[Python-modules-commits] [python-cryptography] 01/03: Import python-cryptography_1.2.1.orig.tar.gz
Tristan Seligmann
mithrandi at moszumanska.debian.org
Sat Jan 23 14:19:58 UTC 2016
This is an automated email from the git hooks/post-receive script.
mithrandi pushed a commit to branch master
in repository python-cryptography.
commit 61b9dec968c93af35847ed8843996c477d00d126
Author: Tristan Seligmann <mithrandi at debian.org>
Date: Sat Jan 23 04:19:39 2016 +0200
Import python-cryptography_1.2.1.orig.tar.gz
---
CHANGELOG.rst | 65 +-
PKG-INFO | 2 +-
docs/conf.py | 2 +-
docs/development/custom-vectors/arc4.rst | 30 +
.../custom-vectors/arc4/generate_arc4.py | 98 +++
.../development/custom-vectors/arc4/verify_arc4.go | 111 +++
.../custom-vectors/secp256k1/verify_secp256k1.py | 4 +-
docs/development/submitting-patches.rst | 4 +-
docs/development/test-vectors.rst | 13 +-
docs/faq.rst | 2 +-
docs/hazmat/backends/interfaces.rst | 35 +-
docs/hazmat/bindings/openssl.rst | 2 +-
docs/hazmat/primitives/asymmetric/ec.rst | 2 +-
.../hazmat/primitives/asymmetric/serialization.rst | 42 +-
docs/installation.rst | 23 +-
docs/limitations.rst | 2 +-
docs/spelling_wordlist.txt | 1 +
docs/x509/reference.rst | 411 +++++++++++-
setup.py | 6 +-
src/_cffi_src/build_commoncrypto.py | 1 +
src/_cffi_src/build_constant_time.py | 5 +-
src/_cffi_src/build_openssl.py | 7 +-
src/_cffi_src/build_padding.py | 5 +-
src/_cffi_src/commoncrypto/sectrust.py | 22 +
src/_cffi_src/openssl/asn1.py | 5 +-
src/_cffi_src/openssl/bignum.py | 2 +
src/_cffi_src/openssl/callbacks.py | 50 ++
src/_cffi_src/openssl/ec.py | 29 +-
src/_cffi_src/openssl/err.py | 1 +
src/_cffi_src/openssl/evp.py | 11 +
src/_cffi_src/openssl/pem.py | 1 +
src/_cffi_src/openssl/ssl.py | 33 +-
src/_cffi_src/openssl/x509.py | 28 +
src/_cffi_src/openssl/x509_vfy.py | 2 +
src/_cffi_src/openssl/x509v3.py | 12 +
src/_cffi_src/utils.py | 27 +-
src/cryptography.egg-info/PKG-INFO | 2 +-
src/cryptography.egg-info/SOURCES.txt | 8 +
src/cryptography.egg-info/requires.txt | 4 +-
src/cryptography/__about__.py | 4 +-
src/cryptography/__init__.py | 3 +-
src/cryptography/exceptions.py | 14 -
src/cryptography/hazmat/backends/interfaces.py | 14 +
src/cryptography/hazmat/backends/multibackend.py | 18 +
.../hazmat/backends/openssl/backend.py | 537 ++++++++++-----
src/cryptography/hazmat/backends/openssl/ec.py | 5 +
src/cryptography/hazmat/backends/openssl/rsa.py | 1 +
src/cryptography/hazmat/backends/openssl/x509.py | 195 +++++-
.../hazmat/bindings/openssl/_conditional.py | 15 +-
.../hazmat/bindings/openssl/binding.py | 43 +-
.../hazmat/primitives/ciphers/algorithms.py | 2 +-
src/cryptography/utils.py | 6 +-
src/cryptography/x509/__init__.py | 32 +-
src/cryptography/x509/base.py | 209 ++++++
src/cryptography/x509/extensions.py | 230 ++++++-
src/cryptography/x509/general_name.py | 6 +
src/cryptography/x509/oid.py | 60 +-
tests/hazmat/backends/test_multibackend.py | 14 +
tests/hazmat/backends/test_openssl.py | 126 +++-
tests/hazmat/primitives/fixtures_ec.py | 296 ++++++++
tests/hazmat/primitives/test_arc4.py | 1 +
tests/hazmat/primitives/test_ec.py | 25 +-
tests/hazmat/primitives/test_rsa.py | 37 +
tests/test_x509.py | 745 ++++++++++++++++++---
tests/test_x509_crlbuilder.py | 449 +++++++++++++
tests/test_x509_ext.py | 410 +++++++++++-
tests/test_x509_revokedcertbuilder.py | 160 +++++
67 files changed, 4275 insertions(+), 492 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 19bfad0..f7c62fc 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,70 @@
Changelog
=========
+1.2.1 - 2016-01-08
+~~~~~~~~~~~~~~~~~~
+
+* Reverts a change to an OpenSSL ``EVP_PKEY`` object that caused errors with
+ ``pyOpenSSL``.
+
+1.2 - 2016-01-08
+~~~~~~~~~~~~~~~~
+
+* **BACKWARDS INCOMPATIBLE:**
+ :class:`~cryptography.x509.RevokedCertificate`
+ :attr:`~cryptography.x509.RevokedCertificate.extensions` now uses extension
+ classes rather than returning raw values inside the
+ :class:`~cryptography.x509.Extension`
+ :attr:`~cryptography.x509.Extension.value`. The new classes
+ are:
+
+ * :class:`~cryptography.x509.CertificateIssuer`
+ * :class:`~cryptography.x509.CRLReason`
+ * :class:`~cryptography.x509.InvalidityDate`
+* Deprecated support for OpenSSL 0.9.8 and 1.0.0. At this time there is no time
+ table for actually dropping support, however we strongly encourage all users
+ to upgrade, as those versions no longer receives support from the OpenSSL
+ project.
+* The :class:`~cryptography.x509.Certificate` class now has
+ :attr:`~cryptography.x509.Certificate.signature` and
+ :attr:`~cryptography.x509.Certificate.tbs_certificate_bytes` attributes.
+* The :class:`~cryptography.x509.CertificateSigningRequest` class now has
+ :attr:`~cryptography.x509.CertificateSigningRequest.signature` and
+ :attr:`~cryptography.x509.CertificateSigningRequest.tbs_certrequest_bytes`
+ attributes.
+* The :class:`~cryptography.x509.CertificateRevocationList` class now has
+ :attr:`~cryptography.x509.CertificateRevocationList.signature` and
+ :attr:`~cryptography.x509.CertificateRevocationList.tbs_certlist_bytes`
+ attributes.
+* :class:`~cryptography.x509.NameConstraints` are now supported in the
+ :class:`~cryptography.x509.CertificateBuilder` and
+ :class:`~cryptography.x509.CertificateSigningRequestBuilder`.
+* Support serialization of certificate revocation lists using the
+ :meth:`~cryptography.x509.CertificateRevocationList.public_bytes` method of
+ :class:`~cryptography.x509.CertificateRevocationList`.
+* Add support for parsing :class:`~cryptography.x509.CertificateRevocationList`
+ :meth:`~cryptography.x509.CertificateRevocationList.extensions` in the
+ OpenSSL backend. The following extensions are currently supported:
+
+ * :class:`~cryptography.x509.AuthorityInformationAccess`
+ * :class:`~cryptography.x509.AuthorityKeyIdentifier`
+ * :class:`~cryptography.x509.CRLNumber`
+ * :class:`~cryptography.x509.IssuerAlternativeName`
+* Added :class:`~cryptography.x509.CertificateRevocationListBuilder` and
+ :class:`~cryptography.x509.RevokedCertificateBuilder` to allow creation of
+ CRLs.
+* Unrecognized non-critical X.509 extensions are now parsed into an
+ :class:`~cryptography.x509.UnrecognizedExtension` object.
+
+1.1.2 - 2015-12-10
+~~~~~~~~~~~~~~~~~~
+
+* Fixed a SIGBUS crash with the OS X wheels caused by redefinition of a
+ method.
+* Fixed a runtime error ``undefined symbol EC_GFp_nistp224_method`` that
+ occurred with some OpenSSL installations.
+* Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2e.
+
1.1.1 - 2015-11-19
~~~~~~~~~~~~~~~~~~
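Review bot: In the 1.2 entry that deprecates OpenSSL 0.9.8 and 1.0.0, "those versions no longer receives support" has a subject-verb mismatch and should read "no longer receive support"; "time table" in the same entry is normally written "timetable". Because this commit imports the upstream tarball unchanged, the wording fix belongs upstream rather than in the packaging branch.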
@@ -34,7 +98,6 @@ Changelog
* ``countryName`` is now encoded as a ``PrintableString`` when creating subject
and issuer distinguished names with the Certificate and CSR builder classes.
-
1.0.2 - 2015-09-27
~~~~~~~~~~~~~~~~~~
* **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use
diff --git a/PKG-INFO b/PKG-INFO
index a5813ba..555d0c4 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: cryptography
-Version: 1.1.1
+Version: 1.2.1
Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The cryptography developers
diff --git a/docs/conf.py b/docs/conf.py
index 5a4c41b..dcc9c62 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -71,7 +71,7 @@ master_doc = 'index'
# General information about the project.
project = 'Cryptography'
-copyright = '2013-2015, Individual Contributors'
+copyright = '2013-2016, Individual Contributors'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
diff --git a/docs/development/custom-vectors/arc4.rst b/docs/development/custom-vectors/arc4.rst
new file mode 100644
index 0000000..ed8cd54
--- /dev/null
+++ b/docs/development/custom-vectors/arc4.rst
@@ -0,0 +1,30 @@
+ARC4 vector creation
+====================
+
+This page documents the code that was used to generate the ARC4 test
+vectors for key lengths not available in RFC 6229. All the vectors
+were generated using OpenSSL and verified with Go.
+
+Creation
+--------
+
+``cryptography`` was modified to support ARC4 key lengths not listed
+in RFC 6229. Then the following Python script was run to generate the
+vector files.
+
+.. literalinclude:: /development/custom-vectors/arc4/generate_arc4.py
+
+Download link: :download:`generate_arc4.py
+</development/custom-vectors/arc4/generate_arc4.py>`
+
+
+Verification
+------------
+
+The following Go code was used to verify the vectors.
+
+.. literalinclude:: /development/custom-vectors/arc4/verify_arc4.go
+ :language: go
+
+Download link: :download:`verify_arc4.go
+</development/custom-vectors/arc4/verify_arc4.go>`
diff --git a/docs/development/custom-vectors/arc4/generate_arc4.py b/docs/development/custom-vectors/arc4/generate_arc4.py
new file mode 100644
index 0000000..3dee44a
--- /dev/null
+++ b/docs/development/custom-vectors/arc4/generate_arc4.py
@@ -0,0 +1,98 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import binascii
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import ciphers
+from cryptography.hazmat.primitives.ciphers import algorithms
+
+
+_RFC6229_KEY_MATERIALS = [
+ (True,
+ 8 * '0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20'),
+ (False,
+ 8 * '1ada31d5cf688221c109163908ebe51debb46227c6cc8b37641910833222772a')
+]
+
+
+_RFC6229_OFFSETS = [
+ 0,
+ 16,
+ 240,
+ 256,
+ 496,
+ 512,
+ 752,
+ 768,
+ 1008,
+ 1024,
+ 1520,
+ 1536,
+ 2032,
+ 2048,
+ 3056,
+ 3072,
+ 4080,
+ 4096
+]
+
+
+_SIZES_TO_GENERATE = [
+ 160
+]
+
+
+def _key_for_size(size, keyinfo):
+ msb, key = keyinfo
+ if msb:
+ return key[:size // 4]
+ else:
+ return key[-size // 4:]
+
+
+def _build_vectors():
+ count = 0
+ output = []
+ key = None
+ plaintext = binascii.unhexlify(32 * '0')
+ for size in _SIZES_TO_GENERATE:
+ for keyinfo in _RFC6229_KEY_MATERIALS:
+ key = _key_for_size(size, keyinfo)
+ cipher = ciphers.Cipher(
+ algorithms.ARC4(binascii.unhexlify(key)),
+ None,
+ default_backend())
+ encryptor = cipher.encryptor()
+ current_offset = 0
+ for offset in _RFC6229_OFFSETS:
+ if offset % 16 != 0:
+ raise ValueError(
+ "Offset {} is not evenly divisible by 16"
+ .format(offset))
+ while current_offset < offset:
+ encryptor.update(plaintext)
+ current_offset += len(plaintext)
+ output.append("\nCOUNT = {}".format(count))
+ count += 1
+ output.append("KEY = {}".format(key))
+ output.append("OFFSET = {}".format(offset))
+ output.append("PLAINTEXT = {}".format(
+ binascii.hexlify(plaintext)))
+ output.append("CIPHERTEXT = {}".format(
+ binascii.hexlify(encryptor.update(plaintext))))
+ current_offset += len(plaintext)
+ assert not encryptor.finalize()
+ return "\n".join(output)
+
+
+def _write_file(data, filename):
+ with open(filename, 'w') as f:
+ f.write(data)
+
+
+if __name__ == '__main__':
+ _write_file(_build_vectors(), 'arc4.txt')
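Review bot: In _build_vectors, the PLAINTEXT and CIPHERTEXT lines format the return value of binascii.hexlify() directly. On Python 3 hexlify() returns bytes, so the vector file would contain values of the form b'00...' that the Go verifier's hex.DecodeString cannot parse. Decode before formatting, for example binascii.hexlify(plaintext).decode('ascii'). Separately, _key_for_size relies on "-size // 4" parsing as (-size) // 4, which equals -(size // 4) only when size is a multiple of 4; writing key[-(size // 4):] states the intent and stays symmetric with the key[:size // 4] branch.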
diff --git a/docs/development/custom-vectors/arc4/verify_arc4.go b/docs/development/custom-vectors/arc4/verify_arc4.go
new file mode 100644
index 0000000..508fe98
--- /dev/null
+++ b/docs/development/custom-vectors/arc4/verify_arc4.go
@@ -0,0 +1,111 @@
+package main
+
+import (
+ "bufio"
+ "bytes"
+ "crypto/rc4"
+ "encoding/hex"
+ "fmt"
+ "os"
+ "strconv"
+ "strings"
+)
+
+func unhexlify(s string) []byte {
+ bytes, err := hex.DecodeString(s)
+ if err != nil {
+ panic(err)
+ }
+ return bytes
+}
+
+type vectorArgs struct {
+ count string
+ offset uint64
+ key string
+ plaintext string
+ ciphertext string
+}
+
+type vectorVerifier interface {
+ validate(count string, offset uint64, key, plaintext, expectedCiphertext []byte)
+}
+
+type arc4Verifier struct{}
+
+func (o arc4Verifier) validate(count string, offset uint64, key, plaintext, expectedCiphertext []byte) {
+ if offset%16 != 0 || len(plaintext) != 16 || len(expectedCiphertext) != 16 {
+ panic(fmt.Errorf("Unexpected input value encountered: offset=%v; len(plaintext)=%v; len(expectedCiphertext)=%v",
+ offset,
+ len(plaintext),
+ len(expectedCiphertext)))
+ }
+ stream, err := rc4.NewCipher(key)
+ if err != nil {
+ panic(err)
+ }
+
+ var currentOffset uint64 = 0
+ ciphertext := make([]byte, len(plaintext))
+ for currentOffset <= offset {
+ stream.XORKeyStream(ciphertext, plaintext)
+ currentOffset += uint64(len(plaintext))
+ }
+ if !bytes.Equal(ciphertext, expectedCiphertext) {
+ panic(fmt.Errorf("vector mismatch @ COUNT = %s:\n %s != %s\n",
+ count,
+ hex.EncodeToString(expectedCiphertext),
+ hex.EncodeToString(ciphertext)))
+ }
+}
+
+func validateVectors(verifier vectorVerifier, filename string) {
+ vectors, err := os.Open(filename)
+ if err != nil {
+ panic(err)
+ }
+ defer vectors.Close()
+
+ var segments []string
+ var vector *vectorArgs
+
+ scanner := bufio.NewScanner(vectors)
+ for scanner.Scan() {
+ segments = strings.Split(scanner.Text(), " = ")
+
+ switch {
+ case strings.ToUpper(segments[0]) == "COUNT":
+ if vector != nil {
+ verifier.validate(vector.count,
+ vector.offset,
+ unhexlify(vector.key),
+ unhexlify(vector.plaintext),
+ unhexlify(vector.ciphertext))
+ }
+ vector = &vectorArgs{count: segments[1]}
+ case strings.ToUpper(segments[0]) == "OFFSET":
+ vector.offset, err = strconv.ParseUint(segments[1], 10, 64)
+ if err != nil {
+ panic(err)
+ }
+ case strings.ToUpper(segments[0]) == "KEY":
+ vector.key = segments[1]
+ case strings.ToUpper(segments[0]) == "PLAINTEXT":
+ vector.plaintext = segments[1]
+ case strings.ToUpper(segments[0]) == "CIPHERTEXT":
+ vector.ciphertext = segments[1]
+ }
+ }
+ if vector != nil {
+ verifier.validate(vector.count,
+ vector.offset,
+ unhexlify(vector.key),
+ unhexlify(vector.plaintext),
+ unhexlify(vector.ciphertext))
+ }
+}
+
+func main() {
+ validateVectors(arc4Verifier{}, "vectors/cryptography_vectors/ciphers/ARC4/arc4.txt")
+ fmt.Println("ARC4 OK.")
+}
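Review bot: validateVectors never checks scanner.Err() after the scan loop, and main prints "ARC4 OK." even when no COUNT line was read, so a read error or an empty vector file passes verification silently. Check scanner.Err() once the loop ends and fail if zero vectors were validated. The OFFSET, KEY, PLAINTEXT and CIPHERTEXT cases also dereference vector without a nil check, so a file whose first field is not COUNT ends in a nil-pointer panic instead of a clear parse error.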
diff --git a/docs/development/custom-vectors/secp256k1/verify_secp256k1.py b/docs/development/custom-vectors/secp256k1/verify_secp256k1.py
index 3d2c25b..b236d77 100644
--- a/docs/development/custom-vectors/secp256k1/verify_secp256k1.py
+++ b/docs/development/custom-vectors/secp256k1/verify_secp256k1.py
@@ -6,7 +6,7 @@ from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
- encode_rfc6979_signature
+ encode_dss_signature
)
from tests.utils import (
@@ -27,7 +27,7 @@ def verify_one_vector(vector):
message = vector['message']
x = vector['x']
y = vector['y']
- signature = encode_rfc6979_signature(vector['r'], vector['s'])
+ signature = encode_dss_signature(vector['r'], vector['s'])
numbers = ec.EllipticCurvePublicNumbers(
x, y,
diff --git a/docs/development/submitting-patches.rst b/docs/development/submitting-patches.rst
index 6610584..563bc81 100644
--- a/docs/development/submitting-patches.rst
+++ b/docs/development/submitting-patches.rst
@@ -151,6 +151,6 @@ So, specifically:
.. _`Write comments as complete sentences.`: http://nedbatchelder.com/blog/201401/comments_should_be_sentences.html
.. _`syntax`: http://sphinx-doc.org/domains.html#info-field-lists
-.. _`Studies have shown`: https://smartbear.com/smartbear/media/pdfs/wp-cc-11-best-practices-of-peer-code-review.pdf
+.. _`Studies have shown`: https://smartbear.com/SmartBear/media/pdfs/11_Best_Practices_for_Peer_Code_Review.pdf
.. _`our mailing list`: https://mail.python.org/mailman/listinfo/cryptography-dev
-.. _`doc8`: https://github.com/stackforge/doc8
+.. _`doc8`: https://github.com/openstack/doc8
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index 0b249cc..ad945f2 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -141,6 +141,10 @@ Custom X.509 Vectors
* ``unsupported_extension.pem`` - An RSA 2048 bit self-signed certificate
containing an unsupported extension type. The OID was encoded as
"1.2.3.4" with an ``extnValue`` of "value".
+* ``unsupported_extension_2.pem`` - A ``secp256r1`` certificate
+ containing two unsupported extensions. The OIDs are ``1.3.6.1.4.1.41482.2``
+ with an ``extnValue`` of ``1.3.6.1.4.1.41482.1.2`` and
+ ``1.3.6.1.4.1.45724.2.1.1`` with an ``extnValue`` of ``\x03\x02\x040``
* ``unsupported_extension_critical.pem`` - An RSA 2048 bit self-signed
certificate containing an unsupported extension type marked critical. The OID
was encoded as "1.2.3.4" with an ``extnValue`` of "value".
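Review bot: The new unsupported_extension_2.pem entry ends at ``\x03\x02\x040`` with no closing period, while the entries on either side end with one. It also gives the first extnValue as a dotted string and the second as escaped bytes; stating whether both are raw extnValue contents would remove the ambiguity for anyone writing tests against this vector.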
@@ -304,6 +308,10 @@ Custom X.509 Certificate Revocation List Vectors
an unsupported reason code.
* ``crl_inval_cert_issuer_entry_ext.pem`` - Contains a CRL with one revocation
which has one entry extension for certificate issuer with an empty value.
+* ``crl_empty.pem`` - Contains a CRL with no revoked certificates.
+* ``crl_ian_aia_aki.pem`` - Contains a CRL with ``IssuerAlternativeName``,
+ ``AuthorityInformationAccess``, ``AuthorityKeyIdentifier`` and ``CRLNumber``
+ extensions.
Hashes
~~~~~~
@@ -346,7 +354,9 @@ Symmetric ciphers
* AES (CBC, CFB, ECB, GCM, OFB) from `NIST CAVP`_.
* AES CTR from :rfc:`3686`.
* 3DES (CBC, CFB, ECB, OFB) from `NIST CAVP`_.
-* ARC4 from :rfc:`6229`.
+* ARC4 (KEY-LENGTH: 40, 56, 64, 80, 128, 192, 256) from :rfc:`6229`.
+* ARC4 (KEY-LENGTH: 160) generated by this project.
+ See: :doc:`/development/custom-vectors/arc4`
* Blowfish (CBC, CFB, ECB, OFB) from `Bruce Schneier's vectors`_.
* Camellia (ECB) from NTT's `Camellia page`_ as linked by `CRYPTREC`_.
* Camellia (CBC, CFB, OFB) from `OpenSSL's test vectors`_.
@@ -385,6 +395,7 @@ Custom Symmetric Vectors
.. toctree::
:maxdepth: 1
+ custom-vectors/arc4
custom-vectors/cast5
custom-vectors/idea
custom-vectors/seed
diff --git a/docs/faq.rst b/docs/faq.rst
index 0b7bdce..10c8656 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -14,5 +14,5 @@ to NaCl.
If you prefer NaCl's design, we highly recommend `PyNaCl`_.
-.. _`NaCl`: http://nacl.cr.yp.to/
+.. _`NaCl`: https://nacl.cr.yp.to/
.. _`PyNaCl`: https://pynacl.readthedocs.org
diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index 442bd0d..73011dd 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -547,8 +547,8 @@ A specific ``backend`` may provide one or more of these interfaces.
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
that will be used to generate the request signature.
- :returns: A new object with the
- :class:`~cryptography.x509.CertificateSigningRequest` interface.
+ :returns: A new instance of
+ :class:`~cryptography.x509.CertificateSigningRequest`.
.. method:: create_x509_certificate(builder, private_key, algorithm)
@@ -567,9 +567,36 @@ A specific ``backend`` may provide one or more of these interfaces.
:class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
that will be used to generate the certificate signature.
- :returns: A new object with the
- :class:`~cryptography.x509.Certificate` interface.
+ :returns: A new instance of :class:`~cryptography.x509.Certificate`.
+
+ .. method:: create_x509_crl(builder, private_key, algorithm)
+
+ .. versionadded:: 1.2
+
+ :param builder: An instance of
+ :class:`~cryptography.x509.CertificateRevocationListBuilder`.
+
+ :param private_key: The
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey` or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
+ that will be used to sign the CRL.
+
+ :param algorithm: The
+ :class:`~cryptography.hazmat.primitives.hashes.HashAlgorithm`
+ that will be used to generate the CRL signature.
+
+ :returns: A new instance of
+ :class:`~cryptography.x509.CertificateRevocationList`.
+
+ .. method:: create_x509_revoked_certificate(builder)
+
+ .. versionadded:: 1.2
+
+ :param builder: An instance of RevokedCertificateBuilder.
+ :returns: A new instance of
+ :class:`~cryptography.x509.RevokedCertificate`.
.. class:: DHBackend
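Review bot: In create_x509_revoked_certificate, the builder parameter is documented as plain text ("An instance of RevokedCertificateBuilder.") while every other parameter and return value in this hunk uses a :class: cross-reference. Use :class:`~cryptography.x509.RevokedCertificateBuilder` so it links the same way as the CertificateRevocationListBuilder reference in create_x509_crl just above.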
diff --git a/docs/hazmat/bindings/openssl.rst b/docs/hazmat/bindings/openssl.rst
index 0ec0a3d..99cd7a4 100644
--- a/docs/hazmat/bindings/openssl.rst
+++ b/docs/hazmat/bindings/openssl.rst
@@ -46,4 +46,4 @@ OpenSSL.
.. _`CFFI`: https://cffi.readthedocs.org/
.. _`OpenSSL`: https://www.openssl.org/
-.. _`thread safety facilities`: https://www.openssl.org/docs/crypto/threads.html
+.. _`thread safety facilities`: https://www.openssl.org/docs/manmaster/crypto/threads.html
diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst
index c1619dd..8e3a365 100644
--- a/docs/hazmat/primitives/asymmetric/ec.rst
+++ b/docs/hazmat/primitives/asymmetric/ec.rst
@@ -504,7 +504,7 @@ Key Interfaces
.. _`some concern`: https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters
.. _`less than 224 bits`: http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf
.. _`elliptic curve diffie-hellman is faster than diffie-hellman`: http://digitalcommons.unl.edu/cgi/viewcontent.cgi?article=1100&context=cseconfwork
-.. _`minimize the number of security concerns for elliptic-curve cryptography`: http://cr.yp.to/ecdh/curve25519-20060209.pdf
+.. _`minimize the number of security concerns for elliptic-curve cryptography`: https://cr.yp.to/ecdh/curve25519-20060209.pdf
.. _`SafeCurves`: http://safecurves.cr.yp.to/
.. _`ECDSA`: https://en.wikipedia.org/wiki/ECDSA
.. _`EdDSA`: https://en.wikipedia.org/wiki/EdDSA
diff --git a/docs/hazmat/primitives/asymmetric/serialization.rst b/docs/hazmat/primitives/asymmetric/serialization.rst
index f14f403..b94c0e1 100644
--- a/docs/hazmat/primitives/asymmetric/serialization.rst
+++ b/docs/hazmat/primitives/asymmetric/serialization.rst
@@ -118,7 +118,12 @@ all begin with ``-----BEGIN {format}-----`` and end with ``-----END
:class:`~cryptography.hazmat.backends.interfaces.PEMSerializationBackend`
provider.
- :returns: A new instance of a private key.
+ :returns: One of
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
+ or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
+ depending on the contents of ``data``.
:raises ValueError: If the PEM data could not be decrypted or if its
structure could not be decoded successfully.
@@ -136,7 +141,8 @@ all begin with ``-----BEGIN {format}-----`` and end with ``-----END
.. versionadded:: 0.6
Deserialize a public key from PEM encoded data to one of the supported
- asymmetric public key types.
+ asymmetric public key types. The PEM encoded data is typically a
+ ``subjectPublicKeyInfo`` payload as specified in :rfc:`5280`.
.. doctest::
@@ -151,7 +157,13 @@ all begin with ``-----BEGIN {format}-----`` and end with ``-----END
:class:`~cryptography.hazmat.backends.interfaces.PEMSerializationBackend`
provider.
- :returns: A new instance of a public key.
+
+ :returns: One of
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
+ or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
+ depending on the contents of ``data``.
:raises ValueError: If the PEM data's structure could not be decoded
successfully.
@@ -183,7 +195,12 @@ the rest.
:class:`~cryptography.hazmat.backends.interfaces.DERSerializationBackend`
provider.
- :returns: A new instance of a private key.
+ :returns: One of
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPrivateKey`,
+ or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey`
+ depending on the contents of ``data``.
:raises ValueError: If the DER data could not be decrypted or if its
structure could not be decoded successfully.
@@ -210,7 +227,8 @@ the rest.
.. versionadded:: 0.8
Deserialize a public key from DER encoded data to one of the supported
- asymmetric public key types.
+ asymmetric public key types. The DER encoded data is typically a
+ ``subjectPublicKeyInfo`` payload as specified in :rfc:`5280`.
:param bytes data: The DER encoded key data.
@@ -218,7 +236,12 @@ the rest.
:class:`~cryptography.hazmat.backends.interfaces.DERSerializationBackend`
provider.
- :returns: A new instance of a public key.
+ :returns: One of
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
+ or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
+ depending on the contents of ``data``.
:raises ValueError: If the DER data's structure could not be decoded
successfully.
@@ -275,7 +298,12 @@ DSA keys look almost identical but begin with ``ssh-dss`` rather than
:class:`~cryptography.hazmat.backends.interfaces.EllipticCurveBackend`
depending on the key's type.
- :returns: A new instance of a public key type.
+ :returns: One of
+ :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey`,
+ :class:`~cryptography.hazmat.primitives.asymmetric.dsa.DSAPublicKey`,
+ or
+ :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey`
+ depending on the contents of ``data``.
:raises ValueError: If the OpenSSH data could not be properly decoded or
if the key is not in the proper format.
diff --git a/docs/installation.rst b/docs/installation.rst
index 61f9348..f9d2261 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -21,12 +21,15 @@ Currently we test ``cryptography`` on Python 2.6, 2.7, 3.3, 3.4, 3.5, and PyPy
* x86-64 Debian Wheezy (7.x), Jessie (8.x), and Debian Sid (unstable)
* 32-bit and 64-bit Python on 64-bit Windows Server 2012
+.. warning::
+ Python 2.6 is no longer supported by the Python core team. A future version
+ of cryptography will drop support for this version.
+
We test compiling with ``clang`` as well as ``gcc`` and use the following
OpenSSL releases:
* ``OpenSSL 0.9.8e-fips-rhel5`` (``RHEL/CentOS 5``)
* ``OpenSSL 0.9.8k``
-* ``OpenSSL 0.9.8-latest`` (The most recent 0.9.8 release)
* ``OpenSSL 1.0.0-fips`` (``RHEL/CentOS 6.4``)
* ``OpenSSL 1.0.1``
* ``OpenSSL 1.0.1e-fips`` (``RHEL/CentOS 7``)
@@ -34,6 +37,11 @@ OpenSSL releases:
* ``OpenSSL 1.0.1f``
* ``OpenSSL 1.0.2-latest``
+.. warning::
+ OpenSSL versions 0.9.8 and 1.0.0 are no longer supported by the OpenSSL
+ project. A future version of cryptography will drop support for these
+ releases.
+
On Windows
----------
@@ -59,6 +67,8 @@ to include the proper locations. For example:
C:\> set INCLUDE=C:\OpenSSL-win64\include;%INCLUDE%
C:\> pip install cryptography
+If you need to rebuild ``cryptography`` for any reason be sure to clear the
+local `wheel cache`_.
.. _build-on-linux:
@@ -174,7 +184,7 @@ Building cryptography on OS X
-----------------------------
The wheel package on OS X is a statically linked build (as of 1.0.1) so for
-users on 10.10 (Yosemite) and above you only need one step:
+users with pip 1.5 or above you only need one step:
.. code-block:: console
@@ -183,8 +193,8 @@ users on 10.10 (Yosemite) and above you only need one step:
If you want to build cryptography yourself or are on an older OS X version
cryptography requires the presence of a C compiler, development headers, and
the proper libraries. On OS X much of this is provided by Apple's Xcode
-development tools. To install the Xcode command line tools open a terminal
-window and run:
+development tools. To install the Xcode command line tools (on OS X 10.9+)
+open a terminal window and run:
.. code-block:: console
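Review bot: The unchanged first sentence of this paragraph still reads "or are on an older OS X version", but the previous hunk changed the one-step install condition from "10.10 (Yosemite) and above" to "pip 1.5 or above". The fallback case should now mention an older pip as well, otherwise the two paragraphs describe different conditions for when a source build is needed.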
@@ -194,6 +204,7 @@ This will install a compiler (clang) along with (most of) the required
development headers.
You'll also need OpenSSL, which you can obtain from `Homebrew`_ or `MacPorts`_.
+Cryptography does **not** support Apple's deprecated OpenSSL distribution.
To build cryptography and dynamically link it:
@@ -227,6 +238,9 @@ You can also build cryptography statically:
$ sudo port install openssl
$ env CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 LDFLAGS="/opt/local/lib/libssl.a /opt/local/lib/libcrypto.a" CFLAGS="-I/opt/local/include" pip install cryptography
+If you need to rebuild ``cryptography`` for any reason be sure to clear the
+local `wheel cache`_.
+
Building cryptography with conda
--------------------------------
@@ -257,3 +271,4 @@ information, consult `Greg Wilson's blog post`_ on the subject.
.. _`Greg Wilson's blog post`: http://software-carpentry.org/blog/2014/04/mr-biczo-was-right.html
.. _virtualenv: https://virtualenv.pypa.io/en/latest/
.. _openssl.org: https://openssl.org/source/
+.. _`wheel cache`: https://pip.pypa.io/en/stable/reference/pip_install/#caching
diff --git a/docs/limitations.rst b/docs/limitations.rst
index 0dfc49c..503bdfe 100644
--- a/docs/limitations.rst
+++ b/docs/limitations.rst
@@ -15,5 +15,5 @@ software in Python is potentially vulnerable to this attack. The
Likelihood: unlikely, Remediation Cost: expensive to repair" and we do not
consider this a high risk for most users.
-.. _`Memory wiping`: http://blogs.msdn.com/b/oldnewthing/archive/2013/05/29/10421912.aspx
+.. _`Memory wiping`: https://blogs.msdn.microsoft.com/oldnewthing/20130529-00/?p=4223/
.. _`CERT secure coding guidelines`: https://www.securecoding.cert.org/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index dc8bcd0..6def795 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -56,6 +56,7 @@ preprocessors
pseudorandom
pyOpenSSL
relicensed
+runtime
Schneier
scrypt
Serializers
diff --git a/docs/x509/reference.rst b/docs/x509/reference.rst
index f056a72..8bb3f40 100644
--- a/docs/x509/reference.rst
+++ b/docs/x509/reference.rst
@@ -382,6 +382,26 @@ X.509 Certificate Object
<Extension(oid=<ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)>, critical=False, value=<CertificatePolicies([<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=2.16.840.1.101.3.2.1.48.1, name=Unknown OID)>, policy_qualifiers=None)>])>)>
<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=True, value=<BasicConstraints(ca=True, path_length=None)>)>
+ .. attribute:: signature
+
+ .. versionadded:: 1.2
+
+ :type: bytes
+
+ The bytes of the certificate's signature.
+
+ .. attribute:: tbs_certificate_bytes
+
+ .. versionadded:: 1.2
+
+ :type: bytes
+
+ The DER encoded bytes payload (as defined by :rfc:`5280`) that is hashed
+ and then signed by the private key of the certificate's issuer. This
+ data may be used to validate a signature, but use extreme caution as
+ certificate validation is a complex problem that involves much more
+ than just signature checks.
+
.. method:: public_bytes(encoding)
.. versionadded:: 1.0
@@ -484,6 +504,38 @@ X.509 CRL (Certificate Revocation List) Object
The extensions encoded in the CRL.
+ .. attribute:: signature
+
+ .. versionadded:: 1.2
+
+ :type: bytes
+
+ The bytes of the CRL's signature.
+
+ .. attribute:: tbs_certlist_bytes
+
+ .. versionadded:: 1.2
+
+ :type: bytes
+
+ The DER encoded bytes payload (as defined by :rfc:`5280`) that is hashed
+ and then signed by the private key of the CRL's issuer. This data may be
+ used to validate a signature, but use extreme caution as CRL validation
+ is a complex problem that involves much more than just signature checks.
+
+ .. method:: public_bytes(encoding)
+
+ .. versionadded:: 1.2
+
+ :param encoding: The
+ :class:`~cryptography.hazmat.primitives.serialization.Encoding`
+ that will be used to serialize the certificate revocation list.
+
+ :return bytes: The data that can be written to a file or sent
+ over the network and used as part of a certificate verification
+ process.
+
+
X.509 Certificate Builder
~~~~~~~~~~~~~~~~~~~~~~~~~
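Review bot: `tbs_certlist_bytes` carries the same generic caution as the certificate attribute, without the CRL-specific checks a reader needs, since a correctly signed CRL can still be stale or come from the wrong issuer. Suggest naming them: the signature is verified with the CRL issuer's key, the CRL issuer matches the issuer of the certificate being checked, and the current time falls between the last update and next update values. In `public_bytes`, the `:return bytes:` text ("used as part of a certificate verification process") is vague; describe the return value as the serialized CRL in the requested encoding.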
@@ -506,11 +558,7 @@ X.509 Certificate Builder
... key_size=2048,
... backend=default_backend()
... )
- >>> public_key = rsa.generate_private_key(
- ... public_exponent=65537,
- ... key_size=2048,
- ... backend=default_backend()
- ... ).public_key()
+ >>> public_key = private_key.public_key()
>>> builder = x509.CertificateBuilder()
>>> builder = builder.subject_name(x509.Name([
... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io'),
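Review bot: With `public_key = private_key.public_key()` the example no longer separates the subject's key from the signing key, and nothing in the visible lines tells the reader that this is deliberate. If the builder is later signed with `private_key`, the result is a self-signed certificate; a sentence before the doctest saying so would keep readers from copying the pattern for CA-issued certificates, where the public key belongs to the subject and the signing key to the issuer.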
@@ -694,6 +742,132 @@ X.509 CSR (Certificate Signing Request) Object
over the network to be signed by the certificate
authority.
+ .. attribute:: signature
+
+ .. versionadded:: 1.2
+
+ :type: bytes
+
+ The bytes of the certificate signing request's signature.
+
+ .. attribute:: tbs_certrequest_bytes
+
+ .. versionadded:: 1.2
+
+ :type: bytes
+
+ The DER encoded bytes payload (as defined by :rfc:`2986`) that is
+ hashed and then signed by the private key (corresponding to the public
+ key embedded in the CSR). This data may be used to validate the CSR
+ signature.
+
+X.509 Certificate Revocation List Builder
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. class:: CertificateRevocationListBuilder
+
+ .. versionadded:: 1.2
+
+ .. doctest::
+
+ >>> from cryptography import x509
+ >>> from cryptography.hazmat.backends import default_backend
+ >>> from cryptography.hazmat.primitives import hashes
+ >>> from cryptography.hazmat.primitives.asymmetric import rsa
+ >>> from cryptography.x509.oid import NameOID
+ >>> import datetime
+ >>> one_day = datetime.timedelta(1, 0, 0)
+ >>> private_key = rsa.generate_private_key(
+ ... public_exponent=65537,
+ ... key_size=2048,
+ ... backend=default_backend()
+ ... )
+ >>> builder = x509.CertificateRevocationListBuilder()
+ >>> builder = builder.issuer_name(x509.Name([
+ ... x509.NameAttribute(NameOID.COMMON_NAME, u'cryptography.io CA'),
+ ... ]))
+ >>> builder = builder.last_update(datetime.datetime.today())
+ >>> builder = builder.next_update(datetime.datetime.today() + one_day)
+ >>> revoked_cert = x509.RevokedCertificateBuilder().serial_number(
+ ... 333
+ ... ).revocation_date(
+ ... datetime.datetime.today()
+ ... ).build(default_backend())
+ >>> builder = builder.add_revoked_certificate(revoked_cert)
+ >>> crl = builder.sign(
+ ... private_key=private_key, algorithm=hashes.SHA256(),
+ ... backend=default_backend()
+ ... )
+ >>> len(crl)
+ 1
+
+ .. method:: issuer_name(name)
+
+ Sets the issuer's distinguished name.
+
+ :param name: The :class:`~cryptography.x509.Name` that describes the
+ issuer (CA).
+
+ .. method:: last_update(time)
+
+ Sets this CRL's activation time. This is the time from which
+ clients can start trusting this CRL. It may be different from
+ the time at which this CRL was created. This is also known as the
+ ``thisUpdate`` time.
+
+ :param time: The :class:`datetime.datetime` object (in UTC) that marks
+ the activation time for this CRL. The CRL may not be trusted if it
+ is used before this time.
+
+ .. method:: next_update(time)
+
+ Sets this CRL's next update time. This is the time by which
+ a new CRL will be issued. The CA is allowed to issue a new CRL before
+ this date, however clients are not required to check for it.
+
+ :param time: The :class:`datetime.datetime` object (in UTC) that marks
+ the next update time for this CRL.
+
+ .. method:: add_extension(extension, critical)
+
+ Adds an X.509 extension to this CRL.
+
+ :param extension: An extension with the
+ :class:`~cryptography.x509.ExtensionType` interface.
+
+ :param critical: Set to ``True`` if the extension must be understood and
+ handled by whoever reads the CRL.
+
+ .. method:: add_revoked_certificate(revoked_certificate)
+
+ Adds a revoked certificate to this CRL.
+
+ :param revoked_certificate: An instance of
+ :class:`~cryptography.x509.RevokedCertificate`. These can be
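Review bot: The doctest passes `datetime.datetime.today()` to `last_update`, `next_update` and `revocation_date`, while the `:param time:` text for both update methods asks for a datetime "in UTC"; `today()` returns naive local time, so on a host that is not set to UTC the CRL's validity window is shifted by the local offset. Suggest computing `now = datetime.datetime.utcnow()` once at the top of the example and reusing it for all three calls, which also keeps the three timestamps consistent with each other. Separately, `tbs_certrequest_bytes` says the data "may be used to validate the CSR signature" without noting that this only proves possession of the private key and says nothing about the requested subject name; one sentence to that effect would match the caution given for the certificate and CRL attributes.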
... 6069 lines suppressed ...
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-cryptography.git