documentation.
OpenSSL on OS X
@@ -42,7 +52,6 @@ absolute path for the `OpenSSL`_ libraries before calling pip.
.. tip::
You will also need to set these values when `Building documentation`_.
-
Running tests
-------------
@@ -111,10 +120,11 @@ The HTML documentation index can now be found at
.. _`Homebrew`: http://brew.sh
.. _`MacPorts`: https://www.macports.org
-.. _`OpenSSL`: https://openssl.org
+.. _`OpenSSL`: https://www.openssl.org
.. _`pytest`: https://pypi.python.org/pypi/pytest
.. _`tox`: https://pypi.python.org/pypi/tox
.. _`virtualenv`: https://pypi.python.org/pypi/virtualenv
.. _`pip`: https://pypi.python.org/pypi/pip
.. _`sphinx`: https://pypi.python.org/pypi/Sphinx
.. _`reStructured Text`: http://sphinx-doc.org/rest.html
+.. _`this Github issue`: https://github.com/rfk/pyenchant/issues/42
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 4f0ece5..fb72240 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -91,6 +91,13 @@ Key exchange
* ``vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt`` contains
Diffie-Hellman examples from appendix A.1, A.2 and A.3 of :rfc:`5114`.
+* ``vectors/cryptography_vectors/asymmetric/DH/vec.txt`` contains
+ Diffie-Hellman examples from `botan`_.
+
+* ``vectors/cryptography_vectors/asymmetric/DH/bad_exchange.txt`` contains
+ Diffie-Hellman vector pairs that were generated using OpenSSL
+ DH_generate_parameters_ex and DH_generate_key.
+
X.509
~~~~~
@@ -117,6 +124,9 @@ X.509
* ``e-trust.ru.der`` - A certificate from a `Russian CA`_ signed using the GOST
cipher and containing numerous unusual encodings such as NUMERICSTRING in
the subject DN.
+* ``alternate-rsa-sha1-oid.pem`` - A certificate from an
+ `unknown signature OID`_ Mozilla bug that uses an alternate signature OID for
+ RSA with SHA1.
Custom X.509 Vectors
~~~~~~~~~~~~~~~~~~~~
@@ -427,7 +437,7 @@ header format (substituting the correct information):
# Verified against the CommonCrypto and Go crypto packages
# Key Length : 128
-.. _`NIST`: http://www.nist.gov/
+.. _`NIST`: https://www.nist.gov/
.. _`IETF`: https://www.ietf.org/
.. _`NIST CAVP`: http://csrc.nist.gov/groups/STM/cavp/
.. _`Bruce Schneier's vectors`: https://www.schneier.com/code/vectors.txt
@@ -459,3 +469,5 @@ header format (substituting the correct information):
.. _`Mozilla bug`: https://bugzilla.mozilla.org/show_bug.cgi?id=233586
.. _`Russian CA`: https://e-trust.gosuslugi.ru/MainCA
.. _`test/evptests.txt`: https://github.com/openssl/openssl/blob/2d0b44126763f989a4cbffbffe9d0c7518158bb7/test/evptests.txt
+.. _`unknown signature OID`: https://bugzilla.mozilla.org/show_bug.cgi?id=405966
+.. _`botan`: https://github.com/randombit/botan/blob/57789bdfc55061002b2727d0b32587612829a37c/src/tests/data/pubkey/dh.vec
diff --git a/docs/faq.rst b/docs/faq.rst
index 2ddc5db..76117a9 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -40,6 +40,19 @@ If you have no other libraries using OpenSSL in your process, or they do not
appear to be at fault, it's possible that this is a bug in ``cryptography``.
Please file an `issue`_ with instructions on how to reproduce it.
+Importing cryptography causes a ``RuntimeError`` about OpenSSL 1.0.0
+--------------------------------------------------------------------
+
+The OpenSSL project has dropped support for the 1.0.0 release series. Since it
+is no longer receiving security patches from upstream, ``cryptography`` is also
+dropping support for it. To fix this issue you should upgrade to a newer
+version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer
+operating system.
+
+For the 1.7 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_100``
+environment variable. Please note that this is *temporary* and will be removed
+in ``cryptography`` 1.8.
+
Installing cryptography with OpenSSL 0.9.8 fails
------------------------------------------------
@@ -49,10 +62,6 @@ dropping support for it. To fix this issue you should upgrade to a newer
version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer
operating system.
-In ``cryptography`` 1.4, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_098``
-environment variable. Please note that this is *temporary* and is removed in
-``cryptography`` 1.5.
-
.. _`NaCl`: https://nacl.cr.yp.to/
.. _`PyNaCl`: https://pynacl.readthedocs.io
.. _`WSGIApplicationGroup`: https://modwsgi.readthedocs.io/en/develop/configuration-directives/WSGIApplicationGroup.html
diff --git a/docs/hazmat/backends/commoncrypto.rst b/docs/hazmat/backends/commoncrypto.rst
index ddaf97e..a6eb490 100644
--- a/docs/hazmat/backends/commoncrypto.rst
+++ b/docs/hazmat/backends/commoncrypto.rst
@@ -27,4 +27,4 @@ CommonCrypto backend is only supported on OS X versions 10.8 and above.
The string name of this backend: ``"commoncrypto"``
-.. _`CommonCrypto`: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/Common%20Crypto.3cc.html
+.. _`CommonCrypto`: https://developer.apple.com/library/content/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html#//apple_ref/doc/uid/TP40011172-CH9-SW10
diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index 14f72cf..87fc6ab 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -422,6 +422,16 @@ A specific ``backend`` may provide one or more of these interfaces.
:returns: An instance of
:class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`.
+ .. method:: derive_elliptic_curve_private_key(private_value, curve)
+
+ :param private_value: A secret scalar value.
+
+ :param curve: An instance of
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve`.
+
+ :returns: An instance of
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`.
+
.. class:: PEMSerializationBackend
.. versionadded:: 0.6
@@ -576,13 +586,23 @@ A specific ``backend`` may provide one or more of these interfaces.
:returns: A new instance of
:class:`~cryptography.x509.RevokedCertificate`.
+ .. method:: x509_name_bytes(name)
+
+ .. versionadded:: 1.6
+
+ :param name: An instance of :class:`~cryptography.x509.Name`.
+
+ :return bytes: The DER encoded bytes.
+
.. class:: DHBackend
.. versionadded:: 0.9
A backend with methods for doing Diffie-Hellman key exchange.
- .. method:: generate_dh_parameters(key_size)
+ .. method:: generate_dh_parameters(generator, key_size)
+
+ :param int generator: The generator to use. Often 2 or 5.
:param int key_size: The bit length of the prime modulus to generate.
@@ -599,7 +619,9 @@ A specific ``backend`` may provide one or more of these interfaces.
:return: A new instance of
:class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`.
- .. method:: generate_dh_private_key_and_parameters(self, key_size)
+ .. method:: generate_dh_private_key_and_parameters(generator, key_size)
+
+ :param int generator: The generator to use. Often 2 or 5.
:param int key_size: The bit length of the prime modulus to generate.
@@ -652,3 +674,33 @@ A specific ``backend`` may provide one or more of these interfaces.
:returns: ``True`` if the given values of ``p`` and ``g`` are supported
by this backend, otherwise ``False``.
+
+
+.. class:: ScryptBackend
+
+ .. versionadded:: 1.6
+
+ A backend with methods for using Scrypt.
+
+ The following backends implement this interface:
+
+ * :doc:`/hazmat/backends/openssl`
+
+ .. method:: derive_scrypt(self, key_material, salt, length, n, r, p)
+
+ :param bytes key_material: The key material to use as a basis for
+ the derived key. This is typically a password.
+
+ :param bytes salt: A salt.
+
+ :param int length: The desired length of the derived key.
+
+ :param int n: CPU/Memory cost parameter. It must be larger than 1 and be a
+ power of 2.
+
+ :param int r: Block size parameter.
+
+ :param int p: Parallelization parameter.
+
+ :return bytes: Derived key.
+
diff --git a/docs/hazmat/backends/openssl.rst b/docs/hazmat/backends/openssl.rst
index 8bc7dac..f97ec57 100644
--- a/docs/hazmat/backends/openssl.rst
+++ b/docs/hazmat/backends/openssl.rst
@@ -15,6 +15,7 @@ greater.
* :class:`~cryptography.hazmat.backends.interfaces.CipherBackend`
* :class:`~cryptography.hazmat.backends.interfaces.CMACBackend`
* :class:`~cryptography.hazmat.backends.interfaces.DERSerializationBackend`
+ * :class:`~cryptography.hazmat.backends.interfaces.DHBackend`
* :class:`~cryptography.hazmat.backends.interfaces.DSABackend`
* :class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend`
* :class:`~cryptography.hazmat.backends.interfaces.HashBackend`
@@ -24,6 +25,11 @@ greater.
* :class:`~cryptography.hazmat.backends.interfaces.PEMSerializationBackend`
* :class:`~cryptography.hazmat.backends.interfaces.X509Backend`
+ It also implements the following interface for OpenSSL versions ``1.1.0``
+ and above.
+
+ * :class:`~cryptography.hazmat.backends.interfaces.ScryptBackend`
+
It also exposes the following:
.. attribute:: name
@@ -35,6 +41,12 @@ greater.
Activates the OS random engine. This will effectively disable OpenSSL's
default CSPRNG.
+ .. method:: osrandom_engine_implementation()
+
+ .. versionadded:: 1.7
+
+ Returns the implementation of OS random engine.
+
.. method:: activate_builtin_random()
This will activate the default OpenSSL CSPRNG.
@@ -76,6 +88,21 @@ details.
Linux uses its own PRNG design. ``/dev/urandom`` is a non-blocking source
seeded from the same pool as ``/dev/random``.
++------------------------------------------+------------------------------+
+| Windows | ``CryptGenRandom()`` |
++------------------------------------------+------------------------------+
+| Linux >= 3.4.17 with working | ``getrandom(GRND_NONBLOCK)`` |
+| ``SYS_getrandom`` syscall | |
++------------------------------------------+------------------------------+
+| OpenBSD >= 5.6 | ``getentropy()`` |
++------------------------------------------+------------------------------+
+| BSD family (including macOS 10.12+) with | ``getentropy()`` |
+| ``SYS_getentropy`` in ``sys/syscall.h`` | |
++------------------------------------------+------------------------------+
+| fallback | ``/dev/urandom`` with |
+| | cached file descriptor |
++------------------------------------------+------------------------------+
+
.. _`OpenSSL`: https://www.openssl.org/
.. _`initializing the RNG`: https://en.wikipedia.org/wiki/OpenSSL#Predictable_private_keys_.28Debian-specific.29
diff --git a/docs/hazmat/bindings/commoncrypto.rst b/docs/hazmat/bindings/commoncrypto.rst
index fd3d39a..d5a739c 100644
--- a/docs/hazmat/bindings/commoncrypto.rst
+++ b/docs/hazmat/bindings/commoncrypto.rst
@@ -27,4 +27,4 @@ available on Mac OS X versions 10.8 and above.
.. _`CFFI`: https://cffi.readthedocs.io
-.. _`CommonCrypto`: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/Common%20Crypto.3cc.html
+.. _`CommonCrypto`: https://developer.apple.com/library/content/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html#//apple_ref/doc/uid/TP40011172-CH9-SW10
diff --git a/docs/hazmat/bindings/openssl.rst b/docs/hazmat/bindings/openssl.rst
index 8aef488..482cfaf 100644
--- a/docs/hazmat/bindings/openssl.rst
+++ b/docs/hazmat/bindings/openssl.rst
@@ -45,4 +45,4 @@ OpenSSL.
.. _`CFFI`: https://cffi.readthedocs.io
.. _`OpenSSL`: https://www.openssl.org/
-.. _`thread safety facilities`: https://www.openssl.org/docs/manmaster/crypto/threads.html
+.. _`thread safety facilities`: https://www.openssl.org/docs/man1.0.2/crypto/threads.html
diff --git a/docs/hazmat/primitives/asymmetric/dh.rst b/docs/hazmat/primitives/asymmetric/dh.rst
index 8cb6828..463df90 100644
--- a/docs/hazmat/primitives/asymmetric/dh.rst
+++ b/docs/hazmat/primitives/asymmetric/dh.rst
@@ -6,69 +6,70 @@ Diffie-Hellman key exchange
.. currentmodule:: cryptography.hazmat.primitives.asymmetric.dh
-Numbers
-~~~~~~~
-
-.. class:: DHPrivateNumbers(x, public_numbers)
-
- .. versionadded:: 0.8
-
- The collection of integers that make up a Diffie-Hellman private key.
-
- .. attribute:: public_numbers
-
- :type: :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicNumbers`
-
- The :class:`DHPublicNumbers` which makes up the DH public
- key associated with this DH private key.
-
- .. attribute:: x
-
- :type: int
-
- The private value.
+`Diffie-Hellman key exchange`_ (D–H) is a method that allows two parties
+to jointly agree on a shared secret using an insecure channel.
-.. class:: DHPublicNumbers(y, parameter_numbers)
-
- .. versionadded:: 0.8
+Exchange Algorithm
+~~~~~~~~~~~~~~~~~~
- The collection of integers that make up a Diffie-Hellman public key.
+For most applications the ``shared_key`` should be passed to a key
+derivation function.
- .. attribute:: parameter_numbers
-
- :type: :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameterNumbers`
+.. code-block:: pycon
- The parameters for this DH group.
+ >>> from cryptography.hazmat.backends import default_backend
+ >>> from cryptography.hazmat.primitives.asymmetric import dh
+ >>> parameters = dh.generate_parameters(generator=2, key_size=2048,
+ ... backend=default_backend())
+ >>> private_key = parameters.generate_private_key()
+ >>> peer_public_key = parameters.generate_private_key().public_key()
+ >>> shared_key = private_key.exchange(peer_public_key)
- .. attribute:: y
+DHE (or EDH), the ephemeral form of this exchange, is **strongly
+preferred** over simple DH and provides `forward secrecy`_ when used.
+You must generate a new private key using :func:`~DHParameters.generate_private_key` for
+each :meth:`~DHPrivateKeyWithSerialization.exchange` when performing an DHE key
+exchange.
- :type: int
+To assemble a :class:`~DHParameters` and a :class:`~DHPublicKey` from
+primitive integers, you must first create the
+:class:`~DHParameterNumbers` and :class:`~DHPublicNumbers` objects. For
+example if **p**, **g**, and **y** are :class:`int` objects received from a
+peer::
- The public value.
+ pn = dh.DHParameterNumbers(p, g)
+ parameters = pn.parameters(default_backend())
+ peer_public_numbers = dh.DHPublicNumbers(y, pn)
+ peer_public_key = peer_public_numbers.public_key(default_backend())
-.. class:: DHParameterNumbers(p, g)
+See also the :class:`~cryptography.hazmat.backends.interfaces.DHBackend`
+API for additional functionality.
- .. versionadded:: 0.8
+Group parameters
+~~~~~~~~~~~~~~~~
- The collection of integers that define a Diffie-Hellman group.
+.. function:: generate_parameters(generator, key_size, backend)
- .. attribute:: p
+ .. versionadded:: 0.9
- :type: int
+ Generate a new DH parameter group for use with ``backend``.
- The prime modulus value.
+ :param generator: The :class:`int` to use as a generator. Must be
+ 2 or 5.
- .. attribute:: g
+ :param key_size: The bit length of the prime modulus to generate.
- :type: int
+ :param backend: A
+ :class:`~cryptography.hazmat.backends.interfaces.DHBackend`
+ instance.
- The generator value.
+ :returns: DH parameters as a new instance of
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`.
+ :raises ValueError: If ``key_size`` is not at least 512.
-Key interfaces
-~~~~~~~~~~~~~~
.. class:: DHParameters
@@ -99,6 +100,9 @@ Key interfaces
:return: A :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameterNumbers`.
+Key interfaces
+~~~~~~~~~~~~~~
+
.. class:: DHPrivateKey
.. versionadded:: 0.9
@@ -132,6 +136,15 @@ Key interfaces
:return: A :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateNumbers`.
+ .. method:: exchange(peer_public_key)
+
+ .. versionadded:: 1.7
+
+ :param DHPublicKeyWithSerialization peer_public_key: The public key for the
+ peer.
+
+ :return bytes: The agreed key. The bytes are ordered in 'big' endian.
+
.. class:: DHPublicKey
@@ -159,3 +172,67 @@ Key interfaces
Return the numbers that make up this public key.
:return: A :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicNumbers`.
+
+
+Numbers
+~~~~~~~
+
+.. class:: DHParameterNumbers(p, g)
+
+ .. versionadded:: 0.8
+
+ The collection of integers that define a Diffie-Hellman group.
+
+ .. attribute:: p
+
+ :type: int
+
+ The prime modulus value.
+
+ .. attribute:: g
+
+ :type: int
+
+ The generator value. Must be 2 or 5.
+
+.. class:: DHPrivateNumbers(x, public_numbers)
+
+ .. versionadded:: 0.8
+
+ The collection of integers that make up a Diffie-Hellman private key.
+
+ .. attribute:: public_numbers
+
+ :type: :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicNumbers`
+
+ The :class:`DHPublicNumbers` which makes up the DH public
+ key associated with this DH private key.
+
+ .. attribute:: x
+
+ :type: int
+
+ The private value.
+
+
+.. class:: DHPublicNumbers(y, parameter_numbers)
+
+ .. versionadded:: 0.8
+
+ The collection of integers that make up a Diffie-Hellman public key.
+
+ .. attribute:: parameter_numbers
+
+ :type: :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameterNumbers`
+
+ The parameters for this DH group.
+
+ .. attribute:: y
+
+ :type: int
+
+ The public value.
+
+
+.. _`Diffie-Hellman key exchange`: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
+.. _`forward secrecy`: https://en.wikipedia.org/wiki/Forward_secrecy
diff --git a/docs/hazmat/primitives/asymmetric/dsa.rst b/docs/hazmat/primitives/asymmetric/dsa.rst
index 126cdc2..d4c2525 100644
--- a/docs/hazmat/primitives/asymmetric/dsa.rst
+++ b/docs/hazmat/primitives/asymmetric/dsa.rst
@@ -301,6 +301,9 @@ Key interfaces
.. method:: sign(data, algorithm)
.. versionadded:: 1.5
+ .. versionchanged:: 1.6
+ :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`
+ can now be used as an ``algorithm``.
Sign one block of data which can be verified later by others using the
public key.
@@ -308,7 +311,9 @@ Key interfaces
:param bytes data: The message string to sign.
:param algorithm: An instance of
- :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
+ :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`
+ if the ``data`` you want to sign has already been hashed.
:return bytes: Signature.
@@ -424,6 +429,9 @@ Key interfaces
.. method:: verify(signature, data, algorithm)
.. versionadded:: 1.5
+ .. versionchanged:: 1.6
+ :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`
+ can now be used as an ``algorithm``.
Verify one block of data was signed by the private key
associated with this public key.
@@ -433,7 +441,9 @@ Key interfaces
:param bytes data: The message string that was signed.
:param algorithm: An instance of
- :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`.
+ :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`
+ if the ``data`` you want to sign has already been hashed.
:raises cryptography.exceptions.InvalidSignature: If the signature does
not validate.
diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst
index add5966..99abcc6 100644
--- a/docs/hazmat/primitives/asymmetric/ec.rst
+++ b/docs/hazmat/primitives/asymmetric/ec.rst
@@ -20,6 +20,23 @@ Elliptic curve cryptography
:returns: A new instance of :class:`EllipticCurvePrivateKey`.
+.. function:: derive_private_key(private_value, curve, backend)
+
+ .. versionadded:: 1.6
+
+ Derive a private key from ``private_value`` on ``curve`` for use with
+ ``backend``.
+
+ :param int private_value: The secret scalar value.
+
+ :param curve: An instance of :class:`EllipticCurve`.
+
+ :param backend: An instance of
+ :class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend`.
+
+ :returns: A new instance of :class:`EllipticCurvePrivateKey`.
+
+
Elliptic Curve Signature Algorithms
-----------------------------------
@@ -61,6 +78,21 @@ Elliptic Curve Signature Algorithms
:func:`~cryptography.hazmat.primitives.asymmetric.utils.decode_dss_signature`.
+ Verification requires the public key, the signature itself, the signed data, and knowledge of the hashing algorithm that was used when producing the signature:
+
+ >>> public_key = private_key.public_key()
+ >>> verifier = public_key.verifier(signature, ec.ECDSA(hashes.SHA256()))
+ >>> verifier.update(b"this is some data I'd like")
+ >>> verifier.update(b" to sign")
+ >>> verifier.verify()
+ True
+
+ The last call will either return ``True`` or raise an :class:`~cryptography.exceptions.InvalidSignature` exception.
+
+ .. note::
+ Although in this case the public key was derived from the private one, in a typical setting you will not possess the private key. The `Key loading`_ section explains how to load the public key from other sources.
+
+
.. class:: EllipticCurvePrivateNumbers(private_value, public_numbers)
@@ -352,12 +384,16 @@ Key Interfaces
.. class:: EllipticCurveSignatureAlgorithm
.. versionadded:: 0.5
+ .. versionchanged:: 1.6
+ :class:`~cryptography.hazmat.primitives.asymmetric.utils.Prehashed`
+ can now be used as an ``algorithm``.
... 7031 lines suppressed ...
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-cryptography.git